No announcement yet.

RRAS L2TP Policy issue

  • Filter
  • Time
  • Show
Clear All
new posts

  • RRAS L2TP Policy issue

    Hi All:

    I have a stand alone 2008 R2 x64 machine in a DMZ behind a Cisco 1841. The 2008 server has a real IP NAT's over to with the Cisco's ACL in front. I have got L2TP setup in the Windows 2008 box as we are modeling a system that will be placed in the cloud (so we need to learn how to terminate IPSec tunnels in windows rather than Cisco). I have done the registry change to allow Windows to operate IPSec behind NAT and make NAT-T work properly (Article ID: 926179). I am connecting to windows using a Digi Transport WR21 router configured as an L2TP client. I have followed Digi's AN26 app note and its up and working.....with one problem:
    Immediately upon the ppp being authenticated by RRAS, the Digi is immediately logged out again. The is the security event viewer:
    Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4648 Logon
    Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4776 Credential Validation

    So in short, I have the IKE SAs, I have the 2 IPSec SAs, I have the L2TP tunnel up and PPP comes up....for a second, then is disconnected.

    This behavior is confirmed by the anappp.cap wireshark logs that the router keeps.
    The wireshark dump shows the PPP challenge from the server, the server's name is sent, the Digi's username and password are send and the server response with "Success". Then there is two Conf Request packets send from the server and the Digi and two reject packets, then two conf packets and to conf ack packets then the server sends a termination request packet and the digi acks and its done, just to repeat again.

    I was getting RRAS event 20255, "CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN2-9, UserName: remote1. The remote computer does not support the required data encryption type." until I rebooted the 2008 R2 box and now there is no error from RRAS, just the same behavior.

    I have a Network Policy setup that is enabled to allow L2TP and ESP packets but this problem persists.

    Any ideas from the experts out there?


  • #2
    Re: RRAS L2TP Policy issue

    L2TP is really L2TP over IPsec, meaning if you get far enough for the PPP negotiation to start, the IPsec part must be working.

    The error message about RAS encryption types is a bit odd, as L2TP neither uses nor needs any kind of encryption, since it's already running inside an IPsec ESP transport-mode connection.

    I'm not familiar with "Digi Transport WR21" routers, but make sure the PPP settings for the L2TP connection is set to use plaintext PPP authentication (PAP) and no PPP encryption.

    If you're using Network Policy Server, make sure the policy isn't set to require encryption. While that would be a valid setting for PPTP, it makes no sense for L2TP or SSTP.