g127404 asked:
VPN with IPSec (L2TP) and Certificates or Preshared Keys

Microsoft and Google simply aren't helping me out anymore.  Hopefully someone here can.

I setup SBS 2003 with the Remote Access Wizard from the "To Do" list.
I was able to immediately setup a client vpn to access the server using PPTP.
So far so good.
Then I tried switching the protocol to L2TP IPSec VPN and it quickly went downhill from there.

I'm trying to go as secure as possible so I went the harder route first and tried using certificates.
Recently I switched from that and tried just using a preshared key.
I've received the can't connect errors.
Error 789
Error 798
Error 792
And probably a few more...

I have a SonicWall Pro Firewall that has these ports on DMZ: 500(UDP), IPSec 4500(UDP), IPSec 1701(UDP) and IPSec (ESP)
I don't believe the Firewall is an issue at this point as I'm testing behind the firewall and just pointing the client to the local server name.

I guess for now if I can get the "easier" way to work (preshared keys), then I'll be happy and figure out certificates afterwards.
My most current error if you'd like to help from there is:
Error 792  (Microsoft document doesn't help on this - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299307)

I'll beat you to it and post some of the "suggested reading" I have a feeling you'll send me to. =-)
(Just my list of recent bookmarks... some may not apply or be for the wrong server type)
Note: I have SBS 2003 Standard and NO ISA.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/plan/nwpriv.mspx
http://support.microsoft.com/?kbid=259880
http://support.microsoft.com/?kbid=314831
http://support.microsoft.com/kb/253498/EN-US/
http://support.microsoft.com/default.aspx?scid=kb;en-us;q281555&sd=tech
http://support.microsoft.com/default.aspx?scid=kb;en-us;M555281
http://support.microsoft.com/kb/240262/
http://www.isaserver.org/tutorials/Configuring_the_VPN_Client_and_Server_to_Support_CertificateBased_PPTP_EAPTLS_Authentication__Part_2.html
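The post above lists the firewall allowances the asker made for L2TP/IPsec (UDP 500, UDP 4500, UDP 1701 and ESP). The following is an added example, not code from this thread, from Microsoft or from SonicWall: a small Python checker that evaluates a constructed, first-match rule set against those four requirements. The `Rule` format and the sample rule sets are assumptions made for illustration and do not reflect SonicWall's configuration syntax. The point it makes is the one that most often trips people up: ESP is IP protocol 50, not a port, so a rule set that "opens all the ports" can still block the tunnel.

```python
"""Check whether a firewall rule set permits every flow an L2TP/IPsec client
needs to reach a VPN server (Windows RRAS in the thread's case).

Added example; not from the Experts Exchange thread, Microsoft or SonicWall.
The Rule format and all sample rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flows an L2TP/IPsec client must be able to send to the server.
# ESP is IP protocol 50 and has no port, which is why it is listed
# separately from the UDP entries and why "open the ports" is not enough.
REQUIRED = [
    ("udp", 500, "IKE (ISAKMP) key exchange, UDP 500"),
    ("udp", 4500, "IKE/ESP NAT traversal (NAT-T), UDP 4500"),
    ("udp", 1701, "L2TP, UDP 1701 (normally carried inside ESP)"),
    ("esp", None, "IPsec ESP, IP protocol 50"),
]


@dataclass(frozen=True)
class Rule:
    """One firewall rule (assumed, simplified format)."""
    action: str               # "allow" or "deny"
    proto: str                # "udp", "tcp", "esp", "gre" or "any"
    dst_port: Optional[int]   # None = no port (ESP/GRE) or any port
    dst_host: str             # destination host label, or "any"


def rule_matches(rule: Rule, proto: str, port: Optional[int], host: str) -> bool:
    """True if the rule applies to this protocol/port/destination."""
    if rule.proto not in ("any", proto):
        return False
    if rule.dst_host not in ("any", host):
        return False
    if rule.dst_port is not None and port is not None and rule.dst_port != port:
        return False
    return True


def first_match_action(rules: List[Rule], proto: str, port: Optional[int],
                       host: str, default: str = "deny") -> str:
    """Top-down, first-match evaluation with an implicit default deny."""
    for rule in rules:
        if rule_matches(rule, proto, port, host):
            return rule.action
    return default


def check_l2tp_ipsec(rules: List[Rule], host: str) -> List[Tuple[str, bool]]:
    """Return (description, permitted) for each required flow."""
    return [
        (label, first_match_action(rules, proto, port, host) == "allow")
        for proto, port, label in REQUIRED
    ]


def missing_flows(rules: List[Rule], host: str) -> List[str]:
    """Descriptions of the required flows the rule set does not permit."""
    return [label for label, ok in check_l2tp_ipsec(rules, host) if not ok]


# Constructed sample: the UDP ports are open but ESP was forgotten.
PORTS_ONLY = [
    Rule("allow", "udp", 500, "vpn-server"),
    Rule("allow", "udp", 4500, "vpn-server"),
    Rule("allow", "udp", 1701, "vpn-server"),
]

# Constructed sample: the same rules plus an explicit ESP allowance.
COMPLETE = PORTS_ONLY + [Rule("allow", "esp", None, "vpn-server")]

# Constructed sample: a broad deny placed before the allows shadows them all.
SHADOWED = [Rule("deny", "udp", None, "any")] + COMPLETE

if __name__ == "__main__":
    for name, rules in (("ports only", PORTS_ONLY), ("complete", COMPLETE),
                        ("shadowed", SHADOWED)):
        print(name, "->", missing_flows(rules, "vpn-server") or "all flows permitted")
```

Running the block prints that the "ports only" set is missing only ESP, the "complete" set permits everything, and the "shadowed" set blocks all three UDP flows because the earlier deny wins under first-match evaluation.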
Rob Williams

I appreciate it's not an answer to your question but are not all of the Pro series Sonicwall routers also VPN routers? Have you considered setting up an IPSec connection to the router itself using either another VPN router, or the Sonicwall VPN client ? This is easier to set up, more secure, more stable, and offers better performance.
Having said that, a 792 error, as you are likely aware, is usually due to mis-matched keys, missing certificates or blocked fragmented packets. L2TP tunnels are difficult to diagnose here, when you are not hands on, as there are so many variables with router ports, certificates, policies and filters.
g127404 (ASKER)

Yes, the Pro series Sonicwall does act as a VPN router.  We have a hardware Sonicwall -> Sonicwall VPN setup and working already.  I was hoping to use the Windows VPN method instead of hardware (mucho cheaper).  As far as Sonicwall software for the client... I had thought of that but wanted to try Windows.  The hardware to hardware setup we have now is veeery slow when it comes to VPN traffic and I thought it might be different with another software approach.

I tried giving as much information as possible on my scenario to help narrow down the possibilities.
Router ports are open
Not using certificates yet (just preshared keys)
... I don't think I've done much with policies and filters.  Are they needed to get it working or do they just make it more secure?  Maybe that's where I've gone wrong.
>>"We have a hardware Sonicwall -> Sonicwall VPN setup and working already."
Is this on the same router?
If so, my understanding is if the router is using IPSec for its own VPN connection you cannot do IPSec pass-through as well. L2TP/IPSec requires that, so I question if it is possible. The basic Windows PPTP VPN uses PPTP/GRE protocol so most routers will allow it to pass even with an IPSec VPN established, where it is a different protocol.
The SonicWall client would be IPSec as well, but connects to the router, not a device behind it, so you can have the site to site tunnel as well as VPN software clients connecting simultaneously.
g127404 (ASKER)

I'll definitely look into that and probably make a call to Sonicwall...

..however I'm trying this behind the firewall in our internal network.  I have my gateway/dns pointing to the VPN server and am just using the server name not FQDN to connect such as: "Server1"
Shouldn't this still work regardless of the firewall?
ASKER CERTIFIED SOLUTION
Rob Williams
g127404 (ASKER)

Is IAS a requirement to getting L2TP working?
No, not all. Actually having it adds another "dimension", i.e. more work.
g127404 (ASKER)

Well, I finally got it working.  Thank you RobWill for your help.
I actually bought a Microsoft Press book called: Windows Small Business Server 2003
It walks you through the whole process.  To tell you the truth I'm not sure what I missed because it looked like I had done everything.
In the end I restarted all the services involved on the server and then it worked.
net stop policyagent
net start policyagent
net stop remoteaccess
net start remoteaccess

Much thanks again for pointing out those references and shedding some light on this difficult technology.

One last question and I'll let you go (and give you the points).

I put my logon information in the vpn connection the first time.
I disconnected and tried it again (to make sure it wasn't a fluke!) and this time it didn't ask for my credentials.  I made sure I have the options selected to prompt for name, password, certificate, etc.
In order to be the most secure I'd like to require a username/password entered each time.  Is this possible or is it just the first time in.
Odd that it didn't request at least a password. After logging in the first time, some information is cached, and the user's name from the last time the connection was used (from that user profile) should be automatically entered in the box, but unless you selected "save password" you should always be asked for a password. I don't have one here to look at but there is an "options" section on the client, that should allow you to ask to be prompted, or not, for user name and password.

Pat yourself on the back. Not an easy task to set up. I don't think I have done any since Win2000, and I remember it's not fun. One little oversight and it doesn't connect. The good news is, it works well once configured correctly.
Cheers,
--Rob
g127404 (ASKER)

Yes, I've made sure the "options" section on the client is checked to prompt for password.. but to no avail.

I'm just hoping it will ask me when I'm not behind the firewall and already logged into the network.  Anyway... that's a different problem for a different day.  I'm "patting myself on the back" today. =-)

Thanks again Rob.  Good work.
Forgot you are still behind the firewall; if using domain names/accounts it might use cached credentials. It will be interesting to see if it performs differently remotely.
Actually I wasn't a lot of help, but thanks.
--Rob