In news:(E-Mail Removed),
Jeff Vandervoort <jeffv @ jrvsystems dot com> stated, which I commented on
below:
> VPN newbie trying to set up a site-to-site L2TP/IPSec VPN as follows:
>
>
>
> Main Office Internal (192.168.0.x)--WS2003 RRAS+ISA2004 VPN
> (172.16.100.220)--ISA external (192.168.1.101)--DMZ of Linksys
> RV082--Internet--WS2003 External NIC w/RRAS basic firewall--WS2003
> RRAS VPN (172.16.100.221)--Remote Office Internal (10.2.0.x)
>
>
>
> The main office ISA/WS2003 computer also hosts L2TP VPN Client
> connections; they are working.
>
>
>
> NAT-T registry setting for both sides behind NAT is set on both
> computers. Currently, remote WS2003 is just using the RRAS firewall
> but will ultimately be in the DMZ of another RV082 with the RRAS
> firewall enabled. IKE, NAT-T and L2TP are forwarded from the external
> interface to the VPN interface.
>
>
> When Main Office ISA tries to connect, I get this message: "An error
> occurred during connection of the interface. The L2TP connection
> attempt failed because security negotiation timed out." Both sides
> have identical security settings. Verified that the cert, which is
> valid, is installed in local store on both computers and CA is
> trusted.
>
>
> When Remote Office WS2003 tries to connect, I get this message: "An
> error occurred during connection of the interface. A connection to
> the remote computer could not be established. You might need to
> change the network settings for this connection. For further
> assistance, click More Info or search Help and Support Center for
> this error number." There is no More Info button or error number.
> I've made lots of changes to the network settings, but nothing so far
> has worked!
>
>
> On remote office RRAS, there are currently no packet filters set.
>
>
>
> Each side can ping the other's external IP.
>
>
>
> In ISA monitoring, I can see the IKE, L2TP and IPSec NAT-T packets
> arriving at the main office from the remote site ("Initiated
> connection"). In Network Monitor at the remote site, monitoring the
> external NIC, I see packets arriving at the external NIC when I try
> to connect from the main office. I have to confess I'm not sure what
> I'm looking at for VPN connections in Network Monitor, but at least
> packets are arriving.
>
>
> If I deliberately make the calling RRAS's credentials invalid, I get a
> message to that effect when I try to connect, and it's recorded in the
> answering computer's event log, so I can see evidence that it's
> trying to connect.
>
>
>
> IOW, authentication packets are flowing... but the connection is not
> being made.
>
>
>
> So... where do I start troubleshooting?

Since this is all based on ISA, I would suggest posting to the
microsoft.public.isa and the microsoft.public.isa.vpn newsgroups for
*specific* help with ISA. I think you will be happy that you did. Of course,
if you are using a different vendor for VPN (PIX, Netscreen, etc.), I would
suggest posting to the vendor's forums for specifics.

If you notice with my post in the newsgroups I posted this to, I
cross-posted it to the groups I mentioned (which simultaneously posts them
to all). You can now find my response with your original post below, in all
of those groups. One other nice thing about cross-posting is that if anyone from
the other groups responds to it, all groups get updated with the response.

I hope that helps.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."
The only constant in life is change...