RE: Client VPN using IPSec not working - 9.Jan.2007 3:41:03 AM
Hi Sunny, what's the exact problem you are facing?
PPTP works fine and I can import the certificate to the client PC fine, but even after I import the certificate it still remains with MPPE 128 encryption.
You are connecting with PPTP/EAP and the encryption is still MPPE? No problem with that. The certificate you are using with EAP is only for authentication, to eliminate MS-CHAP v2 from the equation. The encryption will still be MPPE. On the other hand, for example, IPSec/L2TP with a pre-shared key still uses MS-CHAP v2 for authentication and for encryption will use IPSec, ESP 3DES.
RE: Client VPN using IPSec not working - 9.Jan.2007 5:48:45 AM
I'm not sure I'm following this. This is not possible. Forget for a moment about certificates. Test first with a pre-shared key. If everything goes fine here, then go to the next step using certificates. The certificates you are trying to use have nothing to do with the encryption protocol. They have to do with the authentication protocol. The encryption protocol is selected by the VPN protocol used. Check this: http://tinyurl.com/y8n7kp You can use the ISA VPN kit for a detailed guide on how to set up VPN with ISA: http://tinyurl.com/5so2a When connected, what is said on the VPN connection properties details on: Device Name WAN Miniport "_____" -> what's here?
RE: Client VPN using IPSec not working - 10.Jan.2007 3:44:50 AM
Plenty of them. Take it step by step. Test first with the pre-shared key from a host directly connected to ISA to eliminate any problems related to NAT-T. Make sure you have enabled L2TP/IPSec on ISA and put the pre-shared key in the "Authentication" tab when you select "Authentication Methods". On the client side there isn't much to do: just choose L2TP/IPSec in the "Networking" tab and in the "Security" tab put the pre-shared key in "IPSec Settings". The rest will remain unchanged. If it works with PPTP, probably the "users" are set correctly. Make sure you haven't added to the registry the ProhibitIPSec setting with a value of 1 on the client side: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters If so, delete that. If it is not working, try from another client. Setting up L2TP/IPSec with a pre-shared key is a very simple task, as it involves only a little configuration on both sides. If the test is OK, then use certificates. By the way, you can leave all the certificates in place. You don't have to delete them.
Test first with the pre-shared key from a host directly connected to ISA to eliminate any problems related to NAT-T.
That is what I am using at the moment.
Make sure you have enabled L2TP/IPSec on ISA and put the pre-shared key in the "Authentication" tab when you select "Authentication Methods". On the client side there isn't much to do: just choose L2TP/IPSec in the "Networking" tab and in the "Security" tab put the pre-shared key in "IPSec Settings".
Make sure you haven't added to the registry the ProhibitIPSec setting with a value of 1 on the client side: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters If so, delete that.
It is not there.
May I also add: is there any configuration that needs to be done if the client is behind a NAT router?
RE: Client VPN using IPSec not working - 11.Jan.2007 5:12:12 AM
Yep! Dude, you're missing the point. Have you heard about system policy rules? If so, there is a system policy rule which should be enabled if you have set the VPN correctly. You have to create just one rule: allowing access for VPN clients to your internal network or whatever. Do you have two ISA servers? A front-end and a back-end? Here you need NAT-T for traversing the front-end ISA and ending the VPN tunnel at the back-end ISA. The idea is that L2TP/IPSec cannot traverse a NAT device. So if you have, in front of your ISA Server which will serve as an end-point to your VPN tunnel, a device that is doing NAT, L2TP/IPSec cannot traverse it. So here comes NAT-T to solve this problem. So your NAT device must support L2TP/IPSec VPN passthrough. There isn't such a problem for PPTP. Also, for the VPN client that sits behind a NAT device you need the following updated VPN client to get it working: http://support.microsoft.com/?id=818043 Also a full story about how to pass IPSec traffic through ISA here: http://www.isaserver.org/articles/IPSec_Passthrough.html How to publish a VPN server with ISA: http://www.microsoft.com/technet/isa/2004/plan/publishingVPNservers.mspx

As I said before: the test with L2TP/IPSec is done first with a pre-shared key with a client connected directly to ISA, just to make sure that your server is configured correctly, 'cause this is a pretty direct and simple job. You can't make a mess like the one when playing with certificates, and you get rid of dumb devices that can block your VPN tunnel. If it works with PPTP with Windows users, the only thing to do on ISA is to enable L2TP/IPSec and set the pre-shared key, and you are ready to rock. On the client side just select L2TP/IPSec and put the pre-shared key and you are done. Make sure you don't have a dumb personal firewall on that client which blocks your connection. If it is not working from one client, try with another one (try with at least two clients if you want to be sure).
If it is not working with any of the above: go back and read the documentation available, or if you don't like reading go for video training like Train Signal or whatever.
< Message edited by adrian_dimcev -- 11.Jan.2007 5:37:33 AM >
RE: Client VPN using IPSec not working - 11.Jan.2007 5:45:53 AM
Those videos are not for free. Sorry. Go to the Train Signal site or LearnKey or CBT Nuggets. Still not working with a client connected directly to ISA? What the heck are you doing? Tested with multiple clients?
RE: Client VPN using IPSec not working - 11.Jan.2007 8:09:59 AM
What does "directly connected to ISA" mean to you? It means to connect the VPN client directly to the ISA external interface!!! With no device between them! (except a hub or a switch...) Not behind your NAT device! If it works that way, then go to the next step.
I can assure you that the ISA remote access VPN solution is rock solid! I have used it since ISA 2000 and never had any problem with it.
Now, back to your case:
1) Delete your Firewall Policy rules #3 up to and including #7. They won't help you.
2) Instead, check out that the VPN Client wizard did enable the System Policy rule #13.
3) As said by Adrian, test first with a pre-shared key and without NAT between the VPN client and the ISA Server. Once that is working, add complexity by using machine certificates for the IPSec stuff and by dropping one or more NAT boxes between the client and the ISA Server.
RE: Client VPN using IPSec not working - 12.Jan.2007 4:33:39 AM
Hey mate I think you are lost in there!
I am starting to think that I should use another VPN solution such as Cisco.
Dear Sunny, let me tell you how good and easy it is to set up VPN with ISA: the first VPN that I ever configured was with ISA a while ago. I did not have any clue about VPN. Absolutely zero. In a matter of minutes I was able to make it work. Minutes. That's about it. I know that you need to get it going with that NAT box in front. But again, does it work directly connected? Please test it like so. Also, what NAT device are you using in front of ISA? From your logs I see that it should be a DSL connection with a static IP. Is that so? What options does it have for VPN passthrough? Did you put ISA as a DMZ host on that box? If so, it should forward all ports to ISA. You said you have already added to the registry this value: AssumeUDPEncapsulationContextOnSendRule

About the logs: what a mess!!! You said that you have deleted that rule 4, huh? I don't see that. What exactly are the network IDs for the external and internal interface of ISA (just to be sure I have understood the logs correctly)? AGAIN: do the test with the client connected directly to the ISA interfaces without your rules in place! May I suggest you uninstall ISA and start with a clean install, using only the ISA interface to set up the VPN connections and adding just one rule to pass traffic from VPN clients to your internal network?
RE: Client VPN using IPSec not working - 12.Jan.2007 5:58:20 AM
I don't know about that Netgear. Interesting information about it. They say:
VPN Functionality * NAT traversal (VPN pass-through) for IPSec, PPTP and L2TP VPNs
And only RFC compliant: IPSec tunnel mode (RFC 2401) (pass through mode), IP v.4
DMZ support allows unrestricted access from the Internet to one computer (for hosting web services).
If it's unrestricted, why do they only mention web services? Anyway, before talking about that "router": remove it from the ISA external interface and connect your external computer (laptop) directly to the ISA external interface with a cross-over cable (it should work if you plugged it into one of the switch ports of that Netgear, but let's keep it out of the game). Assign to your external computer an IP address from 192.168.10.x and try to connect with the VPN client to the ISA external IP address 192.168.10.20, with the pre-shared key in place and L2TP/IPSec selected. Try with at least two computers and put the logs here (screenshots would be good). It's good to see if the packets are reaching the ISA external interface and, if so, what's happening (a Wireshark trace would be nice also, but let's see the logs first).
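The two questions the thread keeps coming back to are whether the L2TP/IPSec packets reach the ISA external interface at all, and whether a NAT device sits in the path (the NAT-T explanation above and the trace request just made). The script below is an added example, not code from the thread or from ISA Server: it classifies constructed one-line packet summaries (a reduced Wireshark or firewall log export) by the well-known IKE, NAT-T, ESP, L2TP and PPTP signatures and returns a verdict list; the line format and the sample captures are assumptions, and 192.168.10.20 is the ISA external address from the thread.

```python
from collections import Counter

# Flow signatures a VPN server sees: (transport, UDP/TCP port or IP protocol number).
SIGNATURES = {
    ("udp", 500): "IKE",          # ISAKMP negotiation, the first thing a client sends
    ("udp", 4500): "NAT-T",       # UDP-encapsulated ESP (RFC 3948): a NAT sits in the path
    ("ip", 50): "ESP",            # native ESP, only survives when there is no NAT
    ("udp", 1701): "L2TP-CLEAR",  # L2TP visible outside IPsec: no SA is protecting it
    ("tcp", 1723): "PPTP",        # PPTP control channel
    ("ip", 47): "GRE",            # PPTP data channel
}

def classify(summary):
    """summary (constructed format): '<src> <dst> <udp|tcp|ip> <port or protocol number>'."""
    src, dst, transport, number = summary.split()
    return src, dst, SIGNATURES.get((transport, int(number)), "OTHER")

def diagnose(summaries, isa_external_ip):
    """Return verdict codes for L2TP/IPsec traffic arriving at the ISA external IP."""
    inbound = [classify(s) for s in summaries]
    seen = Counter(kind for _, dst, kind in inbound if dst == isa_external_ip)
    verdicts = []
    if not seen["IKE"]:
        verdicts.append("NO_IKE")          # nothing reached ISA: the device in front drops UDP 500
    if seen["IKE"] and not (seen["ESP"] or seen["NAT-T"]):
        verdicts.append("IKE_ONLY")        # negotiation started but no SA: PSK/cert mismatch,
                                           # or a NAT box not passing ESP / UDP 4500
    if seen["NAT-T"]:
        verdicts.append("NAT_IN_PATH")     # client is NATed: needs the NAT-T client update
    if seen["L2TP-CLEAR"]:
        verdicts.append("IPSEC_BYPASSED")  # L2TP without IPsec, e.g. ProhibitIPSec=1 on the client
    if seen["ESP"] and not seen["NAT-T"]:
        verdicts.append("IPSEC_DIRECT")    # native ESP: no NAT between client and ISA
    return verdicts

# Constructed sample: laptop on the ISA external segment, as the thread asks to test.
DIRECT_CAPTURE = [
    "192.168.10.50 192.168.10.20 udp 500",
    "192.168.10.50 192.168.10.20 udp 500",
    "192.168.10.50 192.168.10.20 ip 50",
]
# Constructed sample: client behind a NAT box that only forwards IKE.
NATED_CAPTURE = [
    "203.0.113.7 192.168.10.20 udp 500",
    "203.0.113.7 192.168.10.20 udp 500",
]

if __name__ == "__main__":
    print(diagnose(DIRECT_CAPTURE, "192.168.10.20"))  # ['IPSEC_DIRECT']
    print(diagnose(NATED_CAPTURE, "192.168.10.20"))   # ['IKE_ONLY']
```

Run it over a real export once the trace has been reduced to that line format; a NO_IKE verdict means the problem is in front of ISA, not in the VPN configuration.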