Re: Easy RRAS VPN question
From: Jarryd (Jarryd_at_youllneverknow.com)
Date: 02/21/05
- Next message: Luca: "Re: Server refuse to print on TCP-IP port printers."
- Previous message: Jarryd: "Re: VPN firewall question"
- In reply to: Steven L Umbach: "Re: Easy RRAS VPN question"
- Next in thread: Steven L Umbach: "Re: Easy RRAS VPN question"
- Reply: Steven L Umbach: "Re: Easy RRAS VPN question"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Feb 2005 15:30:15 -0000
Hi Steve,
I have re-read the article. It says, "There are no filters required for
L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall,
including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP
payload." So why do I have to also allow port 1701?
That was actually a coincidental typo; protocol 51 should be 50, but well
done for noticing it.
Please let me know about 1701 because I am getting stopped at every turn
here. I have permitted any UDP 4500, UDP 500 and IP 50 to the server's
address but I get Error: 789 "The L2TP connection attempt failed because
the security layer encountered a processing error during initial
negotiations with the remote computer". I don't see anything in event
viewer but I probably have to set something in the audit policy. Will post
any updates from my side, but if you know the answer to this one please
please please let me know. Driving me nuts!!
TIA,
Jarryd
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:O4l632rFFHA.3732@TK2MSFTNGP14.phx.gbl...
> The article you referenced has all the info. You may also need to allow
> access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is for
> P. --- Steve
>
>
> "Jefferey Simons" <asdfsdaf@asdf.asd> wrote in message
> news:OedcPSnFFHA.2156@TK2MSFTNGP09.phx.gbl...
>> Hi Steve,
>>
>> Thanks for your advice. So what you are saying is that I have assumed
>> correctly, and to get this working all I should need to do is enable
>> inbound traffic to my RRAS servers interface on UDP 500 and 4500 and IP
>> Protocol 51? After that I should be laughing?
>>
>> Cheers,
>>
>> Jarryd
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:edRIRajFFHA.1260@TK2MSFTNGP12.phx.gbl...
>>> You do not need to enable outgoing connections. The VPN server will
>>> listen for VPN clients that want to connect and then evaluate the
>>> connection based on Remote Access Policy conditions/profile. --- Steve
>>>
>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>> news:%23q%237W5cFFHA.2564@tk2msftngp13.phx.gbl...
>>>> Hello,
>>>>
>>>> I have found the following article which answers all my questions in
>>>> the last post. What I am not sure of now is if I need to enable
>>>> outgoing connections. Please see:
>>>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_VPN_und13.asp
>>>>
>>>> As far as I know the firewall will block syn packets, so I am assuming
>>>> that if I only to use my RRAS server to handle incoming connections
>>>> then I should be OK just permitting inward traffic. The sessions are
>>>> initiated by the clients and the server piggybacks out. I
>>>> don't necessarily want the server to initiate remote sessions, i.e.
>>>> with other VPN servers. Is my thinking correct?
>>>>
>>>> Please help, TIA,
>>>>
>>>> Jarryd
>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>> news:uQcei5aFFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to
>>>>> allow L2TP connections using MS-CHAP v2. I have configured this
>>>>> already on the server. Certificates are sorted as well. The only
>>>>> thing is the ports that need to be opened on the firewall and NAT on
>>>>> the router.
>>>>>
>>>>> As for the ports, do I only need to open up access to the server for
>>>>> MS-CHAPv2 and IPSec? And what are the port numbers for that? I
>>>>> think I have to have IP protocol 50 and UDP port 1701 allowed on the
>>>>> router. But what about a port for MS-CHAPv2? Or is that tunnelled
>>>>> through 1701? And does that then handle everything? If so then I
>>>>> shouldn't have to enable 88 for Kerberos or 443 for SSL because it is
>>>>> all tunnelled through?
>>>>>
>>>>> With regards to the router and NAT. I have a public address assigned
>>>>> to the LAN interface that is statically NATed to an address on our
>>>>> private range. To see the NAS from the internet I will configure it
>>>>> the same (static NAT public.IP private.IP). Is that going to cause
>>>>> any problems? I once read somewhere that it can and you use port
>>>>> forwarding. Is that the answer? If so, what do I forward to what?
>>>>> All L2TP and IP 50 packets to the server's IP, rather than set up NAT?
>>>>>
>>>>> Please help, TIA,
>>>>>
>>>>> Jarryd
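To make the rule set argued over in this exchange concrete, here is an added Python model (not from the thread, Microsoft or RRAS) of a stateless inbound ACL evaluated against the packets an L2TP/IPsec client sends to the server; it assumes the statically NATed setup described earlier puts NAT in the path, so NAT-T moves IKE and ESP onto UDP 4500, and it shows that the "protocol 51" typo only blocks the tunnel when no NAT is involved and that bare UDP 1701 never reaches the firewall, as the quoted article states.

```python
from dataclasses import dataclass
from typing import List, Optional

UDP, ESP, AH = 17, 50, 51   # IP protocol numbers; AH (51) was the typo in the thread

@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None   # None: any destination port (ESP/AH have no ports)

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int]
    phase: str                    # stage of the L2TP/IPsec setup this packet belongs to

def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Stateless inbound ACL: any matching permit rule lets the packet through."""
    return any(r.proto == pkt.proto and r.dport in (None, pkt.dport) for r in rules)

def l2tp_ipsec_flow(nat_in_path: bool) -> List[Packet]:
    """Inbound packets from one VPN client to the RRAS server (constructed, simplified).
    L2TP itself (UDP 1701) rides inside ESP, so it never appears as a bare packet."""
    flow = [Packet(UDP, 500, "IKE phase 1/2")]
    if nat_in_path:
        # NAT-T: IKE floats to UDP 4500 and ESP is UDP-encapsulated on the same port
        flow += [Packet(UDP, 4500, "IKE over NAT-T"),
                 Packet(UDP, 4500, "UDP-encapsulated ESP (L2TP inside)")]
    else:
        flow.append(Packet(ESP, None, "ESP (L2TP inside)"))
    return flow

def blocked_phases(rules: List[Rule], nat_in_path: bool) -> List[str]:
    """Phases the ACL would drop; an empty list means the tunnel can come up."""
    return [p.phase for p in l2tp_ipsec_flow(nat_in_path) if not allowed(rules, p)]

def bare_l2tp_seen(nat_in_path: bool) -> bool:
    """True only if an unencrypted UDP 1701 packet reaches the firewall (it should not)."""
    return any(p.proto == UDP and p.dport == 1701 for p in l2tp_ipsec_flow(nat_in_path))

# The two rule sets discussed: the "protocol 51" typo and the corrected one
TYPO_RULES = [Rule(UDP, 500), Rule(UDP, 4500), Rule(AH)]
CORRECT_RULES = [Rule(UDP, 500), Rule(UDP, 4500), Rule(ESP)]

if __name__ == "__main__":
    for name, rules in (("typo", TYPO_RULES), ("correct", CORRECT_RULES)):
        for nat in (False, True):
            print(f"{name:7} NAT={nat!s:5} blocked={blocked_phases(rules, nat)}")
```

Dropping the UDP 4500 rule from the model breaks every NATed client while leaving a directly connected one working, which is why a rule set can look right on the LAN and still fail from the Internet.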