Welcome to ISAserver.org
L2TP/IPSec NAT-T back-to-back
All Forums >> [ISA Server 2004 Firewall] >> VPN >> L2TP/IPSec NAT-T back-to-back
L2TP/IPSec NAT-T back-to-back - 28.Oct.2005 10:56:00 AM
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
I am using the ISA Server 2004 VPN Deployment kit chapter 12, Inbound L2TP/IPSec NAT-T connection through a back-to-back ISA Server 2004 Server DMZ.

The PPTP client works but not the L2TP client.
The client is a Windows XP with SP2 on it.
If I connect client directly to the Back-end ISA Server the L2TP/IPSec works.

In the Front-end ISA Server log I see the 500 and 4500 port connections to the Back-end ISA Server.

In the Back-end ISA Server log I see the same 500 and 4500 port connections to it, but there is no response back from the Back-end ISA Server.

Why does the Front-end log show 500 and 1701 port connections when the L2TP/IPSec client is directly attached to it (when it works), and not the 500 and 4500 port connections when it does not work going through the Front-end ISA Server?

Thanks,
Ken
Post #: 1
RE: L2TP/IPSec NAT-T back-to-back - 28.Oct.2005 4:43:00 PM
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It shows 1701 because the ISA Server is the endpoint, and IPSec has decapsulated the traffic prior to ISA seeing it - it's just a matter of the RRAS / ISA / IPSec network plumbing.

Since ISA isn't the endpoint when you publish the Back End server, the front end server can't see inside the encrypted data.

Have you implemented the AssumeUDPEncapsulationContextOnSendRule registry key on the client? I'm not sure if Tom addresses this in the guide.
MS introduced a security restriction in XP SP2 that prevents NAT-T connections from being established with servers behind a NAT device. It's not a bug, as this was designed into the product, but you do have to implement the reg key on your clients.


(in reply to kdiekemper)
Post #: 2
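An added example, not from the thread or from the deployment kit, of checking and setting the client-side value ClintD refers to. It assumes the XP SP2 / Server 2003 key location (the same value lives under Services\PolicyAgent on Vista and later), that the shell runs elevated, and that the client is rebooted afterwards, since the value is read by the IPsec service at startup.

```powershell
# Check (and optionally set) AssumeUDPEncapsulationContextOnSendRule on an
# L2TP/IPsec client. Assumption: XP SP2 / Server 2003 key path; Vista and
# later use HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent instead.
param(
    [ValidateSet(0, 1, 2)]
    [int]$Desired = 1,      # 1 = VPN server sits behind NAT (the back-to-back ISA case)
    [switch]$Apply          # without -Apply the script only reports the current state
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$meaning   = @{
    0 = 'default: no IPsec SA to a server behind a NAT device'
    1 = 'allow SAs to a server behind a NAT device'
    2 = 'allow SAs when both client and server are behind NAT devices'
}

# A missing value behaves exactly like 0 (the XP SP2 default).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
Write-Host ("Current value: {0} ({1})" -f $current, $meaning[$current])

if ($Apply -and $current -ne $Desired) {
    # Set-ItemProperty creates the DWORD if it does not exist yet.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $Desired -Type DWord
    Write-Host ("Set to {0} ({1}). Reboot the client before retesting L2TP/IPsec." -f $Desired, $meaning[$Desired])
}
elseif ($Apply) {
    Write-Host 'Value already as desired; nothing changed.'
}
```

Use value 1 for the setup in this thread (server behind the front-end ISA's NAT); value 2 is only needed when the client itself is also behind a NAT device.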
RE: L2TP/IPSec NAT-T back-to-back - 28.Oct.2005 5:30:00 PM
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
Thanks for the response to my question.
That fixed the problem.
I saw that before I sent my question in but did not think it applied to me. I will have to do some more reading on that.

Thanks again
Ken

(in reply to kdiekemper)
Post #: 3
RE: L2TP/IPSec NAT-T back-to-back - 30.Oct.2005 10:48:00 AM
kdiekemper

 

Posts: 54
Joined: 26.Sep.2005
Status: offline
KB885348 recommends that if you have a Windows Server 2003-based VPN server, you assign a public IP address to the VPN server.

Does this apply if you are using back-to-back ISA Server 2004 VPN access?

Thanks,
Ken

(in reply to kdiekemper)
Post #: 4
RE: L2TP/IPSec NAT-T back-to-back - 30.Oct.2005 12:41:00 PM
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
The IP address doesn't really matter - they just don't want you to use the VPN Server behind a NAT device, but you have to do this in the back-to-back setup, by default.

If you want to change the Front End network rules to route, then that'd work as well.

(in reply to kdiekemper)
Post #: 5
