L2TP/IPsec, Win98SE, NAT-T, Win2k3 failure after a firewall, please help

 
 
ocheung
      05-25-2004, 09:00 PM
I set up
1) a Windows 2003 Server as a DC and DNS.
2) a Windows 2003 Server as a VPN server (member server).
The VPN server is also the certificate server included with Win2k3.
3) an XP client with patch (818043) from Microsoft.
4) a Windows 98 client with "Windows 98 SE DUN v1.4", "ie6"
and "Windows 98 L2TP/IPSec client v1.0"

Everything works fine, WinXP and Win98SE machines can connect without
any problems.

But then I put a Check Point 4.1 firewall in between the VPN server and
the clients.
(For the firewall rules, any<=>any,any,accept.
Same for the interfaces' rule.)

Result: XP works on both L2TP and PPTP,
Win98SE fails on L2TP (error 629) but works on PPTP.

Can someone help? I need the Win98SE to connect via L2TP!

Here is the isakmp.log from the Win98SE computer:
5-25: 15:27:41.430
5-25: 15:27:41.430 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address 68.166.96.198.
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2 with Client IDs (message id: E0AAF7F1)
5-25: 15:27:42.590 Initiator = IP ADDR=68.166.96.214, prot = 17 port = 1701
5-25: 15:27:42.590 Responder = IP ADDR=68.166.96.198, prot = 17 port = 1701
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Local ID Received from NAT Peer: IP ADDR=68.166.96.214 (prot = 17, port = 1701)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID Received from NAT Peer: DOMAIN=vpn.domain.www.test.com (prot = 17, port = 1701)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Indeterminate remote internal address.
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Error validating Proxy IDs.
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: E0AAF7F1)
5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: E0AAF7F1)
5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: E0AAF7F1)
5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: 30AB1649)
5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: E0AAF7F1)
5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK QM *(HASH, )
5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - Received malformed message or negotiation no longer active (message id: E0AAF7F1)
 
Jeffrey Randow (MVP)
      05-28-2004, 05:09 AM
I don't believe that Windows 98 supports a NAT-Traversal
environment... This is why the 98 machine fails after you insert a
NAT gateway device...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-(E-Mail Removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone


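As an added example (not part of the original thread), a small Python triage script for logs in the isakmp.log format posted above: it rejoins the wrapped lines, flags a Quick Mode reply carrying a NAT-OA payload together with a Proxy ID validation error, and counts rejected retransmissions per message id. The sample log is constructed from entries in the thread; the function and field names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: entries in the format of the isakmp.log in the thread,
# kept with the hard line wraps the newsreader introduced.
SAMPLE_LOG = r"""
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>>
ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Error validating
Proxy IDs.
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
"""

TS = re.compile(r"^\d{1,2}-\d{1,2}: \d{2}:\d{2}:\d{2}\.\d{3}")
MSG = re.compile(r"(SENDING|RECEIVED)\W+ISAKMP OAK (\w+) \*?\(([^)]*)\)")
DEAD = re.compile(r"negotiation no longer active \(message id:\s*([0-9A-F]+)\)")

def entries(text):
    """Rejoin wrapped lines: a new entry starts only at a timestamp."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def triage(text):
    """Summarise the Quick Mode (QM) failure indicators found in the log."""
    rep = {"nat_oa_from_peer": False, "proxy_id_error": False, "rejected": Counter()}
    for e in entries(text):
        m = MSG.search(e)
        if m and m.group(1) == "RECEIVED" and m.group(2) == "QM":
            payloads = [p.strip() for p in m.group(3).split(",") if p.strip()]
            rep["nat_oa_from_peer"] |= "NAT-OA" in payloads  # peer negotiated NAT-T
        rep["proxy_id_error"] |= "Error validating Proxy IDs" in e
        d = DEAD.search(e)
        if d:
            rep["rejected"][d.group(1)] += 1  # retransmit dropped by the client
    rep["nat_t_quick_mode_failure"] = rep["nat_oa_from_peer"] and rep["proxy_id_error"]
    return rep

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
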
 