PPTP and L2TP issues... (Full Version)






_Trip -> PPTP and L2TP issues... (22.Jul.2004 3:08:00 PM)

After weeks of attempting to get this all functioning, I finally found that the certificates on my machine were completely broken, even though everything looked fine (all the certs I needed were installed).

Installed a new machine and everything came up working on L2TP using NAT-T! (son-of-a...)

Anyway, I now have two issues *still* remaining:
PPTP will NOT connect from the internet in, it hangs on "verifying username and password". If I connect from the internal, everything works fine. I do have a firewall (managed by AT&T) on the outer perimeter of the network with PPTP and GRE forwarded to my ISA box via NAT. Is there something I can do? I've tried four different machines and they all fail at the same point coming in from the net.

Also - After finally connecting last evening to L2TP, I couldn't ping anything (Had to change some default routes on the network for my added static pool). Anyway, when I disconnected, I could no longer connect at all! What might cause that?

Thanks!

-Tim




tshinder -> RE: PPTP and L2TP issues... (22.Jul.2004 4:17:00 PM)

Hi Tim,

Here's some good advice: tell whoever is managing the upstream router to open it all up and forward everything inbound to the external interface of the ISA firewall. Otherwise, we're all playing guessing games with what they're doing.

Once you get everything opened up, we can do some serious troubleshooting.

When you say that after you connected via L2TP/IPSec you couldn't connect, what do you mean?

How are you assigning addresses to the VPN clients?

Thanks!
Tom








_Trip -> RE: PPTP and L2TP issues... (22.Jul.2004 4:49:00 PM)

Thanks Tom,

I really don't want to have them pass everything - the idea behind that firewall (module in a Cisco router) was to handle the stateful packet filtering so the ISA box only contended with application-level filtering, etc.

Here is the pertinent info from the router's config though:
access-list 112 permit tcp any host 12.38.12.141 eq 1723
access-list 112 permit udp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 1701
access-list 112 permit tcp any host 12.38.12.141 eq 4500
access-list 112 permit udp any host 12.38.12.141 eq 4500
access-list 112 permit gre any host 12.38.12.141
access-list 112 permit udp any host 12.38.12.141 eq isakmp

The external address of 12.38.12.141 has been NAT'd to a private address bound to the ISA box.
</gml_replace>
<gr_replace lines="84" cat="clarify" orig="Also with L2TP">
Also with L2TP, my internal network did not have any way to communicate back to my VPN assigned address pool, so nothing would communicate. I fixed that, but the problem was that after I disconnected from the VPN the first time, I was unable to connect again to the ISA box (it just hung on trying to connect). I thought maybe there is a known bug with L2TP connectivity that might relate to this... or some other config issue.

Hopefully something sticks out above as being wrong with the config and I can have AT&T fix it!

One interesting note though - I seem to recall reading on MS site something to the effect of ESP needing to be opened as well for NAT-T. Although I did connect that first time without it... hmmm.
Also with L2TP, my internal network did not have any way to communicate back to my VPN assigned address pool, so nothing would communicate. I fixed that, but the problem was that after I disconnected from the VPN the first time, I was unable to connect again to the ISA box (it just hung on trying to connect). thought maybe there is a known bug with L2TP connectivity that might relate to this... or some other config issue.

Thanks!




ClintD -> RE: PPTP and L2TP issues... (22.Jul.2004 5:57:00 PM)

You only need ESP if NAT-T doesn't get invoked. Since you're running NAT, just UDP 500 and 4500 are needed.

Additionally, you can remove the 1701 mapping - this is only needed on the ISA Server itself - UDP 1701 is never seen on the wire, unless you've disabled IPSec encapsulation of L2TP.

As for the "hung" authentication, this was similar to a bug in Beta 2 - are you running the final released version?

[ July 22, 2004, 06:00 PM: Message edited by: ClintD ]




_Trip -> RE: PPTP and L2TP issues... (22.Jul.2004 6:29:00 PM)

I am running the final release version, but was running beta2 on the same server (I uninstalled everything first).




_Trip -> RE: PPTP and L2TP issues... (22.Jul.2004 8:48:00 PM)

L2TP/IPSec now works! The diagnostics into it sucked, but it was because I had the AT&T Globalnet client installed on my system. Even after uninstalling the AT&T VPN Client, things didn't work. I had to go to a system restore point to just before I installed it...

Very nice - very fast comparatively speaking.

Now... I still don't work with PPTP though...

Thanks all - I'm still open to suggestions on the PPTP




tshinder -> RE: PPTP and L2TP issues... (26.Jul.2004 9:16:00 PM)

Hi Trip,

Great! Good to hear you got it working.

For PPTP, you need to allow inbound TCP 1723 and GRE (IP Protocol 47) through the front end packet filter.

HTH,
Tom
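The thread boils down to two checklists for an upstream packet filter: PPTP needs TCP 1723 plus GRE (IP protocol 47), and L2TP/IPsec behind NAT needs UDP 500 (IKE) plus UDP 4500 (NAT-T), with the 1701 entries being surplus because L2TP never appears unencapsulated on the wire. The script below is an added example, not something posted in the thread or shipped with ISA Server or IOS: it parses the `access-list <n> permit|deny <proto> any host <addr> [eq <port>]` form Trip quoted, checks both requirement sets against what the list permits, and reports entries neither VPN type needs. Run on the seven lines from the thread it confirms the ACL already permits everything PPTP and L2TP/IPsec require, so the ACL itself is not what blocks PPTP in this case. The sample input is the thread's own ACL; the `PORT_NAMES` table and the `REQUIRED` sets are my assumptions based on the advice in the replies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IOS accepts well-known names in place of port numbers; the thread uses "eq isakmp".
# Assumed mapping for the few names relevant here.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}

# Matches only the numbered-extended-ACL shape quoted in the thread:
#   access-list <n> permit|deny <proto> any host <addr> [eq <port>]
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+any\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$",
    re.IGNORECASE,
)

Flow = Tuple[str, Optional[int]]  # (IP protocol, destination port or None)

# What each VPN type needs through an upstream packet filter (assumed from the replies):
#   PPTP: TCP 1723 control channel plus GRE (IP protocol 47) for the tunnel.
#   L2TP/IPsec behind NAT: IKE on UDP 500 and NAT-T on UDP 4500 carrying ESP and L2TP.
REQUIRED: Dict[str, Set[Flow]] = {
    "PPTP": {("tcp", 1723), ("gre", None)},
    "L2TP/IPsec (NAT-T)": {("udp", 500), ("udp", 4500)},
}

# Constructed sample input: the seven lines Trip quoted from the AT&T-managed router.
THREAD_ACL = [
    "access-list 112 permit tcp any host 12.38.12.141 eq 1723",
    "access-list 112 permit udp any host 12.38.12.141 eq 1701",
    "access-list 112 permit tcp any host 12.38.12.141 eq 1701",
    "access-list 112 permit tcp any host 12.38.12.141 eq 4500",
    "access-list 112 permit udp any host 12.38.12.141 eq 4500",
    "access-list 112 permit gre any host 12.38.12.141",
    "access-list 112 permit udp any host 12.38.12.141 eq isakmp",
]


@dataclass(frozen=True)
class Ace:
    number: str
    action: str
    proto: str
    host: str
    port: Optional[int]


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one access-list entry; returns None for lines outside the supported shape."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    number, action, proto, host, port = m.groups()
    port_num: Optional[int] = None
    if port is not None:
        port_num = int(port) if port.isdigit() else PORT_NAMES.get(port.lower())
        if port_num is None:
            return None  # unknown port keyword: report as unparsed rather than guess
    return Ace(number, action.lower(), proto.lower(), host, port_num)


def audit(lines: List[str]) -> Dict[str, object]:
    """Per VPN type, report whether every required flow is permitted and which are missing;
    also list permitted flows that neither VPN type needs, and lines that did not parse."""
    aces: List[Ace] = []
    unparsed: List[str] = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            unparsed.append(line)
        else:
            aces.append(ace)
    allowed: Set[Flow] = {(a.proto, a.port) for a in aces if a.action == "permit"}
    needed_by_any: Set[Flow] = set().union(*REQUIRED.values())
    return {
        "per_vpn": {
            name: {"ok": needed <= allowed, "missing": sorted(needed - allowed, key=str)}
            for name, needed in REQUIRED.items()
        },
        "surplus": sorted(allowed - needed_by_any, key=str),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = audit(THREAD_ACL)
    for name, result in report["per_vpn"].items():
        print(f"{name}: {'OK' if result['ok'] else 'MISSING ' + str(result['missing'])}")
    print("surplus permits:", report["surplus"])
    print("unparsed lines:", report["unparsed"])
```

Dropping the `gre` line from the input flips the PPTP check to missing `("gre", None)` while leaving L2TP/IPsec untouched, which is the quickest way to see which of the two tunnels a given filter change affects. Lines in other ACL shapes (for example `permit ip any any`) are reported under `unparsed` rather than silently counted as permits, so a short report is not mistaken for a clean bill of health.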



