Problems With VPN Server

When connecting to a Windows 2003 Server, receive an
Error 789 on the server when connecting, and an error 792
from Windows XP Pro client. All certificates are valid.
Server was updated from Windows 2000 where VPN Server was
working.

Disabled and re-enabled the VPN and no luck, still unable
to connect via L2TP. Able to connect via PPTP.

Any Ideas on where I should Look?

Don Jones

Are 500/udp and 4500/udp forwarded to the VPN server?

I would say they are since they the VPN server is behind
the firewall, but is there something within 2003 to allow
forwarding of ports?

Don Jones
>-----Original Message-----
>Are 500/udp and 4500/udp forwarded to the VPN server?
>
>
>.
>

The firewall is probably the cause. I don't think L2TP will work with
normal NAT, I think it requires NAT-T and the Firewall may not be capable of
that.

If the VPN box was also the Firewall at the same time then it probably would
work because the VPN wouldn't have to pass thorough the NAT processing.
With this idea in mind, many Firewall products now have VPN ability built in
so they can be VPN Server in addition to being Firewalls.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Don Jones" <(E-Mail Removed)> wrote in message
news:2280d01c45d3e$ab0fa020$(E-Mail Removed)...
> I would say they are since they the VPN server is behind
> the firewall, but is there something within 2003 to allow
> forwarding of ports?
>
> Don Jones
> >-----Original Message-----
> >Are 500/udp and 4500/udp forwarded to the VPN server?
> >
> >
> >.
> >

In news:uZU$(E-Mail Removed),
Phillip Windell in <@.> posted their thoughts, then I offered mine
> The firewall is probably the cause. I don't think L2TP will work with
> normal NAT, I think it requires NAT-T and the Firewall may not be
> capable of that.
>
> If the VPN box was also the Firewall at the same time then it
> probably would work because the VPN wouldn't have to pass thorough
> the NAT processing. With this idea in mind, many Firewall products
> now have VPN ability built in so they can be VPN Server in addition
> to being Firewalls.
>
>

Hi Phillip,

I believe that L2TP IPSec pass thru for NAT is now supported.
Maybe Don needs to open up a few more ports to allow this. These are the 4
that are required for L2TP using IPSec:

UDP 500 (for the SA)
TCP 1701 (for L2TP)
Protocol ID 50 (for AH)
Protocol ID 51 (for ESP)

Here's more info...

Virtual Private Networks - MS Support for IPSec thru NAT:
http://www.microsoft.com/windows2000...pn/default.asp

Microsoft L2TP-IPSec VPN Client - MS Support for IPSec thru NAT:
http://www.microsoft.com/windows2000...l2tpclient.asp

Cheers!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

> "Ace Fekay [MVP]" > I believe that L2TP IPSec pass thru for NAT is now
> supported.
> Maybe Don needs to open up a few more ports to allow this. These are the 4
> that are required for L2TP using IPSec:

I didn't see where to look in the first link, but the second one indicated
that it required NAT Traversal which is what I meant by NAT-T. But I could
be missing something,...it's irritating when they keep changing what is true
and what isn't.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

In news:(E-Mail Removed),
Phillip Windell in <@.> posted their thoughts, then I offered mine
>> "Ace Fekay [MVP]" > I believe that L2TP IPSec pass thru for NAT is
>> now supported.
>> Maybe Don needs to open up a few more ports to allow this. These are
>> the 4 that are required for L2TP using IPSec:
>
> I didn't see where to look in the first link, but the second one
> indicated that it required NAT Traversal which is what I meant by
> NAT-T. But I could be missing something,...it's irritating when they
> keep changing what is true and what isn't.

I know what you mean. I guess just testing it to see if it works is the best
bet!
:-)



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all can
benefit.
This posting is provided "AS-IS" with no warranties and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a pig.
--
=================================

Don't forget UDP 4500 for NAT-T...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-(E-Mail Removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone


On Mon, 28 Jun 2004 23:50:22 -0400, "Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@ho tmail.com> wrote:

>In news:uZU$(E-Mail Removed),
>Phillip Windell in <@.> posted their thoughts, then I offered mine
>> The firewall is probably the cause. I don't think L2TP will work with
>> normal NAT, I think it requires NAT-T and the Firewall may not be
>> capable of that.
>>
>> If the VPN box was also the Firewall at the same time then it
>> probably would work because the VPN wouldn't have to pass thorough
>> the NAT processing. With this idea in mind, many Firewall products
>> now have VPN ability built in so they can be VPN Server in addition
>> to being Firewalls.
>>
>>
>
>Hi Phillip,
>
>I believe that L2TP IPSec pass thru for NAT is now supported.
>Maybe Don needs to open up a few more ports to allow this. These are the 4
>that are required for L2TP using IPSec:
>
>UDP 500 (for the SA)
>TCP 1701 (for L2TP)
>Protocol ID 50 (for AH)
>Protocol ID 51 (for ESP)
>
>Here's more info...
>
>Virtual Private Networks - MS Support for IPSec thru NAT:
>http://www.microsoft.com/windows2000...pn/default.asp
>
>Microsoft L2TP-IPSec VPN Client - MS Support for IPSec thru NAT:
>http://www.microsoft.com/windows2000...l2tpclient.asp
>
>Cheers!

In news:(E-Mail Removed),
Jeffrey Randow (MVP) in <jeffreyr-(E-Mail Removed)>
posted their thoughts, then I offered mine
> Don't forget UDP 4500 for NAT-T...
>
> Jeffrey Randow (Windows Networking & Smart Display MVP)
> jeffreyr-(E-Mail Removed)
>

But of course! Forgot all about that one.
:-)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit. This posting is provided "AS-IS" with no warranties and
confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

Thanks for the reply the information is helpful, but
unfortunately, this doesn't resolve my problem.

Let me see if I can clarify My problem. Connections to
the VPN server, do not go through any firewalls (HW or
SW).

Connections are being made from wireless laptops
configured with a 10.1.1.x network address. Once
connected to the VPN Server, the laptops are connected
using a 192.168.x.x address that allows them to access
the local network resources as well as access the
internet.

All of this was working with Windows 2000 Server, but
after the upgrade to Windows Server 2003, it stopped
working.

Sorry for any confusion.

Don Jones
>-----Original Message-----
>Are 500/udp and 4500/udp forwarded to the VPN server?
>
>
>.
>