IPsec problem 4 days no luck - Network


Thread: IPsec problem 4 days no luck

  1. IPsec problem 4 days no luck

    Guys I have a problem, spent 4 days, no luck.
    I have one box Win2003 en ed service pack 1 and WinXP service pack 2.
    I created a policy on Win2003 as inbound on port 80 and on Windows XP as
    outbound and inbound.
    All works good while I am inside the local network but once I am at an internet
    cafe or somewhere else I have a problem. Now event viewer says policy is not
    configured.
    But packet capture shows that I do try to negotiate security IKE exchanges
    but no luck. But once I turn on VPN everything works.
    Any ideas? Win2003 is on internet directly and Windows XP is behind NAT like
    Linksys or Netgear.
    Thanks for help

  2. Re: IPsec problem 4 days no luck

    You should not be using ipsec to directly access your server over the
    internet [if that is what you are doing?] but use your VPN connection
    instead. If that is configured for l2tp then it will use l2tp/ipsec to
    secure the connection. --- Steve


    "Dimchik" wrote in message
    news:1197B521-FCDB-48FB-8876-53CF6D8A3F5E@microsoft.com...
    > Guys I have a problem, spent 4 days, no luck.
    > I have one box Win2003 en ed service pack 1 and WinXP service pack 2.
    > I created a policy on Win2003 as inbound on port 80 and on Windows XP as
    > outbound and inbound.
    > All works good while I am inside the local network but once I am at an
    > internet cafe or somewhere else I have a problem. Now event viewer says
    > policy is not configured.
    > But packet capture shows that I do try to negotiate security IKE exchanges
    > but no luck. But once I turn on VPN everything works.
    > Any ideas? Win2003 is on internet directly and Windows XP is behind NAT
    > like Linksys or Netgear.
    > Thanks for help




  3. Re: IPsec problem 4 days no luck

    Yes, that's what I do exactly. I want to establish direct access to server
    encrypted by filtering ports. If I am doing it wrong could you tell me why
    shouldn't I do it or why it might not work?

    "Steven L Umbach" wrote:

    > You should not be using ipsec to directly access your server over the
    > internet [if that is what you are doing?] but use your VPN connection
    > instead. If that is configured for l2tp then it will use l2tp/ipsec to
    > secure the connection. --- Steve


  4. Re: IPsec problem 4 days no luck

    Thanks by the way

    "Steven L Umbach" wrote:

    > You should not be using ipsec to directly access your server over the
    > internet [if that is what you are doing?] but use your VPN connection
    > instead. If that is configured for l2tp then it will use l2tp/ipsec to
    > secure the connection. --- Steve


  5. Re: IPsec problem 4 days no luck

    I suppose it is possible to use ipsec directly though l2tp is much more
    secure. Anyhow see the link below on XP SP2 and NAT-T to see how it works in
    SP2. Also the NAT or firewall that your XP computer is behind must have
    ipsec passthrough enabled, and you would also want to try an ipsec policy in
    tunnel mode as described in the second link below though you need to know
    the public IP address of the firewall/NAT device that you are behind. You
    can use preshared key computer authentication for a l2tp/ipsec VPN
    connection between a Windows XP computer and a Windows 2003 VPN server if
    certificate authentication is not possible though it is fairly easy to make
    a Windows 2003 server a Certificate Authority to issue the needed
    certificates. --- Steve

    http://support.microsoft.com/default...b;en-us;885407
    http://support.microsoft.com/default...b;en-us;816514
    http://www.microsoft.com/technet/sec.../ipsecch7.mspx
    --- the best resource on troubleshooting Windows ipsec I know of
    http://www.microsoft.com/technet/sec.../ipsecapa.mspx
    -- ipsec policy concepts

    "Dimchik" wrote in message
    news:456883AE-6829-465A-9A94-FCECCBD98979@microsoft.com...
    > Yes, that's what I do exactly. I want to establish direct access to server
    > encrypted by filtering ports. If I am doing it wrong could you tell me why
    > shouldn't I do it or why it might not work?
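    Added example, not part of the original thread: a small Python classifier for the UDP payloads seen in a packet capture like the one described in the first post, showing whether IKE ever moved from UDP 500 to the NAT-T port UDP 4500 (RFC 3947/3948). The helper `isakmp()`, the sample captures and all function names are constructed for illustration.

```python
import struct
# ISAKMP (IKEv1) exchange types from RFC 2408.
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes precede IKE on UDP 4500
HDR = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, message id, length

def parse_isakmp(data):
    """Return the exchange-type name, or None if this is not a plausible IKEv1 header."""
    if len(data) < 28:
        return None
    fields = struct.unpack(HDR, data[:28])
    version, xchg, length = fields[3], fields[4], fields[7]
    if version != 0x10 or length < 28:
        return None
    return EXCHANGE.get(xchg, "exchange type %d" % xchg)

def classify(port, payload):
    """Label one UDP payload seen on the IKE port (500) or the NAT-T port (4500)."""
    if port == 500:
        name = parse_isakmp(payload)
        return "IKE " + name if name else "unknown"
    if port == 4500:
        if payload == b"\xff":
            return "NAT-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            name = parse_isakmp(payload[4:])
            return "NAT-T IKE " + name if name else "unknown"
        if len(payload) > 8:  # non-zero SPI first: ESP carried inside UDP
            return "UDP-encapsulated ESP"
    return "unknown"

def diagnose(packets):
    """Summarise a list of (udp_port, payload) pairs from a capture."""
    labels = [classify(port, payload) for port, payload in packets]
    if "UDP-encapsulated ESP" in labels:
        return "NAT-T negotiated; ESP is flowing inside UDP 4500"
    if any(l.startswith("NAT-T IKE") for l in labels):
        return "IKE floated to UDP 4500 but no ESP followed; check quick mode and filters"
    if any(l.startswith("IKE") for l in labels):
        return "IKE never left UDP 500: no NAT-T float, so any ESP would be raw IP protocol 50"
    return "no IKE traffic seen"

def isakmp(xchg, body_len=0):
    """Build a constructed IKEv1 header with dummy cookies for the sample captures."""
    return struct.pack(HDR, b"A" * 8, b"\x00" * 8, 1, 0x10, xchg, 0, 0, 28 + body_len) + b"\x00" * body_len
# Constructed captures: main mode retried on 500 only, versus a successful NAT-T session.
SAMPLE_STUCK = [(500, isakmp(2, 56))] * 3
SAMPLE_NATT = [(500, isakmp(2, 56)), (4500, NON_ESP_MARKER + isakmp(32, 60)),
               (4500, b"\x12\x34\x56\x78" + b"\x00" * 40), (4500, b"\xff")]
```

    `diagnose(SAMPLE_STUCK)` reports that IKE never left UDP 500, while `diagnose(SAMPLE_NATT)` reports ESP flowing inside UDP 4500.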




  6. Re: IPsec problem 4 days no luck

    The problem is that I always move between different access points with
    different public addresses so I won't be able to use tunneling mode. L2TP is
    working but I want direct. You think it's not safe? I will read carefully on
    sitting behind NAT.
    Thanks for your help

    "Steven L Umbach" wrote:

    > I suppose it is possible to use ipsec directly though l2tp is much more
    > secure. Anyhow see the link below on XP SP2 and NAT-T to see how it works in
    > SP2. Also the NAT or firewall that your XP computer is behind must have
    > ipsec passthrough enabled, and you would also want to try an ipsec policy in
    > tunnel mode as described in the second link below though you need to know
    > the public IP address of the firewall/NAT device that you are behind. You
    > can use preshared key computer authentication for a l2tp/ipsec VPN
    > connection between a Windows XP computer and a Windows 2003 VPN server if
    > certificate authentication is not possible though it is fairly easy to make
    > a Windows 2003 server a Certificate Authority to issue the needed
    > certificates. --- Steve
    >
    > http://support.microsoft.com/default...b;en-us;885407
    > http://support.microsoft.com/default...b;en-us;816514
    > http://www.microsoft.com/technet/sec.../ipsecch7.mspx
    > --- the best resource on troubleshooting Windows ipsec I know of
    > http://www.microsoft.com/technet/sec.../ipsecapa.mspx
    > -- ipsec policy concepts


  7. Re: IPsec problem 4 days no luck

    If you can not use tunneling mode then I believe you are out of luck and
    will need to use l2tp. I like l2tp better because you have both user and
    computer authentication. If you have a website on your server [ since you
    mentioned port 80 TCP] that you want to connect to then you can use SSL
    [port 443 TCP] which also is secure even if you are using basic
    authentication since that would be encrypted in the SSL tunnel. --- Steve


    "Dimchik" wrote in message
    news:7736D705-EBFC-415D-A056-D55113A2FED6@microsoft.com...
    > The problem is that I always move between different access points with
    > different public addresses so I won't be able to use tunneling mode. L2TP
    > is working but I want direct. You think it's not safe? I will read
    > carefully on sitting behind NAT.
    > Thanks for your help



