L2TP/IPSEC VPN Natting anyone ever done it

Discussion in 'Networking' started by pollardhimself, Jun 28, 2010.

  1. pollardhimself

    pollardhimself Senior member

    Joined:
    Nov 6, 2009
    Messages:
    281
    Likes Received:
    0
    I tested the VPN internally using the local IP address and it works fine. As soon as I try it from the WAN on a remote computer, it will not work. It gives me this:

    "error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with remote computer"

    This is on a Server 2008 R2 platform with an L2TP/IPsec VPN with a preshared key.

    Port 1701 TCP/UDP is mapped to the local server address. Are there any other ports that need to be mapped?

    What I have checked so far

    I have mapped the port in the router. However, when I use the online open port checker tool, it can't find the service. I tested an HTTP file server on that port and it saw my service, so the port is not being blocked by my router. The firewall is set to allow the connection over the correct network interface. Edge translation is allowed.

    Any ideas?
     
    #1 pollardhimself, Jun 28, 2010
    Last edited: Jul 13, 2010

  3. Fardringle

    Fardringle Diamond Member

    Joined:
    Oct 23, 2000
    Messages:
    8,270
    Likes Received:
    76
    You need to forward UDP port 500 and enable L2TP VPN Passthrough on the router as well (if the router supports it).
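    As an added illustration (not part of Fardringle's reply, and not something the original poster ran): a PowerShell session on the Server 2008 R2 VPN host that checks the services L2TP/IPsec depends on, opens the host firewall for the ports the router forwards, and confirms the server is actually listening on them. It assumes the session is elevated and that the router already forwards UDP 500 and UDP 4500 (and, optionally, UDP 1701) to the server's LAN address. Port meanings: UDP 500 is IKE, where NAT is detected and NAT-T negotiated; UDP 4500 carries IKE plus UDP-encapsulated ESP once NAT-T is in use; UDP 1701 is L2TP itself, which with IPsec in place only ever travels inside ESP. The rule names are this script's own.

```powershell
# Added example: prepare and check a Windows Server 2008 R2 L2TP/IPsec endpoint
# that sits behind a NAT router. Run from an elevated PowerShell prompt.
# Assumption: the router forwards UDP 500 and UDP 4500 (and optionally UDP 1701)
# to this host's LAN address (192.168.1.2 in the thread).

# 1. Services an L2TP/IPsec server relies on: IKE/AuthIP (IKEEXT), the IPsec
#    policy agent, and Routing and Remote Access itself.
foreach ($svcName in 'IKEEXT', 'PolicyAgent', 'RemoteAccess') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "$svcName is not installed"; continue }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$svcName is $($svc.Status); starting it"
        Start-Service -Name $svcName
    }
}

# 2. Host firewall. netsh is what 2008 R2 offers (New-NetFirewallRule is 2012+).
#    UDP 500  = IKE main mode, where NAT-T is detected and negotiated
#    UDP 4500 = IKE and UDP-encapsulated ESP after NAT-T kicks in
#    UDP 1701 = L2TP; with IPsec it only ever arrives inside ESP, so the router
#               never sees it, but the host rule is harmless
#    ESP (IP protocol 50) only matters for peers with no NAT in the path
$rules = @(
    @{ Name = 'L2TP/IPsec IKE (UDP 500)';    Args = @('protocol=UDP', 'localport=500')  },
    @{ Name = 'L2TP/IPsec NAT-T (UDP 4500)'; Args = @('protocol=UDP', 'localport=4500') },
    @{ Name = 'L2TP (UDP 1701)';             Args = @('protocol=UDP', 'localport=1701') },
    @{ Name = 'IPsec ESP (protocol 50)';     Args = @('protocol=50') }
)
foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    $exists = & netsh advfirewall firewall show rule "name=$($r.Name)" | Select-String 'Rule Name'
    if (-not $exists) {
        & netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow @($r.Args)
    }
}

# 3. Is the server listening where the router forwards to? If 500/4500 are
#    missing here, the problem is on the server, not in the port forwarding.
netstat -ano -p UDP | Select-String -Pattern ':(500|4500|1701)\s'
```

    One caveat worth keeping in mind when reading the first post: web-based "open port checker" tools almost always probe TCP, so a clean result or a failure from them says nothing about whether a UDP listener such as IKE on 500/4500 is reachable; the router's own log lines (or a packet capture on the server) are the better evidence.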
     
  4. pollardhimself
    Added 4500 and 500 with no luck...

    Router logs show it's coming in:
    [LAN access from remote] from remoteip:4500 to 192.168.1.2:4500 Tuesday, Jun 29,2010 06:10:25
    [LAN access from remote] from remoteip:500 to 192.168.1.2:500 Tuesday, Jun 29,2010 06:10:25
     
  5. pollardhimself
    Router setup:

    [screenshot]

    Does this mean I can only have two clients? Found this on the router:

    [screenshot]
     
  6. pollardhimself
    New router using pfSense on a server, still no luck.

    I have fixed the firewall rules but I am still unable to get it to work. It works internally if I put in the local IP and use it from an internal computer. And I see it allowing the ports through when I try to connect from a remote computer.

    I have to be missing something; what is it... 2 different routers, still the same issue.

    [screenshots]
     
    #5 pollardhimself, Jul 12, 2010
    Last edited: Jul 12, 2010
  7. pollardhimself
    Has anyone successfully NATted an IPsec/L2TP VPN?
     
  8. drebo

    drebo Diamond Member

    Joined:
    Feb 24, 2006
    Messages:
    7,043
    Likes Received:
    1
    Ran in to this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.

    Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.

    Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here's both locations:

    In Windows XP:
    HKLM\System\CurrentControlSet\services\IPSec
    Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
    Reboot system.

    In Windows Vista/7:
    HKLM\System\CurrentControlSet\services\PolicyAgent
    Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
    Reboot system

    You'll need to do this on every client you want to connect to this VPN.

    Note: This is only the case for L2TP IPSec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
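    The registry change drebo describes, scripted as an added example (these are not drebo's own commands): it picks the key location by Windows version, writes the DWORD, reads it back to confirm the write, and reminds you to reboot. The value meanings (0, 1, 2) are the ones Microsoft documents for this setting in KB926179 and match drebo's description; the `$Value` parameter name is this script's own. Run it elevated on each client, and on the server too when the server itself sits behind NAT.

```powershell
# Added example: enable IPsec NAT-T for an L2TP/IPsec peer behind NAT by
# setting AssumeUDPEncapsulationContextOnSendRule (KB926179). Run elevated on
# each client (and on the server, when the server itself is behind NAT).
# Value: 0 = default, no security association to a peer behind NAT
#        1 = the server is behind NAT
#        2 = both the server and the client are behind NAT
param([ValidateRange(0, 2)][int] $Value = 2)   # $Value is this script's own name

$name = 'AssumeUDPEncapsulationContextOnSendRule'

# XP / Server 2003 (NT 5.x) keep IPsec settings under \Services\IPSec;
# Vista / 7 / Server 2008 (NT 6.x) moved them to \Services\PolicyAgent.
$path = if ([Environment]::OSVersion.Version.Major -ge 6) {
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
} else {
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
}
if (-not (Test-Path -Path $path)) { throw "Registry key $path does not exist" }

# Create or overwrite the DWORD.
New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null

# Read it back rather than trusting the write: a typo in the value name
# silently does nothing, which is the commonest way this fix "fails".
$actual = (Get-ItemProperty -Path $path -Name $name).$name
if ($actual -ne $Value) { throw "Wrote $Value but read back $actual" }
Write-Host "$path\$name = $actual. Reboot for the IPsec service to pick it up."
```

    The reboot is not optional: the IPsec service reads this value at start-up, which is consistent with the original poster's later remark that the fix only appeared to work after waiting.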
     
  9. pollardhimself
    Does it still have to have a public IP? I did this already and still had no luck. Someone told me pfSense 1.2.3 had an issue with this, so I think I have issues all over the place. I am going to test today behind another server that's NATted to see if it's pfSense.
     
  10. drebo
    If you make those registry changes, it will enable NAT Traversal on those clients and allow them to connect to a server that is behind a NAT. Setting it to 2 indicates that both the server and the client are behind NAT, but that won't hurt it in the event that the client is not behind a NAT for some reason.

    You may need to forward ESP or AH protocols through your firewall, though you shouldn't if you employ these registry changes. I do know that they work because I have set up an L2TP IPSec VPN on Server 2008 R2 behind a NAT and once I made these changes, both XP and 7 systems could connect.

    I'll look at my settings when I get in to work and see if I notice anything else that I may have changed.
     
    #9 drebo, Jul 14, 2010
    Last edited: Jul 14, 2010
  11. RebateMonger

    RebateMonger Elite Member

    Joined:
    Dec 24, 2005
    Messages:
    11,592
    Likes Received:
    0
  12. pollardhimself

    I've done this on both the client and server and rebooted.

    [screenshot]

    Here's where I am at:

    I've got a NAT server I just set up to test this.

    I've got the NAT server connected to my server and I configured them both with public IPs.

    Hooked up my computer to the LAN side of the NAT server.

    I have disabled the firewall on the connection from my domain server to the NAT server.

    I can connect with PPTP but not with L2TP.
     
  13. drebo
    You can't connect on the LAN side either?
     
  14. pollardhimself
    LAN side works fine with L2TP on the domain server.

    The LAN side I am trying to connect on is on a separate server that I have created a NAT connection to the domain server on.
     
  15. drebo
    Can you diagram out what your topology looks like and indicate where you CAN connect to the VPN and where you CANNOT connect to the VPN?

    The terminology you're using seems to be changing each post, and I'm not really following it very well at this point.
     
  16. pollardhimself
    Better? Sorry, I suck at explaining things.

    [diagram]
     
    #15 pollardhimself, Jul 14, 2010
    Last edited: Jul 14, 2010
  17. pollardhimself
    Well... now it's working over the real WAN, hurray.

    Guess it took a minute to figure out wtf it wanted to do.
     
  18. pollardhimself
    Everything works.
     
    #17 pollardhimself, Jul 14, 2010
    Last edited: Jul 14, 2010
  19. drebo
    What was the final resolution?
     
  20. pollardhimself
    Applying the registry fix on both computers... then I guess I just had to wait a minute for it to take effect.