L2TP VPN issues Unable to connect more than one client
L2TP VPN issues Unable to connect more than one client - 12.May2007 8:06:27 AM
danrum1
Posts: 8
Joined: 12.May2007

I have a new ISA 2006 server deployed and I am having some issues with it. Please bear with me because I am new to the ISA world. We are a health care org and I need to be able to connect multiple clients from the same office (using a shared internet connection) using L2TP, and I have them set up using an IPSec shared key. I can connect one client fine, but when I try to connect the other client it will never connect. If I disconnect the one connection and wait a couple of minutes, the machine that would not connect will connect fine. I am using our internal DHCP server for IP address assignment. Any help would be great. Thanks, Danny

RE: L2TP VPN issues Unable to connect more than one client - 14.May2007 10:08:17 AM
justmee
Posts: 505
Joined: 14.May2007

Hi Danny, if I have understood correctly you are connecting from a remote office to an ISA 2006 VPN server. What exactly does "using a shared internet connection" mean? Are the clients behind a NAT device in this office? If so, make sure that this device supports multiple IPsec passthrough sessions per one VPN server (multiple IPsec VPN clients connected to the same remote VPN server), or in other words multiple VPN clients per one VPN server and not just one VPN client passthrough per VPN server. If it does not support this it will not work. Best regards!

RE: L2TP VPN issues Unable to connect more than one client - 15.May2007 10:09:51 AM
danrum1
Posts: 8
Joined: 12.May2007

Yes, the clients are connected behind a NAT device. Do you know of any devices that will allow for multiple IPSec tunnels? Most of the routers that are out there are geared for the home user and not the remote office. Danny

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 7:15:34 AM
justmee
Posts: 505
Joined: 14.May2007

Danny, in theory if you spice up the price of that device a little bit it should be able to do that. In practice, well, things are not quite so. I do not want to make any suggestions because I have noticed that some products might vary based on country/region of the world. The only way to know this is to contact the vendor and find out an "official answer". Unfortunately this also does not work quite as expected in practice.

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 9:36:51 AM
danrum1
Posts: 8
Joined: 12.May2007

This issue is going to cause me a lot of pain. PPTP works, but how secure is it? Do you have any experience with PPTP? Danny

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 10:39:38 AM
justmee
Posts: 505
Joined: 14.May2007

You can use PPTP for a secure connection only with EAP-TLS. This means using user certificates on the client side, because TLS will be used to protect credentials (maybe with cipher RC128-bit or 3DES). If you use MS-CHAPv2 there is a tool called asleap that probably can easily reveal your users' credentials due to the weak mechanism used by MS-CHAPv2. It can do so by using a dictionary attack. The only way to prevent this is to use "very complex" passwords, but I have doubts that a normal person can remember such passwords, thus probably a big percentage of users' passwords will fall into that dictionary attack category. Also PPTP uses MPPE 128-bit keys (RSA RC4), which is weaker than 3DES with 168-bit keys. PPTP lacks advanced data protection features such as establishing a secure connection before authentication (user authentication) takes place, providing data authentication (data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user)), protecting against replay attacks, and non-repudiation. As a conclusion, PPTP encrypts data being transmitted but does not encrypt information being exchanged during negotiation (as opposed to IPSec), so how strong PPTP is depends on how strong your password is. L2TP/IPSec provides two-factor authentication levels: machine (IKE) and user (PPP).

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 12:05:47 PM
danrum1
Posts: 8
Joined: 12.May2007

Thanks for all your help. All of our users fall into two categories: one is internal users that need remote access, and then offices that need to telnet into a mainframe that we have here. For the internal users I can use L2TP without any issue. They will only be connecting one tunnel at a time, so the router that they have is no issue. The offices use a password that I have generated for them. They do not get to change them. It is something like this: "xdyc3xo0". I also have those users limited to only a couple of servers.

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 1:07:12 PM
justmee
Posts: 505
Joined: 14.May2007

Danny, please note that L2TP/IPSec with pre-shared keys has its own security issues because ISA will use one pre-shared key for all users (group mode pre-shared key, n>2) because of Main Mode (and NAT-T). Please check my post here. As long as you use long passwords with numbers, *, ^, &, upper case and lower case letters, "probably" you are good to go. It also counts from where they connect: for example from unencrypted wireless LANs (this means that everybody has access to the "wire", so the risk is huge). In the end it's all about the dictionary the attackers have. George Ou says in one of his articles that:

Quote: "ASLEAP just happens to make that point abundantly clear since it had the ability to scan through a 4 GB pre-computed password hash table at a rate of 45 million passwords a second using a common desktop computer. This new version of ASLEAP not only adds PPTP compatibility, but also extends maximum database size to 4 Terabytes" (http://blogs.zdnet.com/Ou/index.php?p=21)

RE: L2TP VPN issues Unable to connect more than one client - 16.May2007 3:35:07 PM
danrum1
Posts: 8
Joined: 12.May2007

Man, you have really opened my eyes up to the risks here. I will be going back to our other VPN solution with our firewall. I just did not want to deal with the client software part of it. It uses a preshared key for each VPN client and it uses the passwords that I set in the local database. Again, thanks for all the help. You lose sight of how people with a small download can start hacking away. Danny

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 4:24:56 AM
justmee
Posts: 505
Joined: 14.May2007

Hi Danny, a late solution, maybe this will solve your issues with L2TP/IPSec: http://forums.isaserver.org/m_2002044504/mpage_1/tm.htm On your NAT device, try to keep the IPSec/VPN passthrough (if there is one) disabled, as it might break NAT-T. Best regards!

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 1:00:44 PM
danrum1
Posts: 8
Joined: 12.May2007

Man, thanks for all your help on this. The router I am testing from at home does not have the option to turn IPSec passthrough off. I did apply Server 2003 SP2 on the ISA 2006 Standard server, and I can now connect 2 VPN connections, but it will not allow the 3rd. I don't know if it is something in my router causing this, but if I disconnect one of the clients and wait a few minutes it will allow the machine that was not connecting to connect, but then the other will not. Do you think it is in my cheap router? Thanks, Danny

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 2:03:29 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium

Hi Danny, maybe we can crack this one too if you can provide us, for a good *and* a bad session, the following info unmodified:
- network trace on the client
- network trace on the ISA external interface
- oakley log on the client
- oakley log on the ISA server
HTH, Stefaan

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 2:34:41 PM
danrum1
Posts: 8
Joined: 12.May2007

What trace program do you use? Thanks,

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 2:38:41 PM
danrum1
Posts: 8
Joined: 12.May2007

Also, I found this on the Belkin support site: "Belkin routers support one IPSEC (Internet Protocol Security) tunnel. No configuration is required on the router, provided your VPN server is compatible with Network Address Translation (NAT)." I will get another router and test it. I feel that I am still going to run into this a lot, because we don't set up these remote offices and I feel sure they buy the cheapest routers that they can. Thanks, Danny

RE: L2TP VPN issues Unable to connect more than one client - 25.May2007 2:58:52 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium

Hi Danny, my favorite one is http://www.wireshark.org/, but you can use Microsoft NetMon version 3.X too if you like. HTH, Stefaan

RE: L2TP VPN issues Unable to connect more than one client - 26.May2007 7:38:30 AM
justmee
Posts: 505
Joined: 14.May2007

Hi Danny, we need the information that Stefaan asked for in order to get a complete picture of what is going on there and where things start to break. Actually, in my test lab I have managed to connect 4 VPN clients behind a NAT device to an ISA 2006 with Windows SP2 installed without any problems. I could not go further because my computer cannot cope with more VMs. Before applying SP2 I could connect 2 VPN clients located behind a NAT device. The third one never made it. As you are saying something about a couple of minutes: if memory serves me, I think that after you disconnect the VPN client which is located behind a NAT device, it will keep on sending NAT-keepalive packets (UDPENC) for about 5 minutes. I do not know if this has an impact on your NAT device. The Wireshark traces will give us the story.
< Message edited by justmee -- 26.May2007 7:48:07 AM >

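A first pass over the external-interface trace that Stefaan and justmee ask for, as an added example (not code from the thread or from ISA Server). It assumes the capture has been exported to a constructed one-packet-per-line text form with the constructed addresses 198.51.100.2 (ISA external) and 203.0.113.7 (the office NAT), and it groups IKE packets by initiator cookie so that a client whose Main Mode never gets answered, or several clients squeezed onto one public port by the NAT, stand out.

```python
# Added example, not from the thread: triage a simplified ISAKMP/NAT-T trace taken on
# the ISA external interface. Constructed text export, one packet per line: time src
# sport dst dport initiator-cookie responder-cookie (0000 = responder not yet known).
from collections import defaultdict
SERVER = "198.51.100.2"  # constructed ISA external address
# Constructed: two clients behind one NAT (203.0.113.7); the second only retransmits.
SAMPLE_TRACE = """\
0.000 203.0.113.7 500 198.51.100.2 500 aa11 0000
0.012 198.51.100.2 500 203.0.113.7 500 aa11 bb22
0.030 203.0.113.7 500 198.51.100.2 500 aa11 bb22
0.100 203.0.113.7 4500 198.51.100.2 4500 aa11 bb22
0.110 198.51.100.2 4500 203.0.113.7 4500 aa11 bb22
5.000 203.0.113.7 500 198.51.100.2 500 cc33 0000
6.000 203.0.113.7 500 198.51.100.2 500 cc33 0000
"""

def parse_trace(text):
    rows = []  # (time, src, sport, dst, dport, icookie, rcookie) per packet
    for line in text.split("\n"):
        if line.strip():
            t, src, sport, dst, dport, ic, rc = line.split()
            rows.append((float(t), src, int(sport), dst, int(dport), ic, rc))
    return rows

def triage(rows, server=SERVER):
    # Group packets by (public IP, initiator cookie): replies seen, ports used.
    attempts = defaultdict(lambda: {"client": 0, "server": 0, "ports": set(), "nat_t": False})
    for _, src, sport, dst, dport, ic, _ in rows:
        if dst == server:                      # client -> ISA
            e = attempts[(src, ic)]
            e["client"] += 1
            e["ports"].add(sport)              # public port as the ISA sees it
            e["nat_t"] |= dport == 4500        # reached NAT-T port floating
        else:                                  # ISA -> client
            attempts[(dst, ic)]["server"] += 1
    return dict(attempts)

def findings(attempts):
    # Heuristic hints only; the full trace still has to be read by hand.
    out, owners = [], defaultdict(set)
    for (peer, ic), e in attempts.items():
        for p in e["ports"]:
            owners[(peer, p)].add(ic)
        if e["server"] == 0:
            out.append(f"{peer} {ic}: {e['client']} IKE packets, no reply from ISA")
        elif not e["nat_t"]:
            out.append(f"{peer} {ic}: Main Mode answered but never floated to UDP 4500")
    for (peer, p), ics in owners.items():
        if len(ics) > 1:  # NAT mapped several initiators onto one public port
            out.append(f"{peer}: {len(ics)} initiators share public port {p} (single-session NAT?)")
    return out
```

Running `findings(triage(parse_trace(SAMPLE_TRACE)))` on the constructed sample reports the unanswered second initiator and that both clients arrive from public port 500, which is what a one-tunnel NAT like the Belkin quoted above would look like from the ISA side.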