Re: L2TP over IPsec VPN and nat-t

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/01/04


Date: Mon, 01 Nov 2004 18:01:20 GMT

In addition to the suggestions about configuring the client for NAT-T, the NAT
routers that the users are behind have to be configured. They usually have a
setting for IPsec pass-through that can be switched on or off. -- Steve

"Adam" <Adam@discussions.microsoft.com> wrote in message
news:7EFD4EEB-4421-410B-BB16-9E41752230C5@microsoft.com...
> I am having problems making an L2TP over IPsec VPN work when the remote
> client is behind a NAT device. The VPN uses IPsec certificates and this all
> works well if the remote user is directly connected to the internet (i.e.
> the machine has a public IP address assigned), but as soon as the computer
> is behind a device and receives a private IP address, the VPN tunnel times
> out. (The IPsec creates successfully, but the L2TP connection fails...error
> 682). These remote clients are connecting to a Netscreen 25 for their VPN
> tunnels. This device supports NAT-T. The L2TP connections for this device
> only work in "transport mode".
>
> One other thing, this process works just fine if I have the remote clients
> connect just using an L2TP tunnel (no IPsec). Then there seems to be no
> problem with NAT and the remote clients. I have tested this VPN setup using
> Windows 2000, Windows XP Pro, and Windows XP Home Edition. All three OSs
> respond the same.
>
> I am wondering if there is some type of setting I need to modify in Windows
> that will allow IPsec to function in "transport mode" or at least apply
> NAT-T to the L2TP connection. Thanks in advance, Adam


