Jarryd
Hello,

I have found the following article which answers all my questions in the last post. What I am not sure of now is if I need to enable outgoing connections. Please see: http://www.microsoft.com/resources/d..._VPN_und13.asp

As far as I know the firewall will block SYN packets, so I am assuming that if I only use my RRAS server to handle incoming connections then I should be OK just permitting inward traffic. The sessions are initiated by the clients and the server piggybacks out. I don't necessarily want the server to initiate remote sessions, i.e. with other VPN servers. Is my thinking correct?

Please help, TIA,

Jarryd

"Jarryd" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi,
>
> I am wanting to use Win Srvr 2003 as a VPN server. I only want to allow L2TP connections using MS-CHAP v2. I have configured this already on the server. Certificates are sorted as well. The only thing is the ports that need to be opened on the firewall and NAT on the router.
>
> As for the ports, do I only need to open up access to the server for MS-CHAPv2 and IPsec? And what are the port numbers for that? I think I have to have IP protocol 50 and UDP port 1701 allowed on the router. But what about a port for MS-CHAPv2? Or is that tunnelled through 1701? And does that then handle everything? If so then I shouldn't have to enable 88 for Kerberos or 443 for SSL because it is all tunnelled through?
>
> With regards to the router and NAT. I have a public address assigned to the LAN interface that is statically NATed to an address on our private range. To see the NAS from the internet I will configure it the same (static NAT public.IP private.IP). Is that going to cause any problems? I once read somewhere that it can and you use port forwarding. Is that the answer? If so, what do I forward to what? All L2TP and IP 50 packets to the server's IP, rather than set up NAT?
>
> Please help, TIA,
>
> Jarryd
Steven L Umbach
You do not need to enable outgoing connections. The VPN server will listen for VPN clients that want to connect and then evaluate the connection based on Remote Access Policy conditions/profile.

--- Steve
Jefferey Simons
Hi Steve,

Thanks for your advice. So what you are saying is that I have assumed correctly, and to get this working all I should need to do is enable inbound traffic to my RRAS server's interface on UDP 500 and 4500 and IP protocol 51? After that I should be laughing?

Cheers,

Jarryd
Steven L Umbach
The article you referenced has all the info. You may also need to allow access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is for ESP.

--- Steve
Jarryd
Hi Steve,

I have re-read the article. It says, "There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload." So why do I have to also allow port 1701?

That was actually a coincidental typo; protocol 51 should be 50, but well done for noticing it.

Please let me know about 1701 because I am getting stopped at every turn here. I have permitted any UDP 4500, UDP 500 and IP 50 to the server's address but I get Error 789: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer". I don't see anything in Event Viewer but I probably have to set something in the audit policy. Will post any updates from my side, but if you know the answer to this one please please please let me know. Driving me nuts!!

TIA,

Jarryd
Steven L Umbach
I am a bit confused about that as I don't understand why there would be a difference where the VPN server is; after all, the firewall simply should allow the authorized traffic to pass. I have seen other documentation from MS that says that 1701 UDP needs to be allowed. I would open that port at least until you have your problem resolved, and also examine the firewall logs for dropped packets for the IP address of the VPN client, which often is the best bet for troubleshooting such problems. Since you are using NAT make sure the VPN client has the NAT-T update installed on it, and if you are using XP SP2 see the KB link below on how it uses the NAT-T client. L2TP also uses computer certificates on the VPN server and client. If you are using an XP Pro client you might want to try to use a pre-shared key instead as a test to rule out problems with certificates/PKI. Also try to connect via L2TP to your VPN server from the LAN using the VPN server's LAN IP address to make sure it is correctly configured.

--- Steve

http://support.microsoft.com/kb/885348 --- KB on NAT-T and XP SP2
http://www.windowsitpro.com/Articles...layTab=Article --- also refers to the need to allow 1701 UDP
Jarryd
Hi Steve,

I have been having this discussion with someone else as well. This is an excerpt of my most recent posting:

"I am having trouble with this and it very well may be what you are saying. It just contradicts what I have read about stateful inspection. But I have added the IPsec Monitor snap-in to an MMC and checked it out, with a connection made internally. Definitely seems to do what you say, i.e. client listens on 1701 every time so it must be fixed. Even more weird, it says that the destination port is ANY. How on earth is that supposed to work? Is that because it is tunneling through the IPsec ESP payload (re: article) and therefore is not blocked? Then the VPN adaptor has to get a new IP address. Is this where things are not falling in line with my understanding of how it should work, because I can see the IP and ports reversed at this point: starts source clientLAN-IP 1701 destination serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP ANY?

I really thought this wouldn't be causing a problem but it really does seem to be. If I was in control of my firewall then I would just play around with it but I have to get the ISP to do it and it is a real pain. Please forgive me if I am coming across as though I think I know it all, it is not my intention. I am getting the following error:

Error 789: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".

The way it is set up at the moment is as follows:

Client > Internet > Firewall > Router/NAT > RRAS

The server has a static NAT from public to private address so that it can be accessed from the internet. The firewall rules are applied to the LAN interface of the router. It works fine when I use the private IP address to connect internally. If I use the public IP address it fails in exactly the same way as if I were coming in over the internet. So could it be the firewall, or is it a NAT problem? I have SP2 installed on the client so perhaps that could be the problem: http://support.microsoft.com/default...en-us%3B818043. But I have added that to the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\AssumeUDPEncapsulationContextOnSendRule (1)) and it still doesn't work. So now what could be going on? It is really doing my head in.

Please let me know what you think. I am trying to get the ISP to change the router in accordance with your suggestion, but it is like trying to squeeze blood out of a stone to get them to do anything."

I know it is a bit long-winded. But now you are up to speed with everything I have done to date. I haven't tried the pre-shared key. I'll give it a go, but the thing works using the certificate I created with my CA when I use the private IP address of the server, so doesn't that already prove that PKI is not a problem?

Please let me know what you think.

Thanks a mil for your help.

Jarryd
Steven L Umbach
Well that is a huge disadvantage if you cannot access the firewall to make changes or see the firewall logs for dropped traffic or other error messages. Since you can connect to the internal IP it sounds like your VPN is set up correctly and it most likely is an issue with the firewall/router. I would try a pre-shared key since it is easy enough to see what happens. The other thing I would try is to see if it works with PPTP. PPTP is not subject to the same problems with NAT that L2TP is. Another thing to try is if you can connect your VPN server directly to the internet via an unfiltered public TCP/IP address. You could try to use the built-in ICF firewall for Windows 2003 to protect the computer and create the exceptions for inbound L2TP. You can also turn on logging for the ICF Windows 2003 firewall so that you would be able to see what traffic is being blocked, if any. A third-party personal firewall such as Sygate would also be worth consideration. You can try it free for thirty days and it has very advanced logging features. I would certainly push your ISP to allow 1701 UDP to your network to see what happens. Also check to see if the packet filters are correct on your interface for the VPN server if it is configured as shown in the link below. You also may want to post in the win2000.ras_routing newsgroup to see if they have any words of wisdom there.

--- Steve

http://www.microsoft.com/windows2000...putfilters.htm
The VPN server will >>>>>> listed for VPN clients that want to connect and then evaluate the >>>>>> connection based on Remote Access Policy conditions/profile. --- >>>>>> Steve >>>>>> >>>>>> "Jarryd" <(E-Mail Removed)> wrote in message >>>>>> news:%23q%(E-Mail Removed)... >>>>>>> Hello, >>>>>>> >>>>>>> I have found the following article which answers all my questions in >>>>>>> the last post. What I am not sure of now is if I need to enable >>>>>>> outoing connections. Please see: >>>>>>> http://www.microsoft.com/resources/d..._VPN_und13.asp >>>>>>> >>>>>>> As far as I know the firewall will block syn packets, so I am >>>>>>> assuming that if I only to use my RRAS server to handle incoming >>>>>>> connections then I should be OK just permitting inward traffic. The >>>>>>> sessions are initiated by the clients and the server server piggy >>>>>>> backs out. I don't necessarily want the server to initiate remote >>>>>>> sessions, i.e. with other VPN servers. Is my thinking correct? >>>>>>> >>>>>>> Please help, TIA, >>>>>>> >>>>>>> Jarryd >>>>>>> "Jarryd" <(E-Mail Removed)> wrote in message >>>>>>> news:(E-Mail Removed)... >>>>>>>> Hi, >>>>>>>> >>>>>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to >>>>>>>> allow L2TP connections using MS-CHAP v2. I have configured this >>>>>>>> already on the server. Certificates are sorted as well. The only >>>>>>>> thing is the ports that need to be opened on the firewall and NAT >>>>>>>> on the router. >>>>>>>> >>>>>>>> As for the ports, do I only need to open up access to the server >>>>>>>> for MS-CHAPv2 and IP/Sec? And what are the port numbers for that? >>>>>>>> I think I have to have IP protocols 50 and UDP port 1701 allowed on >>>>>>>> the router. But what about a port for MS-CHAPv2? Or is that >>>>>>>> tunnelled through 1701? And does that then handle everything? If >>>>>>>> so then I shouldn't have to enable 88 for Kerberos or 443 for SSL >>>>>>>> because it is all tunnelled through? 
>>>>>>>> >>>>>>>> With regards to the router and NAT. I have a public address >>>>>>>> assigned to the LAN interface that is statically NATed to an >>>>>>>> address on our private range. To see the NAS from the internet I >>>>>>>> will configure it the same (static NAT public.IP private.IP). Is >>>>>>>> that going to cause any problems. I once read somewhere that it can >>>>>>>> and you use port forwarding. Is that the answer? If so, what do I >>>>>>>> forward to what? All L2TP and IP 50 packets to the server's IP, >>>>>>>> rather than set up NAT? >>>>>>>> >>>>>>>> Please help, TIA, >>>>>>>> >>>>>>>> Jarryd >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> > > |
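As an added example that is not part of the thread, here is the kind of log check Steve recommends (dropped packets for the VPN client's address, sorted by which L2TP/IPsec leg they belong to) run over constructed sample lines; the Windows 2003 firewall log field layout, the client/server addresses and the advice strings are assumptions, not anything from the posts.

```python
"""Triage dropped-packet firewall log lines against the L2TP/IPsec legs named in the thread.
Added example, not from the thread. Assumes W3C-style log fields
date time action protocol src-ip dst-ip src-port dst-port ... (the Windows 2003
firewall log layout); another firewall's export needs its own parse_line().
"""
from collections import Counter

# Port/protocol -> the L2TP/IPsec leg it carries, as listed in the thread.
UDP_LEGS = {500: "IKE (UDP 500)", 4500: "NAT-T (UDP 4500)", 1701: "L2TP (UDP 1701)"}
ESP_LEG = "ESP (IP protocol 50)"

# Next check for a drop on each leg, following the thread's troubleshooting advice.
ADVICE = {
    "IKE (UDP 500)": "IKE never reaches RRAS: allow inbound UDP 500 to the server address.",
    "NAT-T (UDP 4500)": "NAT-T blocked: allow inbound UDP 4500 (used when the client sits behind NAT).",
    "ESP (IP protocol 50)": "ESP blocked: allow IP protocol 50 (not 51) to the server address.",
    "L2TP (UDP 1701)": "UDP 1701 dropped: open it at least until resolved (L2TP normally rides inside ESP/NAT-T).",
}
NO_DROPS = ("No drops for this client: the filter is not what fails. Check the NAT-T update / "
            "AssumeUDPEncapsulationContextOnSendRule on the client and the RRAS interface packet filters.")

def parse_line(line):
    """Return (action, proto, src, dst, dport) for a data line, None for comments/blanks."""
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 8:
        return None
    dport = int(f[7]) if f[7].isdigit() else None  # '-' for protocols without ports (ESP)
    return f[2].upper(), f[3].upper(), f[4], f[5], dport

def leg_for(proto, dport):
    """Map protocol/destination port to a VPN leg, or None if unrelated to the tunnel."""
    if proto == "UDP":
        return UDP_LEGS.get(dport)
    return ESP_LEG if proto in ("50", "ESP") else None

def blocked_legs(log_text, client_ip, server_ip):
    """Count DROP entries from client_ip to server_ip per VPN leg (empty dict: none)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src, dst, dport = rec
        if action == "DROP" and src == client_ip and dst == server_ip:
            leg = leg_for(proto, dport)
            if leg:
                counts[leg] += 1
    return dict(counts)

def diagnose(counts):
    """Turn per-leg drop counts into the next checks, in the thread's own terms."""
    return [ADVICE[leg] for leg in counts] if counts else [NO_DROPS]

# Constructed sample log: client 203.0.113.10 reaching the RRAS public address 192.0.2.5.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2005-09-20 10:01:02 OPEN UDP 203.0.113.10 192.0.2.5 500 500 120 -
2005-09-20 10:01:03 OPEN UDP 203.0.113.10 192.0.2.5 4500 4500 160 -
2005-09-20 10:01:04 DROP UDP 203.0.113.10 192.0.2.5 1701 1701 92 -
2005-09-20 10:01:04 DROP UDP 203.0.113.10 192.0.2.5 1701 1701 92 -
2005-09-20 10:01:05 DROP 50 203.0.113.10 192.0.2.5 - - 140 -
2005-09-20 10:01:06 DROP TCP 198.51.100.7 192.0.2.5 4411 445 48 S
"""
```

Running `diagnose(blocked_legs(SAMPLE_LOG, "203.0.113.10", "192.0.2.5"))` on the sample reports the 1701 and ESP drops and ignores the unrelated TCP 445 drop from another host.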
Steven L Umbach
Guest
Posts: n/a
Oops. I forgot you can not enable the Windows 2003 ICF firewall on a RRAS server. A third party product should work however. --- Steve

"Steven L Umbach" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Well that is a huge disadvantage if you can not access the firewall to make changes or see the firewall logs for dropped traffic or other error messages. Since you can connect to the internal IP it sounds like your VPN is set correctly and it most likely is an issue with the firewall/router. I would try preshared key since it is easy enough to see what happens. The other thing I would try is to see if it works with PPTP. PPTP is not subject to the same problems with NAT that L2TP is. Another thing to try is if you can connect your VPN server directly to the internet via an unfiltered public TCP/IP address. You could try to use the built in ICF firewall for Windows 2003 to protect the computer and create the exceptions for inbound L2TP. You can also turn on logging for the ICF Windows 2003 firewall so that you would be able to see what traffic is being blocked, if any. A third party personal firewall such as Sygate would also be worth consideration. You can try it free for thirty days and it has very advanced logging features. I would certainly push your ISP to allow 1701 UDP to your network to see what happens. Also check to see if the packet filters are correct on your interface for the VPN server if it is configured as shown in the link below. You also may want to post in the win2000.ras_routing newsgroup to see if they have any words of wisdom there. --- Steve
>
> http://www.microsoft.com/windows2000...putfilters.htm