Windows 7 L2TP IPSec NAT-T

Last Modified: 2012-05-11
Hello
I've set up a VPN between Windows 7 clients and a Juniper NS5GT Firewall according to the Juniper KB articles http://kb.juniper.net/InfoCenter/index?page=content&id=KB10939 and http://kb.juniper.net/InfoCenter/index?page=content&id=KB16075.
With the first Windows 7 client, it works just fine. With the second and the third clients, it won't work.

The error message while connecting is:
"Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid"

Debugging the VPN on the Juniper firewall while connecting, I get the following difference between phase 1 and phase 2:

With the client that is ok:
## 2011-05-16 11:18:47 : IKE<138.188.100.248> responder (pki) constructing remote NAT-D
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Construct [NATD]
## 2011-05-16 11:18:47 : IKE<138.188.100.248> responder (pki) constructing local NAT-D
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Construct [NATD]
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Xmit : [KE] [NONCE] [CERT-REQ] [NATD] [NATD]
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Responder sending IPv4 IP 138.188.100.248/port 357
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Send Phase 1 packet (len=278)
## 2011-05-16 11:18:47 : IKE<138.188.100.248> IKE msg done: PKI state<0> IKE state<2/1017200f>
## 2011-05-16 11:18:49 : IKE<0.0.0.0        >   from FLOAT port.
## 2011-05-16 11:18:49 : IKE<138.188.100.248> ike packet, len 1716, action 0
## 2011-05-16 11:18:49 : IKE<138.188.100.248> Catcher: received 1688 bytes from socket.
## 2011-05-16 11:18:49 : IKE<138.188.100.248> ****** Recv packet if <untrust> of vsys <Root> ******
## 2011-05-16 11:18:49 : IKE<138.188.100.248> Catcher: get 1688 bytes. src port 63177
## 2011-05-16 11:18:49 : IKE<0.0.0.0        >   ISAKMP msg: len 1684, nxp 5[ID], exch 2[MM], flag 01  E
## 2011-05-16 11:18:49 : IKE<138.188.100.248> gen_skeyid()


With a client that isn't building up the VPN:
## 2011-05-16 11:43:57 : IKE<138.188.100.226> responder (pki) constructing remote NAT-D
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Construct [NATD]
## 2011-05-16 11:43:57 : IKE<138.188.100.226> responder (pki) constructing local NAT-D
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Construct [NATD]
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Xmit : [KE] [NONCE] [CERT-REQ] [NATD] [NATD]
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Responder sending IPv4 IP 138.188.100.226/port 381
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Send Phase 1 packet (len=278)
## 2011-05-16 11:43:57 : IKE<138.188.100.226> IKE msg done: PKI state<0> IKE state<2/1017200f>
## 2011-05-16 11:43:57 : IKE<0.0.0.0        >   from FLOAT port.
## 2011-05-16 11:43:57 : IKE<138.188.100.226> ike packet, len 116, action 0
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Catcher: received 88 bytes from socket.
## 2011-05-16 11:43:57 : IKE<138.188.100.226> ****** Recv packet if <untrust> of vsys <Root> ******
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Catcher: get 88 bytes. src port 14989
## 2011-05-16 11:43:57 : IKE<0.0.0.0        >   ISAKMP msg: len 84, nxp 8[HASH], exch 5[INFO], flag 01  E
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Error: Responder expecting non-floated IKE packets in phase 2, drop pak.

According to the sent packet size I'm tempted to say that the second client isn't sending all the things he should, or he is floating to a different port when he shouldn't.

On both machines, MS kb926179 (How to configure an L2TP/IPsec server behind a NAT-T) is applied, AssumeUDPEncapsulationContextOnSendRule has value 2.

Any idea?
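
The comparison made in the question, as an added example that is not part of the original post: a short Python script that extracts the ISAKMP header summary and any error line per peer from the firewall's IKE debug output, so the point where the two traces diverge is explicit. The sample lines are copied from the two traces above; the function names `summarize` and `diverging` are hypothetical.

```python
import re

# Lines copied from the two traces in the post (trimmed to the relevant entries).
TRACE = """\
## 2011-05-16 11:18:47 : IKE<138.188.100.248> Xmit : [KE] [NONCE] [CERT-REQ] [NATD] [NATD]
## 2011-05-16 11:18:49 : IKE<138.188.100.248> ike packet, len 1716, action 0## 2011-05-16 11:18:49 : IKE<138.188.100.248> Catcher: received 1688 bytes from socket.
## 2011-05-16 11:18:49 : IKE<0.0.0.0        >   ISAKMP msg: len 1684, nxp 5[ID], exch 2[MM], flag 01  E
## 2011-05-16 11:18:49 : IKE<138.188.100.248> gen_skeyid()
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Xmit : [KE] [NONCE] [CERT-REQ] [NATD] [NATD]
## 2011-05-16 11:43:57 : IKE<138.188.100.226> ike packet, len 116, action 0## 2011-05-16 11:43:57 : IKE<138.188.100.226> Catcher: received 88 bytes from socket.
## 2011-05-16 11:43:57 : IKE<0.0.0.0        >   ISAKMP msg: len 84, nxp 8[HASH], exch 5[INFO], flag 01  E
## 2011-05-16 11:43:57 : IKE<138.188.100.226> Error: Responder expecting non-floated IKE packets in phase 2, drop pak.
"""

ENTRY = re.compile(r"## (\S+ \S+) : IKE<\s*([\d.]+)\s*>\s*(.*)")
ISAKMP = re.compile(r"ISAKMP msg: len (\d+), nxp (\d+)\[(\w+)\], exch (\d+)\[(\w+)\]")

def summarize(trace):
    """Return {peer: {"msgs": [(length, next_payload, exchange)], "errors": [...]}}."""
    peers, current = {}, None
    # Two entries are sometimes run together on one line, so split on the
    # "## <date> " prefix instead of on newlines.
    for raw in re.split(r"(?=## \d{4}-\d{2}-\d{2} )", trace):
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        _, ip, text = m.groups()
        # Header summaries are logged under 0.0.0.0; attribute them to the
        # most recently seen real peer address.
        if ip != "0.0.0.0":
            current = ip
        if current is None:
            continue
        rec = peers.setdefault(current, {"msgs": [], "errors": []})
        hdr = ISAKMP.search(text)
        if hdr:
            rec["msgs"].append((int(hdr.group(1)), hdr.group(3), hdr.group(5)))
        elif text.startswith("Error:"):
            rec["errors"].append(text[len("Error:"):].strip())
    return peers

def diverging(peers):
    """Peers that sent something other than a Main Mode (MM) packet."""
    return sorted(ip for ip, rec in peers.items()
                  if any(exch != "MM" for _, _, exch in rec["msgs"]))

if __name__ == "__main__":
    for ip, rec in summarize(TRACE).items():
        print(ip, rec)
    print("diverging:", diverging(summarize(TRACE)))
```

On these lines the working client answers with a 1684-byte Main Mode message carrying an ID payload, while the failing client answers with an 84-byte Informational exchange that the firewall then drops.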