Solved

VPN using L2TP not working over NAT

Posted on 2003-11-13
11
7,525 Views
Last Modified: 2008-02-01
I am setting up a Windows 2003 server as a VPN server. When I try to connect from a Windows XP system over a dial-up modem everything works fine. However, when I try to connect from behind a broadband router I get the following error: Error 788: The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.
I am using a preshared secret instead of a certificate. PPTP works fine even behind the NAT device. Any ideas what the problem could be?
0
Question by:saunders4tom
11 Comments
 
LVL 13

Expert Comment

by:Gnart
ID: 9745356
Are you using IPSEC?  Check your VPN end-points to see where they are located with the broadband setup.  Your VPN tunnel end-points for the dial-up are computer to computer, so this is not a problem.

Your scenario of broadband:  NAT is incompatible with IPSEC
http://support.microsoft.com/default.aspx?scid=kb;en-us;301284&Product=win2000#12

Make your broadband router your end point for IPSEC - that way you don't deal with NAT.  Also check your security association (SA) on the broadband and make sure that you have a matching SA on the other end.

Please provide more information on your VPN setup.

cheers
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9748572
Your problem is due to the fact that the server receives the connection from the broadband router, but when negotiating IPSec it finds a different address (the NATed address).

What you should do is find a way to tell your client to negotiate IPSec with the external address of the router.
0
 

Author Comment

by:saunders4tom
ID: 9750093
My client is the standard VPN client shipped with Windows XP Service Pack 1. It won't work when I am behind a broadband router. My XP system will have a private IP address, using the broadband router as a NAT device.
I know Microsoft released a patch in May 2003 to improve the way XP handled NAT with IPSEC/L2TP. However, the next day they pulled the patch from their site as it caused a lot of users to lose internet access. It seems like it had some bugs. I am not sure if the XP VPN client has the ability to handle NAT. Does anyone know if there is a new patch from Microsoft to make it work? I couldn't find one.
How do I tell the MS VPN client to negotiate IPSec with the external address of the router?
I know that my broadband router can handle IPSec, as I can use Checkpoint's VPN client with a Checkpoint VPN server with no problems.
I need the Microsoft VPN client to work behind NAT as I plan to roll it out to our remote users. When I use PPTP it works fine from behind a NAT device.
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9752612
If you are planning to roll it out to remote users (remote office - I presume) - why not make the router the end-point - instead of managing many client end-points.  One end-point is one maintenance point for security association changes.  All traffic going from branch to HQ can be selectively encrypted and tunnelled....

I don't know if MS pulled it because of a bug.  I think you are talking about this - it contains a link to the update that you are looking for as well as instructions for implementation:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

Many companies tried to go around the way IPSEC and NAT work and ran into the source address being encrypted and then NATed.  When IPSEC authenticates the source address in the IP header it fails.  MS is not doing anything new, other than creating VPN end-points between the server and the client (bypassing the routers and everything in between).  Their end-points check for their patch and rework the NATed address to circumvent the incompatibilities.

cheers

0
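As an added illustration that is not part of the thread, the constructed Python example below shows the mechanism behind the failure Gnart describes. With L2TP/IPsec the L2TP traffic is UDP carried inside ESP transport mode, and the UDP checksum covers a pseudo-header containing the client's original source address; because ESP encrypts that UDP header, the NAT router can rewrite only the outer IP address, so the server's checksum validation fails unless NAT traversal (NAT-T, RFC 3947/3948, which is what the NAT-capable IPSec update discussed here provides) tells the server the original address. All addresses and the payload are constructed values.

```python
import ipaddress
import struct

UDP_PROTO = 17
L2TP_PORT = 1701
CLIENT_PRIVATE_IP = "192.168.1.10"  # constructed: XP client behind the broadband router
ROUTER_PUBLIC_IP = "198.51.100.7"   # constructed: NAT address the server actually sees
SERVER_IP = "203.0.113.5"           # constructed: Windows Server 2003 VPN server

def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment (checksum field zeroed)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~_ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as 0xFFFF

def build_l2tp_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """UDP 1701 -> 1701 header plus payload, checksummed with the client's own (private) address."""
    header = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

def inner_checksum_ok(seen_src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Server side after ESP decryption: validate the UDP checksum against the source it believes in."""
    return udp_checksum(seen_src_ip, dst_ip, segment) == struct.unpack("!H", segment[6:8])[0]

def demo() -> dict:
    # The client checksums with its private address; ESP then hides the UDP header from the
    # router, which can rewrite only the outer IP source to its public address.
    segment = build_l2tp_segment(CLIENT_PRIVATE_IP, SERVER_IP, b"constructed L2TP SCCRQ")
    return {
        # Plain L2TP/IPsec: the server checks against the NATed address and drops the packet.
        "without_nat_t": inner_checksum_ok(ROUTER_PUBLIC_IP, SERVER_IP, segment),
        # NAT-T (RFC 3948): IKE's NAT-OA payload gives the server the client's original
        # address, so it can validate (or fix up) the inner checksum and accept the packet.
        "with_nat_t": inner_checksum_ok(CLIENT_PRIVATE_IP, SERVER_IP, segment),
    }

if __name__ == "__main__":
    print(demo())
```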
 
LVL 5

Expert Comment

by:ralonso
ID: 9754625
So far, whenever I have encountered those problems the only solutions I have found are using the router as the VPN endpoint or using different software to establish the VPN connection.

I seem to remember that you can download the Intel VPN client for free from their website, but I can't remember if it worked properly.
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9754818
That's what I stated in my first post.  We are in agreement here.

MS and others have been trying to circumvent the incompatibility problem w/o much success because of the mirage of applications and their solutions: NAT/PAT, FTP, multimedia using multiple channels, etc....  Router end-point VPN is the way to go (one maintenance point).  

Hey, I proposed that, but Saunders4tom still wants to try end-points at the clients.  It should work if the VPN on the router is disabled.  But think about the number of end-points and client PCs that you have to deal with if there is any problem on the PCs.  Heck, a client updates something, the VPN breaks, and more headaches..... With a router end-point you don't need to muck with anyone's PC.

cheers
0
 

Author Comment

by:saunders4tom
ID: 9755154
The reason I need the end-point to be the client laptops is that by remote office I mean home office. We have sales people all over the country who work from home and need network access. They also need access from hotels etc. Currently we use a Checkpoint VPN solution and want to move to a Microsoft solution.
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9757500
Now we know your objective.... OK, the MS link I provided above should help you achieve your objective.

cheers
0
 

Author Comment

by:saunders4tom
ID: 9757609
Hi Gnart. The link below is one of many that talk about the problems with Microsoft's IPSec patch discussed in the 818043 KB article in the link you posted. It also talks about the patch being pulled the following day.
http://www.pcworld.com/news/article/0,aid,110897,00.asp
When you go to the link you posted, http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp
Microsoft say the patch is available and give no indication that there was ever a problem with it. However, if you follow their instructions and attempt to download or locate the patch it is nowhere to be found. If you can locate this patch and post the actual download link I would appreciate it.
Thanks
0
 
LVL 13

Accepted Solution

by:
Gnart earned 500 total points
ID: 9761314
Hi, the download is still at Microsoft - I followed the directions in the article and found it.
Follow the following directions - obviously you can jump to the direct link:

1) I started with the link that I posted:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

2) The above link leads you to the following:
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

3) Click on "Find Microsoft Updates" under Microsoft Update Catalog

4) Click on the advanced search option to open up the advanced search options

5) Select operating system Windows XP SP1 (the last on the list)
5a) In "Contains these words" put in 818043
5b) Click "Search" - it will come back with one "Recommended Updates (1)"

6) Click on the "Recommended Updates (1)" and you will get:
Download size: 771 KB
This update to Internet Protocol Security Clients IPSec and L2TP/IPSec allows IPSec to work across Network Address Translation (NAT) boundaries. A client may connect to a Windows Server 2003 Server with IPSec or L2TP/IPSec when the client is behind one or more NATs. Users should download this update if they use IPSec and/or L2TP Virtual Private Network (VPN) connections. After you install this item, you may have to restart your computer.

7) Download the program - it's what you need.

cheers
0
