Re: Easy RRAS VPN question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/22/05
- Next message: Steven L Umbach: "Re: Anonymous Enumeration of accounts and shares"
- Previous message: Steven L Umbach: "Re: VPN users not able to map drives using NetBIOS names"
- In reply to: Jarryd: "Re: Easy RRAS VPN question"
- Next in thread: Steven L Umbach: "Re: Easy RRAS VPN question"
- Reply: Steven L Umbach: "Re: Easy RRAS VPN question"
- Reply: Steven L Umbach: "Re: Easy RRAS VPN question"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 22 Feb 2005 13:23:01 -0600
Well, that is a huge disadvantage if you cannot access the firewall to make
changes or see the firewall logs for dropped traffic or other error
messages. Since you can connect to the internal IP it sounds like your VPN
is set correctly and it most likely is an issue with the firewall/router. I
would try preshared key since it is easy enough to see what happens. The
other thing I would try is to see if it works with PPTP. PPTP is not subject
to the same problems with NAT that L2TP is. Another thing to try is if you
can connect your VPN server directly to the internet via an unfiltered
public TCP/IP address. You could try to use the built-in ICF firewall for
Windows 2003 to protect the computer and create the exceptions for inbound
L2TP. You can also turn on logging for the ICF Windows 2003 firewall so that
you would be able to see what traffic is being blocked, if any. A third-party
personal firewall such as Sygate would also be worth consideration. You can
try it free for thirty days and it has very advanced logging features. I
would certainly push your ISP to allow 1701 UDP to your network to see what
happens. Also check to see if the packet filters are correct on your
interface for the VPN server if it is configured as shown in the link below.
You also may want to post in the win2000.ras_routing newsgroup to see if
they have any words of wisdom there. --- Steve
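The thread keeps circling one question: whether UDP 1701 must be opened at the perimeter for L2TP/IPsec. As an added example (not from the thread or from any of its participants), here is a small Python model of the outer headers a firewall actually sees from an L2TP/IPsec client, with and without NAT-T, checked against a rule list; the Packet and Rule classes and the sample rule sets are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard assignments: IKE on UDP 500, NAT-T on UDP 4500, ESP is IP protocol 50,
# L2TP itself on UDP 1701 (only visible inside the IPsec tunnel).
IKE_PORT, NAT_T_PORT, L2TP_PORT, ESP_PROTO = 500, 4500, 1701, "50"


@dataclass(frozen=True)
class Packet:
    proto: str                         # "udp" or an IP protocol number as text
    dport: Optional[int]               # destination port; None for ESP
    inner: Optional["Packet"] = None   # encapsulated payload, if any
    note: str = ""


@dataclass(frozen=True)
class Rule:                            # constructed: one permit rule
    proto: str
    dport: Optional[int] = None        # None matches any port


def l2tp_over_ipsec(nat_in_path: bool) -> List[Packet]:
    """Outer packets a perimeter firewall sees from one L2TP/IPsec client."""
    l2tp = Packet("udp", L2TP_PORT, note="L2TP control/data (inside the tunnel)")
    if nat_in_path:
        # RFC 3948 NAT-T: after NAT detection, IKE moves to UDP 4500 and ESP
        # is wrapped in UDP 4500 as well, so the firewall never sees 1701.
        return [Packet("udp", IKE_PORT, note="IKE"),
                Packet("udp", NAT_T_PORT, note="IKE after NAT detection"),
                Packet("udp", NAT_T_PORT, inner=l2tp, note="UDP-encapsulated ESP")]
    return [Packet("udp", IKE_PORT, note="IKE"),
            Packet(ESP_PROTO, None, inner=l2tp, note="ESP")]


def permitted(pkt: Packet, rules: List[Rule]) -> bool:
    # Only the outer header is matched; the inner L2TP header is encrypted.
    return any(r.proto == pkt.proto and r.dport in (None, pkt.dport) for r in rules)


def blocked(rules: List[Rule], nat_in_path: bool) -> List[str]:
    """Notes of the flows a rule set would drop; an empty list means it suffices."""
    return [p.note for p in l2tp_over_ipsec(nat_in_path) if not permitted(p, rules)]


# Constructed rule set matching the one described in the thread: UDP 4500, UDP 500, IP 50.
THREAD_RULES = [Rule("udp", NAT_T_PORT), Rule("udp", IKE_PORT), Rule(ESP_PROTO)]

if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT in path={nat}: blocked={blocked(THREAD_RULES, nat)}")
    print("1701-only rule set:", blocked([Rule("udp", L2TP_PORT)], True))
```

If this model reports nothing blocked for the rule set in use, the failure lies elsewhere (NAT-T support on the client, certificates, or the RRAS packet filters) rather than in a missing port.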
"Jarryd" <Jarryd@youllneverknow.com> wrote in message
news:%23ARsaGMGFHA.2608@TK2MSFTNGP10.phx.gbl...
> Hi Steve,
>
> I have been having this discussion with someone else as well. This is an
> excerpt of my most recent posting:
>
> "I am having trouble with this and it very well may be what
> you are saying. It just contradicts what I have read about stateful
> inspection. But I have added the IPsec monitor snap-in to an MMC and
> checked it out, with a connection made internally. Definitely seems to do
> what you say, i.e. client listens on 1701 every time so it must be fixed.
> Even more weird it says that the destination port is ANY. How on earth is
> that supposed to work? Is that because it is tunneling through IPsec ESP
> payload (re: article) and therefore is not blocked? Then the VPN adaptor
> has to get a new IP address. Is this where things are not falling in-line
> with my understanding of how it should work, because I can see the IP and
> ports reversed at this point: starts source clientLAN-IP 1701 destination
> serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP
> ANY?
>
> I really thought this wouldn't be causing a problem but it really does
> seem to be. If I was in control of my firewall then I would just play
> around with it but I have to get the ISP to do it and it is a real pain.
> Please forgive me if I am coming across as though I think I know it all,
> it is not my intention. I am getting the following error:
>
> Error: 789 "The L2TP connection attempt failed because the security layer
> encountered a processing error during initial negotiations with the remote
> computer".
>
> The way it set up at the moment is as follows:
>
> Client > Internet > Firewall > Router/NAT > RRAS
>
> The server has a static NAT from public to private address so that it can
> be accessed from the internet. The firewall rules are applied to the LAN
> interface of the router. It works fine when I use the private IP address
> to connect internally. If I use the public IP address it fails in exactly
> the same way as if I were coming in over the internet. So could it be the
> firewall, or is it a NAT problem? I have SP2 installed on the client so
> perhaps that could be the problem:
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043. But I
> have added that to the registry
> (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\AssumeUDPEncapsulationContextOnSendRule
> (1)) and it still doesn't work. So now what could be going on? It is
> really doing my head in.
>
> Please let me know what you think. I am trying to get the ISP to change
> the router in accordance with your suggestion, but it is like trying to
> squeeze blood out of a stone to get them to do anything."
>
> I know it is a bit long-winded. But now you are up to speed with
> everything I have done to date. I haven't tried the pre-shared key.
> I'll give it a go, but the thing works using the certificate I created
> with my CA when I use the private IP address of the server, so doesn't
> that already prove that PKI is not a problem?
>
> Please let me know what you think.
>
> Thanks a mil for your help.
>
> Jarryd
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:ORs4SpKGFHA.4088@TK2MSFTNGP09.phx.gbl...
>> I am a bit confused about that as I don't understand why there would be a
>> difference where the VPN server is after all the firewall simply should
>> allow the authorized traffic to pass. I have seen other documentation from
>> MS that says that 1701 UDP needs to be allowed. I would open that port at
>> least until you have your problem resolved and also examine the firewall
>> logs for dropped packets for the IP address of the VPN client which often
>> is the best bet for troubleshooting such problems. Since you are using NAT
>> make sure the VPN client has the NAT-T update installed on it and if you
>> are using XP SP2 see the KB link below on how it uses the NAT-T client.
>> L2TP also uses computer certificates on the VPN server and client. If you
>> are using XP Pro client you might want to try to use pre-shared key
>> instead as a test to rule out problems with certificates/PKI. Also try to
>> connect via L2TP to your VPN server from the LAN using the VPN server's LAN
>> IP address to make sure it is correctly configured. --- Steve
>>
>> http://support.microsoft.com/kb/885348 --- KB on NAT-T and XP SP2
>> http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20274&DisplayTab=Article
>> --- also refers to the need to allow 1701 UDP
>>
>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>> news:%239pgeoCGFHA.1396@tk2msftngp13.phx.gbl...
>>> Hi Steve,
>>>
>>> I have re-read the article. It says, "There are no filters required for
>>> L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall,
>>> including tunnel maintenance and tunneled data, is encrypted as an IPSec
>>> ESP payload." So why do I have to also allow port 1701?
>>>
>>> That was actually a coincidental typo; protocol 51 should be 50, but
>>> well done for noticing it.
>>>
>>> Please let me know about 1701 because I am getting stopped at every turn
>>> here. I have permitted any UDP 4500, UDP 500 and IP 50 to the servers
>>> address but I get Error: 789 "The L2TP connection attempt failed
>>> because the security layer encountered a processing error during initial
>>> negotiations with the remote computer". I don't see anything in event
>>> viewer but I probably have to set something in the audit policy. Will
>>> post any updates from my side, but if you know the answer to this one
>>> please please please let me know. Driving me nuts!!
>>>
>>> TIA,
>>>
>>> Jarryd
>>>
>>>
>>>
>>>
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:O4l632rFFHA.3732@TK2MSFTNGP14.phx.gbl...
>>>> The article you referenced has all the info. You may also need to allow
>>>> access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is
>>>> for --- Steve
>>>>
>>>>
>>>> "Jefferey Simons" <asdfsdaf@asdf.asd> wrote in message
>>>> news:OedcPSnFFHA.2156@TK2MSFTNGP09.phx.gbl...
>>>>> Hi Steve,
>>>>>
>>>>> Thanks for your advice. So what you are saying is that I have assumed
>>>>> correctly, and to get this working all I should need to do is enable
>>>>> inbound traffic to my RRAS servers interface on UDP 500 and 4500 and
>>>>> IP Protocol 51? After that I should be laughing?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Jarryd
>>>>>
>>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>>> news:edRIRajFFHA.1260@TK2MSFTNGP12.phx.gbl...
>>>>>> You do not need to enable outgoing connections. The VPN server will
>>>>>> listen for VPN clients that want to connect and then evaluate the
>>>>>> connection based on Remote Access Policy conditions/profile. ---
>>>>>> Steve
>>>>>>
>>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>>> news:%23q%237W5cFFHA.2564@tk2msftngp13.phx.gbl...
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have found the following article which answers all my questions in
>>>>>>> the last post. What I am not sure of now is if I need to enable
>>>>>>> outgoing connections. Please see:
>>>>>>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_VPN_und13.asp
>>>>>>>
>>>>>>> As far as I know the firewall will block syn packets, so I am
>>>>>>> assuming that if I only to use my RRAS server to handle incoming
>>>>>>> connections then I should be OK just permitting inward traffic. The
>>>>>>> sessions are initiated by the clients and the server piggy
>>>>>>> backs out. I don't necessarily want the server to initiate remote
>>>>>>> sessions, i.e. with other VPN servers. Is my thinking correct?
>>>>>>>
>>>>>>> Please help, TIA,
>>>>>>>
>>>>>>> Jarryd
>>>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>>>> news:uQcei5aFFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to
>>>>>>>> allow L2TP connections using MS-CHAP v2. I have configured this
>>>>>>>> already on the server. Certificates are sorted as well. The only
>>>>>>>> thing is the ports that need to be opened on the firewall and NAT
>>>>>>>> on the router.
>>>>>>>>
>>>>>>>> As for the ports, do I only need to open up access to the server
>>>>>>>> for MS-CHAPv2 and IP/Sec? And what are the port numbers for that?
>>>>>>>> I think I have to have IP protocols 50 and UDP port 1701 allowed on
>>>>>>>> the router. But what about a port for MS-CHAPv2? Or is that
>>>>>>>> tunnelled through 1701? And does that then handle everything? If
>>>>>>>> so then I shouldn't have to enable 88 for Kerberos or 443 for SSL
>>>>>>>> because it is all tunnelled through?
>>>>>>>>
>>>>>>>> With regards to the router and NAT. I have a public address
>>>>>>>> assigned to the LAN interface that is statically NATed to an
>>>>>>>> address on our private range. To see the NAS from the internet I
>>>>>>>> will configure it the same (static NAT public.IP private.IP). Is
>>>>>>>> that going to cause any problems. I once read somewhere that it can
>>>>>>>> and you use port forwarding. Is that the answer? If so, what do I
>>>>>>>> forward to what? All L2TP and IP 50 packets to the server's IP,
>>>>>>>> rather than set up NAT?
>>>>>>>>
>>>>>>>> Please help, TIA,
>>>>>>>>
>>>>>>>> Jarryd