Hi Michael,
I hope I am not coming across badly, I just don't want to open things up if
I don't have to. I am having trouble with this and it very well may be what
you are saying. It just contradicts what I have read about stateful
inspection. But i have added the IpSec monitor snap-in to an MMC and
checked it out, with a connection made internally. Definately seems to do
what you say, i.e. client listens on 1701 every time so it must be fixed.
Even more weird it says that the destination port is ANY. How on earth is
that supposed to work? Is that because it is tunneling through IPsec ESP
payload (re: article) and therefore is not blocked? Then the VPN adaptor
has to get a new IP address. Is this where things are not falling in-line
with my understanding of how it should work, because I can see the IP and
ports reversed at this point: starts source clientLAN-IP 1701 destination
serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP ANY?
I really thought this wouldn't be causing a problem but it really does seem
to be. If I was in control of my firewall then I would just play around
with it but I have to get the ISP to do it and it is a real pain. Please
forgive me if I am coming across as though I think I know it all, it is not
my intention. I am getting the following error:
Error: 789 "The L2TP connection attempt failed because the security layer
encountered a processing error during initial negotiations with the remote
computer".
The way it set up at the moment is as follows:
Client > Internet > Firewall > Router/NAT > RRAS
The server has a static NAT from public to private address so that it can be
accessed from the internet. The firewall rules are applied to the LAN
interface of the router. It works fine when I use the private IP address to
connect internally. If I use the public IP address it fails in exactly the
same way as if I were coming in over the internet. So could it be the
firewall, or is it a NAT problem. I have SP2 installed on the client so
perhaps that could be the problem:
http://support.microsoft.com/default...en-us%3B818043. But I
have added that to the registry
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servi ces\IPSec\AssumeUDPEncapsulationContextOnSendRule
(1)) and it still deosn't work. So now what could be going on. It is
really doing my head in.
Please let me know what you think. I am trying to get the ISP to change the
router in accordance with your sugestion, but it is like trying to squeeze
blood out of a stone to get them to do anything.
Reagards,
Jarryd
"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Perhaps I am not understanding your question Jarryd but if you
> want to setup a successful VPN where your clients are dialing
> into to the server and accessing your LAN the server will have
> to be listening on the require VPN ports for outbound connections.
> You don't have to take my word for it go ahead and setup your
> VPN and let us know how you make out.
>
>
> "Jarryd" <(E-Mail Removed)> wrote in message news:
>> So what you are saying is that XP is listening on those same ports as
> well,
>> as if it were an RRAS server. What for?
>> When they set up the session the client will tell the server what
> ports it
>> will listen on an the server will send to those. But
>> the server doesn't initiate anything. So the type of packet is
> different so
>> the firewall doesn't block it:
>>
>> "My initial understanding of stateful inspection (at least on Check
> Point
>> FireWall-1) worked as follows. Whenever a firewall receives a SYN
> packet
>> initiating a TCP connection, that SYN packet is reviewed against the
>> Firewall rulebase. Just like a router, this SYN packet is compared to
> the
>> rules in sequential order (starting with rule 0). If the packet goes
> through
>> every rule without being accepted, the packet is denied. The
> connection is
>> then dropped or rejected (RST is sent back to the remote host).
> However, if
>> the packet is accepted, the session is then entered into the
> firewall's
>> stateful connection table, which is located in kernel memory. Every
> packet
>> that follows (that does not have a SYN) is then compared to the
> stateful
>> inspection table. If the session is in the table, and the packet is
> part of
>> that session, then the packet is accepted. If the packet is not part
> of the
>> session, then it is dropped. This improves system performance, as
> every
>> single packet is not compared against the rule base, only SYN packets
>> initiating a connection are compared to the rule base. All other TCP
> packets
>> are compared to the state table in kernel memory (very fast). "
>>
>> So I really don't see why there has to be any firewall config for
> outbound
>> traffic because all the packets would be associated with a legitimate
>> session in the table that was initiated by the client (inbound). Are
> you
>> sure that I am really way off?
>>
>
>
Similar Threads
Linear Mode
