Solved

Windows VPN Server, IKE VPN Error

Posted on 2016-08-09
5
19 Views
Last Modified: 2016-09-08
I've setup a Windows 2012R2 VPN server with IKEv2 and SSTP.

Public Certificate has been installed and users can connection just fine using SSTP.

Also, from an internal 2012R2 server I'm able to connect to the VPN server using IKEv2 using the public hostname.

However, from external users when they try and connect using IKEv2 I get an error, see attached images.

The firewall in use is a Sonicwall NSA.

The ports being NAT'd are:

    IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv2 (IPSec control path)
    IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
    IP Protocol Type=UDP, UDP Port Number=1701  <- Used by L2TP control/data path
    IP Protocol Type=50 <- Used by data path (ESP)

In the Sonicwall I've also checked the box for: "Preserve IKE Port for Pass Through Connections" and also disabled the WAN VPN Group so its not using IKE.

See attached security configuration for clients. This works for an internal client but not an external one.
Win-10-Connection-Error.PNG
Win-7-Connection-Error.PNG
IKEv2-settings.PNG
0
Comment
Question by:RFVDB
  • 3
5 Comments
 
LVL 5

Assisted Solution

by:Manuel Flores
Manuel Flores earned 500 total points
ID: 41749390
Could you try to configure in NAT-T (transversal mode)?
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41749490
IKEv2 requires that the computer or user connecting to the VPN have a valid certificate to provide the underlying PKI encryption. Basically, if you don't have certificates installed on the client machines that they can use to authenticate themselves, IKEv2 won't work. It requires an Internal CA or Client certificates from a Third Party CA (super expensive).
0
 

Accepted Solution

by:
RFVDB earned 0 total points
ID: 41782539
Looks like the issue is with the Windows Client when the Firewall is behind a NAT for IKEv2. I just tried this Microsoft KB handling on a Windows 7 PC and it allowed the IKEv2 connection just fine.

https://support.microsoft.com/en-us/kb/926179

I didn't have to import any certificate of any kind as I'm using a public certificate on the server.

I'm trying this on Win 10 and I'll let you know on the results.
0
 

Author Comment

by:RFVDB
ID: 41783383
Just tried that article that supposed only works for Windows Vista and Server 2008 and it works on Windows 10. I was able to now connect using IKEv2.
0
 

Author Closing Comment

by:RFVDB
ID: 41789218
I figured out the finite solution in the end and thus selected my answer as the best solution.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
OfficeMate Freezes on login or does not load after login credentials are input.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now