Welcome to ISAserver.org


Need urgent help with L2TP ipsec behind NAT

Need urgent help with L2TP ipsec behind NAT - 7.Oct.2008 8:14:49 PM   
snaza

 

Posts: 4
Joined: 7.Oct.2008
Status: offline
Hi Everyone,

Internal nic ip Isa server - 10.1.20.1
External nic ip isa server - 172.18.160.50
External NAT address for VPN (forwarded to external ISA NIC) - 203.3.189.1

Trying to set up L2TP IPsec VPN for clients to terminate on my isa2006 server. If I VPN to the external NIC (172.18.160.50) IPsec works fine (this is connecting from my XP client on a different VLAN but in the same building). But if I try from outside this building and connect to my 203.3.189.1 address it just sits there waiting. It is going through a Checkpoint firewall but everything is open. PPTP works fine when connecting to this 203.3.189.1 address. I guess there is a setting in ISA for NAT or something as it must be getting confused going from 203.3.189.1 -> 172.18.160.50.

Sorry, I hope I make sense. Any help would be great.

thanks

Aaron
Post #: 1
RE: Need urgent help with L2TP ipsec behind NAT - 8.Oct.2008 9:52:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

you must configure your clients to use NAT-T. Check this:

http://technet.microsoft.com/en-us/library/cc713325.aspx

Regards,
Paulo Oliveira.

(in reply to snaza)
Post #: 2
RE: Need urgent help with L2TP ipsec behind NAT - 8.Oct.2008 6:03:28 PM   
snaza

 

Posts: 4
Joined: 7.Oct.2008
Status: offline
Thanks for that, but I want to terminate the VPNs on ISA. I'm running XP Pro SP2, so do I have to make that reg change? There will be a double NAT, so will L2TP still work?

(in reply to paulo.oliveira)
Post #: 3
RE: Need urgent help with L2TP ipsec behind NAT - 9.Oct.2008 8:13:02 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

It is going through a checkpoint firewall but everything is open.

You have to make this registry change, because ISA is behind Checkpoint.

Regards,
Paulo Oliveira.

(in reply to snaza)
Post #: 4
RE: Need urgent help with L2TP ipsec behind NAT - 9.Oct.2008 6:32:15 PM   
snaza

 

Posts: 4
Joined: 7.Oct.2008
Status: offline
Thanks Paulo. I did make that reg change but I'm still having problems with L2TP. I set the DWORD value to 1.

So it definitely is possible to do L2TP with the double NAT?


(in reply to paulo.oliveira)
Post #: 5
RE: Need urgent help with L2TP ipsec behind NAT - 10.Oct.2008 8:34:03 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

yes, it is. Make sure you allowed the right protocols on your checkpoint and ISA firewalls.

IKE Client = 500 UDP SendReceive
IKE Server = 500 UDP ReceiveSend
L2TP Client = 1701 UDP SendReceive
IPsec NAT-T Client = 4500 UDP SendReceive
L2TP Server = 1701 UDP ReceiveSend
IPsec NAT-T Server = 4500 UDP ReceiveSend

Regards,
Paulo Oliveira.

(in reply to snaza)
Post #: 6
RE: Need urgent help with L2TP ipsec behind NAT - 13.Oct.2008 6:00:22 PM   
snaza

 

Posts: 4
Joined: 7.Oct.2008
Status: offline
Hi Paul,

The Checkpoint firewall is open to ALL traffic (while I'm trying to get this working). I can see the IKE packets passing through Checkpoint but it seems like it's having problems negotiating back to the VPN client (if that makes sense).

After I make the reg change to 1, is there anything I need to change on the Windows XP SP2 VPN client?

thanks

(in reply to paulo.oliveira)
Post #: 7
RE: Need urgent help with L2TP ipsec behind NAT - 15.Oct.2008 4:54:36 AM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
In my experience (L2TP/IPsec VPN from a client behind a NAT, to a VPN server also behind a NAT) I had to set the assumeudpencapsulationcontextonsendrule reg key on the XP SP2/3 and Vista clients to a value of 2.

Then it all worked a treat.

Give that a shot if your ISA is behind a NAPT device (which it sounds like it is).

(in reply to snaza)
Post #: 8
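
The registry setting discussed in posts 4 to 8, as an added example that is not from any poster in this thread: a PowerShell script that reports whether a client's NAT-T policy value matches the NAT topology and can set it. The key paths come from Microsoft's NAT-T guidance rather than from the thread, and the switch names are hypothetical.

```powershell
# Added example: audit (and optionally set) AssumeUDPEncapsulationContextOnSendRule.
# Run from an elevated prompt on the VPN client. Switch names are illustrative.
param(
    [switch]$ServerBehindNat,   # the VPN server (here: ISA) sits behind a NAT device
    [switch]$ClientBehindNat,   # this client is also behind a NAT device
    [switch]$Apply              # write the value instead of only reporting
)

$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Key location per Microsoft's guidance (not stated in the thread):
#   Windows XP SP2/SP3  -> Services\IPSec
#   Windows Vista/later -> Services\PolicyAgent
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}

# 0 = no SAs to servers behind NAT (XP SP2 default)
# 1 = server behind NAT
# 2 = server and client both behind NAT (the case described in post 8)
$required = 0
if ($ServerBehindNat) { $required = 1 }
if ($ServerBehindNat -and $ClientBehindNat) { $required = 2 }

# A missing value behaves like 0.
$current = 0
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop) { $current = [int]$prop.$name }

Write-Output "Key      : $key"
Write-Output "Current  : $current"
Write-Output "Required : $required"

# Assumption: a value of 2 is treated as also covering the value-1 case.
if ($current -ge $required) {
    Write-Output 'OK: value permits this topology. If L2TP still fails, check UDP 500/4500 end to end.'
}
elseif ($Apply) {
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $required -Force | Out-Null
    Write-Output "Set $name to $required. Restart the computer before retesting."
}
else {
    Write-Output "MISMATCH: re-run with -Apply to set $name to $required."
}
```

Values above 0 relax a default that Windows XP SP2 ships with, so set this only on clients that need to reach a VPN server behind NAT.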
