Re: VPN using L2TP

From: Phillip Windell (_at_.)
Date: 03/09/05


Date: Wed, 9 Mar 2005 09:59:34 -0600

I believe it fails because you are trying to cross a "NAT Device".
If your SBS box "replaced" the NAT Device,...that is the 192.168.1.x network
would be eliminated and the SBS box would have a public IP# on the external
side instead of 192.168.1.7,...then it would work. The location where your
NAT Device now sits would have a DSL Modem (not a "router", not a nat
device, doesn't have an IP#) and this "modem" would act as a "transceiver"
and "media converter" to connect the SBS box to the DSL line.

I haven't messed with L2TP myself, but I think it has a similar problem
to the one IPSec has about requiring "NAT Traversal" (NAT-T) before it can cross a
NAT Device. But then,...like I said, I have never used L2TP,...I do not
consider regular PPTP to be "insecure" and that is what I use.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Sawlmgsj" <Sawlmgsj@discussions.microsoft.com> wrote in message
news:C8BE5774-6402-410A-B8B9-00A5C8683BFA@microsoft.com...
> I have SBS2003 Standard and want to VPN from XP with SP2.
> No problem using PPTP but cannot make it work with L2TP.
>
> Have created certificates and deployed to workstation.
> I have two NIC's in server:  192.168.16.2 and 192.168.1.7 to my router
> which is using NAT.  Ports are opened on router and have tried opening it
> completely.  NAT on router for XP workstation.
>
> I have reproduced the first 5 messages from the log - Event Viewer -
> Security.  My domain is ibs.local
> public IP address for XP machine is: 213.218.243.182
>
> I have opened the ports on RRA and also enabled EAP.
>
>
> IKE security association established.
>  Mode:
> Key Exchange Mode (Main Mode)
>
>  Peer Identity:
> Certificate based Identity.
> Peer Subject CN=SAWLMGSJ01.IBS.local
> Peer SHA Thumbprint d33b8e34a1005acebec8862778322d93d9444459
> Peer Issuing Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> Root Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> My Subject CN=sbsserver.IBS.local
> My SHA Thumbprint f324e7089d4e2249c8962d449a3b287dff0dc08f
> Peer IP Address: 213.218.243.182
>
>  Filter:
> Source IP Address 192.168.1.7
> Source IP Address Mask 255.255.255.255
> Destination IP Address 213.218.243.182
> Destination IP Address Mask 255.255.255.255
> Protocol 0
> Source Port 0
> Destination Port 0
> IKE Local Addr 192.168.1.7
> IKE Peer Addr 213.218.243.182
> IKE Source Port 4500
> IKE Destination Port 0
> Peer Private Addr
>
>  Parameters:
> ESP Algorithm Triple DES CBC
> HMAC Algorithm SHA
> Lifetime (sec) 28800
> MM delta time (sec) 0
>
>
>
>
> IKE security association established.
>  Mode:
> Data Protection Mode (Quick Mode)
>
>  Peer Identity:
> Certificate based Identity.
> Peer Subject CN=SAWLMGSJ01.IBS.local
> Peer SHA Thumbprint d33b8e34a1005acebec8862778322d93d9444459
> Peer Issuing Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> Root Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> My Subject CN=sbsserver.IBS.local
> My SHA Thumbprint f324e7089d4e2249c8962d449a3b287dff0dc08f
> Peer IP Address: 213.218.243.182
>
>  Filter:
> Source IP Address 192.168.1.7
> Source IP Address Mask 255.255.255.255
> Destination IP Address 213.218.243.182
> Destination IP Address Mask 255.255.255.255
> Protocol 17
> Source Port 1701
> Destination Port 1701
> IKE Local Addr 192.168.1.7
> IKE Peer Addr 213.218.243.182
> IKE Source Port 4500
> IKE Destination Port 4500
> Peer Private Addr 192.168.1.11
>
>  Parameters:
> ESP Algorithm Triple DES CBC
> HMAC Algorithm MD5
> AH Algorithm None
> Encapsulation Transport Mode with UDP encapsulation
>
> InboundSpi 1150581090 (0x44947962)
> OutBoundSpi 3886302825 (0xe7a44669)
> Lifetime (sec) 3600
> Lifetime (kb) 250000
> QM delta time (sec) 0
> Total delta time (sec) 0
>
>
>
> IKE security association established.
>  Mode:
> Key Exchange Mode (Main Mode)
>
>  Peer Identity:
> Certificate based Identity.
> Peer Subject CN=SAWLMGSJ01.IBS.local
> Peer SHA Thumbprint d33b8e34a1005acebec8862778322d93d9444459
> Peer Issuing Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> Root Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> My Subject CN=sbsserver.IBS.local
> My SHA Thumbprint f324e7089d4e2249c8962d449a3b287dff0dc08f
> Peer IP Address: 213.218.243.182
>
>  Filter:
> Source IP Address 192.168.1.7
> Source IP Address Mask 255.255.255.255
> Destination IP Address 213.218.243.182
> Destination IP Address Mask 255.255.255.255
> Protocol 0
> Source Port 0
> Destination Port 0
> IKE Local Addr 192.168.1.7
> IKE Peer Addr 213.218.243.182
> IKE Source Port 4500
> IKE Destination Port 0
> Peer Private Addr
>
>  Parameters:
> ESP Algorithm Triple DES CBC
> HMAC Algorithm SHA
> Lifetime (sec) 28800
> MM delta time (sec) 1
>
>
>
> IKE security association established.
>  Mode:
> Data Protection Mode (Quick Mode)
>
>  Peer Identity:
> Certificate based Identity.
> Peer Subject CN=SAWLMGSJ01.IBS.local
> Peer SHA Thumbprint d33b8e34a1005acebec8862778322d93d9444459
> Peer Issuing Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> Root Certificate Authority DC=local, DC=IBS, CN=Inform Certificate Authority
> My Subject CN=sbsserver.IBS.local
> My SHA Thumbprint f324e7089d4e2249c8962d449a3b287dff0dc08f
> Peer IP Address: 213.218.243.182
>
>  Filter:
> Source IP Address 192.168.1.7
> Source IP Address Mask 255.255.255.255
> Destination IP Address 213.218.243.182
> Destination IP Address Mask 255.255.255.255
> Protocol 17
> Source Port 1701
> Destination Port 1701
> IKE Local Addr 192.168.1.7
> IKE Peer Addr 213.218.243.182
> IKE Source Port 4500
> IKE Destination Port 4500
> Peer Private Addr 192.168.1.11
>
>  Parameters:
> ESP Algorithm Triple DES CBC
> HMAC Algorithm MD5
> AH Algorithm None
> Encapsulation Transport Mode with UDP encapsulation
>
> InboundSpi 465703201 (0x1bc21121)
> OutBoundSpi 3730048001 (0xde540401)
> Lifetime (sec) 3600
> Lifetime (kb) 250000
> QM delta time (sec) 0
> Total delta time (sec) 1
>
>
>
> IKE security association ended.
>  Mode: Data Protection (Quick mode) Filter:
> Source IP Address 192.168.1.7
> Source IP Address Mask 255.255.255.255
> Destination IP Address 213.218.243.182
> Destination IP Address Mask 255.255.255.255
> Protocol 17
> Source Port 1701
> Destination Port 1701
> IKE Local Addr 192.168.1.7
> IKE Peer Addr 213.218.243.182
> IKE Source Port 4500
> IKE Destination Port 4500
> Peer Private Addr 192.168.1.11
>
>  Inbound SPI:
> 1150581090 (0x44947962)
>  Outbound SPI:
> 3886302825 (0xe7a44669)
>
>
>
> I can create the VPN connection with the two machines networked on a LAN,
> but strangely I cannot then map any drives.
>
> Can you help?
>
> Thanks,
> Steve.
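As an added example (not code from either poster), a Python check that reads Windows IKE "security association" event text like the log quoted above and pulls out the NAT Traversal indicators a defender looks for: "UDP encapsulation" together with IKE ports 4500/4500 shows NAT-T was negotiated, a Peer Private Addr that differs from the Peer IP Address shows the client sits behind a NAT, and the UDP/1701 selector identifies the L2TP traffic. The sample events are constructed from the values quoted in the post, trimmed to the fields the check reads.

```python
import re

# Constructed sample: the first two events quoted in the thread, trimmed to the
# fields this check reads (the values are the ones quoted above).
SAMPLE_EVENTS = """\
IKE security association established.
 Mode:
Key Exchange Mode (Main Mode)
Peer IP Address: 213.218.243.182
IKE Source Port 4500
IKE Destination Port 0
Peer Private Addr

IKE security association established.
 Mode:
Data Protection Mode (Quick Mode)
Peer IP Address: 213.218.243.182
Protocol 17
Destination Port 1701
IKE Source Port 4500
IKE Destination Port 4500
Peer Private Addr 192.168.1.11
Encapsulation Transport Mode with UDP encapsulation
"""

# Fields of interest; the log writes them as "<name> <value>" or "<name>: <value>".
KEYS = ("Peer IP Address", "Protocol", "Destination Port", "IKE Source Port",
        "IKE Destination Port", "Peer Private Addr", "Encapsulation")
FIELD = re.compile(r"^(%s):?\s*(.*)$" % "|".join(re.escape(k) for k in KEYS))

def parse_events(text):
    """Split on blank lines; return one {field: value} dict per IKE event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {"mode": "Quick Mode" if "Quick Mode" in block else "Main Mode"}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                ev[m.group(1)] = m.group(2).strip()
        events.append(ev)
    return events

def nat_t_status(ev):
    """Quick Mode SA: NAT-T negotiated? peer behind NAT? L2TP (UDP/1701) selector?"""
    udp_encap = "UDP encapsulation" in ev.get("Encapsulation", "")
    on_4500 = ev.get("IKE Source Port") == "4500" == ev.get("IKE Destination Port")
    private = ev.get("Peer Private Addr", "")
    return {"nat_t": udp_encap and on_4500,
            "peer_behind_nat": bool(private) and private != ev.get("Peer IP Address"),
            "l2tp_selector": ev.get("Protocol") == "17" and ev.get("Destination Port") == "1701"}
```

Run over the Quick Mode events in the full log above, the check reports NAT-T in use and the XP client (192.168.1.11) behind a NAT, so the IPsec phase of the connection did complete; the L2TP failure has to be looked for after that point.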

