Re: L2TP/IPSec VPN Configuration




Oh, and just for a point of reference. On the only SBS network I support that allows VPN, my own personal one where I know every single machine that might ever connect via VPN, and know its health, I stopped using L2TP for VPN after about 3 months and switched back to PPTP. The L2TP was just too fragile. I still use Remote Web Workplace, securing that with RWWGuard and AuthAnvil (www.scorpionsoft.com), and I don't think I've used VPN in the last 5 months. RWW with a good two-factor authentication solution is a better bet all the way round.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel


"Jon-Alfred Smith" <jonsmi@xxxxxxxxxxxxxxxx> wrote in message news:pojhq3p9hbmrdtcs4hl517i8o7atkdv2d1@xxxxxxxxxx
On Tue, 5 Feb 2008 07:31:15 -0800, "Charlie Russel - MVP"
<charlie@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

It is possible, but extremely fussy. If you do everything exactly right it
works, but one misstep and it doesn't.

This is covered extensively in chapter 15 of our SBS R2 book, but the basic
steps are:

[SNIP]

There are thirteen pages on this in chapter 15. And another batch in chapter
16 if you're using ISA 2k4. It's not trivial, but is possible if you follow
the steps exactly. Unfortunately, all the steps are actually required.

Charlie Russel
Author: Microsoft Windows Small Business Server 2003 R2 Administrator's
Companion (MS Press)
http://www.amazon.com/Microsoft-Business-Administrators-Companion-Pro-Administrators/dp/0735622809/ref=sr_11_1/104-0475887-4767969?ie=UTF8

The book details all steps in an excellent way. However, I still
wonder about IPSec from a client behind a NAT to a server behind a
different NAT.

MS has at least two KB articles on this subject, and MS says: IPSec
NAT-T is not recommended for Windows Server 2003 computers that are
behind network address translators
http://support.microsoft.com/kb/885348

The default behavior of IPSec NAT traversal (NAT-T) is changed in
Windows XP Service Pack 2
http://support.microsoft.com/kb/885407/

It should not be too uncommon that clients and SBS servers are located
behind different NATs. Does this really mean that best practice is to
use PPTP / MPPE instead?

jas
