Re: VPN not working when client behind another firewall
From: Franz Leu (franz.leu.spam_removal_at_spam_removal.norfolk.ch)
Date: 08/05/04
- Next message: Sleurhutje: "Re: Win98 migration on SBS2003"
- Previous message: Lanwench [MVP - Exchange]: "Re: Outlook Web in SBS2003"
- In reply to: Mark Richards: "Re: VPN not working when client behind another firewall"
- Next in thread: Mark Richards: "Re: VPN not working when client behind another firewall"
- Reply: Mark Richards: "Re: VPN not working when client behind another firewall"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 5 Aug 2004 16:32:37 +0200
Got the picture ...mmmhhhm
To be honest, I am not a real help now, but maybe this is something:

[from SBS 2003 Best Practices]
be advised there is an issue with respect to having VPN connections when you
place a hardware-based firewall router out in front of SBS 2003 and want to
tunnel into the SBS network (especially if you're adhering to the best practice
of a dual firewall). This area is NAT-T over IPSec across the firewall.
Technically speaking, IPSec NAT Traversal (NAT-T) allows IPSec clients and
server to work when behind a NAT. To use NAT-T, both the remote access VPN
client and the remote access server must be IPSec NAT-T-capable. IPSec NAT-T
provides UDP encapsulation of IPSec packets to enable Internet Key Exchange
(IKE) and Encapsulating Security Payload (ESP)-protected traffic to pass through
a NAT. IKE automatically detects that a NAT is present and uses User Datagram
Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation to enable
ESP-protected IPSec traffic to pass through the NAT. IPSec NAT-T is supported by
the Windows Server 2003 family. As such, it's supported in SBS 2003. Your next
step might be to delve deeper into the issue with the Microsoft Press Windows
Server 2003 Resource Kit or look up some articles on TechNet.
[thanks Harry]

I'll get back if some new ideas hit me.
Maybe one of the real "pros" can jump in.
Bye, Franz
"Mark Richards" <mark.richards@expw.co.uk> wrote in message
news:0a5001c47af2$e4d560c0$a601280a@phx.gbl...
> Please excuse my ignorance Franz!
>
> We have a Thomson / Speedtouch 510 and a Symantec 200
> Firewall Appliance. I believe that these are configured
> correctly as we have used VPN successfully before. The
> difference now is that we have guys trying to VPN from
> behind another firewall. However, other guys (not from
> our company) are able to VPN into their own server from
> behind this same firewall. So it would seem that the
> other firewall is also configured correctly.
>
> Regards
> Mark
>
> >-----Original Message-----
> >Mark,
> >
> >It's not "port 47". It's "GRE-protocol 47".
> >Your router needs to pass it through. You can close port 47. Maybe there
> >is a setting which enables VPN pass-thru in general.
> >What type of router is it?
> >
> >Franz
> >
> >
> >"Mark Richards" <mark.richards@expw.co.uk> wrote in message
> >news:07bf01c47acd$82f5d5d0$a401280a@phx.gbl...
> >> Hi Marina,
> >>
> >> OK - so our VPN is working fine when the client is NOT
> >> behind another firewall - and our port 47 is definitely
> >> open on our firewall.
> >>
> >> Do we need to make sure that the other firewall has port
> >> 47 open too?
> >>
> >> Regards
> >> Mark
> >>
> >>
> >>
> >> >-----Original Message-----
> >> >Hi Mark,
> >> >
> >> >Error 721 means that the router is not passing through the GRE-protocol 47,
> >> >which is needed for VPN.
> >> >Check the documentation of the router/firewall or the website for firmware
> >> >upgrade or even downgrade.
> >> >
> >> >--
> >> >Regards,
> >> >
> >> >Marina
> >> >Microsoft SBS-MVP
> >> >
> >> >"Mark Richards" <mark.richards@expw.co.uk> wrote in message
> >> >news:c1da01c47a30$9def6fb0$a301280a@phx.gbl...
> >> >> Hi,
> >> >>
> >> >> VPN is not working for our client PCs currently trying to
> >> >> connect from behind another firewall. The administrators
> >> >> of the "other" firewall have opened up ports 1721, 1723
> >> >> and 500, 1701, but our PCs get the following error after
> >> >> the dialog box says "Checking password":
> >> >>
> >> >> "The remote computer did not respond. For further
> >> >> assistance, click More Info or search Help and Support
> >> >> Center for this error number. (Error 721) For customized
> >> >> troubleshooting information for this connection, click
> >> >> Help.
> >> >> Pausing before reconnecting (3 seconds)..."
> >> >>
> >> >> We've tried opening ALL ports on our firewall but to no
> >> >> avail. I am also unable to telnet to any of the ports,
> >> >> although I may be attempting to do this incorrectly.
> >> >>
> >> >> Any thoughts / help would be much appreciated.
> >> >>
> >> >> Regards
> >> >>
> >> >> Mark
> >> >
> >> >
> >> >.
> >> >
> >
> >.
> >
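
Added example, not part of any poster's message: a small Python classifier showing why a firewall rule for "port 47" never matches GRE, and how IPSec traffic looks once NAT-T wraps it in UDP. The UDP port 4500 and the non-ESP marker come from RFC 3948, not from this thread; all sample packets are constructed.

```python
import struct

TCP, UDP = 6, 17
PORTLESS = {47: "gre", 50: "esp"}   # IP protocols with no port field at all

def classify(pkt: bytes) -> str:
    """Label a raw IPv4 packet by the VPN traffic class a firewall must pass."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]   # byte 9 = IP protocol number
    if proto in PORTLESS:
        return PORTLESS[proto]
    if proto not in (TCP, UDP) or len(body) < 4:
        return "other"
    ports = set(struct.unpack("!HH", body[:4]))
    if proto == TCP:
        return "pptp-control" if 1723 in ports else "other"
    data = body[8:]                                   # skip the 8-byte UDP header
    if 500 in ports:
        return "ike"
    if 1701 in ports:
        return "l2tp"
    if 4500 in ports and data:   # NAT-T: 4 zero bytes mark IKE, else an ESP SPI
        if data == b"\xff":
            return "nat-t-keepalive"
        return "nat-t-ike" if data[:4] == bytes(4) else "nat-t-esp"
    return "other"

# Helpers for constructed sample packets: documentation addresses, zeroed checksums.
def ipv4(proto: int, body: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + body
def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

SAMPLES = {
    "TCP to port 47": ipv4(TCP, tcp_syn(1055, 47)),
    "PPTP control": ipv4(TCP, tcp_syn(1055, 1723)),
    "PPTP data (GRE)": ipv4(47, bytes.fromhex("3001880b") + bytes(8)),
    "IKE": ipv4(UDP, udp(500, 500, bytes(28))),
    "IKE after NAT detected": ipv4(UDP, udp(4500, 4500, bytes(4) + bytes(28))),
    "UDP-encapsulated ESP": ipv4(UDP, udp(4500, 4500, bytes.fromhex("12345678") + bytes(16))),
    "NAT-T keepalive": ipv4(UDP, udp(4500, 4500, b"\xff")),
}

for name, pkt in SAMPLES.items():
    print(f"{name:24} -> {classify(pkt)}")
```

Run against a capture from each side of a firewall, the same classification shows whether the GRE or ESP packets are the ones being dropped.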