Vpn l2tp
  • doom
    started a topic Vpn l2tp

    Vpn l2tp

    Hi

    I tried to set up an L2TP VPN on SBS 2003
    but had some issues with it
    maybe you can help me ...

    first of all PPTP works ...
    the problem is .. I get error 678 on the L2TP connection
    "server did not respond in time"

    now I checked a comp inside the network to see if the certificate settings were correct
    and they are, the comp connects by L2TP inside the LAN

    when trying a remote client (XP) I get error 678

    (*note that earlier I'd set a wrong certificate and I got a different error saying that the machine cert is not recognized, so it does allow the connection in)

    I've set up a CA certificate and a machine cert

    I've opened the required ports for L2TP...

    I tried checking logs both in event viewer and the RRAS log
    (RRAS log by default set to log errors)
    neither says anything about L2TP,
    only PPTP connections are logged (successes and fails)

    what can be the problem?

    thanx
    Last edited by doom; 2nd April 2008, 01:23.

  • Dumber
    replied
    Re: Vpn l2tp

    Does the firewall have IP fragments enabled?



  • joeqwerty
    replied
    Re: Vpn l2tp

    Are you running the packet sniffer on the client, the server, or both? I would run it on both and enable conversations if you're using Microsoft Network Monitor 3, that way you can track the conversations to make sure you are seeing all the traffic from the same "session". You'll want to look for traffic in both directions on both the client and the server for each conversation to see where it is encountering a problem.



  • doom
    replied
    Re: Vpn l2tp

    yes I did log...
    I wrote the error in a message

    here it is again

    IKE security association negotiation failed.
    Mode:
    Key Exchange Mode (Main Mode)

    Filter:
    Source IP Address 192.168.0.100
    Source IP Address Mask 255.255.255.255
    Destination IP Address 79.177.113.*
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr 192.168.0.100
    IKE Peer Addr 79.177.113.*
    IKE Source Port 4500
    IKE Destination Port 0
    Peer Private Addr

    Peer Identity:
    Certificate based Identity.
    Peer IP Address: 79.177.113.*

    Failure Point:
    Me

    Failure Reason:
    Negotiation timed out

    Extra Status:
    Processed second (KE) payload
    Responder. Delta Time 63
    0x0 0x0

    (I used * to hide part of the IP (client))

    it's SP2 with all latest updates


    joe:
    internally it's working
    I meant do I need to configure something else besides certs on the remote client
    (not part of the domain)
    to make it work

    in the sniffer you see the traffic
    there are a lot of ISAKMP packets going back and forth
    so I don't think a firewall is blocking the connection ...



  • Dumber
    replied
    Re: Vpn l2tp

    Joe,
    With the logging enabled you can make sure that the firewall correctly passed the requests through.
    You can see exactly what kind of connection he's trying to set up and why it fails.
    Yes, you can point to the firewall but are you really sure that there lies the problem?
    Can't it be the firewall on the remote site?

    Edit -
    The logging I meant is this one:
    http://forums.petri.com/showpost.php...76&postcount=7
    Last edited by Dumber; 7th April 2008, 20:46.



  • joeqwerty
    replied
    Re: Vpn l2tp

    Again, in your original post you said that a computer on the internal network can successfully make an L2TP connection to the server, so don't spend any more time looking at the client computer or the server. Look at your firewall, there is something there that is causing the problem.



  • Dumber
    replied
    Re: Vpn l2tp

    Have you already tried to make the logging I told you about earlier?
    Have you SP1 installed (remember the bug I mentioned earlier)?



  • doom
    replied
    Re: Vpn l2tp

    after I checked the router

    it supports NAT-T and allows L2TP access
    (D-Link DI-604)

    so again I ask what can be the problem?
    since the network does pass the router and initiates main mode, quick mode

    what can be done?

    maybe something in the client might be wrong?
    (something other than certs)



  • Dumber
    replied
    Re: Vpn l2tp

    No sorry, there are some differences

    NAT-T:
    http://en.wikipedia.org/wiki/NAT_Traversal



  • doom
    replied
    Re: Vpn l2tp

    dumber: I thought it's the "same" hehe

    after I googled NAT-T, I understand the problem ...


    thanx anyway



  • Dumber
    replied
    Re: Vpn l2tp

    So you didn't read my previous posts?
    Again NAT won't work. Only transparent NAT or NAT-T.



  • doom
    replied
    Re: Vpn l2tp

    mmm... something very weird I noticed
    I noticed event viewer only logs if I am sniffing the network while trying the L2TP connection
    if the sniffer is not "capturing" then neither is the event viewer

    anyway the error is this

    IKE security association negotiation failed.
    Mode:
    Key Exchange Mode (Main Mode)

    Filter:
    Source IP Address 192.168.0.100
    Source IP Address Mask 255.255.255.255
    Destination IP Address 79.177.113.*
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr 192.168.0.100
    IKE Peer Addr 79.177.113.*
    IKE Source Port 4500
    IKE Destination Port 0
    Peer Private Addr

    Peer Identity:
    Certificate based Identity.
    Peer IP Address: 79.177.113.*

    Failure Point:
    Me

    Failure Reason:
    Negotiation timed out

    Extra Status:
    Processed second (KE) payload
    Responder. Delta Time 63
    0x0 0x0

    (I used * to hide part of the IP (client))


    and yes I use a router with NAT to point to the server
    Last edited by doom; 4th April 2008, 04:44.

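As an added example (not part of the thread or any poster's code), here is a small Python parser for the Windows Server 2003 IKE audit text doom posted, with a diagnose() step that ties the parsed fields back to the NAT-T and "IP fragments" questions raised in the thread. The embedded event is a constructed, trimmed copy of the posted log, and the hint names returned by diagnose() are my own labels.

```python
import re

# Constructed, trimmed copy of the Windows Server 2003 IKE audit text posted in
# the thread (the poster masked the client's last octet with '*').
IKE_EVENT = """IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
IKE Local Addr 192.168.0.100
IKE Peer Addr 79.177.113.*
IKE Source Port 4500
Failure Point:
Me
Failure Reason:
Negotiation timed out
Extra Status:
Processed second (KE) payload
Responder. Delta Time 63
"""

def parse_ike_event(text):
    """Pull the fields that matter for diagnosis out of the audit text."""
    f = {}
    for key in ("IKE Local Addr", "IKE Peer Addr", "IKE Source Port"):
        m = re.search(r"^" + re.escape(key) + r" (\S+)$", text, re.M)  # 'Name value'
        f[key] = m.group(1) if m else None
    for key in ("Failure Point", "Failure Reason", "Extra Status"):
        m = re.search(r"^" + re.escape(key) + r":\n(.+)$", text, re.M)  # value on next line
        f[key] = m.group(1).strip() if m else None
    m = re.search(r"Key Exchange Mode \((.+?)\)", text)
    f["Mode"] = m.group(1) if m else None
    m = re.search(r"^(Initiator|Responder)\. Delta Time (\d+)$", text, re.M)
    f["Role"], f["Delta Time"] = (m.group(1), int(m.group(2))) if m else (None, None)
    return f

def diagnose(f):
    """Map the parsed fields onto the questions raised in the thread."""
    hints = []
    if f["IKE Source Port"] == "4500":
        # UDP 4500 is only used after both peers detected a NAT in the path and
        # switched to NAT-T, so the early main mode messages did get through.
        hints.append("nat-t-in-use")
    if (f["Failure Reason"] == "Negotiation timed out" and f["Role"] == "Responder"
            and "(KE)" in (f["Extra Status"] or "")):
        # The server answered the key-exchange message, then waited Delta Time
        # seconds for the next main mode message. That one carries the peer's
        # certificate and is usually large enough to be fragmented, which is
        # where the 'IP fragments' question in the thread comes in.
        hints.append("timeout-after-ke-check-fragment-handling")
    return hints
```

Running diagnose(parse_ike_event(IKE_EVENT)) on the posted log yields both hints, which is consistent with the sniffer showing ISAKMP traffic in both directions while the connection still fails.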


  • joeqwerty
    replied
    Re: Vpn l2tp

    I agree that L2TP is more difficult than it's worth and that PPTP offers sufficient security and is easier to set up and troubleshoot.



  • Dumber
    replied
    Re: Vpn l2tp

    With the adjustment of the registry setting you can completely see what happens on IPsec.
    If the firewall is in transparent mode or is a NAT-T device it's possible. However the TS didn't mention the kind of firewall.
    Otherwise it won't work and the firewall should terminate the VPN connections.
    This is because IPSEC doesn't have ports.

    It also should explain why it goes wrong. Just what the logging will do.
    The logging probably will show that phase one can't setup because whatever error.

    Also I don't see why you want to use L2TP for client VPN. You make it more difficult than it needs to be and PPTP is secure enough for client vpns.
    For site-to-site I would stick to IPSEC.


    edit: and the logging is really fun to see (at least it was for me when I finally found the setting)
    Last edited by Dumber; 3rd April 2008, 12:57.



  • joeqwerty
    replied
    Re: Vpn l2tp

    I think we can rule out the server and the client as being the problem as the poster said that it works internally. My next question is are you NAT'ing the traffic to the server? I believe that IPSEC won't work through NAT. Can anyone confirm this?
