L2TP on Windows 2003 with Windows XP client

I am having a problem getting L2TP to work correctly.  I have a Windows 2003 SP1 server running RRAS and am trying to connect to it using a Windows XP SP2 workstation. I have tested it on a workstation inside our network and it works fine.  I then tried to test it on a laptop coming from outside our network and it fails.  I don't think it's our firewall (PIX 515e) rules that are the problem though, as I've allowed UDP 500, 4500 and 1701 through, and I see no denials on my syslog server.

The error that I get in the event log on the laptop is:

Event ID 547:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
(..Info blacked out for security..)
Protocol 17
Source Port 1701
Destination Port 1701
(..Info blacked out for security..)
Failure Point:
Me
Failure Reason:
New policy invalidated SAs formed with old policy
Extra Status:
0x0 0x0
Asked by zheron

1 Solution
KCTS commented:
Does a PPTP VPN work? Is NAT involved? If so, it could be a NAT traversal issue - see http://support.microsoft.com/kb/314831
 
zheron (Author) commented:
Yes, PPTP does work. Yes, NAT is involved; however, the Windows 2003 server is in a static one-to-one NAT, so I didn't think that the NAT would cause a problem.

It definitely appears to be the firewall though. I took the laptop and connected directly to our network and tested the VPN without the firewall in the way and it connected no problem, so it's definitely not a certificate issue.

Would static NAT still be an issue for the IPSec?
 
zheron (Author) commented:
I guess NAT was it. Apparently the Windows L2TP client doesn't like the server behind NAT, even if it is a static NAT. I found this article that helped:

http://support.microsoft.com/kb/885407/

By making the registry change I was able to get it to work.  Not really what I want to have to do, but at least now I know what the problem is.  Thanks.
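The thread ends with "the registry change" from KB 885407 without naming it. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads and, on request, sets the client-side NAT-T policy value that KB 885407 documents for Windows XP SP2 (`AssumeUDPEncapsulationContextOnSendRule` under the IPSec service key). The PolicyAgent key path is an assumption about where later Windows versions keep the same value; the value meanings are as described in the KB article.

```powershell
# Added example (not from the thread): inspect and optionally set the
# client-side IPsec NAT-T policy that KB 885407 describes. The Windows XP SP2
# key path is the one in the KB; the PolicyAgent path is an assumption about
# Windows Vista and later. Use an elevated prompt when applying a change.

$NatTValueName = 'AssumeUDPEncapsulationContextOnSendRule'
$NatTKeyPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec',       # Windows XP SP2 (KB 885407)
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'  # assumed: Windows Vista and later
)

# Meanings of the DWORD value as given in KB 885407. A missing value behaves as 0.
$NatTMeaning = @{
    0 = 'Default: no IPsec SAs with servers behind NAT (L2TP/IPsec to a NATed RRAS server fails)'
    1 = 'SAs permitted when the server is behind NAT'
    2 = 'SAs permitted when both the client and the server are behind NAT'
}

function Get-L2tpNatTPolicy {
    # Returns the first existing key path, the effective value and its meaning.
    foreach ($path in $NatTKeyPaths) {
        if (Test-Path $path) {
            $item  = Get-ItemProperty -Path $path -Name $NatTValueName -ErrorAction SilentlyContinue
            $value = if ($null -ne $item) { [int]$item.$NatTValueName } else { 0 }
            return [pscustomobject]@{
                KeyPath = $path
                Value   = $value
                Meaning = if ($NatTMeaning.ContainsKey($value)) { $NatTMeaning[$value] } else { 'Unknown value' }
            }
        }
    }
    throw 'Neither IPsec service key exists; this does not look like a Windows host.'
}

function Set-L2tpNatTPolicy {
    # Writes the DWORD; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value
    )
    $current = Get-L2tpNatTPolicy
    if ($PSCmdlet.ShouldProcess($current.KeyPath, "Set $NatTValueName to $Value")) {
        New-ItemProperty -Path $current.KeyPath -Name $NatTValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'The IPsec service reads this value at start; restart the IPsec service or reboot for it to take effect.'
    }
    Get-L2tpNatTPolicy
}

# Usage:
#   Get-L2tpNatTPolicy                   # report the current setting and what it means
#   Set-L2tpNatTPolicy -Value 2 -WhatIf  # preview the change
#   Set-L2tpNatTPolicy -Value 2          # apply (elevated), then restart the IPsec service
```

Run `Get-L2tpNatTPolicy` on a client that fails with event 547 against a NATed server: a value of 0 reproduces the thread's symptom. KB 885407 changed the default deliberately, so set 1 or 2 only on the clients that must reach a server behind NAT rather than in a broad policy, and record the change so it is visible when the firewall rules (UDP 500, 4500 and 1701) are audited later.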
