Solved

VPN using L2TP not working over NAT

Posted on 2003-11-13
Last Modified: 2008-02-01
I am setting up a Windows 2003 server as a VPN server. When I try to connect from a Windows XP system over a dial-up modem everything works fine. However, when I try to connect from behind a broadband router I get the following error: Error 788: The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.
I am using a preshared secret instead of a certificate. PPTP works fine even behind the NAT device. Any ideas what the problem could be?
Question by:saunders4tom
11 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 9744796
 
LVL 13

Expert Comment

by:Gnart
ID: 9745356
Are you using IPSEC?  Check your VPN end-points to see where they are located with the broadband setup.  Your VPN tunnel end points for the dial-up are computer to computer, so this is not a problem.

Your scenario of broadband:  NAT is incompatible with IPSEC
http://support.microsoft.com/default.aspx?scid=kb;en-us;301284&Product=win2000#12

Make your broadband router your end point for IPSEC - that way you don't deal with NAT.  Also check your security association (SA) on the broadband and make sure that you have a matching SA on the other end.

Please provide more information on your VPN setup.

cheers
 
LVL 5

Expert Comment

by:ralonso
ID: 9748572
Your problem is due to the fact that the server receives the connection from the broadband router, but when negotiating IPSec it finds a different address (the NATed Address).

What you should do is find out a way to tell your client to negotiate IPSec with the external address of the router.

Author Comment

by:saunders4tom
ID: 9750093
My client is the standard VPN client shipped with Windows XP Service Pack 1. The way it won't work is when I am behind a broadband router. My XP system will have a private IP address, using the broadband router as a NAT device.
I know Microsoft released a patch in May 2003 to improve the way XP handled NAT with IPSEC/L2TP. However, the next day they pulled the patch from their site as it caused a lot of users to lose internet access. It seems like it had some bugs. I am not sure if the XP VPN client has the ability to handle NAT. Does anyone know if there is a new patch from Microsoft to make it work? I couldn't find one.
How do I tell the MS VPN client to negotiate IPSec with the external address of the router?
I know that my broadband router can handle IPSec as I can use Checkpoint's VPN client with a Checkpoint VPN server with no problems.
I need the Microsoft VPN client to work behind NAT as I plan to roll it out to our remote users. When I use PPTP it works fine from behind a NAT device.
 
LVL 13

Expert Comment

by:Gnart
ID: 9752612
If you are planning to roll it out to remote users (remote office - I presume) - why not make the router the end-point - instead of managing many client end-points.  One end-point is one maintenance point for security association change.  All traffic going from branch to HQ can be selectively encrypted and tunnel....

I don't know if MS pulled it because of a bug.  I think you are talking about this - it contains a link to the update that you are looking for as well as instruction for implementation:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

Many companies tried to go around the way IPSEC and NAT work and ran into the source address being encrypted and then NATed.  When IPSEC authenticates the source address in the IP header it fails.  MS is not doing anything new, other than creating VPN end-points between the server and the client (bypassing the routers and everything in between).  Their end-points check for their patch and rework the NATted address to circumvent the incompatibilities.

cheers

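An added illustration of the two points Gnart makes above (not code from the thread or from Microsoft): first, an integrity check that covers the IP source address (as AH does) stops verifying as soon as a NAT rewrites that address; second, the NAT-Traversal detection that the Windows update adds, where each IKE peer sends a hash of the address and port it believes it is using (the NAT-D payload of RFC 3947) and the receiver recomputes the hash from the packet it actually saw. A mismatch tells both sides a NAT sits in the path, and the ESP traffic is then carried inside UDP on port 4500 instead of being sent raw. All addresses, ports and ISAKMP cookies below are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed ISAKMP cookies (8 bytes each), as exchanged in IKE phase 1.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
# Constructed integrity key for the AH-style check.
AH_KEY = b"constructed-integrity-key"


def ah_icv(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Simplified AH integrity check value: an HMAC over the immutable IP
    header fields (source and destination address) plus the payload."""
    covered = (ipaddress.IPv4Address(src_ip).packed
               + ipaddress.IPv4Address(dst_ip).packed + payload)
    return hmac.new(AH_KEY, covered, hashlib.sha1).digest()


def ah_verifies(src_ip: str, dst_ip: str, payload: bytes, icv: bytes) -> bool:
    """Receiver-side check using the addresses seen in the arriving packet."""
    return hmac.compare_digest(ah_icv(src_ip, dst_ip, payload), icv)


def nat_d_hash(ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH = prf(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated hash; IPv4 address is 4 bytes,
    port is 2 bytes big-endian."""
    data = CKY_I + CKY_R + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_in_path(advertised_hash: bytes, observed_ip: str, observed_port: int) -> bool:
    """True when the hash the peer advertised does not match the hash of the
    address/port we actually observed on the wire, i.e. a NAT rewrote it."""
    return not hmac.compare_digest(advertised_hash, nat_d_hash(observed_ip, observed_port))


def simulate(client_ip: str, nat_ip: str, server_ip: str, nat_port: int = 500) -> dict:
    """Run both checks for a client whose packets leave the NAT as nat_ip:nat_port.
    Pass nat_ip == client_ip (and nat_port 500) to model the dial-up case."""
    payload = b"L2TP control message (constructed)"

    # AH-style integrity: the client signed its own (private) source address,
    # but the server receives the packet with the NAT's address instead.
    icv = ah_icv(client_ip, server_ip, payload)
    ah_ok = ah_verifies(nat_ip, server_ip, payload, icv)

    # NAT-T detection: the client advertises hashes of the server's address
    # (as it sees the destination) and of its own local address.
    client_hash_of_server = nat_d_hash(server_ip, 500)
    client_hash_of_self = nat_d_hash(client_ip, 500)
    # The server recomputes from its own address and from the packet source.
    nat_before_server = nat_in_path(client_hash_of_server, server_ip, 500)
    nat_before_client = nat_in_path(client_hash_of_self, nat_ip, nat_port)

    # With a NAT anywhere in the path, IKE moves to UDP 4500 and ESP is
    # UDP-encapsulated; otherwise IKE stays on 500 and ESP is sent raw.
    udp_port = 4500 if (nat_before_client or nat_before_server) else 500
    return {
        "ah_verifies": ah_ok,
        "nat_before_client": nat_before_client,
        "nat_before_server": nat_before_server,
        "udp_port": udp_port,
    }


if __name__ == "__main__":
    print("behind broadband NAT:", simulate("192.168.1.10", "203.0.113.5", "198.51.100.20"))
    print("dial-up, no NAT:     ", simulate("100.64.0.7", "100.64.0.7", "198.51.100.20"))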
 
LVL 5

Expert Comment

by:ralonso
ID: 9754625
So far, whenever I have encountered those problems the only solutions I have found are using the router as the VPN endpoint or using different software to establish the VPN connection.

I seem to remember that you can download the Intel VPN client for free from their website, but I can't remember if it worked properly.
 
LVL 13

Expert Comment

by:Gnart
ID: 9754818
That's what I stated in my first post.  We are in agreement here.

MS and others have been trying to circumvent the incompatibility problem w/o much success because of the myriad of applications and their solutions: NAT/PAT, FTP, multimedia using multiple channels, etc....  Router end-point VPN is the way to go (one maintenance point).

Hey, I proposed that, but Saunders4tom still wants to try end-points on the clients.  It should work if the VPN on the router is disabled.  But think about the number of end-points and client PCs that you have to deal with if there is any problem on the PCs.  Heck, a client updates something, the VPN breaks, and more headaches..... With a router end-point you don't need to muck with anyone's PC.

cheers
 

Author Comment

by:saunders4tom
ID: 9755154
The reason I need the end point to be the client laptops is that by remote office I mean home office. We have sales people all over the country who work from home and need network access. They also need access from hotels etc. Currently we use a Checkpoint VPN solution and wanted to move to a Microsoft solution.
 
LVL 13

Expert Comment

by:Gnart
ID: 9757500
Now we know your objective.... OK, the MS link I provided above should help you achieve your objective.

cheers
 

Author Comment

by:saunders4tom
ID: 9757609
Hi Gnart. The link below is one of many that talk about the problems with Microsoft's IPSec patch discussed in the 818043 KB article in the link you posted. It also talks about the patch being pulled the following day.
http://www.pcworld.com/news/article/0,aid,110897,00.asp
When you go to the link you posted, http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp
Microsoft say the patch is available and give no indication that there was ever a problem with it. However, if you follow their instructions and attempt to download or locate the patch it is nowhere to be found. If you can locate this patch and post the actual download link I would appreciate it.
Thanks
 
LVL 13

Accepted Solution

by:Gnart (earned 500 total points)
ID: 9761314
Hi, the download is still at Microsoft - I followed the directions in the article and found it.
Follow the directions below - obviously you can jump to the direct link:

1) I started with the link that I posted:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

2) The above link leads you to the following:
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

3) Click on "Find Microsoft Updates" under Microsoft Update Catalog

4) Click on the advanced search option to open up the advanced search options

5) Select operating system Windows XP SP1 (the last on the list)
5a) In "Contains these words" put in 818043
5b) Click "Search" - it will come back with one "Recommended Updates (1)"

6) Click on the "Recommended Updates (1)" and you will get:
Download size: 771 KB
This update to internet Protocol Security Clients IPSec and L2TP/IPSec allows IPSec to work across Network Address Translation (NAT) boundaries. A client may connect to a Windows Server 2003 Server with IPSec or L2TP/IPSec when the client is behind one or more NATs. Users should download this update if they use IPSec and/or L2TP Virtual Private Network (VPN) connections. After you install this item, you may have to restart your computer.

7) Download the program - it's what you need.

cheers