Welcome to ISAserver.org

PPTP and L2TP issues...

All Forums >> [ISA Server 2004 Firewall] >> VPN >> PPTP and L2TP issues...
PPTP and L2TP issues... - 22.Jul.2004 3:08:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
After weeks of attempting to get this all functioning, I finally found that the certificates on my machine were completely broken, even though everything looked fine (all the certs I needed were installed).

Installed a new machine and everything came up working on L2TP using NAT-T! (son-of-a...)

Anyway, I now have two issues *still* remaining:
PPTP will NOT connect from the internet in, it hangs on "verifying username and password". If I connect from the internal, everything works fine. I do have a firewall (managed by AT&T) on the outer perimeter of the network with PPTP and GRE forwarded to my ISA box via NAT. Is there something I can do? I've tried four different machines and they all fail at the same point coming in from the net.

Also - After finally connecting last evening to L2TP, I couldn't ping anything (Had to change some default routes on the network for my added static pool). Anyway, when I disconnected, I could no longer connect at all! What might cause that?

Thanks!

-Tim
Post #: 1
RE: PPTP and L2TP issues... - 22.Jul.2004 4:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

Here's some good advice: tell whoever is managing the upstream router to open it all up and forward everything inbound to the external interface of the ISA firewall. Otherwise, we're all playing guessing games with what they're doing.

Once you get everything opened up, we can do some serious troubleshooting.

When you say that after you connected via L2TP/IPSec you couldn't connect, what do you mean?

How are you assigning addresses to the VPN clients?

Thanks!
Tom

(in reply to _Trip)
Post #: 2
RE: PPTP and L2TP issues... - 22.Jul.2004 4:49:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
Thanks Tom,

I really don't want to have them pass everything - the idea behind that firewall (module in a Cisco router) was to handle the stateful packet filtering so the ISA box only contended with Application level filtering, etc.

Here is the pertinent info from the router's config though:
access-list 112 permit tcp any host 12.38.12.141 eq 1723
access-list 112 permit udp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 4500
access-list 112 permit udp any host 12.38.12.141 eq 4500
access-list 112 permit gre any host 12.38.12.141
access-list 112 permit udp any host 12.38.12.141 eq isakmp

The external address of 12.38.12.141 has been NAT'd to a private address bound to the ISA box.

Hopefully something sticks out above as being wrong with the config and I can have AT&T fix it!

One interesting note though - I seem to recall reading on MS site something to the effect of ESP needing to be opened as well for NAT-T. Although I did connect that first time without it... hmmm.
Also with L2TP, my internal network did not have any way to communicate back to my VPN assigned address pool, so nothing would communicate. I fixed that, but the problem was that after I disconnected from the VPN the first time, I was unable to connect again to the ISA box (it just hung on trying to connect). Thought maybe there is a known bug with L2TP connectivity that might relate to this... or some other config issue.

Thanks!

(in reply to _Trip)
Post #: 4
RE: PPTP and L2TP issues... - 22.Jul.2004 5:57:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You only need ESP if NAT-T doesn't get invoked. Since you're running NAT, just UDP 500 and 4500 are needed.

Additionally, you can remove the 1701 mapping - this is only needed on the ISA Server itself - UDP 1701 is never seen on the wire, unless you've disabled IPSec encapsulation of L2TP.

As for the "hung" authentication, this was similar to a bug in Beta 2 - are you running the final released version?

[ July 22, 2004, 06:00 PM: Message edited by: ClintD ]

(in reply to _Trip)
Post #: 5
RE: PPTP and L2TP issues... - 22.Jul.2004 6:29:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
I am running the final release version, but was running beta2 on the same server (I uninstalled everything first).

(in reply to _Trip)
Post #: 6
RE: PPTP and L2TP issues... - 22.Jul.2004 8:48:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
L2TP/IPSec now works! The diagnostics into it sucked, but it was because I had the AT&T Globalnet client installed on my system. Even after uninstalling the AT&T VPN Client, things didn't work. I had to go to a system restore point to just before I installed it...

Very nice - very fast comparatively speaking.

Now... I still don't work with PPTP though...

Thanks all - I'm still open to suggestions on the PPTP

(in reply to _Trip)
Post #: 7
RE: PPTP and L2TP issues... - 26.Jul.2004 9:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Trip,

Great! Good to hear you got it working.

For PPTP, you need to allow inbound TCP 1723 and GRE (IP Protocol 47) through the front end packet filter.

HTH,
Tom

(in reply to _Trip)
Post #: 8
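The replies in this thread boil down to a small checklist for the perimeter filter in front of the VPN server: PPTP needs TCP 1723 plus GRE (IP protocol 47), L2TP/IPsec behind NAT needs only UDP 500 and UDP 4500, and the 1701 entries do nothing on the wire because L2TP rides inside ESP. The script below is an added example (not from ISAserver.org, Microsoft or any poster) that parses the Cisco IOS access-list lines Trip posted and reports what is missing or superfluous for each VPN type. The ACL regex, the port-name table and the second, constructed ACL that omits GRE are my own assumptions; the required-port table is exactly what the thread states. A PPTP client that can reach TCP 1723 but whose GRE is dropped at the edge is the classic cause of a client stalling at "verifying username and password", which is why the check reports a missing GRE entry separately.

```python
"""Check a Cisco IOS access-list against the inbound traffic a PPTP and
L2TP/IPsec (NAT-T) VPN server needs at the perimeter packet filter.

Example code written for this thread; not part of ISA Server or the posts.
"""
import re

# Matches the simple "access-list N permit <proto> any host <ip> [eq <port>]"
# form used in the thread (assumption: no source ports, ranges or wildcards).
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

# IOS accepts well-known port keywords in place of numbers (assumed subset).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}

# (proto, port) pairs each VPN type needs inbound, per the replies in the thread.
REQUIRED = {
    "PPTP": {("tcp", 1723), ("gre", None)},
    "L2TP/IPsec NAT-T": {("udp", 500), ("udp", 4500)},
}
# Entries that are never seen on the wire with IPsec-encapsulated L2TP
# (L2TP's UDP 1701 travels inside ESP; NAT-T uses UDP 4500 only).
SUPERFLUOUS = {("udp", 1701), ("tcp", 1701), ("tcp", 4500)}

# The access-list as posted in the thread.
THREAD_ACL = """\
access-list 112 permit tcp any host 12.38.12.141 eq 1723
access-list 112 permit udp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 4500
access-list 112 permit udp any host 12.38.12.141 eq 4500
access-list 112 permit gre any host 12.38.12.141
access-list 112 permit udp any host 12.38.12.141 eq isakmp
"""

# Constructed variant (not from the thread): GRE forgotten, port keywords used.
ACL_NO_GRE = """\
access-list 112 permit tcp any host 12.38.12.141 eq pptp
access-list 112 permit udp any host 12.38.12.141 eq isakmp
access-list 112 permit udp any host 12.38.12.141 eq non500-isakmp
"""


def parse_acl(text):
    """Return (action, proto, dst, port) tuples; port is None for GRE/ESP lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        port = m.group("port")
        if port is not None:
            if port.isdigit():
                port = int(port)
            elif port in PORT_NAMES:
                port = PORT_NAMES[port]
            else:
                raise ValueError(f"unknown port keyword {port!r} in {line!r}")
        rules.append((m.group("action"), m.group("proto"), m.group("dst"), port))
    return rules


def check_vpn_acl(acl_text, vpn_host):
    """Report, per VPN type, the (proto, port) entries missing for vpn_host,
    plus any permitted entries that L2TP/IPsec with NAT-T does not need."""
    permitted = {
        (proto, port)
        for action, proto, dst, port in parse_acl(acl_text)
        if action == "permit" and dst == vpn_host
    }
    order = lambda r: (r[0], r[1] or 0)  # GRE has no port; sort it safely
    report = {name: sorted(needed - permitted, key=order)
              for name, needed in REQUIRED.items()}
    report["superfluous"] = sorted(permitted & SUPERFLUOUS, key=order)
    return report


if __name__ == "__main__":
    for label, acl in (("thread ACL", THREAD_ACL), ("no-GRE ACL", ACL_NO_GRE)):
        print(label, check_vpn_acl(acl, "12.38.12.141"))
```

Run against the posted ACL the check finds nothing missing for either VPN type and lists the three 1701/TCP-4500 lines as removable, matching ClintD's reply; against the constructed no-GRE variant it reports `("gre", None)` missing for PPTP, the entry Tom's final reply tells the upstream admin to add.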
