Solved

VPN using L2TP not working over NAT

Posted on 2003-11-13
6,341 Views
Last Modified: 2008-02-01
I am setting up a Windows 2003 server as a VPN server. When I try to connect from a Windows XP system over a dial-up modem everything works fine. However, when I try to connect from behind a broadband router I get the following error: Error 788: The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.
I am using a preshared secret instead of a certificate. PPTP works fine even behind the NAT device. Any ideas what the problem could be?
Question by:saunders4tom
11 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
 
LVL 13

Expert Comment

by:Gnart
Are you using IPSEC?  Check your VPN end-points to see where it is located with the broadband setup.  Your VPN tunnel end points for the dial-up is computer to computer, so this is not a problem.  

Your scenario of broadband:  NAT is incompatible with IPSEC
http://support.microsoft.com/default.aspx?scid=kb;en-us;301284&Product=win2000#12

Make your broadband router your end point for IPSEC - that way you don't deal with NAT.  Also check your security association (SA) on the broadband and make sure that you have a matching SA on the other end.

Please provide more information on your VPN setup.

cheers
 
LVL 5

Expert Comment

by:ralonso
Your problem is due to the fact that the server receives the connection from the broadband router, but when negotiating IPSec it finds a different address (the NATed Address).

What you should do is find out a way to tell your client to negotiate IPSec with the external address of the router.
 

Author Comment

by:saunders4tom
My client is the standard VPN client shipped with Windows XP Service Pack 1. The way it won't work is when I am behind a broadband router. My XP system will have a private IP address, using the broadband router as a NAT device.
I know Microsoft released a patch in May 2003 to improve the way XP handled NAT with IPSec/L2TP. However, the next day they pulled the patch from their site as it caused a lot of users to lose internet access. It seems like it had some bugs. I am not sure if the XP VPN client has the ability to handle NAT. Does anyone know if there is a new patch from Microsoft to make it work? I couldn't find one.
How do I tell the MS VPN client to negotiate IPSec with the external address of the router?
I know that my broadband router can handle IPSec as I can use Checkpoint's VPN client with a Checkpoint VPN server with no problems.
I need the Microsoft VPN client to work behind NAT as I plan to roll it out to our remote users. When I use PPTP it works fine from behind a NAT device.
 
LVL 13

Expert Comment

by:Gnart
If you are planning to roll it out to remote users (remote office - I presume) - why not make the router the end-point - instead of managing many client end-points.  One end-point is one maintenance point for security association change.  All traffic going from branch to HQ can be selectively encrypted and tunnel....

I don't know if MS pulled it because of a bug.  I think you are talking about this - it contains a link to the update that you are looking for as well as instructions for implementation:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

Many companies tried to go around the way IPSEC and NAT work and ran into the source address being encrypted and then NATted.  When IPSEC authenticates the source address in the IP header it fails.  MS is not doing anything new, other than creating VPN end-points between the server and the client (bypassing the routers and everything in between).  Their end-points check for their patch and rework the NATted address to circumvent the incompatibilities.

cheers

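The point made in the comment above (an integrity check that covers the source address fails once a NAT rewrites it, and the update works around that by re-handling the NATted address between the two end-points) can be shown with a small model. The script below is an added example and is not code from this thread or from Microsoft; it uses a simplified stand-in for the real protocol: an HMAC over the outer addresses plays the role of an address-bound integrity check, an HMAC over the payload alone plays the role of UDP-encapsulated ESP, and the NAT-D hash follows the RFC 3947 construction HASH(CKY-I | CKY-R | IP | Port) used by NAT traversal to detect a NAT between the peers. All addresses, ports, cookies and the key are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key: a real SA key is derived during the IKE exchange.
SA_KEY = b"demo-sa-key-not-a-real-secret"


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check value over the immutable IP header fields (source and
    destination address) plus the payload: an address-bound check, the kind
    that a NAT rewrite breaks."""
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def esp_icv(key: bytes, payload: bytes) -> bytes:
    """Integrity check value over the encapsulated payload only; the outer IP
    header is not covered, which is what lets UDP-encapsulated ESP cross a NAT."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def nat_rewrite(packet: dict, public_ip: str, public_port: int) -> dict:
    """Model a NAT/PAT router: rewrite the source address and port, keep the
    payload untouched."""
    out = dict(packet)
    out["src"] = public_ip
    out["sport"] = public_port
    return out


def verify_ah(key: bytes, packet: dict) -> bool:
    expected = ah_icv(key, packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def verify_esp(key: bytes, packet: dict) -> bool:
    return hmac.compare_digest(esp_icv(key, packet["payload"]), packet["icv"])


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value as defined in RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the negotiated hash algorithm."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, observed_ip, observed_port) -> bool:
    """A peer compares the NAT-D hash it received (built by the sender from its
    own view of its address) with one built from the address it actually saw.
    A mismatch means a NAT rewrote the packet in between."""
    received = natd_hash(cky_i, cky_r, claimed_ip, claimed_port)
    computed = natd_hash(cky_i, cky_r, observed_ip, observed_port)
    return not hmac.compare_digest(received, computed)


def demo() -> dict:
    """Walk the cases from the thread: dial-up (no NAT), a broadband router
    (NAT) with an address-bound integrity check, and the same router with
    payload-only integrity plus NAT-D detection. Addresses are constructed
    from documentation ranges."""
    client_private = "192.168.1.10"   # XP client behind the broadband router
    router_public = "203.0.113.5"     # router's outside address
    vpn_server = "198.51.100.20"      # Windows 2003 VPN server
    payload = b"L2TP control message (constructed)"
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # ISAKMP cookies (constructed)

    # Address-bound integrity: fine point-to-point, broken once NAT rewrites src.
    ah_pkt = {"src": client_private, "dst": vpn_server, "sport": 500, "payload": payload}
    ah_pkt["icv"] = ah_icv(SA_KEY, client_private, vpn_server, payload)
    ah_after_nat = nat_rewrite(ah_pkt, router_public, 61001)

    # Payload-only integrity (ESP in UDP): survives the same rewrite.
    esp_pkt = {"src": client_private, "dst": vpn_server, "sport": 4500, "payload": payload}
    esp_pkt["icv"] = esp_icv(SA_KEY, payload)
    esp_after_nat = nat_rewrite(esp_pkt, router_public, 61002)

    return {
        "ah_ok_direct": verify_ah(SA_KEY, ah_pkt),
        "ah_ok_after_nat": verify_ah(SA_KEY, ah_after_nat),
        "esp_ok_after_nat": verify_esp(SA_KEY, esp_after_nat),
        # Dial-up: the server sees exactly the address the client put in NAT-D.
        "nat_seen_dialup": nat_detected(cky_i, cky_r, client_private, 500, client_private, 500),
        # Broadband: the client claims its private address, the server sees the router's.
        "nat_seen_broadband": nat_detected(cky_i, cky_r, client_private, 500, router_public, 61001),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the address-bound check passing on the direct (dial-up) path and failing after the router rewrites the source, while the payload-only check still passes and the NAT-D comparison flags the broadband path as NATted. That is the general mechanism behind a NAT traversal update: detect the NAT during IKE, then stop binding integrity to the outer address.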

 
LVL 5

Expert Comment

by:ralonso
So far, whenever I have encountered those problems the only solutions I have found are using the router as VPN endpoint or use a different software to establish the VPN connection.

I seem to remember that you can download the Intel VPN client for free from their website, but I can't remember if it worked properly.
 
LVL 13

Expert Comment

by:Gnart
That's what I stated in my first post.  We are in agreement here.

MS and others have been trying to circumvent the incompatibility problem w/o much success because of the myriad of applications and their solutions: NAT/PAT, FTP, multimedia using multiple channels, etc....  Router end-point VPN is the way to go (one maintenance point).  

Hey, I proposed that, but Saunders4tom still wants to try end-points at the clients.  It should work if the VPN on the router is disabled.  But think about the number of end-points and client PCs that you have to deal with if there is any problem on the PCs.  Heck, a client updates something, the VPN breaks and more headaches..... With a router end-point you don't need to muck with anyone's PC.

cheers
 

Author Comment

by:saunders4tom
The reason I need the end point to be the client laptops is that by remote office I mean home office. We have sales people all over the country who work from home and need network access. They also need access from hotels etc. Currently we use a Checkpoint VPN solution and wanted to move to a Microsoft solution.
 
LVL 13

Expert Comment

by:Gnart
Now we know your objective.... OK, the MS link I provided above should help you achieve your objective.

cheers
 

Author Comment

by:saunders4tom
Hi Gnart. The link below is one of many that talk about the problems with Microsoft's IPSec patch discussed in the 818043 KB article in the link you posted. It also talks about the patch being pulled the following day.
http://www.pcworld.com/news/article/0,aid,110897,00.asp
When you go to the link you posted, http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp
Microsoft says the patch is available and gives no indication that there was ever a problem with it. However, if you follow their instructions and attempt to download or locate the patch it is nowhere to be found. If you can locate this patch and post the actual download link I would appreciate it.
Thanks
 
LVL 13

Accepted Solution

by: Gnart earned 500 total points
Hi, the download is still at Microsoft - I followed the directions in the article and found it.
Follow the following directions - obviously you can jump to the direct link:

1) I started with the link that I posted:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp

2) The above link leads you to the following:
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

3) Click on "Find Microsoft Updates" under Microsoft Update Catalog

4) Click on the advanced search option to open up the advanced search options

5) Select operating system Windows XP SP1 (the last on the list)
5a) In "Contains these words" put in 818043
5b) Click "Search" - it will come back with one "Recommended Updates (1)"

6) Click on the "Recommended Updates (1)" and you will get
Download size: 771 KB
This update to internet Protocol Security Clients IPSec and L2TP/IPSec allows IPSec to work across Network Address Translation (NAT) boundaries. A client may connect to a Windows Server 2003 Server with IPSec or L2TP/IPSec when the client is behind one or more NATs. Users should download this update if they use IPSec and/or L2TP Virtual Private Network (VPN) connections. After you install this item, you may have to restart your computer.

7) Download the program - it's what you need.

cheers
