Re: L2TP/IPsec, Win98SE, NAT-T, Win2k3 failure after a firewall, please help

From: Jeffrey Randow (MVP) (jeffreyr-support_at_remotenetworktechnology.com)
Date: 05/28/04

    Date: Fri, 28 May 2004 00:09:36 -0500
    
    

    I don't believe that Windows 98 supports a NAT-Traversal
    environment... This is why the 98 machine fails after you insert a
    NAT gateway device...

    Jeffrey Randow (Windows Networking & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On 25 May 2004 14:00:41 -0700, ocheung@tklresearch.com (ocheung)
    wrote:

    >I set up
    >1) a Windows 2003 Server as a DC and DNS.
    >2) a Windows 2003 Server as a VPN server (member server).
    > The VPN server is also the certificate server included with Win2k3.
    >3) an XP client with patch (818043) from Microsoft.
    >4) a Windows 98 client with "Windows 98 SE DUN v1.4","ie6"
    > and "Windows 98 L2TP/IPSec client v1.0"
    >
    >Everything works fine, WinXP and Win98SE machines can connect without
    >any problems.
    >
    >But when I put a Check Point 4.1 firewall in between the VPN server and
    >the clients.
    >(For the firewall rules, any<=>any,any,accept.
    >Same as for the interfaces' rule.)
    >
    >Result: XP works on both L2TP and PPTP,
    > Win98SE fails on L2TP (error 629) but works on PPTP.
    >
    >Can someone help? I need the Win98SE to connect via L2TP!
    >
    >Here is the isakmp.log from the Win98SE computer:
    > 5-25: 15:27:41.430
    > 5-25: 15:27:41.430 Microsoft IPsec VPN\L2TP/IPsec - Generic entry
    >match with remote address 68.166.96.198.
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE
    >Phase 2 with Client IDs (message id: E0AAF7F1)
    > 5-25: 15:27:42.590 Initiator = IP ADDR=68.166.96.214, prot = 17
    >port = 1701
    > 5-25: 15:27:42.590 Responder = IP ADDR=68.166.96.198, prot = 17
    >port = 1701
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>>
    >ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Local ID
    >Received from NAT Peer: IP ADDR=68.166.96.214 (prot = 17, port = 1701)
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID
    >Received from NAT Peer: DOMAIN=vpn.domain.www.test.com (prot = 17,
    >port = 1701)
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Indeterminate
    >remote internal address.
    > 5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Error validating
    >Proxy IDs.
    > 5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >E0AAF7F1)
    > 5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >E0AAF7F1)
    > 5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >E0AAF7F1)
    > 5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >30AB1649)
    > 5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >E0AAF7F1)
    > 5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
    >ISAKMP OAK QM *(HASH, )
    > 5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - Received
    >malformed message or negotiation no longer active (message id:
    >E0AAF7F1)
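
As an added example (not part of either post): a small parser for isakmp.log output in the quoted, line-wrapped layout shown above. It rejoins the wrapped lines and reports whether the peer sent a NAT-OA payload in Quick Mode, when Proxy ID validation failed, and how many later messages were rejected per message id. The sample log is constructed, using documentation addresses and a made-up message id.

```python
import re
from collections import Counter

# Constructed sample in the same quoted, line-wrapped layout as the log above
# (documentation addresses and a made-up message id; not data from the post).
SAMPLE = """\
> 5-25: 15:27:42.590 Microsoft IPsec VPN\\L2TP/IPsec - Initiating IKE
>Phase 2 with Client IDs (message id: 1A2B3C4D)
> 5-25: 15:27:42.590 Initiator = IP ADDR=192.0.2.10, prot = 17
>port = 1701
> 5-25: 15:27:42.590 Microsoft IPsec VPN\\L2TP/IPsec - RECEIVED<<<
>ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
> 5-25: 15:27:42.590 Microsoft IPsec VPN\\L2TP/IPsec - Error validating
>Proxy IDs.
> 5-25: 15:27:43.470 Microsoft IPsec VPN\\L2TP/IPsec - RECEIVED<<<
>ISAKMP OAK QM *(HASH, )
> 5-25: 15:27:43.470 Microsoft IPsec VPN\\L2TP/IPsec - Received
>malformed message or negotiation no longer active (message id:
>1A2B3C4D)
"""

STAMP = re.compile(r"^\d{1,2}-\d{1,2}: (\d\d:\d\d:\d\d\.\d{3})\s*(.*)$")

def records(text):
    """Strip '>' quoting and join wrapped continuation lines to their timestamped line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line:
            out[-1][1] += " " + line
    return [tuple(r) for r in out]

def diagnose(text):
    """Summarise a Quick Mode exchange: NAT-OA seen, Proxy ID error time, rejected messages."""
    result = {"nat_oa": False, "proxy_id_error": None, "rejected": Counter()}
    for t, msg in records(text):
        payloads = re.search(r"RECEIVED<<<\s*ISAKMP OAK QM \*\((.*?)\)", msg)
        if payloads and "NAT-OA" in [p.strip() for p in payloads.group(1).split(",")]:
            result["nat_oa"] = True  # peer negotiated as if a NAT is in the path
        if "Error validating Proxy IDs" in msg and result["proxy_id_error"] is None:
            result["proxy_id_error"] = t
        rej = re.search(r"negotiation no longer active \(message id:\s*([0-9A-F]{8})\)", msg)
        if rej:
            result["rejected"][rej.group(1)] += 1
    return result
```

A result with `nat_oa` set, a `proxy_id_error` timestamp, and a growing `rejected` count for the same message id is the pattern visible in the log quoted above.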

