RRAS 08 R2 IPSec L2TP Behind Sonicwall

Posted on 2012-08-30
Last Modified: 2012-08-31
Hey Team,
I'm looking for a boost in terms of troubleshooting a VPN connectivity issue. Due to recent vulnerability exposure, I'm trying to move my organization away from PPTP.

Currently, the box (an 08 R2 DC) runs RRAS and PPTP functions normally.

I set up IPsec with PSK via its own NPS Policy and here's what I'm seeing:

From LAN, I can connect without issue.
From WAN, I cannot connect. Packet capture shows IKE traffic back and forth; the SonicWall confirms that no packets are dropped, all are forwarded. At this point, the client connection fails with error 809.

Ports opened (and NATted) to the server on the SonicWall:
UDP 500
UDP 4500
Protocol 50 ESP
UDP 1721

Side note: The SonicWall runs a site-to-site VPN tunnel and also serves VPN (WAN GroupVPN). The DC has a dedicated public IP.
Question by: AJromito

    Author Comment

    Update: The issue now magically seems to have resolved itself. The only change is that there are no PPTP clients connected.
    Does RRAS allow VPN connections of different types at the same time?

    Author Comment

    Latest update: This is annoying.

    IPSec connection works perfectly from Mac OS X, iOS, and Android, from public.

    I cannot get a Windows 7 client connected. Any suggestions? ...I would've expected this client to be the easiest to configure.

    Author Comment

    AssumeUDPEncapsulationContextOnSendRule <-- tried adding this registry key on the Win7 client, still no success.

    Accepted Solution

    Sounds like a NAT-T issue to me. Since about the time Server 2003 SP2 was released, NAT-T is not supported with IPSec on Vista or Win7 clients. This is not a problem with PPTP. The following may help to address your problem.

    However, if concerned about security I would recommend moving from RRAS to a VPN appliance. They are quite affordable now, very easy to configure, have better performance, and offer better security, both due to full IPSec support and due to moving authentication to the perimeter of the network.

    Author Comment

    A hardware solution is something we've been contemplating for some time; it seems this is our best bet.
    Thanks Rob.

    Expert Comment

    by: Rob Williams
    Just to confirm, though NAT-T is not supported, the link shows how you should be able to modify the registry so it will work. Keep in mind this was removed to increase security, so the modification reduces security a little.
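
    Editor's note (added example, not part of the thread above): the registry change Rob refers to is the AssumeUDPEncapsulationContextOnSendRule DWORD under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, which controls whether Vista/Win7 will negotiate IPsec SAs with a peer behind NAT (0 = default, refuse; 1 = allow when the server is behind NAT; 2 = allow when both client and server are behind NAT). In this setup the RRAS box is 1:1 NATted by the SonicWall and a remote Windows 7 client is usually behind its own router, so 2 is the relevant value; it only takes effect after a reboot. Error 809 is also what the client reports when the IPsec Policy Agent or IKEEXT services are stopped, or when UDP 500/4500 and ESP are blocked on the path, so the script checks those too. Run as Administrator on the Windows 7 client; the function names are this editor's own.

```powershell
# Added example: verify and set the NAT-T override on a Windows 7 L2TP/IPsec
# client, then confirm the IPsec services it depends on are running.
# Assumes PowerShell 2.0 or later, run from an elevated prompt.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Returns the value in effect; a missing value means the default (0).
function Get-NatTRule {
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        return [int]$props.$valueName
    }
    return 0
}

# 0 = no IPsec SAs to servers behind NAT (default, the "secure" setting)
# 1 = allow SAs when only the server is behind NAT
# 2 = allow SAs when both client and server are behind NAT
function Set-NatTRule {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Value -Type DWord
}

$before = Get-NatTRule
Write-Host "Current $valueName = $before"

# RRAS server is NATted by the SonicWall; a home client is usually NATted too.
# Use 1 instead if the client has a public address of its own.
if ($before -ne 2) {
    Set-NatTRule -Value 2
    Write-Host "Set $valueName = 2 (reboot required before it takes effect)"
}

# Error 809 is also raised when either of these services is not running.
# PolicyAgent = IPsec Policy Agent, IKEEXT = IKE and AuthIP IPsec Keying Modules.
foreach ($svc in 'PolicyAgent', 'IKEEXT') {
    $s = Get-Service -Name $svc
    Write-Host ("{0,-12} {1}" -f $svc, $s.Status)
    if ($s.Status -ne 'Running') { Start-Service -Name $svc }
}
```

    Setting the value to 2 is the same relaxation Rob warns about: Windows refuses NAT-T SAs by default because a NAT device can cause two different peers to appear at one address, and the override accepts that ambiguity. Keep 1 where the client is not itself behind NAT, and remove the value once the organisation moves to an appliance.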
