  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2808

RRAS 08 R2 IPSec L2TP Behind Sonicwall

Hey Team,
I'm looking for a boost in terms of troubleshooting a VPN connectivity issue.  Due to recent vulnerability exposure, I'm trying to move my organization away from PPTP.

Currently, the box (an 08 R2 DC) runs RRAS and PPTP functions normally.

I set up IPsec with PSK via its own NPS Policy and here's what I'm seeing:

From LAN, I can connect without issue.
From WAN, I cannot connect.  Packet capture shows IKE traffic back and forth; the SonicWall confirms that no packets are dropped, all are forwarded.  At this point, the client connection fails with error 809.

Ports opened (and natted) to the server on the SW:
UDP 500
UDP 4500
Protocol 50 ESP
UDP 1721

Side note: The SonicWall runs a site-to-site VPN tunnel and also serves VPN (WAN group VPN).  The DC has a dedicated public IP.
Asked by: AJromito
1 Solution
AJromito (Author) commented:
Update:  The issue now magically seems to have resolved itself.  The only change is that there are no PPTP clients connected.
Does RRAS allow VPN connections of different types at the same time?

AJromito (Author) commented:
Latest update: This is annoying.

The IPsec connection works perfectly from Mac OS X, iOS, and Android, from public.

I cannot get a Windows 7 client connected.  Any suggestions?   ...I would've expected this client to be the easiest to configure.

AJromito (Author) commented:
AssumeUDPEncapsulationContextOnSendRule <-- tried adding this registry key on the Win7 client, still no success.
Rob Williams commented:
Sounds like a NAT-T issue to me. Since about the time Server 2003 SP2 was released, NAT-T has not been supported for IPsec on Vista or Win7 clients.  This is not a problem with PPTP.  The following may help to address your problem:
http://support.microsoft.com/kb/926179

However if concerned about security I would recommend moving from RRAS to a VPN appliance.  They are quite affordable now, very easy to configure, have better performance, and offer better security both due to full IPSec support and moving authentication to the perimeter of the network.

AJromito (Author) commented:
A hardware solution is something we've been contemplating for some time now...it seems this is our best bet.
Thanks Rob.

Rob Williams commented:
Just to confirm: though NAT-T is not supported, the link shows how you should be able to modify the registry so it will work.  Keep in mind this was removed to increase security, so the modification reduces security a little.
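As an added example (not code from the thread, from KB 926179, or from Microsoft), the elevated PowerShell below applies the registry setting the comments above refer to on the Windows 7 client, reports what it was before, checks the services IKE negotiation depends on, dials the connection and then lists the main-mode SAs so you can see whether the peer port moved to 4500. The phonebook entry name 'Corp L2TP' is an assumption; replace it with your own. Two caveats a practitioner will want: the value matters (1 only permits a server behind NAT, 2 is needed when the client is also behind a NAT router, as a roaming Win7 laptop usually is), and the IPsec Policy Agent reads the value at start-up, so a reboot is required after changing it. Separately, L2TP itself is UDP 1701, and once NAT-T is negotiated both L2TP and ESP travel inside UDP 4500, so UDP 500 and 4500 are what must reach the RRAS host from the WAN.

```powershell
# Added example, not part of the original thread or of KB 926179.
# Run in an elevated PowerShell on the Windows 7 L2TP/IPsec client.
# Assumption: the VPN phonebook entry is named 'Corp L2TP' (hypothetical name).
$ErrorActionPreference = 'Stop'

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name    = 'AssumeUDPEncapsulationContextOnSendRule'
# Documented DWORD values:
#   0 = default: no NAT-T security association to a server that is behind NAT
#   1 = allow NAT-T SAs to a server behind NAT
#   2 = allow NAT-T SAs when the client AND the server are both behind NAT
# A client on a home router reaching an RRAS host NAT'd behind the SonicWall is case 2.
$wanted = 2

$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($current -ne $wanted) {
    New-ItemProperty -Path $keyPath -Name $name -Value $wanted -PropertyType DWord -Force | Out-Null
    Write-Host "Set $name=$wanted (was '$current'). Reboot before testing: PolicyAgent reads it at start-up."
} else {
    Write-Host "$name is already $wanted."
}

# Services the IKE/IPsec negotiation and the RAS dialer depend on.
foreach ($svc in 'PolicyAgent', 'IKEEXT', 'RasMan') {
    $s = Get-Service -Name $svc
    Write-Host ("{0,-12} {1}" -f $svc, $s.Status)
}

# Dial the entry; on failure rasdial prints the RAS error number (809 in the question).
$entry = 'Corp L2TP'
rasdial $entry
Write-Host "rasdial exit code: $LASTEXITCODE"

# Main-mode SAs: with NAT-T in use the remote port shown is 4500 rather than 500.
netsh advfirewall monitor show mmsa
```

If the RRAS host itself also needs the setting for a server behind NAT, KB 926179 is the reference for that side; the same registry lines apply unchanged there, and the same reboot caveat holds.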