I'm trying to configure a site to site L2TP/IPSEC VPN between two ISA servers, each of which is on a private LAN behind an edge firewall (Cisco PIX). The edge firewall at each site has a static NAT configured which allows traffic on the following ports through to the ISA servers:
Where 80.xxx.yyy.zzz is the remote ISA server and 172.16.2.56 is the local ISA server.
In the security event log, I see:
IKE security association established. Mode: Data Protection Mode (Quick Mode)
Peer Identity: Preshared key ID. Peer IP Address: 80.xxx.yyy.zzz
Filter: Source IP Address 172.16.2.56 Source IP Address Mask 255.255.255.255 Destination IP Address 80.xxx.yyy.zzz Destination IP Address Mask 255.255.255.255 Protocol 17 Source Port 1701 Destination Port 1701 IKE Local Addr 172.16.2.56 IKE Peer Addr 80.xxx.yyy.zzz IKE Source Port 4500 IKE Destination Port 4500 Peer Private Addr 10.0.0.225
Parameters: ESP Algorithm Triple DES CBC HMAC Algorithm MD5 AH Algorithm None Encapsulation Transport Mode with UDP encapsulation
InboundSpi 1023349694 (0x3cff13be) OutBoundSpi 745487645 (0x2c6f3d1d) Lifetime (sec) 3600 Lifetime (kb) 250000 QM delta time (sec) 0 Total delta time (sec) 0
But in the system event log, I get an EventID 20111:
Event ID 20111: A Demand Dial connection to the remote interface pdhome on port VPN3-101 was successfully initiated but failed to complete successfully because of the following error: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number.
So the question is, how should I go about debugging an L2TP/IPSEC VPN further? (currently, I'm using ethereal to monitor packets), but why didn't the remote computer respond? Do I need extra access rules (currently I've allowed all outgoing on each side). Are there any tools which will give me further info into what's happening (e.g. a detailed log)? What should I see with successful connection in the ISA logs?
This brings up an interesting question that I've wondered about for some time. I've never had a chance to check this configuration, because I always put my ISA Firewalls on the edge, and put the old hardware boxes on eBay
However, I wonder if NAT-T is broken in this scenario. As you might know, the WinXP SP2 and Vista teams broke NAT-T on their clients so that you need to go into the Registry to get NAT-T working when both sides are behind a NAT device.
What I wonder is if in the site to site VPN model, did the Windows Server team create the same SNAFU and break NAT-T when both sides are behind a NAT.
I can neither confirm nor deny, since I've never tested this scenario and never had to put it in production.
You might try putting the ISA Firewall on the edge -- they were designed for that configuration.