
Welcome to ISAserver.org


Client VPN using IPSec not working

Client VPN using IPSec not working - 8.Jan.2007 12:33:06 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Hey there,

I am trying to configure VPN client access using IPSec connections.
I have followed:
http://www.isaserver.org/articles/2004vpnserver.html

PPTP works fine and I can import the certificate to the client PC fine,
but even after I import the certificate it still remains with MPPE 128 encryption.

What am I missing here?
I have no errors in logs.

< Message edited by Sunny.C -- 8.Jan.2007 12:34:37 AM >
Post #: 1
RE: Client VPN using IPSec not working - 9.Jan.2007 3:41:03 AM   
Guest
Hi Sunny,
what's the exact problem you are facing?
quote:

PPTP works fine and I can import the certificate to the client PC fine,
but even after I import the certificate it still remains with MPPE 128 encryption.

You are connecting with PPTP/EAP and the encryption is still MPPE?
No problem with that. The certificate you are using with EAP is only for authentication, to eliminate MS-CHAP v2 from the equation. The encryption will still be MPPE.
On the other hand, IPSec/L2TP with a pre-shared key, for example, still uses MS-CHAP v2 for authentication, and for encryption it will use IPSec, ESP 3DES.

(in reply to Sunny.C)
  Post #: 2
RE: Client VPN using IPSec not working - 9.Jan.2007 4:24:08 AM   
Sunny.C

 

I am trying to use IPSec and I cannot get it working.
Even after I import certificates it still logs on as MPPE instead of IPSec.

Are there any working guides or articles out there I can use to get IPSec working?

(in reply to Guest)
Post #: 3
RE: Client VPN using IPSec not working - 9.Jan.2007 5:48:45 AM   
Guest
I'm not sure I'm following this.
this is not possible.
forget for a moment about certificates.
test first with a pre-shared key. if everything goes fine here then go to the next step using certificates.
the certificates you are trying to use have nothing to do with the encryption protocol. they have to do with the authentication protocol.
the encryption protocol is selected by the VPN protocol used.
check this:
http://tinyurl.com/y8n7kp
you can use the ISA VPN kit for a detailed guide on how to set up VPN with ISA:
http://tinyurl.com/5so2a
when connected what is said on the vpn connection properties details on:
Device Name Wan Miniport "_____"  -> what's here?

(in reply to Sunny.C)
  Post #: 4
RE: Client VPN using IPSec not working - 9.Jan.2007 7:30:02 PM   
Sunny.C

 

quote:

Device Name Wan Miniport "_____"  -> what's here?

PPTP is what it has.

I have read the guides you have provided already.
I cannot even get the pre-shared key working, I think I might be missing something.

< Message edited by Sunny.C -- 9.Jan.2007 7:31:47 PM >

(in reply to Guest)
Post #: 5
RE: Client VPN using IPSec not working - 10.Jan.2007 12:50:19 AM   
Sunny.C

 

Ok a little progress.
PPTP still works no problem.
When I switch over to L2TP IPSec VPN I get:
Error 678: The remote computer did not respond..

Ideas?

(in reply to Sunny.C)
Post #: 6
RE: Client VPN using IPSec not working - 10.Jan.2007 3:44:50 AM   
Guest
Plenty of them.
Take it step by step.
Test first with the pre-shared key from a host directly connected to ISA to eliminate
any problems related to NAT-T.
Make sure you have enabled the L2TP/IPSec on ISA and put the pre-shared key in the "Authentication" tab when you select "Authentication Methods".
On the client side there isn't much to do: just choose L2TP/IPSec in the "Networking" tab
and in the "Security" tab put the pre-shared key in "IPSec Settings". The rest will
remain unchanged.
If it works with PPTP probably the "users" are set correctly.
Make sure you haven't added to the registry the ProhibitIPSec setting with a value of 1 on the client side:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
If so, delete that.
If it is not working try from another client.
Setting L2TP/IPSec with a pre-shared key is a very simple task as it involves only a little configuration on both sides.
If the test is OK then use certificates.
By the way you can leave all the certificates in place. You don't have to delete them.

(in reply to Sunny.C)
  Post #: 7
RE: Client VPN using IPSec not working - 10.Jan.2007 6:00:59 PM   
Sunny.C

 

quote:

Test first with the pre-shared key from a host directly connected to ISA to eliminate
any problems related to NAT-T.

That is what I am using at the moment.

quote:

Make sure you have enabled the L2TP/IPSec on ISA and put the pre-shared key in the "Authentication" tab when you select "Authentication Methods".
On the client side there isn't much to do: just choose L2TP/IPSec in the "Networking" tab
and in the "Security" tab put the pre-shared key in "IPSec Settings".

Confirmed.

quote:

Make sure you haven't added to the registry the ProhibitIPSec setting with a value of 1 on the client side:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
If so, delete that.

It is not there.

May I also add: is there any configuration that needs to be done if the client is behind a NAT router?

(in reply to Guest)
Post #: 8
RE: Client VPN using IPSec not working - 10.Jan.2007 8:11:10 PM   
Sunny.C

 

Am I missing anything in my rules?


(in reply to Sunny.C)
Post #: 9
RE: Client VPN using IPSec not working - 11.Jan.2007 5:12:12 AM   
Guest
Yep!
dude you're missing the point.
have you heard about system policy rules ?
if so, there is a system policy rule which should be enabled if you have set the vpn correctly.
you have to create just one rule: allowing access for vpn clients to your internal network or whatever.
do you have two ISA servers ?
a front-end and a back-end ?
here you need NAT-T for traversing the front-end ISA and ending the vpn tunnel at the back-end ISA.
the idea is that L2TP/IPSec cannot traverse a NAT device.
So if you have, in front of your ISA Server which will serve as an end-point to your
vpn tunnel, a device that is doing NAT, L2TP/IPSec cannot traverse it.
So here comes NAT-T to solve this problem.
So your NAT device must support L2TP/IPSec vpn passthrough.
There isn't such a problem for PPTP.
Also for the vpn client that sits behind a NAT device you need the following updated vpn client to get it working:
http://support.microsoft.com/?id=818043
also a full story about how to pass IPSec traffic through ISA here:
http://www.isaserver.org/articles/IPSec_Passthrough.html
how to publish a VPN server with ISA:
http://www.microsoft.com/technet/isa/2004/plan/publishingVPNservers.mspx
As I said before: the test with L2TP/IPSec is done first with a pre-shared key with a client connected directly to ISA just to make sure that your server is configured correctly.
'cause this is a pretty direct and simple job. you can't make a mess like the one when playing with certificates and you get rid of dumb devices that can block your vpn tunnel.
if it works with PPTP with windows users the only thing to do on ISA is to enable L2TP/IPSec and set the pre-shared key.
and you are ready to rock.
on the client side just select L2TP/IPSec and put the pre-shared key and you are done.
make sure you don't have a dumb personal firewall on that client which blocks your connection.
if it is not working from one client try with another one (try with at least two clients
if you want to be sure).
if it is not working with any of the above: go back and read the documentation available or if you don't like reading go for video training like Train Signal or whatever.

< Message edited by adrian_dimcev -- 11.Jan.2007 5:37:33 AM >

(in reply to Sunny.C)
  Post #: 10
RE: Client VPN using IPSec not working - 11.Jan.2007 5:37:01 AM   
Sunny.C

 

quote:

have you heard about system policy rules ?

Yes, already done.

quote:

do you have two ISA servers ?

Just one with a NAT device in front which does support IPSec pass-through.

quote:

Also for the vpn client that sits behind a NAT device you need the following updated vpn client to get it working:

I've already edited the register for it to work.

quote:

As I said before: the test with L2TP/IPSec is done first with a pre-shared key with a client connected directly to ISA just to make sure that your server is configured correctly.

I am using a pre-shared key.

quote:

or if you don't like reading go for video training like Train Signal or whatever.

Where can I find some training videos for VPN?
Also how can I troubleshoot this problem?

(in reply to Guest)
Post #: 11
RE: Client VPN using IPSec not working - 11.Jan.2007 5:45:53 AM   
Guest
those videos are not free.
sorry.
go to train signal site or learnkey or cbt nuggets.
still not working with a client connected directly to ISA?
what the heck are you doing?
tested with multiple clients?

(in reply to Sunny.C)
  Post #: 12
RE: Client VPN using IPSec not working - 11.Jan.2007 6:54:57 AM   
Sunny.C

 

Yes I have tried multi clients.
It might be that the NAT device in front of ISA is not passing through even though it claims it does.
Might try it with a Cisco 877 router.

(in reply to Guest)
Post #: 13
RE: Client VPN using IPSec not working - 11.Jan.2007 8:09:59 AM   
Guest
what does directly connected to ISA mean to you?
it means to connect the vpn client directly to the ISA external interface!!!
with no device between them!(except a hub or a switch...)
not behind your NAT device!
if it works so then go to the next step.

(in reply to Sunny.C)
  Post #: 14
RE: Client VPN using IPSec not working - 11.Jan.2007 4:52:21 PM   
Sunny.C

 

This is what my test lab looks like at the moment.

Internal win xp pc-->Switch-->ISA 2006-->DG834G(Nat device)-->Internet.

VPN connection should be made like so.

External win xp pc-->Nat Device-->DG834G(Nat)-->ISA 2006-->Internal.

That's how it should work but I cannot get it working, don't know why.
I am starting to think that I should use another VPN solution such as Cisco.


(in reply to Guest)
Post #: 15
RE: Client VPN using IPSec not working - 11.Jan.2007 5:34:32 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny,

I can assure you that the ISA remote access VPN solution is rock solid! I have used it since ISA 2000 and never had any problem with it.

Now, back to your case:

1) Delete your Firewall Policy rules #3 up to and including #7. They won't help you.

2) Instead, check out that the VPN Client wizard did enable the System Policy rule #13.

3) As said by Adrian, test first with a preshared key and without NAT between the VPN client and the ISA Server. Once that is working, add complexity by using machine certificates for the IPSec stuff and by dropping one or more NAT boxes between the client and the ISA Server.

Also, what do you see in the ISA Monitor log?

HTH,
Stefaan

(in reply to Sunny.C)
Post #: 16
RE: Client VPN using IPSec not working - 11.Jan.2007 7:09:31 PM   
Sunny.C

 

quote:

1) Delete your Firewall Policy rules #3 up to and including #7. They won't help you.

Done.

quote:

2) Instead, check out that the VPN Client wizard did enable the System Policy rule #13.

Yes it is enabled and is listening on external and passing to local host.

quote:

Also, what do you see in the ISA Monitor log?



http://www.users.on.net/~soner/logs.txt

< Message edited by Sunny.C -- 11.Jan.2007 10:51:45 PM >

(in reply to spouseele)
Post #: 17
RE: Client VPN using IPSec not working - 12.Jan.2007 4:33:39 AM   
Guest
Hey mate I think you are lost in there!
quote:

I am starting to think that i should use another vpn solution such as Cisco.

Dear Sunny,
Let me tell you how good and easy to setup is VPN with ISA:
The first vpn that I ever configured was with ISA a while ago.
I did not have any clue about vpn. Absolutely zero.
In a matter of minutes I was able to make it work. Minutes.
That's about it.
I know that you need to get it going with that NAT box in front.
But again does it work directly connected?
Please test it like so.
Also what NAT device are you using in front of ISA?
From your logs I see that it should be a DSL connection with a static IP.
Is that so?
What options has it for vpn passthrough?
did you put ISA as a dmz host on that box?
If so it should forward all ports to ISA.
You said you have already added to the registry this value:
AssumeUDPEncapsulationContextOnSendRule
About the logs.
what a mess!!!
you said that you have deleted that rule 4 huh?
I don't see that.
What exactly are the network ids for the external and internal interface of ISA (just to be sure I have understood the logs correctly).
AGAIN:
do the test with the client connected directly to ISA interfaces without your rules in place!
May I suggest you uninstall ISA and start with a clean install using
only ISA interface to set the vpn connections and adding just one rule to pass traffic from vpn clients to your internal network?

(in reply to Sunny.C)
  Post #: 18
RE: Client VPN using IPSec not working - 12.Jan.2007 4:51:31 AM   
Sunny.C

 

quote:

But again does it work directly connected?

You mean directly connect to the ISA's external interface??? If so, no it does not.

quote:

Also what NAT device are you using in front of ISA?
From your logs I see that it should be a DSL connection with a static IP.
Is that so?

Netgear DG834G with DSL static connection.
http://www.netgear.com/Products/RoutersandGateways/GWirelessRouters/DG834G.aspx?detail=Specifications

quote:

did you put ISA as a dmz host on that box?
If so it should forward all ports to ISA.

Currently it's in DMZ to ISA external NIC, also tried port forwarding.

quote:

you said that you have deleted that rule 4 huh?

As spouseele advised I have removed rules 3 & 7, the screen shot is a before shot.

quote:

What exactly are the network ids for the external and internal interface of ISA (just to be sure I have understood the logs correctly).
AGAIN:

Internal: 10.0.0.10
External: 192.168.10.20
Router: 192.168.10.60

Thanks for helping out guys.

(in reply to Guest)
Post #: 19
RE: Client VPN using IPSec not working - 12.Jan.2007 5:58:20 AM   
Guest
I don't know about that netgear.
Interesting information about it:
They say:
quote:

VPN Functionality
    * NAT traversal (VPN pass-through) for IPSec, PPTP and L2TP VPNs

And only RFC compliant:
quote:

IPSec tunnel mode (RFC 2401) (pass through mode), IP v.4

also:
quote:

DMZ support allows unrestricted access from the Internet to one computer (for hosting web services).

if it's unrestricted why do they only mention web services?
Anyway before talking about that "router":
remove it from ISA external interface and connect directly with a cross-over cable
your external computer (laptop) to ISA external interface (it should work if you plugged it in one of the switch ports of that netgear but let's keep him out of the game).
assign to your external computer an ip address from 192.168.10.x and try to connect with the vpn client to ISA external IP address: 192.168.10.20 with the pre-shared key in place and the L2TP/IPSec selected.
try with at least two computers and put the logs here (screenshots would be good).
It's good to see if the packets are reaching ISA external interface and if so what's happening (a Wireshark trace would be nice also but let's see first the logs).

(in reply to Sunny.C)
  Post #: 20
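
The check asked for in the last post (are the packets reaching the ISA external interface, and what happens to them), sketched as an added example that is not part of the thread: it sorts firewall log rows for one connection attempt by tunnel stage and names the first stage that is missing. The CSV layout, the verdict names, the client address 192.168.10.50 and the sample rows are constructed for illustration and are not ISA Server's log format.

```python
# Added example: sort firewall log rows for one VPN attempt by tunnel stage.
# The CSV layout and the sample rows are constructed, not ISA's log format.
import csv
import io

# (protocol, destination port) -> stage seen at the VPN server's external NIC
SIGNATURES = {
    ("udp", 500): "IKE",      # IPSec key exchange, always the first packets
    ("udp", 4500): "NAT-T",   # IKE/ESP wrapped in UDP once NAT is detected
    ("esp", 0): "ESP",        # IP protocol 50 (no ports), used without NAT
    ("tcp", 1723): "PPTP",    # PPTP control channel; data is GRE with MPPE
}

def triage(log_text, server_ip):
    """Return (verdict, stages) for rows addressed to server_ip."""
    stages = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != server_ip:
            continue
        stage = SIGNATURES.get((row["proto"].lower(), int(row["dport"])))
        if stage:
            stages.setdefault(stage, set()).add(row["action"].lower())
    ike = stages.get("IKE", set())
    if not ike:
        # No key exchange at all: the client dialed PPTP, or IKE never arrived.
        verdict = "PPTP_ONLY" if "PPTP" in stages else "NO_IKE"
    elif "allow" not in ike:
        verdict = "IKE_DENIED"        # reached the server, dropped by policy
    elif "allow" in stages.get("NAT-T", set()):
        verdict = "IPSEC_NAT_T"       # IPSec traffic flowing through a NAT device
    elif "allow" in stages.get("ESP", set()):
        verdict = "IPSEC_DIRECT"      # ESP flowing, no NAT in the path
    else:
        verdict = "IKE_INCOMPLETE"    # IKE seen, no ESP followed (e.g. key mismatch)
    return verdict, stages

HEADER = "src,dst,proto,dport,action\n"
PPTP_ATTEMPT = HEADER + "192.168.10.50,192.168.10.20,tcp,1723,allow\n"
DIRECT_L2TP = HEADER + (
    "192.168.10.50,192.168.10.20,udp,500,allow\n"
    "192.168.10.50,192.168.10.20,esp,0,allow\n")
BLOCKED_IKE = HEADER + "192.168.10.50,192.168.10.20,udp,500,deny\n"

if __name__ == "__main__":
    for name, log in [("pptp", PPTP_ATTEMPT), ("direct", DIRECT_L2TP),
                      ("blocked", BLOCKED_IKE)]:
        print(name, triage(log, "192.168.10.20")[0])
```

A PPTP_ONLY verdict matches the symptom in the first post: the client never starts IKE, so the session is protected by MPPE whatever certificates are installed.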
