
L2TP/IPSEC VPN Natting anyone ever done it

pollardhimself

Senior member
I tested the VPN internally using the local IP address and it works fine. As soon as I try it from the WAN on a remote computer it will not work. It gives me this:

"error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with remote computer"

This is on a Server 2008 R2 platform with an L2TP/IPsec VPN with a preshared key.

Port 1701 TCP/UDP is mapped to the local server address. Are there any other ports that need to be mapped?

What I have checked so far:

I have mapped the port in the router. However, when I use the online open port checker tool it can't find the service. I tested an HTTP file server on that port and it saw my service, so the port is not being blocked by my router. The firewall is set to allow the connection over the correct network interface. Edge translation is allowed.

Any ideas?
 
You need to forward UDP port 500 and enable L2TP VPN Passthrough on the router as well (if the router supports it).
 
added 4500 and 500 with no luck...

Router logs show it's coming in:
[LAN access from remote] from remoteip:4500 to 192.168.1.2:4500 Tuesday, Jun 29,2010 06:10:25
[LAN access from remote] from remoteip:500 to 192.168.1.2:500 Tuesday, Jun 29,2010 06:10:25
 
Router setup (screenshot)

Does this mean I can only have two clients? Found this on the router:
 
New router using pfSense on a server, still no luck.

I have fixed the firewall rules but I am still unable to get it to work. It works internally if I put in the local IP and use it from an internal computer. And I see it allowing the ports through when I try to connect from a remote computer.

I have to be missing something; what is it? Two different routers, still the same issue.

(pfSense screenshots)
 
Ran in to this setting one of these up for a client. The reasoning behind why this solution is necessary sucks, but the solution is relatively easy.

Microsoft decided that after Windows XP SP2 (that includes Vista and 7), they were going to require VPN servers to be public-facing. Basically, they turned off the native NAT-T (NAT traversal) that had existed in these versions of Windows' VPN software. Their justification is that VPNs should be perimeter-based. The justification is sound, but removing the capability to easily set it up otherwise is kind of shitty.

Anyway, there's a registry key you need to create. It's in a different place in Windows XP than in Windows Vista and 7. Here are both locations:

In Windows XP:
HKLM\System\CurrentControlSet\services\IPSec
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system.

In Windows Vista/7:
HKLM\System\CurrentControlSet\services\PolicyAgent
Create DWORD named AssumeUDPEncapsulationContextOnSendRule and set value to 2
Reboot system

You'll need to do this on every client you want to connect to this VPN.

Note: This is only the case for L2TP IPSec VPNs. The HTTPS VPNs and PPTP VPNs do not have this requirement.
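As an added example (not code from this thread), here is a PowerShell script that picks the key path above based on the Windows version, reports whether AssumeUDPEncapsulationContextOnSendRule is already present, and creates it with value 2 (client and server both behind NAT) if it is missing or different. It assumes an elevated prompt; the reboot the post calls for is still needed afterwards.

```powershell
# Added example: audit/set the NAT-T registry value for L2TP/IPsec clients.
# Key paths are the ones given in the post (KB 926179):
#   XP (NT 5.x)          -> ...\Services\IPSec
#   Vista/7 and later    -> ...\Services\PolicyAgent
# Run from an elevated PowerShell prompt, then reboot.

param([int]$Value = 2)   # 2 = both client and server behind NAT (1 = server only)

$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$osVersion = [Environment]::OSVersion.Version

# Windows XP / Server 2003 report major version 5; Vista and later report 6 or higher
if ($osVersion.Major -lt 6) {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
} else {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}

if (-not (Test-Path $keyPath)) {
    Write-Error "Registry key $keyPath not found; is the IPsec service installed?"
    exit 1
}

# Read the current value; absent means Windows behaves as if NAT-T is off for L2TP
$current = (Get-ItemProperty -Path $keyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    Write-Host "$valueName is not set under $keyPath (NAT-T disabled)."
} else {
    Write-Host "$valueName currently = $current under $keyPath"
}

if ($current -ne $Value) {
    # -Force overwrites an existing value of the same name
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
                     -Value $Value -Force | Out-Null
    Write-Host "Set $valueName to $Value. Reboot for the change to take effect."
} else {
    Write-Host "No change needed."
}
```

Re-run the script after the reboot to confirm the value persisted; UDP 500 and 4500 still have to reach the server through the router, as noted earlier in the thread.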
 
Does it still have to have a public IP? I did this already and still had no luck. Someone told me pfSense 1.2.3 had an issue with this, so I think I've got issues all over the place. I am going to test today behind another server that's NATted to see if it's pfSense.
 
If you make those registry changes, it will enable NAT Traversal on those clients and allow them to connect to a server that is behind a NAT. Setting it to 2 indicates that both the server and the client are behind NAT, but that won't hurt it in the event that the client is not behind a NAT for some reason.

You may need to forward ESP or AH protocols through your firewall, though you shouldn't if you employ these registry changes. I do know that they work because I have set up an L2TP IPSec VPN on Server 2008 R2 behind a NAT and once I made these changes, both XP and 7 systems could connect.

I'll look at my settings when I get in to work and see if I notice anything else that I may have changed.
 
Here's the MS KB that Drebo is referring to:

http://support.microsoft.com/kb/926179


I've done this on both the client and server and rebooted.

(registry screenshot)

Here's where I am at:

I've got a NAT server I just set up to test this.

I've got the NAT server connected to my server and I configured them both with public IPs.

Hooked up my computer to the LAN side of the NAT server.

I have disabled the firewall on the connection from my domain server to the NAT server.

I can connect with PPTP but not with L2TP.
 
Can you diagram out what your topology looks like and indicate where you CAN connect to the VPN and where you CANNOT connect to the VPN?

The terminology you're using seems to be changing each post, and I'm not really following it very well at this point.
 