Welcome to ISAserver.org

WinMe client can't access to ISA2k4(Win2k3) behind Firewall.

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> VPN >> WinMe client can't access to ISA2k4(Win2k3) behind Firewall.

Page: [1]

Message

<< Older Topic Newer Topic >>

WinMe client can't access to ISA2k4(Win2k3) behind Fire... - 30.Jan.2005 11:22:00 AM

dogman

Posts: 3
Joined: 30.Jan.2005
Status: offline

I tried to access VPN(L2TP/IPSec) server(ISA2004) from a variety of WinMe or WinXP SP1 or WinXP SP2 or Win2k SP4.
Access OK is WinXP SP1 or WinXP SP2 or Win2k SP4.
Access NG is WinMe(with Microsoft L2TP/IPSec VPN Client). I got error 629.
Can anyone help ?

I inform informaion:
Network diagram:
- ClientPC <-> Firewall(NAT) <-> internet <-> Firewall(NAT) <-> ISA2004(Win2k3)

Thanks

Post #: 1

Featured Links*

RE: WinMe client can't access to ISA2k4(Win2k3) behind ... - 31.Jan.2005 5:19:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Dogman,

The ISA firewall will support NAT-T, but you need to have the ISA firewall on the VPN server, and you need to install the updated L2TP/IPSec NAT-T VPN client on the VPN client machines.

HTH,
Tom

(in reply to dogman)

Post #: 2

RE: WinMe client can't access to ISA2k4(Win2k3) behind ... - 1.Feb.2005 4:46:00 PM

dogman

Posts: 3
Joined: 30.Jan.2005
Status: offline

Hi Tom,

I have already install as follows,

WinMe:the Microsoft L2TP/IPSec VPN Client
WinXP SP1&Win2K:KB818043
WinXP SP2:KB885407

But WinMe only can't access it. I get error 629.
He have same issue as below,too.
<http://x220.win2ktest.com/forum/topic.asp?TOPIC_ID=6402>

I want to know how to fix it.
Thanks

(in reply to dogman)

Post #: 3

RE: WinMe client can't access to ISA2k4(Win2k3) behind ... - 1.Feb.2005 11:48:00 PM

ClintD

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

If your IPSec diagnostic log looks like the posters from win2ktest.com, then it's failing during Main Mode negotiations. Sinec this is where we authenticate the peer with either a PreShared Key or certificate, does the connection attempt work if you use a PreShared key?

The IPSec diagnostic shows that the client is sending it's certificate, but the remote server doesn't reeive it (or the entire payload) - this is usually due to fragmentation. Win2k and WinXP have improved fragmentation checking for L2TP connections, so the L2TP/IPSec Client for Win9x/ME will have different behavior than later clients.

(in reply to dogman)

Post #: 4

RE: WinMe client can't access to ISA2k4(Win2k3) behind ... - 2.Feb.2005 1:11:00 PM

dogman

Posts: 3
Joined: 30.Jan.2005
Status: offline

Hi ClintD

Thank you for reply.

I use a Pre-shared key.
Is this Software issue ?

Thanks

(in reply to dogman)

Post #: 5

RE: WinMe client can't access to ISA2k4(Win2k3) behind ... - 2.Feb.2005 2:24:00 PM

ClintD

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

You're gonna hate me, but I've got to ask. [Big Grin]

You're absolutely certain that the PSK is good on both sides? Is it a simple PSK (123456789) or something more involved? Again, we are failing in Main Mode so this is where the PSK or Certs are exchanged to authenticate each peer, so I've got to ask.

If the PSK is good, can you enable Oakley logging on the server and attempt to connect again? Server side logging can give us a better idea of the failure as the server logs more information than the Win9x/ME client logging.

c:\netsh ipsec dynamic set config ikelogging 1

After you try to connect, look in the c:\Windows\Debug directory on the server for the oakley.log file. Post the results up here and we'll see where it's going wrong.

(in reply to dogman)

Post #: 6