Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall

From: Toto B. Goode (totobgoode@yahoo.com)
Date: 06/26/02 

From: "Toto B. Goode" <totobgoode@yahoo.com>
Date: Wed, 26 Jun 2002 08:45:13 -0700

I think I had a similar problem. The only dif. was the OS
and VPN client. However I had a Redhat 6.2 box inbetween
as a gateway, FW, etc. My problem turned out to be the
masquarading - the VPN was receiving my calls, but was
sending the replies back on ports 1723 and 500, so my FW
was bouncing them, since it had sent the requests at a
dif. port (i.e. 35678). Check if you have masq. on and
switch to NAT only ... that I think ought to work.

>-----Original Message-----
>Thank you for your response. Actually, I have a Linux box
(Redhat 7.0)
>performing the gateway, routing and NATting. The Linux
box itself is
>connected to the Internet via a pptp connection through
an ADSL connection,
>if that helps explain what's going on. The W2K server
doesn't do any NAtting
>or forwarding - the gateway for all hosts in the network
is the Linux.
>
>Any more ideas given the above info?
>
>TIA - Lavie
>
>
>
>"x y" <jamescagney90210@excite.com> wrote in message
>news:#26zFAQHCHA.1600@tkmsftngp12...
>> You could try checking your firewall/router/sniffer
logs at both ends to
>> confirm that traffic isn't being blocked. My belief is
that your NAT
>> solution breaks the VPN.
>>
>> My understanding is that IPSec AH protocol does not
work with NAT devices
>> that do not have IPsec passthrough because the IP
header and packet are
>> hashed to confirm that they were not changed in
transit. I am not an
>expert
>> at Windows 2000 NAT, but it appears that it can or does
use IPSec AH. I'm
>> not sure in Windows 2000 if or how AH can be turned off
and/or ESP used
>> instead.
>>
>> You could confirm whether NAT is the problem by moving
your PC to a
>> different internet connection [such as a dialup modem
temporarily], move
>it
>> outside the NATspace or disable NAT temporarily. If
this is the case, the
>> only solution would be to use a different device for
NAT.
>>
>> There is some further explanation of this at
>> http://online.securityfocus.com/infocus/1519
>> "Transports vs. Tunnels
>> IPSec operates in either one of two modes - transport
mode or tunnel mode.
>> Transport mode is meant primarily for protection of
upper layer protocols,
>> while tunnel mode protects the IP layer as well. In
tunnel mode, used
>> primarily between two gateways or a server and a
gateway, the packet has
>two
>> IP headers, an outer and an inner. The outer header
identifies the source
>> and destination endpoints, while the inner contains the
original sender
>and
>> destination addresses, protected by IPSec.
>> Tunnel Mode
>> IPSec in Windows was meant mainly for interaction with
routers or other
>> IPSec tunnel endpoints. However, as stated, it can be
used with L2TP to
>> provide a VPN remote access solution. When this is
done, the L2TP headers
>> are encapsulated and protected by IPSec, so if
encryption is being used
>with
>> IPSec, the L2TP headers will be encrypted. The only
unencrypted headers
>will
>> be the outer IP headers (with the destination endpoint
IP address) and
>lower
>> layers.
>>
>> For details of setting up IPSec tunnels in Windows 2000
(most of which
>> applies to XP also) please take a look at the Microsoft
Support Services
>> document How to Configure IPSec Tunneling in Windows
2000. "
>>
>>
>>
>>
>> "Meron Lavie" <lavie@net2vision.net.il> wrote in message
>> news:uYb5c5IHCHA.2580@tkmsftngp09...
>> > Steven,
>> >
>> > I tried specifying pptp, but it didn't help.
>> >
>> > I have all outgoing traffic allowed, and also allow
47 (I enabled
>logging
>> > and see that port 1723 and protocol 47 are
succesfully connecting).
>> >
>> > Any other ideas? Has anyone ever succeeded in
connecting a VPN client in
>a
>> > NATted LAN to an external VPN server?
>> >
>> > --
>> > Meron Lavie
>> >
>> >
>> > "Steven L Umbach" <n9rou@attbi.{wZ|-
r"LrO 6com> wrote in message
>> > news:MY3S8.319039$cQ3.17382@sccrnsc01...
>> > > Are you trying to use l2tp or pptp? L2tp for
the most part does
>> not
>> > > work with NAT. In your vpn client connectoid
properties select pptp as
>> > > server type instead of "auto" - W2K will try l2tp
first by default
>> > (assuming
>> > > W2K vpn server is set up to allow pptp
connections). If using pptp
>your
>> > > firewall has to allow protocol passage of port 1723
and protocol 47
>> > gre. ---
>> > > Steve
>> > >
>> > >
>> > > "Meron Lavie" <lavie@net2vision.net.il> wrote in
message
>> > > news:urZ42DIHCHA.2364@tkmsftngp11...
>> > > > I am trying to access a remote server via VPN.
>> > > >
>> > > > The server is W2K/SP2 running ISA.
>> > > >
>> > > > My local computer is W2K/Pro with SP2, on a LAN
whose gateway is
>> Redhat
>> > > > Linux v7.0 running an IPCHAINS-based firewall
which also performs
>> > > > NATting/Forwarding. The Linux accesses the
Internet through ADSL.
>> > > >
>> > > > When I try to connect to the remote server, I
get "Verifying
>Username
>> > and
>> > > > Password", but after about 15 secs it fails with
message 721. The
>> > firewall
>> > > > log shows no violations.
>> > > >
>> > > > Everyone else succeeds in accessing from their
ISP's dialup. I am
>the
>> > > first
>> > > > person to try to access it from an external LAN.
>> > > >
>> > > > What am I doing wrong?
>> > > >
>> > > > --
>> > > > TIA
>> > > > Meron Lavie
>> > > > lavie@net2vision.net.il
>> > > > NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS:
ANTI-SPAM!!!
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>> >
>> >
>>
>>
>
>
>.
>

Relevant Pages

  • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
    ... My belief is that your NAT ... My understanding is that IPSec AH protocol does not work with NAT devices ... IPSec operates in either one of two modes - transport mode or tunnel mode. ... provide a VPN remote access solution. ...
    (microsoft.public.win2000.security)
  • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
    ... something like "windows-2000 AH ESP VPN NAT" ... My belief is that your NAT ... > My understanding is that IPSec AH protocol does not work with NAT devices ... > IPSec operates in either one of two modes - transport mode or tunnel mode. ...
    (microsoft.public.win2000.security)
  • Re: IPsec and TLS
    ... :By using IPsec, you need no change to existing applications. ... :when using Tunnel mode, I heard people saying that in the real world, ... :there is no IPSec software for wireless PDAs. ... and scroll down to 'Adding VPN support'. ...
    (comp.security.misc)
  • Re: linksys gateway - vpn
    ... I have a Linksys WAG354G v2... ... I have enabled in the gateway, ipsec, etc... ... What kind of VPN? ...
    (alt.internet.wireless)
  • Re: vpn through linux gateway
    ... >> I would like to add functionality to be able to vpn through this linux ... >> gateway from a windows laptop client. ... >> also need ipsec. ... > VPN technologies available like PPTP, OpenVPN, CIPE, ... ...
    (comp.os.linux.networking)