XPRoberto
asked on
Error 678 in VPN connection
Hi There,
We are testing a VPN connection in L2TP/IPSec with a pre-shared key in ms windows 2003 server.
The VPN is working correctly when used from an ADSL line that goes thru a Netgear adsl router (udp ports 500, 4500 and 1701 are opened) but FAILS when we use an ADSL line that goes thru a CISCO 2800 router.
We cant directly view or modify the CISCO 2800 configuration so we ask here.
We have analyzed the traffic with ethereal and the communication logs seems to fail in communicate ESP packet.
Can be a problem of the CISCO 2800 configuration? The ESP traffic must be enabled to work or is enabled by default when the port 500, 4500 are opened?
Please advise,
Thank You Roberto
We are testing a VPN connection in L2TP/IPSec with a pre-shared key in ms windows 2003 server.
The VPN is working correctly when used from an ADSL line that goes thru a Netgear adsl router (udp ports 500, 4500 and 1701 are opened) but FAILS when we use an ADSL line that goes thru a CISCO 2800 router.
We cant directly view or modify the CISCO 2800 configuration so we ask here.
We have analyzed the traffic with ethereal and the communication logs seems to fail in communicate ESP packet.
Can be a problem of the CISCO 2800 configuration? The ESP traffic must be enabled to work or is enabled by default when the port 500, 4500 are opened?
Please advise,
Thank You Roberto
this link can be useful:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541de.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541de.html
ASKER
Hi and thanks for the replys,
I've checked other post here in EE and found that maybe this must be enabled in router configuration:
Allow
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
And
isakmp nat-traversal 20
to enable nat-traversal
On more simple routers (like our netgear) these are allowed by default (or not filtered at all)??
I will send to tech people who can modify the router configuration and then repost results.
Thanks Bye Roberto
I've checked other post here in EE and found that maybe this must be enabled in router configuration:
Allow
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
And
isakmp nat-traversal 20
to enable nat-traversal
On more simple routers (like our netgear) these are allowed by default (or not filtered at all)??
I will send to tech people who can modify the router configuration and then repost results.
Thanks Bye Roberto
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi there!
Finally the VPN goes right in place and i can confirm the problem was the cisco configuration altrough i cant say what the technicians have done on it. I add that in case of clients with xp sp1 you need an update to ipsec.sys that is findable in sp2 or in KB842933! Thanls Rob
Finally the VPN goes right in place and i can confirm the problem was the cisco configuration altrough i cant say what the technicians have done on it. I add that in case of clients with xp sp1 you need an update to ipsec.sys that is findable in sp2 or in KB842933! Thanls Rob
sometimes it can be blocked by firewalls
you can try to use UDP incapsulation (via UDP port 500)
But I'm not sure windows server can do that by default.
Try to allow esp protocol (or IP protocol 50) to pass through on your cisco