Some Client have problems with l2tp/ipsec connection
Some Client have problems with l2tp/ipsec connection - 5.May2006 11:57:42 AM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Hello members of the forum, I'm responsible for an ISA Server 2004 Enterprise NLB installation. I configured VPN client access using our own CA and L2TP/IPsec. All clients trust the CA and they requested a client certificate. Most clients have no problems connecting to the network, but even identical configurations and certificates that are requested exactly the same way show connection problems on some clients. The error code you can see at the client is Error 792, and in the event log of the ISA servers you see a Failure Event ID 547 "IKE security association negotiation failed". It can't be a general server configuration problem. Is there anybody with the same problems or a resolution for these problems? Thanks for your help.
Kind regards
Jens
RE: Some Client have problems with l2tp/ipsec connection - 7.May2006 8:56:35 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jens, Are some of these NAT-T clients running WinXP SP2? If so, that could be the problem. SP2 broke NAT-T and you need to apply a Registry fix. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Some Client have problems with l2tp/ipsec connection - 9.May2006 8:18:28 AM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Hi Tom, thanks for your response. SP2 is not installed on any of the machines (working and not working). I can see the same problem on the specific clients even when the PCs are directly connected to the Internet (ISDN dial-in) and there is no NAT in use. I tried PPTP with the same clients and it works. What Registry fix do you mean? Does it make sense to try it without SP2? Thanks for your help.
Jens
RE: Some Client have problems with l2tp/ipsec connection - 11.May2006 3:14:12 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Well, they did it on purpose so it can't really be considered a bug. But that's splitting hairs. :P I think it should be a part of a security hardening guide somewhere and not the default behavior.
RE: Some Client have problems with l2tp/ipsec connection - 12.May2006 12:57:25 AM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: online
quote:
ORIGINAL: ClintD
Well, they did it on purpose so it can't really be considered a bug. But that's splitting hairs. :P I think it should be a part of a security hardening guide somewhere and not the default behavior.

Yeah, would agree. One nice way around it is to use CMAK and run a reg file to add the awful reg key during connectoid installation. Otherwise I guess you could use Group Policy with a custom adm.
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
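Tom's "Registry fix" and Jason's CMAK-deployed reg file both concern the XP SP2 NAT-T setting that Clint names later in the thread (AssumeUDPEncapsulationContextOnSendRule). As an added example, not code from this thread or from any of the posters, this PowerShell script audits a client's service-pack level and that value and can apply the same change a CMAK reg file would; the registry path, the meaning of values 0/1/2 and the "XP at SP2 or later" scoping are taken from Microsoft's documentation of that value, not from this thread, so treat them as assumptions to verify against the KB before rolling it out.

```powershell
# Added example: audit (and optionally set) the NAT-T registry value that
# Windows XP SP2 requires before IPsec will negotiate with a VPN server that
# sits behind a NAT device. Path and value semantics are assumptions taken
# from Microsoft's documentation of the value, not from this forum thread.
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTState {
    # Returns a report object rather than printing, so the result can be
    # collected from many clients (e.g. via a logon script) and compared.
    $os = Get-WmiObject Win32_OperatingSystem
    $current = (Get-ItemProperty -Path $IpsecKey -Name $ValueName `
                  -ErrorAction SilentlyContinue).$ValueName

    if ($current -eq $null) {
        $meaning = 'not set (behaves as 0: no IPsec SA to a server behind NAT)'
    } elseif ($current -eq 0) {
        $meaning = 'no IPsec SA to a server behind NAT (SP2 default)'
    } elseif ($current -eq 1) {
        $meaning = 'SA allowed when the server is behind NAT'
    } elseif ($current -eq 2) {
        $meaning = 'SA allowed when client and server are both behind NAT'
    } else {
        $meaning = "unexpected value $current"
    }

    # Only XP (kernel 5.1) at SP2 or later shows the behaviour discussed above;
    # pre-SP2 clients (like Jens's) are outside this check.
    $affected = ($os.Version -like '5.1*') -and ($os.ServicePackMajorVersion -ge 2)

    New-Object PSObject -Property @{
        OSVersion   = $os.Version
        ServicePack = $os.ServicePackMajorVersion
        NatTRule    = $current
        Meaning     = $meaning
        NeedsReview = $affected -and (($current -eq $null) -or ($current -eq 0))
    }
}

function Set-NatTRule {
    # Same effect as the reg file Jason describes deploying through CMAK,
    # applied directly. Requires local administrator rights. 1 is the
    # narrower setting; use 2 only if clients themselves sit behind NAT.
    param([ValidateRange(1, 2)][int]$Value = 1)
    if (-not (Test-Path $IpsecKey)) { New-Item -Path $IpsecKey -Force | Out-Null }
    Set-ItemProperty -Path $IpsecKey -Name $ValueName -Value $Value -Type DWord
    Get-NatTState
}

Get-NatTState
```

Run Get-NatTState first; only where NeedsReview is true does Set-NatTRule change anything, and the change is limited to the IPSec service key.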
RE: Some Client have problems with l2tp/ipsec connection - 12.May2006 2:36:42 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Yeah - I don't know who's in charge of these friggin registry keys, but this has got to stop.
SkipAuthenticationForRoutingInformation = AnonymousWPAD
AssumeUDPEncapsulationContextOnSendRule = AllowIPSecToNATdServer
My all time favorite is...."Allow Replication With Divergent and Corrupt Partner". Not only is it ridiculously long, but they even included spaces in it. Gah!!! :D
RE: Some Client have problems with l2tp/ipsec connection - 12.May2006 3:46:09 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
ORIGINAL: Jason Jones
quote:
ORIGINAL: ClintD
Well, they did it on purpose so it can't really be considered a bug. But that's splitting hairs. :P I think it should be a part of a security hardening guide somewhere and not the default behavior.

Yeah, would agree. One nice way around it is to use CMAK and run a reg file to add the awful reg key during connectoid installation. Otherwise I guess you could use Group Policy with a custom adm.
JJ

Hi Jason, nice tip! Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Some Client have problems with l2tp/ipsec connection - 18.May2006 10:27:40 AM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Dear group members, thanks for your help. We analysed the difference between working and not working clients carefully and we found that the patch Q818043 is needed. When we apply this patch to the XP clients with the problems, the L2TP/IPsec tunnel can be established.
Regards
Jens
RE: Some Client have problems with l2tp/ipsec connection - 18.May2006 2:18:04 PM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Hi Tom, on http://support.microsoft.com/kb/818043/en-us you can find the following summary:

SUMMARY
Microsoft has released an update package to enhance the current functionality of Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2). Computers that run Windows XP with a service pack do not have to install this update package. This update includes improvements to IPsec to better support virtual private network (VPN) clients that are behind network address translation (NAT) devices. If you apply this update to a computer that is running Windows XP, and if the IPsec service encounters a runtime error and cannot start for any reason, the IPsec driver operates in block mode because it cannot secure network traffic.

At the more detailed part you can find:

The updated IPsec services on Windows XP-based computers can expose most of the new features that are provided in a Windows Server 2003 policy. Note: Certificate Mapping is not available.
• If an earlier version of the IPseccmd tool is installed on a Windows XP-based computer (this tool is not available in Windows 2000), an updated IPseccmd is installed in the drive:\Program Files\Support Tools folder. The updated IPseccmd has the following features:
• It dynamically turns Internet Key Exchange (IKE) logging on and off.
• It displays information about a currently assigned policy.
• It lets you create a persistent IPsec policy.
Note: The earlier version of IPseccmd does not work on updated computers, and the updated IPseccmd does not work on computers that are not updated.

I can't find that it fixes my problem, but it really does.
Kind regards
Jens
RE: Some Client have problems with l2tp/ipsec connection - 18.May2006 2:28:29 PM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Hi Tom, I forgot. It's part of SP2. Your proposal was right. The problem is that our customer refused the rollout of SP2 because of an NT -> AD migration project. Thanks for your help again.
Jens
RE: Some Client have problems with l2tp/ipsec connection - 19.May2006 3:23:28 PM
jneumann
Posts: 8
Joined: 3.Dec.2004
Status: offline
Hi Tom, phase 1 failed both with NAT and with direct ISDN Internet access without NAT. I think Microsoft fixed some more problems with this patch.
Kind regards
Jens