VPN client behind Windows 2003 NAT problem

 
 
ChuckM
      10-28-2005, 01:11 PM
Hi all,
I have a third party VPN client on an XP workstation on a private LAN. The
Win 2003 server is the router/nat. The NAT service must be corrupting or
blocking the IPSEC packets because the handshaking is successful up to the
moment that the VPN is established and then times out waiting on the remote
server. If I connect the workstation directly to the internet, it works.

I've tried a number of different settings in RRAS to make this work.

Any ideas?
Chuck
 
Robert L [MS-MVP]
      10-28-2005, 02:36 PM
If this is IPSec VPN, you may need to open the port UDP 500. These web pages may help:

IPSec The ports need to open for IPSec The IPSec Policy storage container could not be opened Time out when using ping command Troubleshooting IPSec ...
www.chicagotech.net/ipsec.htm

NAT and Firewall In the Select Routing Protocol dialog box, click NAT/Firewall, and then click OK. How to enable NAT name resolution Open Routing and Remote Access>server ...
www.chicagotech.net/nat.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

ChuckM
      10-28-2005, 04:27 PM
Thanks Robert,
I looked through the information at the site you recommended. However, I
didn't find anything that fixes this.

Port 500 is open on the WAN side in the NAT properties panel. I tried both
localhost(default) and the internal client IP addresses with no luck.

Robert L [MS-MVP]
      10-29-2005, 02:09 PM
Then you can use IP Security Monitor to troubleshoot it. More IPSec troubleshooting tools can be found on this web page:

IPSec Audit Policy: To troubleshoot IPSec when it does not behave the way that you expect it to, first check the results of the Phase One and Phase Two exchanges ...
www.chicagotech.net/ipsec.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

ChuckM
      10-31-2005, 03:10 PM
Thanks Robert.
I installed the tools and watched via IPSec Monitor. It really didn't tell
me anything. The client and the remote machine connect and exchange packets,
but as soon as the connection becomes secure, the replies from the remote
server never make it to the client. The tools don't tell why they are being
blocked.

One thing that did occur to me, though, is that the VPN client hides the LAN
from the client, overriding settings with those of the remote network. I
wonder if this is preventing the client from communicating with the 2003
server NAT service.

Like I said earlier, this worked with our Linksys router acting as the NAT
firewall, but not Windows 2003 server acting as the NAT firewall. I think we
will just buy another hardware firewall and blow off the Microsoft solution.

Neteng
      10-31-2005, 03:55 PM
I don't think that MS supports NAT-T, which sounds like the issue.

ChuckM
      10-31-2005, 05:19 PM
That sure seems like the problem, but MS advertises NAT-T as the default for
Windows 2003 server.

Neteng
      10-31-2005, 07:59 PM
There is an update you need to install if you haven't already (on the
client). You'll also see in the article that you'll have to open UDP 4500
for NAT-T.

http://support.microsoft.com/default...22120121120120
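
To test the NAT-T theory raised in this thread against a capture taken on the client, the sketch below (an added example, not posted by anyone in the thread) classifies raw IPv4 packets as IKE on UDP 500, NAT-T traffic on UDP 4500, or native ESP (IP protocol 50), and reports whether encrypted replies are coming back. The function names, verdict strings, addresses and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

ESP, UDP = 50, 17  # IP protocol numbers

def classify(pkt):
    """Return (src, dst, kind) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto == ESP:
        return src, dst, "esp-native"      # no ports for a NAT to track
    if proto != UDP:
        return src, dst, "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if 4500 in (sport, dport):
        if data == b"\xff":
            return src, dst, "nat-keepalive"
        if data[:4] == b"\x00" * 4:        # non-ESP marker, then IKE
            return src, dst, "ike-natt"
        return src, dst, "esp-in-udp"      # NAT-T encapsulated ESP
    if 500 in (sport, dport):
        return src, dst, "ike"
    return src, dst, "other"

def diagnose(packets, client_ip):
    """Summarise a client-side capture into one verdict string."""
    seen = Counter()
    for pkt in packets:
        src, _dst, kind = classify(pkt)
        seen[("out" if src == client_ip else "in", kind)] += 1
    if seen["out", "esp-in-udp"] and seen["in", "esp-in-udp"]:
        return "natt-working"
    if seen["out", "esp-in-udp"]:
        return "udp4500-replies-missing"   # check UDP 4500 on the path
    if (seen["out", "ike"] and seen["in", "ike"]
            and seen["out", "esp-native"] and not seen["in", "esp-native"]):
        return "esp-blocked-no-natt"       # NAT-T was never negotiated
    return "inconclusive"

# --- constructed sample packets (private and documentation addresses) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

C, S = "192.168.0.10", "203.0.113.5"                      # client, VPN server
ESP_BODY = struct.pack("!II", 0x1000, 1) + b"\xaa" * 16   # SPI, sequence, data
IKE_BODY = b"\x11" * 28                                   # stand-in IKE header

BROKEN = [ipv4(C, S, UDP, udp(500, 500, IKE_BODY)),
          ipv4(S, C, UDP, udp(500, 500, IKE_BODY)),
          ipv4(C, S, ESP, ESP_BODY), ipv4(C, S, ESP, ESP_BODY)]
WORKING = [ipv4(C, S, UDP, udp(500, 500, IKE_BODY)),
           ipv4(S, C, UDP, udp(500, 500, IKE_BODY)),
           ipv4(C, S, UDP, udp(4500, 4500, b"\x00" * 4 + IKE_BODY)),
           ipv4(S, C, UDP, udp(4500, 4500, b"\x00" * 4 + IKE_BODY)),
           ipv4(C, S, UDP, udp(4500, 4500, ESP_BODY)),
           ipv4(S, C, UDP, udp(4500, 4500, ESP_BODY)),
           ipv4(C, S, UDP, udp(4500, 4500, b"\xff"))]

if __name__ == "__main__":
    print(diagnose(BROKEN, C), diagnose(WORKING, C))
```

The `esp-blocked-no-natt` verdict corresponds to the symptom described in the thread: the UDP 500 exchange completes in both directions, then protocol 50 packets leave the client and nothing comes back.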