ipsec/l2tp what am i missing? - Network


  1. ipsec/l2tp what am i missing?

    I've configured my vpn for remote access, no firewall/nat on an external
    static ip but nat on the internal interface, and set up all the
    certificates. When I try and connect to the vpn using the internal ip I can
    connect but when I try and connect from outside the network (or just to the
    external ip) I am getting an error 678. It definitely sounds like a network
    issue, though like I said I don't have any firewall set up. I am fairly new
    to Windows Server though so I'm sure I'm just missing something obvious but
    it's something obvious that 2 days of google groups searching hasn't been
    able to find. I don't see anything useful in event viewer but I don't really
    know what other logs I should be checking. Also worth noting is that if I
    switch everything to PPTP it does work on the external interface. Any
    ideas? Thank you.

    Lloyd Christopher
    SLOW30



  2. Re: ipsec/l2tp what am i missing?

    "Lloyd" wrote in message
    news:lLB1g.78$_h5.39@fe05.lga...
    > I've configured my vpn for remote access, no firewall/nat on an external
    > static ip but nat on the internal interface, and set up all the
    > certificates. When I try and connect to the vpn using the internal ip I
    > can connect but when I try and connect from outside the network (or just
    > to the external ip) I am getting an error 678. It definitely sounds like a
    > network issue, though like I said I don't have any firewall set up. I am
    > fairly new to Windows Server though so I'm sure I'm just missing something
    > obvious but it's something obvious that 2 days of google groups searching
    > hasn't been able to find. I don't see anything useful in event viewer but
    > I don't really know what other logs I should be checking. Also worth noting
    > is that if I switch everything to PPTP it does work on the external
    > interface. Any ideas? Thank you.
    >


    Computer certificates and trust lists for the certs?

    How are the L2TP/IPSec COMPUTERS to authenticate
    the IPSec? (before the pure user authentication of the
    L2TP).



    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    > Lloyd Christopher
    > SLOW30
    >




  3. Re: ipsec/l2tp what am i missing?

    "Herb Martin" wrote:

    > "Lloyd" wrote in message
    > news:lLB1g.78$_h5.39@fe05.lga...
    > > I've configured my vpn for remote access, no firewall/nat on an external
    > > static ip but nat on the internal interface, and set up all the
    > > certificates. When I try and connect to the vpn using the internal ip I
    > > can connect but when I try and connect from outside the network (or just
    > > to the external ip) I am getting an error 678. It definitely sounds like a
    > > network issue, though like I said I don't have any firewall set up. I am
    > > fairly new to Windows Server though so I'm sure I'm just missing something
    > > obvious but it's something obvious that 2 days of google groups searching
    > > hasn't been able to find. I don't see anything useful in event viewer but
    > > I don't really know what other logs I should be checking. Also worth noting
    > > is that if I switch everything to PPTP it does work on the external
    > > interface. Any ideas? Thank you.
    > >

    >
    > Computer certificates and trust lists for the certs?
    >
    > How are the L2TP/IPSec COMPUTERS to authenticate
    > the IPSec? (before the pure user authentication of the
    > L2TP).
    >


    Ya added the root cert and the computer store one.

    The security settings are left at "typical", with "require secured
    password", "automatically use my windows logon name", and "require data
    encryption". The ipsec settings are blank (only option is the preshared
    key), and "l2tp ipsec vpn" settings I have "enable lcp extensions" and
    "enabled software compression" checked but not "negotiate multi-link for
    single link connections".


  4. Re: ipsec/l2tp what am i missing?

    If everything is the same except that you can not connect from outside the
    network it sounds like some sort of filtering issue. If the VPN client is
    behind a NAT router that can make a difference in that the client end device
    needs to be configured for ipsec pass-through and the client may need to be
    configured to work with NAT even if the VPN server is not behind a NAT
    device. Also always check the logs on the VPN server via Event Viewer to see
    if anything helpful is recorded and you may need to enable advanced logging.
    The link below may be helpful if the client is XP. --- Steve

    http://support.microsoft.com/kb/885407





  5. Re: ipsec/l2tp what am i missing?

    I've plugged a laptop straight into the external interface of the server and
    I get the same behavior so the server is definitely behind the filtering. In
    the event viewer whenever I try and connect I get hundreds of IKE events of
    type 541, 542 and 543, all return successfully. What is the next stage in
    the connection process? Perhaps once I know that I can finally figure this
    out. Thanks.

    Lloyd Christopher
    SLOW30

    "Steven L Umbach" wrote in message
    news:O%23mfMyyaGHA.5000@TK2MSFTNGP05.phx.gbl...
    > If everything is the same except that you can not connect from outside the
    > network it sounds like some sort of filtering issue. If the VPN client is
    > behind a NAT router that can make a difference in that the client end
    > device needs to be configured for ipsec pass-through and the client may
    > need to be configured to work with NAT even if the VPN server is not
    > behind a NAT device. Also always check the logs on the VPN server via
    > Event Viewer to see if anything helpful is recorded and you may need to
    > enable advanced logging. The link below may be helpful if the client is
    > XP. --- Steve
    >
    > http://support.microsoft.com/kb/885407
    >




  6. Re: ipsec/l2tp what am i missing?

    You said it works fine on the internal adapter but not the external adapter
    I believe. What I would do is to go into Remote Access Management Console
    and under ip routing - general check the properties of the external adapter
    for input/output filters to see if anything there is blocking access. You
    don't mention what operating system the server is but Windows 2003 also has
    possible settings for firewall in rras also. Also under server properties in
    Remote Access Management Console you can go to logging and select log all
    events which may help give more information. In the VPN client connectoid
    properties under networking try selecting l2tp as VPN type if you are
    currently using auto. If problems persist you may also want to post in the
    ras_routing newsgroup. --- Steve


    "Lloyd" wrote in message
    news:uJx6g.52$t54.42@fe07.lga...
    > I've plugged a laptop straight into the external interface of the server
    > and I get the same behavior so the server is definitely behind the
    > filtering. In the event viewer whenever I try and connect I get hundreds
    > of IKE events of type 541, 542 and 543, all return successfully. What is
    > the next stage in the connection process? Perhaps once I know that I can
    > finally figure this out. Thanks.
    >
    > Lloyd Christopher
    > SLOW30
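The filtering check suggested in the replies above, sketched as an added example (not part of the original thread): it compares an allow-list packet filter with the inbound flows each tunnel type needs, showing how a filter can pass PPTP while dropping L2TP/IPsec. The rule lists are constructed and hypothetical; the thread does not show the server's actual filters.

```python
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    label: str
    ip_proto: int             # IANA number: 6=TCP, 17=UDP, 47=GRE, 50=ESP
    dst_port: Optional[int]   # None for protocols that have no ports
    layer: str                # "outer" = on the wire, "inner" = after IPsec decryption

class Rule(NamedTuple):
    ip_proto: int
    dst_port: Optional[int] = None   # None = any destination port

# Inbound flows a VPN server needs, per tunnel type.
REQUIRED = {
    "PPTP": [
        Flow("PPTP control", 6, 1723, "outer"),
        Flow("GRE", 47, None, "outer"),
    ],
    "L2TP/IPsec": [
        Flow("IKE", 17, 500, "outer"),
        Flow("IPsec NAT-T", 17, 4500, "outer"),
        Flow("ESP", 50, None, "outer"),
        Flow("L2TP", 17, 1701, "inner"),   # carried inside ESP
    ],
}

def permits(rule: Rule, flow: Flow) -> bool:
    """True when the rule's protocol matches and its port is 'any' or equal."""
    return rule.ip_proto == flow.ip_proto and rule.dst_port in (None, flow.dst_port)

def blocked_flows(allow_rules, vpn_type, layers=("outer",)):
    """Labels of required flows on the given layers that no allow rule permits
    (default-deny filter: anything not explicitly allowed is dropped)."""
    return [f.label for f in REQUIRED[vpn_type]
            if f.layer in layers and not any(permits(r, f) for r in allow_rules)]

# Constructed filter lists (hypothetical, not taken from the thread).
PPTP_ONLY = [Rule(6, 1723), Rule(47)]
BOTH = PPTP_ONLY + [Rule(17, 500), Rule(17, 4500), Rule(50), Rule(17, 1701)]

if __name__ == "__main__":
    for name, rules in (("PPTP_ONLY", PPTP_ONLY), ("BOTH", BOTH)):
        for vpn in REQUIRED:
            print(name, vpn, "blocked:", blocked_flows(rules, vpn, ("outer", "inner")))
```

Pass `layers=("outer",)` for a device in the path that only sees encrypted packets, and include `"inner"` for a filter that is applied after IPsec decryption.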




  7. RE: ipsec/l2tp what am i missing?

    You might wanna check this KB Article:
    http://support.microsoft.com/kb/326816/en-us

    It's for Windows 2000 computers, so I'm unsure if it works out for you. I
    didn't catch the version of Windows you're running. But if it applies, all
    you gotta do is get the update and it should work from there.

    Nico Mendoza


