AnandTech Forums > Hardware and Technology > Networking

Old 06-28-2010, 05:19 PM   #1
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281
L2TP/IPsec VPN NATting: anyone ever done it?

I tested the VPN internally using the local IP address and it works fine. As soon as I try it from the WAN on a remote computer, it will not work. It gives me this:

"error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with remote computer"

This is on a Server 2008 R2 platform with an L2TP/IPsec VPN with a preshared key.

Port 1701 TCP/UDP is mapped to the local server address. Are there any other ports that need to be mapped?

What I have checked so far:

I have mapped the port in the router. However, when I use the online open port checker tool, it can't find the service. I tested an HTTP file server on that port and it saw my service, so the port is not being blocked by my router. The firewall is set to allow the connection over the correct network interface. Edge translation is allowed.

Any ideas?

Last edited by pollardhimself; 07-13-2010 at 05:39 PM. Reason: update
Old 06-28-2010, 08:10 PM   #2
Fardringle
Diamond Member

Join Date: Oct 2000
Posts: 7,267

You need to forward UDP port 500 and enable L2TP VPN Passthrough on the router as well (if the router supports it).
__________________
"I did RC5, but I didn't flush." - Bill Clinton
"I invented distributed computing." - Al Gore
"I had a dream where every American would be free to run SETI@Home!" - Martin Luther King Jr.
"Greendale is a bodaciously small town, Lane... I can't even Find-A-Drug here!" - Charles De Mar (Better Off Dead)
"I did not have BOINC relations with that woman, Rosetta@Home!" - Bill Clinton
Old 06-29-2010, 09:06 AM   #3
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Added 4500 and 500 with no luck...

Router logs show it's coming in:
[LAN access from remote] from remoteip:4500 to 192.168.1.2:4500 Tuesday, Jun 29,2010 06:10:25
[LAN access from remote] from remoteip:500 to 192.168.1.2:500 Tuesday, Jun 29,2010 06:10:25
Old 06-29-2010, 05:36 PM   #4
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Router setup

Does this mean I can only have two clients? Found this on the router.
Old 07-12-2010, 01:02 PM   #5
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

New router using pfSense on a server, still no luck.

I have fixed the firewall rules but I am still unable to get it to work. It works internally if I put in the local IP and use it from an internal computer. And I see it allowing the ports through when I try to connect from a remote computer.

I have to be missing something; what is it... 2 different routers, still the same issue.

Last edited by pollardhimself; 07-12-2010 at 01:25 PM.
Old 07-13-2010, 05:38 PM   #6
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Has anyone successfully NATted an IPsec/L2TP VPN?
Old 07-13-2010, 06:56 PM   #7
drebo
Diamond Member

Join Date: Feb 2006
Posts: 6,459

Ran into this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.

Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.

Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here are both locations:

In Windows XP:
HKLM\System\CurrentControlSet\services\IPSec
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.

In Windows Vista/7:
HKLM\System\CurrentControlSet\services\PolicyAgent
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system

You'll need to do this on every client you want to connect to this VPN.

Note: This is only the case for L2TP IPSec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
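The registry change drebo describes above, as an added PowerShell example that is not from this thread or from Microsoft's KB article. It picks the key by Windows version (the IPSec service key on XP, PolicyAgent on Vista/7 and later), reads the current value, and only writes the DWORD when it differs. The function names are the example's own; it assumes an elevated PowerShell prompt, and a reboot is still required afterwards, as the post says.

```powershell
# Added example, not from the thread: create the AssumeUDPEncapsulationContextOnSendRule
# DWORD that re-enables IPsec NAT-T on a Windows L2TP/IPsec client or server.
# Run from an elevated PowerShell prompt; reboot afterwards for the change to apply.

function Get-NatTRegistryPath {
    # Windows XP / 2003 are NT 5.x and use the IPSec service key;
    # Vista / 7 / 2008 and later are NT 6.x+ and use the PolicyAgent key.
    $ver = [Environment]::OSVersion.Version
    if ($ver.Major -lt 6) {
        return 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
    }
    return 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}

function Get-NatTSetting {
    # Returns the current DWORD value, or $null if the value has never been created.
    $path = Get-NatTRegistryPath
    $item = Get-ItemProperty -Path $path -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AssumeUDPEncapsulationContextOnSendRule
}

function Set-NatTSetting {
    param(
        # 1 = only the VPN server is behind NAT; 2 = server and client may both be
        # behind NAT (the value used in this thread). 0 disables the rule again.
        [ValidateSet(0, 1, 2)]
        [int]$Value = 2
    )
    $path = Get-NatTRegistryPath
    if (-not (Test-Path $path)) {
        throw "Registry key $path not found; is this a supported Windows version?"
    }
    $current = Get-NatTSetting
    if ($current -eq $Value) {
        Write-Host "AssumeUDPEncapsulationContextOnSendRule is already $Value under $path"
        return
    }
    # -Force overwrites an existing value of a different type or number.
    New-ItemProperty -Path $path -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "Set AssumeUDPEncapsulationContextOnSendRule=$Value under $path (was: $current). Reboot to apply."
}

# Usage: inspect, then apply the value used in the thread. Run on the server and on
# every client that will connect through NAT.
Get-NatTSetting
Set-NatTSetting -Value 2
```

This only addresses the client/server side of the problem; the NAT device in front of the server still has to pass UDP 500 and UDP 4500 to it, as the earlier replies in the thread note.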
Old 07-14-2010, 07:47 AM   #8
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Quote:
Originally Posted by drebo View Post
Ran into this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.

Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.

Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here are both locations:

In Windows XP:
HKLM\System\CurrentControlSet\services\IPSec
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.

In Windows Vista/7:
HKLM\System\CurrentControlSet\services\PolicyAgent
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system

You'll need to do this on every client you want to connect to this VPN.

Note: This is only the case for L2TP IPSec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
Does it still have to have a public IP? I did this already and still had no luck. Someone told me pfSense 1.2.3 had an issue with this, so I think I have issues all over the place. I am going to test today behind another server that's NATted to see if it's pfSense.
Old 07-14-2010, 09:17 AM   #9
drebo
Diamond Member

Join Date: Feb 2006
Posts: 6,459

If you make those registry changes, it will enable NAT Traversal on those clients and allow them to connect to a server that is behind a NAT. Setting it to 2 indicates that both the server and the client are behind NAT, but that won't hurt it in the event that the client is not behind a NAT for some reason.

You may need to forward ESP or AH protocols through your firewall, though you shouldn't if you employ these registry changes. I do know that they work because I have set up an L2TP IPSec VPN on Server 2008 R2 behind a NAT and once I made these changes, both XP and 7 systems could connect.

I'll look at my settings when I get into work and see if I notice anything else that I may have changed.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco

Last edited by drebo; 07-14-2010 at 09:21 AM.
Old 07-14-2010, 09:25 AM   #10
RebateMonger
Super Moderator
Elite Member

Join Date: Dec 2005
Location: Tempe, Arizona, USA
Posts: 11,592

Here's the MS KB that Drebo is referring to:

http://support.microsoft.com/kb/926179
__________________
MCSE:Security:2003 - MCTS:SBS 2008 - Arizona's 1st Microsoft Small Business Specialist
--- In loving memory of my beautiful Australian Shepherd, Skye. July 2001-January 2010 ---
War on Terror 2000-2010 ~ Terrorist-caused Deaths < 10,000 ~ Bush's Wars > 1,000,000 ~ Winning?
Old 07-14-2010, 10:03 AM   #11
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Quote:
Originally Posted by RebateMonger View Post
Here's the MS KB that Drebo is referring to:

http://support.microsoft.com/kb/926179

I've done this on both the client and server and rebooted.

Here's where I am at:

I got a NAT server I just set up to test this.

I've got the NAT server connected to my server and I configured them both with public IPs.

Hooked up my computer to the LAN side of the NAT server.

I have disabled the firewall on the connection from my domain server to the NAT server.

I can connect with PPTP but not with L2TP.
Old 07-14-2010, 10:14 AM   #12
drebo
Diamond Member

Join Date: Feb 2006
Posts: 6,459

You can't connect on the LAN side either?
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
Old 07-14-2010, 10:43 AM   #13
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Quote:
Originally Posted by drebo View Post
You can't connect on the LAN side either?
LAN side works fine with L2TP on the domain server.

The LAN side I am trying to connect on is on a separate server that I have created a NAT connection to the domain server on.
Old 07-14-2010, 12:57 PM   #14
drebo
Diamond Member

Join Date: Feb 2006
Posts: 6,459

Can you diagram out what your topology looks like and indicate where you CAN connect to the VPN and where you CANNOT connect to the VPN?

The terminology you're using seems to be changing each post, and I'm not really following it very well at this point.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
Old 07-14-2010, 01:50 PM   #15
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Better? Sorry, I suck at explaining things.

Last edited by pollardhimself; 07-14-2010 at 02:05 PM.
Old 07-14-2010, 02:10 PM   #16
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Well... now it's working over the real WAN, hurray.

Guess it took a minute to figure out wtf it wanted to do.
Old 07-14-2010, 06:24 PM   #17
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Everything works.

Last edited by pollardhimself; 07-14-2010 at 06:36 PM.
Old 07-15-2010, 12:11 AM   #18
drebo
Diamond Member

Join Date: Feb 2006
Posts: 6,459

What was the final resolution?
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
Old 07-15-2010, 08:58 AM   #19
pollardhimself
Senior Member

Join Date: Nov 2009
Posts: 281

Applying the registry fix on both computers; then I guess I just had to wait a minute for it to take effect.