|
|
 |
06-28-2010, 05:19 PM
|
#1
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
L2TP/IPsec VPN NATing, anyone ever done it?
I tested the VPN internally using the local IP address and it works fine. As soon as I try it from the WAN on a remote computer it will not work. It gives me this:
"error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with remote computer"
This is on a Server 2008 R2 platform with an L2TP/IPsec VPN with a preshared key.
Port 1701 TCP/UDP is mapped over to the local server address. Are there any other ports that need to be mapped?
What I have checked so far:
I have mapped over the port in the router. However, when I use the online open port checker tool it can't find the service. I tested an HTTP file server on that port and it saw my service, so the port is not being blocked by my router. The firewall is set to allow the connection over the correct network interface. Edge translation is allowed.
Any ideas?
Last edited by pollardhimself; 07-13-2010 at 05:39 PM.
Reason: update
|
|
|
06-28-2010, 08:10 PM
|
#2
|
|
Diamond Member
Join Date: Oct 2000
Posts: 6,600
|
You need to forward UDP port 500 and enable L2TP VPN Passthrough on the router as well (if the router supports it).
__________________
"I did RC5, but I didn't flush." - Bill Clinton
"I invented distributed computing." - Al Gore
"I had a dream where every American would be free to run SETI@Home!" - Martin Luther King Jr.
"Greendale is a bodaciously small town, Lane... I can't even Find-A-Drug here!" - Charles De Mar (Better Off Dead)
"I did not have BOINC relations with that woman, Rosetta@Home!" - Bill Clinton
|
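As an added example, not code from anyone in this thread: a PowerShell check to run on the Server 2008 R2 VPN host itself, to confirm that the services and UDP sockets the forwarded ports are supposed to reach actually exist. The service names IKEEXT, PolicyAgent and RemoteAccess are the standard Windows names; the script assumes an elevated prompt so that netstat -ano reports the owning PIDs.

```powershell
# Added example, not from the thread. Run elevated on the VPN server.
# For L2TP/IPsec behind NAT the router must forward UDP 500 (IKE) and
# UDP 4500 (NAT-T: IKE plus UDP-encapsulated ESP). UDP 1701 (L2TP) is only
# ever carried inside the IPsec tunnel, so forwarding it alone does nothing
# and exposing it unprotected is undesirable.

$services = @{
    'IKEEXT'       = 'IKE and AuthIP IPsec Keying Modules'
    'PolicyAgent'  = 'IPsec Policy Agent'
    'RemoteAccess' = 'Routing and Remote Access'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'NOT INSTALLED' }
    '{0,-13} {1,-40} {2}' -f $name, $services[$name], $state
}

# Parse "netstat -ano -p UDP" lines such as:
#   UDP    0.0.0.0:500            *:*                                    1032
$listeners = @()
netstat -ano -p UDP | ForEach-Object {
    if ($_ -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
        $listeners += New-Object PSObject -Property @{
            Address = $matches[1]
            Port    = [int]$matches[2]
            Pid     = [int]$matches[3]
        }
    }
}

foreach ($port in 500, 4500, 1701) {
    $hits = @($listeners | Where-Object { $_.Port -eq $port })
    if ($hits.Count -gt 0) {
        $owner = (Get-Process -Id $hits[0].Pid -ErrorAction SilentlyContinue).ProcessName
        'UDP {0,-5} bound on {1} (pid {2}, {3})' -f $port, $hits[0].Address, $hits[0].Pid, $owner
    } else {
        'UDP {0,-5} NOT bound: traffic the router forwards here is dropped by the host' -f $port
    }
}
```

If 500 and 4500 are bound (normally by svchost hosting IKEEXT) and the router log shows the packets arriving, the remaining suspects are on the client side, which is where the rest of this thread ends up.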
|
|
06-29-2010, 09:06 AM
|
#3
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Added 4500 and 500 with no luck...
Router logs show its coming in
[LAN access from remote] from remoteip:4500 to 192.168.1.2:4500 Tuesday, Jun 29,2010 06:10:25
[LAN access from remote] from remoteip:500 to 192.168.1.2:500 Tuesday, Jun 29,2010 06:10:25
|
|
|
06-29-2010, 05:36 PM
|
#4
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Router setup
Does this mean I can only have two clients? Found this on the router

|
|
|
07-12-2010, 01:02 PM
|
#5
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
New router using pfSense on a server, still no luck.
I have fixed the firewall rules but I am still unable to get it to work. It works internally if I put in the local IP and use it from an internal computer. And I see it allowing the ports through when I try to connect from a remote computer.
I have to be missing something; what is it? 2 different routers, still the same issue.
Last edited by pollardhimself; 07-12-2010 at 01:25 PM.
|
|
|
07-13-2010, 05:38 PM
|
#6
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Has anyone successfully NATed an IPsec/L2TP VPN?
|
|
|
07-13-2010, 06:56 PM
|
#7
|
|
Diamond Member
Join Date: Feb 2006
Posts: 5,587
|
Ran into this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.
Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.
Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here's both locations:
In Windows XP:
HKLM\System\CurrentControlSet\services\IPSec
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.
In Windows Vista/7:
HKLM\System\CurrentControlSet\services\PolicyAgent
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.
You'll need to do this on every client you want to connect to this VPN.
Note: This is only the case for L2TP/IPsec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
|
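The registry change described above, scripted, as an added example that is not part of the original post: it picks the key path by Windows version (5.x for XP and Server 2003, 6.x for Vista, 7, 2008 and 2008 R2), writes the DWORD, and reads it back rather than assuming the write succeeded. It assumes an elevated PowerShell prompt; the reboot still has to be done by hand.

```powershell
# Added example, not from the thread. Run elevated on each client (and, as the
# thread later does, on the server as well). A reboot is required afterwards.

$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$value     = 2   # 2 = server and client may both be behind NAT, the value used in the thread

# XP / Server 2003 report 5.x; Vista / 7 / 2008 / 2008 R2 report 6.x
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -lt 6) {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
} else {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}

if (-not (Test-Path $keyPath)) {
    throw "IPsec service key $keyPath not found; is the IPsec service installed on this build?"
}

$existing = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($existing -eq $value) {
    Write-Host "$valueName is already $value under $keyPath"
} else {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "Set $valueName=$value under $keyPath"
}

# Read the value back so the change is verified, not assumed
$check = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($check -ne $value) { throw "Verification failed: $valueName reads back as $check" }

Write-Host 'Reboot before testing; the IPsec service only reads this value at start-up.'
```

The thread's closing posts report that the value took effect only after a wait and a reboot on both ends, so test after the restart, not immediately after writing the key.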
|
|
07-14-2010, 07:47 AM
|
#8
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Quote:
Originally Posted by drebo
Ran into this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.
Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.
Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here's both locations:
In Windows XP:
HKLM\System\CurrentControlSet\services\IPSec
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.
In Windows Vista/7:
HKLM\System\CurrentControlSet\services\PolicyAgent
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.
You'll need to do this on every client you want to connect to this VPN.
Note: This is only the case for L2TP/IPsec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
|
Does it still have to have a public IP? I did this already and still had no luck. Someone told me pfSense 1.2.3 had an issue with this, so I think I've got issues all over the place. I am going to test today behind another server that's NATed to see if it's pfSense.
|
|
|
07-14-2010, 09:17 AM
|
#9
|
|
Diamond Member
Join Date: Feb 2006
Posts: 5,587
|
If you make those registry changes, it will enable NAT Traversal on those clients and allow them to connect to a server that is behind a NAT. Setting it to 2 indicates that both the server and the client are behind NAT, but that won't hurt it in the event that the client is not behind a NAT for some reason.
You may need to forward ESP or AH protocols through your firewall, though you shouldn't if you employ these registry changes. I do know that they work because I have set up an L2TP IPSec VPN on Server 2008 R2 behind a NAT and once I made these changes, both XP and 7 systems could connect.
I'll look at my settings when I get in to work and see if I notice anything else that I may have changed.
Last edited by drebo; 07-14-2010 at 09:21 AM.
|
|
|
07-14-2010, 09:25 AM
|
#10
|
|
Super Moderator Elite Member
Join Date: Dec 2005
Location: Tempe, Arizona, USA
Posts: 11,592
|
Here's the MS KB that Drebo is referring to:
http://support.microsoft.com/kb/926179
__________________
MCSE:Security:2003 - MCTS:SBS 2008 - Arizona's 1st Microsoft Small Business Specialist
--- In loving memory of my beautiful Australian Shepherd, Skye. July 2001-January 2010 ---
War on Terror 2000-2010 ~ Terrorist-caused Deaths < 10,000 ~ Bush's Wars > 1,000,000 ~ Winning?
|
|
|
07-14-2010, 10:03 AM
|
#11
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
|
I've done this on both the client and server and rebooted.
Here's where I am at:
I've got a NAT server I just set up to test this.
I've got the NAT server connected to my server and I configured them both with public IPs.
Hooked up my computer to the LAN side of the NAT server.
I have disabled the firewall on the connection from my domain server to the NAT server.
I can connect with PPTP but not with L2TP.
|
|
|
07-14-2010, 10:14 AM
|
#12
|
|
Diamond Member
Join Date: Feb 2006
Posts: 5,587
|
You can't connect on the LAN side either?
|
|
|
07-14-2010, 10:43 AM
|
#13
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Quote:
Originally Posted by drebo
You can't connect on the LAN side either?
|
LAN side works fine with L2TP on the domain server.
The LAN side I am trying to connect on is on a separate server that I have created a NAT connection to the domain server on.
|
|
|
07-14-2010, 12:57 PM
|
#14
|
|
Diamond Member
Join Date: Feb 2006
Posts: 5,587
|
Can you diagram out what your topology looks like and indicate where you CAN connect to the VPN and where you CANNOT connect to the VPN?
The terminology you're using seems to be changing each post, and I'm not really following it very well at this point.
|
|
|
07-14-2010, 01:50 PM
|
#15
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Better? Sorry, I suck at explaining things.
Last edited by pollardhimself; 07-14-2010 at 02:05 PM.
|
|
|
07-14-2010, 02:10 PM
|
#16
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Well... now it's working over the real WAN, hurray.
Guess it took a minute to figure out wtf it wanted to do.
|
|
|
07-14-2010, 06:24 PM
|
#17
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Everything works.
Last edited by pollardhimself; 07-14-2010 at 06:36 PM.
|
|
|
07-15-2010, 12:11 AM
|
#18
|
|
Diamond Member
Join Date: Feb 2006
Posts: 5,587
|
What was the final resolution?
|
|
|
07-15-2010, 08:58 AM
|
#19
|
|
Senior Member
Join Date: Nov 2009
Posts: 281
|
Applying the registry fix on both computers; then I guess I just had to wait a minute for it to take effect.
|
|
|
|