
Welcome to ISAserver.org


L2TP/IPSec VPN...error 791

L2TP/IPSec VPN...error 791 - 21.Jul.2004 4:05:00 AM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi Y'all. I'm a newbie here, so a quick "how u doin to all?", and then down to business!
Hope it ain't too long...just bear with me...
Here's the deal,
I'm testing an L2TP/IPSec router-router VPN with Win2k advanced server. Trying to simulate a MAIN_OFFICE-BRANCH_OFFICE kind of VPN.

My setup:
MAIN OFFICE LAN :
1 firewall (2 Nics-one Public IP, the other Private IP)-doing IP forwarding on the firewall, NAT too.

1 VPN-server behind the firewall.
(running Win2k adv.server, Active Directory installed, it's a Domain Controller).
It's also my root Enterprise CA-don't have many PCs hanging around u know "[Wink]" -
Gat a demand dial interface, and static routes, I/O filters configured, etc.

1 client(Win 2k professional), has the VPN server as its gateway.

BRANCH OFFICE LAN:
Basically the same setup as main office, only that VPN server is not a CA.

Have installed machine certificate on MAIN Office VPN-server, and also installed router certificates for both demand dial interfaces (on both servers that is), also configured MAIN OFFICE VPN server as calling and answering router, the branch office Server as calling only (has no machine certificate yet).....
........hope u guyz are still patient with me....

LANS working well, can ping each other etc... internal clients and servers also ping both firewall public IPs as well...

PROBLEM: on trying to connect, "Error 791: The L2TP connection attempt failed because security policy for the connection was not found."

Been on this for a day already...goin nuts! Help guyz...
thanks a lot....
Mo
Post #: 1
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 6:07:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
I'm testing an L2TP/IPSec router-router VPN with Win2k advanced server. Trying to simulate a MAIN_OFFICE-BRANCH_OFFICE kind of VPN.

My setup:
MAIN OFFICE LAN :
1 firewall (2 Nics-one Public IP, the other Private IP)-doing IP forwarding on the firewall, NAT too.

1 VPN-server behind the firewall.

Are you saying that the VPN server is NAT'd behind the firewall? If so, then this is not possible with Win2000 - only Win2003 has the NAT-T update in RRAS in order for this to function. Win2000 only has the client side NAT-T change - RRAS wasn't updated.

[ July 21, 2004, 06:08 AM: Message edited by: ClintD ]

(in reply to mossk)
Post #: 2
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 8:32:00 PM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi ClintD...thanks for the quick reply...
Well, actually had read about NAT-T and completely forgotten that only Win2003 server supports it.
Ok, I changed my setup...still wanted a firewall in front of my servers tho. So I now gat public IPs on my 2 subnets...and using a public IP class net of course to simulate my internet...my 2 firewalls are directly connected using a cross cable...

So I now can directly address my "internal" networks from "outside"(like one normally would for public IPs)-all PCs can ping each other...bottom line, the LANs seem just fine...

However, when I try to connect using the Dial interface, I still get the Same error...
Any other possibility...
Thanks again...
Mo

(in reply to mossk)
Post #: 3
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 10:51:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mossk,

Why not terminate the VPN connection at the ISA firewall? And put the ISA firewall at the edge?

Do you REALLY think the packet filters you're putting in front of the ISA firewall are adding security?

Thanks!
Tom

(in reply to mossk)
Post #: 4
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 11:07:00 PM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi tshinder...thanks for the reply...
Well now that you ask (about the filters), maybe not REALLY...
But do you really think it's the problem?

OK, the thing is, I'm workin with University computers (in the Lab), and no server-capable machine has 2 interfaces installed...as I would need in order to terminate the VPN connection at the server (as u suggest, or??)...ok I could ask for permission to install them...but chances are slim on that...

Should I really try that, or could it be something else...??

Thanks again...
MO

(in reply to mossk)
Post #: 5
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 11:26:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MO,

OK, I didn't realize you didn't have control of the network.

Have you tried using PPTP yet? Most NAT devices included a PPTP NAT editor.

Thanks!
Tom

(in reply to mossk)
Post #: 6
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 11:43:00 PM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi tshinder...
if I understood yo question well, yes I used PPTP before and it worked, no problem...but I now HAVE to use L2TP over IPSec for this VPN...
Thanks..
Mo

(in reply to mossk)
Post #: 7
RE: L2TP/IPSec VPN...error 791 - 21.Jul.2004 11:53:00 PM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi again tshinder...
one other thing, about the control of the network, I do have control of the "network" coz it's not connected physically to the uni network. It's basically 2 private LANs each with a switch, and they are (the LANs) connected to each other by a cross cable (my internet simulation)...

It's the computers themselves that have a limitation...can only work with these unfortunately...of course unless it's NECESSARY otherwise--
Thanks again..
MO

(in reply to mossk)
Post #: 8
RE: L2TP/IPSec VPN...error 791 - 22.Jul.2004 5:05:00 PM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi mossk,

I've never tried connecting to test lans with just a cross over cable, when you tried PPTP, were you able to access servers in one lan from the other lan?

On a side note, how much memory do your computers have? The best way I found to test a similar setup to the one you are trying to test was with one switch, two computers (both with only one network card!) and a copy of vmware.

HTH.

(in reply to mossk)
Post #: 9
RE: L2TP/IPSec VPN...error 791 - 22.Jul.2004 6:10:00 PM   
mossk

 

Posts: 6
Joined: 21.Jul.2004
From: Germany
Status: offline
Hi pinball...thanks for replyin. Well, first things first, I must apologize to all that I didn't REALLY realise that this forum was mainly about the ISA firewall...when I read how (user) ClintD helped somebody who had a VPN problem (a link from google), I just signed up and asked for help...
Sorry I didn't really specify my situation...
The fact is, I'm not running an ISA firewall. I'm running 2 Linux firewalls and 2 WIN2k adv.Servers as my VPN-servers. I'd appreciate any further help if anyone wishes.
To answer yo question pinball, I gat my LAN setup like below...just some arbitrary IPs, and I'm not connected to any Real network or Internet.
FW-Firewall, Def.Gw-Default gateway
************************************************

134.91.242.0(LAN1)                      134.91.241.0(LAN2)

                 134.91.90.0(internet)

LAN2===FW 1========================= FW 2==LAN2

Ext NIC :134.91.90.1                 Ext NIC :134.91.90.254
Def.Gw:134.91.90.254                 Def.Gw:134.91.90.1

int Nic :134.91.242.1                int Nic :134.91.241.1
**********************************************
so basically I then have my internal lans behind these firewalls, and each LAN has the "Int NIC" IP as its gateway. The "Def.Gw" IPs are for my internet simulation...so YES I can connect (at least ping) to any computer from anywhere on either LAN
...
Thanks again

(in reply to mossk)
Post #: 10
RE: L2TP/IPSec VPN...error 791 - 23.Jul.2004 10:13:00 AM   
pinball

 

Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi mossk,

If the purpose of your testing is to teach yourself Linux, then I am afraid I can't help.

However if the purpose of your testing is to learn about firewalls, then now you have tried with Linux why not download the ISA2004 trial version and see how much easier it is [Big Grin]

HTH

(in reply to mossk)
Post #: 11
RE: L2TP/IPSec VPN...error 791 - 23.Jul.2004 2:33:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mossk,

We focus only on the ISA 2004 firewall in this area, although we're always glad to hear about solutions with integrating with third party VPN gateways with the ISA 2004 firewall.

Thanks!
Tom

(in reply to mossk)
Post #: 12
