Vpn l2tp
  • Vpn l2tp

    Hi,

    I tried to set up an L2TP VPN on SBS 2003
    but had some issues with it.
    Maybe you can help me...

    First of all, PPTP works...
    The problem is, I get error 678 on the L2TP connection:
    "server did not respond in time"

    Now I checked a computer inside the network to see if the certificate settings were correct,
    and they are; the computer connects by L2TP inside the LAN.

    When trying a remote client (XP) I get error 678.

    (*Note that earlier I had set a wrong certificate and got a different error saying that the machine cert is not recognized, so it does allow the connection in.)

    I've set up a CA certificate and a machine cert.

    I've opened the required ports for L2TP...

    I tried checking logs both in Event Viewer and the RRAS log
    (RRAS log by default set to log errors);
    neither says anything about L2TP,
    only PPTP connections are logged (success and fails).

    What can be the problem?

    Thanks
    Last edited by doom; 2nd April 2008, 01:23.

  • #2
    Re: Vpn l2tp

    What ports did you open for L2TP? You should have 1701 and 500.



    • #3
      Re: Vpn l2tp

      I used this page for the ports:

      http://www.steveneppler.com/blog/200...and-l2tp-ports



      • #4
        Re: Vpn l2tp

        Well, it definitely sounds like a firewall issue, since an internal client can make a connection. Try putting a traffic sniffer on the server and see if you see incoming L2TP traffic.



        • #5
          Re: Vpn l2tp

          Thanks, I'll try that when I get a chance.

          Any more suggestions, anyone?



          • #6
            Re: Vpn l2tp

            OK,

            I used Wireshark to sniff the network.

            It does seem like there is a negotiation for an L2TP connection:
            I see ISAKMP and main mode/quick mode.

            So packets go through the router.


            What should I be looking for in the sniffer?



            • #7
              Re: Vpn l2tp

              You need to enable logging of the IPsec process.
              You need to change the following value to one for the logging:
              Code:
              HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\DisableIKEAudits
              http://technet2.microsoft.com/Window...px#view_events

              Something goes wrong, and without the logging you don't know a thing.
              Also, I know that there's a bug in Windows 2003 SP1 with the IPsec driver.
              I don't know if this is applicable to SBS too.

              http://support.microsoft.com/kb/923339
              http://support.microsoft.com/KB/945410
              http://blogs.isaserver.org/pouseele/...-based-server/
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"



              • #8
                Re: Vpn l2tp

                Originally posted by Dumber:

                    Also, I know that there's a bug in Windows 2003 SP1 with the IPsec driver.
                    I don't know if this is applicable to SBS too.

                If it isn't connected to the special SBS limitations (one SBS per domain, no trusts or child domains, 75-user limit), then any bug in Windows 2003 (RTM, SP1 or SP2) is also in SBS.
                TIA

                Steven Teiger [SBS-MVP(2003-2009)]
                http://www.wintra.co.il/
                I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                We don't stop playing because we grow old, we grow old because we stop playing.



                • #9
                  Re: Vpn l2tp

                  I think we can rule out the server and the client as being the problem as the poster said that it works internally. My next question is are you NAT'ing the traffic to the server? I believe that IPSEC won't work through NAT. Can anyone confirm this?



                  • #10
                    Re: Vpn l2tp

                    With the adjustment of the registry setting you can completely see what happens with IPsec.
                    If the firewall is in transparent mode or is a NAT-T device, it's possible. However, the TS didn't mention the kind of firewall.
                    Otherwise it won't work and the firewall should terminate the VPN connections.
                    This is because IPsec doesn't have ports.

                    It also should explain why it goes wrong. That's just what the logging will do.
                    The logging will probably show that phase one can't be set up because of whatever error.

                    Also, I don't see why you want to use L2TP for client VPN. You make it more difficult than it needs to be, and PPTP is secure enough for client VPNs.
                    For site-to-site I would stick to IPsec.


                    edit: and the logging is really fun to see (at least it was for me when I finally found the setting)
                    Last edited by Dumber; 3rd April 2008, 12:57.



                    • #11
                      Re: Vpn l2tp

                      I agree that L2TP is more difficult than it's worth and that PPTP offers sufficient security and is easier to set up and troubleshoot.



                      • #12
                        Re: Vpn l2tp

                        Mmm... something very weird I noticed:
                        the Event Viewer only logs if I am sniffing the network while trying the L2TP connection;
                        if the sniffer is not "capturing", neither is the Event Viewer.

                        Anyway, the error is this:

                        IKE security association negotiation failed.
                        Mode:
                        Key Exchange Mode (Main Mode)

                        Filter:
                        Source IP Address 192.168.0.100
                        Source IP Address Mask 255.255.255.255
                        Destination IP Address 79.177.113.*
                        Destination IP Address Mask 255.255.255.255
                        Protocol 0
                        Source Port 0
                        Destination Port 0
                        IKE Local Addr 192.168.0.100
                        IKE Peer Addr 79.177.113.*
                        IKE Source Port 4500
                        IKE Destination Port 0
                        Peer Private Addr

                        Peer Identity:
                        Certificate based Identity.
                        Peer IP Address: 79.177.113.*

                        Failure Point:
                        Me

                        Failure Reason:
                        Negotiation timed out

                        Extra Status:
                        Processed second (KE) payload
                        Responder. Delta Time 63
                        0x0 0x0

                        (I used * to hide part of the client IP.)


                        And yes, I use a router with NAT to point to the server.
                        Last edited by doom; 4th April 2008, 04:44.



                        • #13
                          Re: Vpn l2tp

                          So you didn't read my previous posts?
                          Again, NAT won't work. Only transparent NAT or NAT-T.

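The IKE audit event pasted in #12 and the NAT versus NAT-T distinction drawn in #13 can be turned into a small triage routine. What follows is an added example, not code from this thread or from Microsoft. It parses the event text the way Windows 2003 writes it (the sample is a constructed, abridged copy of the posted event, with the client's public address replaced by the documentation address 203.0.113.7 from RFC 5737), reads which UDP port IKE was using, and derives what a NAT router in front of the RRAS server has to forward. The rule "IKE on UDP 4500 means NAT-T was negotiated" follows RFC 3947/3948; the reading of "Processed second (KE) payload / Responder" as "main mode stalled after the key exchange" is this example's heuristic, not something the event states. Field names, the `Triage` class and the verdict wording are this example's own.

```python
import re
from dataclasses import dataclass

ISAKMP_PORT = 500      # IKE main/quick mode, UDP
NAT_T_PORT = 4500      # IKE and ESP move here once NAT is detected (RFC 3947/3948)
ESP_PROTOCOL = 50      # raw ESP, only seen on the wire when NAT-T is NOT in use

# Constructed, abridged copy of the event pasted in the thread; the client's public
# address is replaced by the documentation address 203.0.113.7 (RFC 5737).
SAMPLE_EVENT = """IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
IKE Local Addr 192.168.0.100
IKE Peer Addr 203.0.113.7
IKE Source Port 4500
IKE Destination Port 0

Peer Identity:
Certificate based Identity.

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed second (KE) payload
Responder. Delta Time 63
0x0 0x0
"""

# Field name -> regex with one capture group; *_port fields are converted to int.
_FIELD_PATTERNS = {
    "mode": r"Key Exchange Mode \(([^)]+)\)",
    "ike_local_addr": r"IKE Local Addr (\S+)",
    "ike_peer_addr": r"IKE Peer Addr (\S+)",
    "ike_source_port": r"IKE Source Port (\d+)",
    "ike_destination_port": r"IKE Destination Port (\d+)",
    "peer_identity": r"Peer Identity:\s*\n\s*(.+)",
    "failure_point": r"Failure Point:\s*\n\s*(.+)",
    "failure_reason": r"Failure Reason:\s*\n\s*(.+)",
    "extra_status": r"Extra Status:\s*\n(.*?)(?:\n\s*\n|\Z)",
}

def parse_ike_event(text):
    """Pull the fields above out of the event text; missing fields become None."""
    fields = {}
    for name, pattern in _FIELD_PATTERNS.items():
        match = re.search(pattern, text, re.DOTALL if name == "extra_status" else 0)
        if match is None:
            fields[name] = None
            continue
        value = match.group(1).strip()
        fields[name] = int(value) if name.endswith("_port") else value
    return fields

@dataclass
class Triage:
    nat_t_in_use: bool
    role: str
    stalled_at: str
    ports_to_forward: list   # (protocol, number) the NAT router must pass to the server
    verdict: str

def triage_ike_failure(fields):
    """Rules a practitioner applies by hand: which ports IKE used, who waited, what to forward."""
    extra = fields.get("extra_status") or ""
    # IKE on UDP 4500 means both peers detected NAT and floated off 500 (RFC 3947).
    nat_t = NAT_T_PORT in (fields.get("ike_source_port"), fields.get("ike_destination_port"))
    role = "Responder" if "Responder" in extra else "Initiator" if "Initiator" in extra else "unknown"
    # This example's reading of Extra Status: the KE payload is main mode message 3/4, so a
    # timeout right after it means the peer's identity/authentication message never arrived.
    stalled_at = ("after the key exchange; the peer's next main mode message never arrived"
                  if "(KE) payload" in extra else "stage not identifiable from Extra Status")
    # With NAT-T, IKE and ESP are both UDP-encapsulated on 4500; without it, raw ESP must pass.
    # UDP 1701 (L2TP) rides inside the ESP SA either way and is never opened on the perimeter.
    forward = [("udp", ISAKMP_PORT), ("udp", NAT_T_PORT) if nat_t else ("esp", ESP_PROTOCOL)]
    local_timeout = (fields.get("failure_point") == "Me"
                     and (fields.get("failure_reason") or "").startswith("Negotiation timed out"))
    if local_timeout and nat_t:
        verdict = (f"{role} gave up waiting on UDP {NAT_T_PORT}: with the server behind NAT, forward "
                   f"UDP {ISAKMP_PORT} and UDP {NAT_T_PORT} to it, and check the client allows NAT-T "
                   "to a server behind NAT.")
    elif local_timeout:
        verdict = f"Peer went silent without NAT-T: check UDP {ISAKMP_PORT} and ESP end to end."
    else:
        verdict = "Not a local timeout; read Failure Reason and Extra Status directly."
    return Triage(nat_t, role, stalled_at, forward, verdict)

if __name__ == "__main__":
    result = triage_ike_failure(parse_ike_event(SAMPLE_EVENT))
    print(f"NAT-T in use: {result.nat_t_in_use}, role: {result.role}; stalled {result.stalled_at}")
    print("forward through the NAT:", ", ".join(f"{p}/{n}" for p, n in result.ports_to_forward))
    print(result.verdict)
```

Two points the routine encodes that the thread only circles around: UDP 1701 never needs to be opened on the outside, because L2TP is carried inside the IPsec SA, so a port list built from "1701 and 500" leaves out the one port that matters once NAT is involved (UDP 4500); and the client side has a say too, since Windows XP SP2 by default refuses NAT-T towards a server that is itself behind NAT (Microsoft KB 885407, the AssumeUDPEncapsulationContextOnSendRule registry value), which is exactly the topology described in this thread.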


                          • #14
                            Re: Vpn l2tp

                            Dumber: I thought it was the "same", hehe.

                            After I googled NAT-T, I understand the problem...


                            Thanks anyway



                            • #15
                              Re: Vpn l2tp

                              No, sorry, there are some differences.

                              NAT-T:
                              http://en.wikipedia.org/wiki/NAT_Traversal
