Re: Easy RRAS VPN question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/22/05


Date: Tue, 22 Feb 2005 14:33:13 -0600

Here is another article that may help. When NAT-T is used, port 1701 UDP
traffic is wrapped in the port 4500 UDP traffic, which is why the firewall
does not need port 1701 UDP to be opened when NAT-T is used. If L2TP is used
to go through a firewall directly then port 1701 UDP needs to be open. If
packet filtering is used on the network adapter in the VPN server, port 1701
UDP and 4500 UDP need to be allowed. --- Steve

http://www.isaserver.org/tutorials/natt2003.html
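As an added example (not part of the thread), this models the encapsulation layers Steve describes: which headers a perimeter firewall can match on the wire with and without NAT-T, which ones the VPN server's own adapter filters see after IPsec decapsulation, and what a given allow-list is missing. The Rule class, the function names and the assumption that the adapter filter list is consulted for the decapsulated packet too are mine; the port and protocol numbers are the ones the thread discusses.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One allow entry as a firewall would express it: IP protocol name plus
    destination port (None for ESP, which has no ports)."""
    proto: str
    dst_port: Optional[int] = None

IKE = Rule("udp", 500)      # ISAKMP/IKE negotiation
NAT_T = Rule("udp", 4500)   # IKE plus UDP-encapsulated ESP once NAT is detected
ESP_RAW = Rule("esp")       # plain ESP, IP protocol 50 (no NAT in the path)
L2TP = Rule("udp", 1701)    # L2TP control and data, always carried inside ESP

def on_the_wire(nat_t: bool) -> List[Rule]:
    """Headers a perimeter firewall or NAT router can match on. UDP 1701 is
    absent on purpose: it is the encrypted ESP payload, so the firewall
    never sees it as a distinct port. With NAT-T the ESP itself is wrapped
    in UDP 4500, so protocol 50 disappears from the wire as well."""
    return [IKE, NAT_T] if nat_t else [IKE, ESP_RAW]

def after_ipsec(nat_t: bool) -> List[Rule]:
    """Headers the VPN server's own adapter filters must allow. Assumption:
    the same filter list is consulted both for the outer packet and for the
    decapsulated L2TP packet, so it needs the wire rules plus UDP 1701."""
    return on_the_wire(nat_t) + [L2TP]

def missing_rules(allowed: List[Rule], nat_t: bool, on_vpn_server: bool) -> List[Rule]:
    """Return the required rules that a given allow-list lacks."""
    needed = after_ipsec(nat_t) if on_vpn_server else on_the_wire(nat_t)
    have = set(allowed)
    return [r for r in needed if r not in have]

# Constructed allow-list reflecting what Jarryd says the ISP permitted:
# "any UDP 4500, UDP 500 and IP 50 to the servers address".
JARRYD_PERIMETER = [Rule("udp", 4500), Rule("udp", 500), Rule("esp")]

if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: perimeter gaps {missing_rules(JARRYD_PERIMETER, nat_t, False)}")
        print(f"NAT-T={nat_t}: adapter gaps   {missing_rules(JARRYD_PERIMETER, nat_t, True)}")
```

Run against the constructed perimeter list it reports no gaps at the firewall for either path, but flags UDP 1701 as missing on the server adapter, which is the distinction Steve draws above.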

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ecH2TORGFHA.524@TK2MSFTNGP14.phx.gbl...
> Well that is a huge disadvantage if you can not access the firewall to
> make changes or see the firewall logs for dropped traffic or other error
> messages. Since you can connect to the internal IP it sounds like your VPN
> is set correctly and it most likely is an issue with the firewall/router.
> I would try preshared key since it is easy enough to see what happens. The
> other thing I would try is to see if it works with PPTP. PPTP is not
> subject to the same problems with NAT that L2TP is. Another thing to try
> is if you can connect your VPN server directly to the internet via an
> unfiltered public TCP/IP address. You could try to use the built in ICF
> firewall for Windows 2003 to protect the computer and create the
> exceptions for inbound L2TP. You can also turn on logging for the ICF
> Windows 2003 firewall so that you would be able to see what traffic is
> being blocked, if any. A third party personal firewall such as Sygate would
> also be worth consideration. You can try it free for thirty days and it
> has very advanced logging features. I would certainly push your ISP to
> allow 1701 UDP to your network to see what happens. Also check to see if
> the packet filters are correct on your interface for the VPN server if it is
> configured as shown in the link below. You also may want to post in the
> win2000.ras_routing newsgroup to see if they have any words of wisdom
> there. --- Steve
>
> http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/mpr_how_L2TPinputfilters.htm
>
>
> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
> news:%23ARsaGMGFHA.2608@TK2MSFTNGP10.phx.gbl...
>> Hi Steve,
>>
>> I have been having this discussion with someone else as well. This is an
>> excerpt of my most recent posting:
>>
>> "I am having trouble with this and it very well may be what you are
>> saying. It just contradicts what I have read about stateful inspection.
>> But I have added the IpSec monitor snap-in to an MMC and checked it out,
>> with a connection made internally. Definitely seems to do what you say,
>> i.e. client listens on 1701 every time so it must be fixed. Even more
>> weird, it says that the destination port is ANY. How on earth is that
>> supposed to work? Is that because it is tunneling through IPsec ESP
>> payload (re: article) and therefore is not blocked? Then the VPN adaptor
>> has to get a new IP address. Is this where things are not falling in-line
>> with my understanding of how it should work, because I can see the IP and
>> ports reversed at this point: starts source clientLAN-IP 1701 destination
>> serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP
>> ANY?
>>
>> I really thought this wouldn't be causing a problem but it really does
>> seem to be. If I was in control of my firewall then I would just play
>> around with it but I have to get the ISP to do it and it is a real pain.
>> Please forgive me if I am coming across as though I think I know it all,
>> it is not my intention. I am getting the following error:
>>
>> Error: 789 "The L2TP connection attempt failed because the security layer
>> encountered a processing error during initial negotiations with the
>> remote computer".
>>
>> The way it is set up at the moment is as follows:
>>
>> Client > Internet > Firewall > Router/NAT > RRAS
>>
>> The server has a static NAT from public to private address so that it can
>> be accessed from the internet. The firewall rules are applied to the LAN
>> interface of the router. It works fine when I use the private IP address
>> to connect internally. If I use the public IP address it fails in exactly
>> the same way as if I were coming in over the internet. So could it be the
>> firewall, or is it a NAT problem? I have SP2 installed on the client so
>> perhaps that could be the problem:
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043. But I
>> have added that to the registry
>> (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\AssumeUDPEncapsulationContextOnSendRule
>> (1)) and it still doesn't work. So now what could be going on? It is
>> really doing my head in.
>>
>> Please let me know what you think. I am trying to get the ISP to change
>> the router in accordance with your suggestion, but it is like trying to
>> squeeze blood out of a stone to get them to do anything."
>>
>> I know it is a bit long winded. But now you are up to speed with
>> everything I have done to date. I haven't tried the pre-shared key.
>> I'll give it a go, but the thing works using the certificate I created
>> with my CA when I use the private IP address of the server, so doesn't
>> that already prove that PKI is not a problem?
>>
>> Please let me know what you think.
>>
>> Thanks a mil for your help.
>>
>> Jarryd
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:ORs4SpKGFHA.4088@TK2MSFTNGP09.phx.gbl...
>>>I am a bit confused about that as I don't understand why there would be a
>>>difference where the VPN server is; after all, the firewall simply should
>>>allow the authorized traffic to pass. I have seen other documentation
>>>from MS that says that 1701 UDP needs to be allowed. I would open that
>>>port at least until you have your problem resolved and also examine the
>>>firewall logs for dropped packets for the IP address of the VPN client,
>>>which often is the best bet for troubleshooting such problems. Since you
>>>are using NAT make sure the VPN client has the NAT-T update installed on
>>>it and if you are using XP SP2 see the KB link below on how it uses the
>>>NAT-T client. L2TP also uses computer certificates on the VPN server and
>>>client. If you are using XP Pro client you might want to try to use
>>>pre-shared key instead as a test to rule out problems with certificates/PKI.
>>>Also try to connect via L2TP to your VPN server from the LAN using the
>>>VPN server's LAN IP address to make sure it is correctly configured. ---
>>>Steve
>>>
>>> http://support.microsoft.com/kb/885348 --- KB on NAT-T and XP SP2
>>> http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20274&DisplayTab=Article
>>> --- also refers to the need to allow 1701 UDP
>>>
>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>> news:%239pgeoCGFHA.1396@tk2msftngp13.phx.gbl...
>>>> Hi Steve,
>>>>
>>>> I have re-read the article. It says, "There are no filters required
>>>> for L2TP traffic at the UDP port of 1701. All L2TP traffic at the
>>>> firewall, including tunnel maintenance and tunneled data, is encrypted
>>>> as an IPSec ESP payload." So why do I have to also allow port 1701?
>>>>
>>>> That was actually a coincidental typo; protocol 51 should be 50, but
>>>> well done for noticing it.
>>>>
>>>> Please let me know about 1701 because I am getting stopped at every
>>>> turn here. I have permitted any UDP 4500, UDP 500 and IP 50 to the
>>>> server's address but I get Error: 789 "The L2TP connection attempt
>>>> failed because the security layer encountered a processing error during
>>>> initial negotiations with the remote computer". I don't see anything
>>>> in event viewer but I probably have to set something in the audit
>>>> policy. Will post any updates from my side, but if you know the answer
>>>> to this one please please please let me know. Driving me nuts!!
>>>>
>>>> TIA,
>>>>
>>>> Jarryd
>>>>
>>>>
>>>>
>>>>
>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>> news:O4l632rFFHA.3732@TK2MSFTNGP14.phx.gbl...
>>>>> The article you referenced has all the info. You may also need to
>>>>> allow access for port 1701 UDP and protocol 50 - not 51. Protocol 50
>>>>> is for --- Steve
>>>>>
>>>>>
>>>>> "Jefferey Simons" <asdfsdaf@asdf.asd> wrote in message
>>>>> news:OedcPSnFFHA.2156@TK2MSFTNGP09.phx.gbl...
>>>>>> Hi Steve,
>>>>>>
>>>>>> Thanks for your advice. So what you are saying is that I have
>>>>>> assumed correctly, and to get this working all I should need to do is
>>>>>> enable inbound traffic to my RRAS server's interface on UDP 500 and
>>>>>> 4500 and IP Protocol 51? After that I should be laughing?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Jarryd
>>>>>>
>>>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>>>> news:edRIRajFFHA.1260@TK2MSFTNGP12.phx.gbl...
>>>>>>> You do not need to enable outgoing connections. The VPN server will
>>>>>>> listen for VPN clients that want to connect and then evaluate the
>>>>>>> connection based on Remote Access Policy conditions/profile. ---
>>>>>>> Steve
>>>>>>>
>>>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>>>> news:%23q%237W5cFFHA.2564@tk2msftngp13.phx.gbl...
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have found the following article which answers all my questions
>>>>>>>> in the last post. What I am not sure of now is if I need to enable
>>>>>>>> outgoing connections. Please see:
>>>>>>>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_VPN_und13.asp
>>>>>>>>
>>>>>>>> As far as I know the firewall will block SYN packets, so I am
>>>>>>>> assuming that if I only use my RRAS server to handle incoming
>>>>>>>> connections then I should be OK just permitting inward traffic.
>>>>>>>> The sessions are initiated by the clients and the server
>>>>>>>> piggybacks out. I don't necessarily want the server to initiate
>>>>>>>> remote sessions, i.e. with other VPN servers. Is my thinking
>>>>>>>> correct?
>>>>>>>>
>>>>>>>> Please help, TIA,
>>>>>>>>
>>>>>>>> Jarryd
>>>>>>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>>>>>>> news:uQcei5aFFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to
>>>>>>>>> allow L2TP connections using MS-CHAP v2. I have configured this
>>>>>>>>> already on the server. Certificates are sorted as well. The only
>>>>>>>>> thing is the ports that need to be opened on the firewall and NAT
>>>>>>>>> on the router.
>>>>>>>>>
>>>>>>>>> As for the ports, do I only need to open up access to the server
>>>>>>>>> for MS-CHAPv2 and IPsec? And what are the port numbers for that?
>>>>>>>>> I think I have to have IP protocol 50 and UDP port 1701 allowed
>>>>>>>>> on the router. But what about a port for MS-CHAPv2? Or is that
>>>>>>>>> tunnelled through 1701? And does that then handle everything? If
>>>>>>>>> so then I shouldn't have to enable 88 for Kerberos or 443 for SSL
>>>>>>>>> because it is all tunnelled through?
>>>>>>>>>
>>>>>>>>> With regards to the router and NAT. I have a public address
>>>>>>>>> assigned to the LAN interface that is statically NATed to an
>>>>>>>>> address on our private range. To see the NAS from the internet I
>>>>>>>>> will configure it the same (static NAT public.IP private.IP). Is
>>>>>>>>> that going to cause any problems. I once read somewhere that it
>>>>>>>>> can and you use port forwarding. Is that the answer? If so, what
>>>>>>>>> do I forward to what? All L2TP and IP 50 packets to the server's
>>>>>>>>> IP, rather than set up NAT?
>>>>>>>>>
>>>>>>>>> Please help, TIA,
>>>>>>>>>
>>>>>>>>> Jarryd
>>>>>>>>>


