Re: Easy RRAS VPN question

From: Jarryd (Jarryd_at_youllneverknow.com)
Date: 02/22/05


Date: Tue, 22 Feb 2005 09:34:34 -0000

Hi Steve,

I have been having this discussion with someone else as well. This is an
excerpt of my most recent posting:

"I am having trouble with this and it very well may be what
you are saying. It just contradicts what I have read about stateful
inspection. But I have added the IPSec monitor snap-in to an MMC and
checked it out, with a connection made internally. Definitely seems to do
what you say, i.e. client listens on 1701 every time so it must be fixed.
Even more weirdly, it says that the destination port is ANY. How on earth is
that supposed to work? Is that because it is tunneling through IPsec ESP
payload (re: article) and therefore is not blocked? Then the VPN adaptor
has to get a new IP address. Is this where things are not falling in-line
with my understanding of how it should work, because I can see the IP and
ports reversed at this point: starts source clientLAN-IP 1701 destination
serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP ANY?

I really thought this wouldn't be causing a problem but it really does seem
to be. If I was in control of my firewall then I would just play around
with it but I have to get the ISP to do it and it is a real pain. Please
forgive me if I am coming across as though I think I know it all, it is not
my intention. I am getting the following error:

Error: 789 "The L2TP connection attempt failed because the security layer
encountered a processing error during initial negotiations with the remote
computer".

The way it is set up at the moment is as follows:

Client > Internet > Firewall > Router/NAT > RRAS

The server has a static NAT from public to private address so that it can be
accessed from the internet. The firewall rules are applied to the LAN
interface of the router. It works fine when I use the private IP address to
connect internally. If I use the public IP address it fails in exactly the
same way as if I were coming in over the internet. So could it be the
firewall, or is it a NAT problem? I have SP2 installed on the client so
perhaps that could be the problem:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043. But I
have added that to the registry
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\AssumeUDPEncapsulationContextOnSendRule
(1)) and it still doesn't work. So now what could be going on? It is
really doing my head in.

Please let me know what you think. I am trying to get the ISP to change the
router in accordance with your suggestion, but it is like trying to squeeze
blood out of a stone to get them to do anything."

I know it is a bit long-winded. But now you are up to speed with everything
I have done to date. I haven't tried the pre-shared key. I'll give it a
go, but the thing works using the certificate I created with my CA when I
use the private IP address of the server, so doesn't that already prove that
PKI is not a problem?

Please let me know what you think.

Thanks a mil for your help.

Jarryd

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ORs4SpKGFHA.4088@TK2MSFTNGP09.phx.gbl...
>I am a bit confused about that as I don't understand why there would be a
>difference where the VPN server is; after all, the firewall simply should
>allow the authorized traffic to pass. I have seen other documentation from
>MS that says that 1701 UDP needs to be allowed. I would open that port at
>least until you have your problem resolved and also examine the firewall
>logs for dropped packets for the IP address of the VPN client which often
>is the best bet for troubleshooting such problems. Since you are using NAT
>make sure the VPN client has the NAT-T update installed on it and if you
>are using XP SP2 see the KB link below on how it uses the NAT-T client.
>L2TP also uses computer certificates on the VPN server and client. If you
>are using XP Pro client you might want to try to use a pre-shared key instead
>as a test to rule out problems with certificates/PKI. Also try to connect
>via L2TP to your VPN server from the LAN using the VPN server's LAN IP
>address to make sure it is correctly configured. --- Steve
>
> http://support.microsoft.com/kb/885348 --- KB on NAT-T and XP SP2
> http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20274&DisplayTab=Article
> --- also refers to the need to allow 1701 UDP
>
> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
> news:%239pgeoCGFHA.1396@tk2msftngp13.phx.gbl...
>> Hi Steve,
>>
>> I have re-read the article. It says, "There are no filters required for
>> L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall,
>> including tunnel maintenance and tunneled data, is encrypted as an IPSec
>> ESP payload." So why do I have to also allow port 1701?
>>
>> That was actually a coincidental typo; protocol 51 should be 50, but
>> well done for noticing it.
>>
>> Please let me know about 1701 because I am getting stopped at every turn
>> here. I have permitted any UDP 4500, UDP 500 and IP 50 to the server's
>> address but I get Error: 789 "The L2TP connection attempt failed because
>> the security layer encountered a processing error during initial
>> negotiations with the remote computer". I don't see anything in event
>> viewer but I probably have to set something in the audit policy. Will
>> post any updates from my side, but if you know the answer to this one
>> please please please let me know. Driving me nuts!!
>>
>> TIA,
>>
>> Jarryd
>>
>>
>>
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:O4l632rFFHA.3732@TK2MSFTNGP14.phx.gbl...
>>> The article you referenced has all the info. You may also need to allow
>>> access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is for
>>> --- Steve
>>>
>>>
>>> "Jefferey Simons" <asdfsdaf@asdf.asd> wrote in message
>>> news:OedcPSnFFHA.2156@TK2MSFTNGP09.phx.gbl...
>>>> Hi Steve,
>>>>
>>>> Thanks for your advice. So what you are saying is that I have assumed
>>>> correctly, and to get this working all I should need to do is enable
>>>> inbound traffic to my RRAS servers interface on UDP 500 and 4500 and IP
>>>> Protocol 51? After that I should be laughing?
>>>>
>>>> Cheers,
>>>>
>>>> Jarryd
>>>>
>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>> news:edRIRajFFHA.1260@TK2MSFTNGP12.phx.gbl...
>>>>> You do not need to enable outgoing connections. The VPN server will
>>>>> listen for VPN clients that want to connect and then evaluate the
>>>>> connection based on Remote Access Policy conditions/profile. ---
>>>>> Steve
>>>>>
>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>> news:%23q%237W5cFFHA.2564@tk2msftngp13.phx.gbl...
>>>>>> Hello,
>>>>>>
>>>>>> I have found the following article which answers all my questions in
>>>>>> the last post. What I am not sure of now is if I need to enable
>>>>>> outgoing connections. Please see:
>>>>>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_VPN_und13.asp
>>>>>>
>>>>>> As far as I know the firewall will block syn packets, so I am
>>>>>> assuming that if I only to use my RRAS server to handle incoming
>>>>>> connections then I should be OK just permitting inward traffic. The
>>>>>> sessions are initiated by the clients and the server piggybacks
>>>>>> out. I don't necessarily want the server to initiate remote
>>>>>> sessions, i.e. with other VPN servers. Is my thinking correct?
>>>>>>
>>>>>> Please help, TIA,
>>>>>>
>>>>>> Jarryd
>>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>>> news:uQcei5aFFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to
>>>>>>> allow L2TP connections using MS-CHAP v2. I have configured this
>>>>>>> already on the server. Certificates are sorted as well. The only
>>>>>>> thing is the ports that need to be opened on the firewall and NAT on
>>>>>>> the router.
>>>>>>>
>>>>>>> As for the ports, do I only need to open up access to the server for
>>>>>>> MS-CHAPv2 and IPSec? And what are the port numbers for that? I
>>>>>>> think I have to have IP protocols 50 and UDP port 1701 allowed on
>>>>>>> the router. But what about a port for MS-CHAPv2? Or is that
>>>>>>> tunnelled through 1701? And does that then handle everything? If so
>>>>>>> then I shouldn't have to enable 88 for Kerberos or 443 for SSL
>>>>>>> because it is all tunnelled through?
>>>>>>>
>>>>>>> With regards to the router and NAT. I have a public address
>>>>>>> assigned to the LAN interface that is statically NATed to an address
>>>>>>> on our private range. To see the NAS from the internet I will
>>>>>>> configure it the same (static NAT public.IP private.IP). Is that
>>>>>>> going to cause any problems? I once read somewhere that it can and
>>>>>>> you use port forwarding. Is that the answer? If so, what do I
>>>>>>> forward to what? All L2TP and IP 50 packets to the server's IP,
>>>>>>> rather than set up NAT?
>>>>>>>
>>>>>>> Please help, TIA,
>>>>>>>
>>>>>>> Jarryd
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
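Steve's advice to go through the firewall logs for dropped packets from the VPN client's address is easy to script. The following is an added example, not code from anyone in this thread: it reads firewall log lines in an assumed simple format (the sample lines are constructed; real firewall log formats differ) and reports which of the L2TP/IPsec-related drops (UDP 500, UDP 4500, ESP protocol 50, UDP 1701) hit a given client/server pair.

```python
# Added example (not from this thread): find dropped packets from a VPN client
# for the traffic an L2TP/IPsec connection needs, so a missing rule stands out.
import re
from collections import Counter
# Ports/protocols discussed in the thread: IKE on UDP 500, NAT-T on UDP 4500
# (ESP wrapped in UDP), raw ESP (IP protocol 50) and L2TP on UDP 1701.
L2TP_IPSEC_RULES = {
    ("udp", 500): "IKE (ISAKMP) UDP 500",
    ("udp", 4500): "NAT-T (UDP-encapsulated ESP) UDP 4500",
    ("esp", None): "ESP, IP protocol 50",
    ("udp", 1701): "L2TP UDP 1701 (only visible outside IPsec)",
}
# Assumed log line format (constructed; real firewalls differ):
#   "<ACTION> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def dropped_vpn_traffic(lines, client_ip, server_ip):
    """Count DROP entries from client_ip to server_ip per L2TP/IPsec rule."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["action"].lower() != "drop":
            continue
        if rec["src"] != client_ip or rec["dst"] != server_ip:
            continue
        proto = rec["proto"].lower()
        # Only UDP is keyed by port; ESP has no ports, so its key is (esp, None)
        desc = L2TP_IPSEC_RULES.get((proto, rec["dport"] if proto == "udp" else None))
        if desc:
            hits[desc] += 1
    return dict(hits)

SAMPLE_LOG = [  # constructed sample lines, not real firewall output
    "ALLOW udp 203.0.113.10:500 -> 198.51.100.5:500",
    "DROP udp 203.0.113.10:4500 -> 198.51.100.5:4500",
    "DROP esp 203.0.113.10 -> 198.51.100.5",
    "DROP udp 203.0.113.10:1701 -> 198.51.100.5:1701",
    "DROP udp 203.0.113.99:4500 -> 198.51.100.5:4500",
]
```

Run it over the real dropped-packet entries for the client's address; the rule names it reports are the ones still missing from the firewall, which is exactly the list to hand to the ISP.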


