Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
From: Meron Lavie (lavie@net2vision.net.il)
Date: 06/29/02
- Next message: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Previous message: konstantinos fragkos: "Low security on windows 2000?"
- In reply to: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Next in thread: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Reply: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Meron Lavie" <lavie@net2vision.net.il> Date: Sat, 29 Jun 2002 15:21:31 +0300
To be honest, I couldn't find where you select AH or ESP. Do you know where?
I think I set up my Linux ipchains firewall to allow everything and to
forward everything, but I'll check again.
-- TIA Meron Lavie lavie@net2vision.net.il NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS: ANTI-SPAM!!! "x y" <jamescagney90210@excite.com> wrote in message news:eC2TzctHCHA.2420@tkmsftngp11... > So enabling ESP instead of AH in the windows 2000 IPsec settings did not > help? Or was there no way to disable AH? > > If AH is being used in your VPN connection, you should see packets in your > router log that are IP Protocol ID 51. If you have no logging on your > router, install Sygate free firewall or use windows 2000 network monitor or > use a sniffer such as windump [on your VPN client, not the server]. If you > see any of these packets, your VPN will not work through NAT unless your NAT > router has IPsec passthrough capabilities. If you don't see any of these > packets, then AH is not the problem. > > If your Linux firewall is acting as a gateway, is there any chance it could > be blocking packets out or back in? I assume you've checked your firewall > logs? The protocols and ports that you have to enable to pass through your > firewall are listed here: > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q233256 > > You may also want to post to newsgroups for Redhat Linux. > > > "Meron Lavie" <lavie@net2vision.net.il> wrote in message > news:Os#geHrHCHA.1268@tkmsftngp08... > > > > I've been all over the web, and haven't found a solution. Am I the only > > person in the universe who is using a Linux Firewall/Gateway with NATting > > who needs to allow Windows machines on the LAN to run VPN connections to > > external VPN servers? > > > > Meron Lavie > > > > "x y" <jamescagney90210@excite.com> wrote in message > > news:eSjcgwSHCHA.1600@tkmsftngp13... > > > I did know you have Linux for NAT and my original suggestions still > stand. > > > I am assuming you are trying to use VPN from a windows 2000 client to a > > > Windows 2000 server through a Linux router with NAT. Unless your NAT > > > solution has IPsec passthrough, NAT breaks IPsec AH. This is true > > > regardless of what vendor you're using for NAT and VPN. I think Windows > > > 2000 uses L2TP and PPTP for VPN encryption, but still uses IPSec > including > > > AH to establish SA connections and to sign packets. > > > > > > No matter what systems you are actually using, I would look in the VPN > > > settings on your VPN client and attempt to disable AH, possibly > replacing > > it > > > with ESP. If your VPN client is Windows 2000, the links I posted are a > > > first step. > > > > > > "Meron Lavie" <a@b.com> wrote in message > > > news:#FTWqISHCHA.2280@tkmsftngp12... > > > > Thank you for your response. Actually, I have a Linux box (Redhat 7.0) > > > > performing the gateway, routing and NATting. The Linux box itself is > > > > connected to the Internet via a pptp connection through an ADSL > > > connection, > > > > if that helps explain what's going on. The W2K server doesn't do any > > > NAtting > > > > or forwarding - the gateway for all hosts in the network is the Linux. > > > > > > > > Any more ideas given the above info? > > > > > > > > TIA - Lavie > > > > > > > > > > > > > > > > "x y" <jamescagney90210@excite.com> wrote in message > > > > news:#26zFAQHCHA.1600@tkmsftngp12... > > > > > You could try checking your firewall/router/sniffer logs at both > ends > > to > > > > > confirm that traffic isn't being blocked. My belief is that your > NAT > > > > > solution breaks the VPN. > > > > > > > > > > My understanding is that IPSec AH protocol does not work with NAT > > > devices > > > > > that do not have IPsec passthrough because the IP header and packet > > are > > > > > hashed to confirm that they were not changed in transit. I am not > an > > > > expert > > > > > at Windows 2000 NAT, but it appears that it can or does use IPSec > AH. > > > I'm > > > > > not sure in Windows 2000 if or how AH can be turned off and/or ESP > > used > > > > > instead. > > > > > > > > > > You could confirm whether NAT is the problem by moving your PC to a > > > > > different internet connection [such as a dialup modem temporarily], > > move > > > > it > > > > > outside the NATspace or disable NAT temporarily. If this is the > case, > > > the > > > > > only solution would be to use a different device for NAT. > > > > > > > > > > There is some further explanation of this at > > > > > http://online.securityfocus.com/infocus/1519 > > > > > "Transports vs. Tunnels > > > > > IPSec operates in either one of two modes - transport mode or tunnel > > > mode. > > > > > Transport mode is meant primarily for protection of upper layer > > > protocols, > > > > > while tunnel mode protects the IP layer as well. In tunnel mode, > used > > > > > primarily between two gateways or a server and a gateway, the packet > > has > > > > two > > > > > IP headers, an outer and an inner. The outer header identifies the > > > source > > > > > and destination endpoints, while the inner contains the original > > sender > > > > and > > > > > destination addresses, protected by IPSec. > > > > > Tunnel Mode > > > > > IPSec in Windows was meant mainly for interaction with routers or > > other > > > > > IPSec tunnel endpoints. However, as stated, it can be used with L2TP > > to > > > > > provide a VPN remote access solution. When this is done, the L2TP > > > headers > > > > > are encapsulated and protected by IPSec, so if encryption is being > > used > > > > with > > > > > IPSec, the L2TP headers will be encrypted. The only unencrypted > > headers > > > > will > > > > > be the outer IP headers (with the destination endpoint IP address) > and > > > > lower > > > > > layers. > > > > > > > > > > For details of setting up IPSec tunnels in Windows 2000 (most of > which > > > > > applies to XP also) please take a look at the Microsoft Support > > Services > > > > > document How to Configure IPSec Tunneling in Windows 2000. " > > > > > > > > > > > > > > > > > > > > > > > > > "Meron Lavie" <lavie@net2vision.net.il> wrote in message > > > > > news:uYb5c5IHCHA.2580@tkmsftngp09... > > > > > > Steven, > > > > > > > > > > > > I tried specifying pptp, but it didn't help. > > > > > > > > > > > > I have all outgoing traffic allowed, and also allow 47 (I enabled > > > > logging > > > > > > and see that port 1723 and protocol 47 are succesfully > connecting). > > > > > > > > > > > > Any other ideas? Has anyone ever succeeded in connecting a VPN > > client > > > in > > > > a > > > > > > NATted LAN to an external VPN server? > > > > > > > > > > > > -- > > > > > > Meron Lavie > > > > > > > > > > > > > > > > > > "Steven L Umbach" <n9rou@attbi.com> wrote in message > > > > > > news:MY3S8.319039$cQ3.17382@sccrnsc01... > > > > > > > Are you trying to use l2tp or pptp? L2tp for the most > part > > > does > > > > > not > > > > > > > work with NAT. In your vpn client connectoid properties select > > pptp > > > as > > > > > > > server type instead of "auto" - W2K will try l2tp first by > default > > > > > > (assuming > > > > > > > W2K vpn server is set up to allow pptp connections). If using > pptp > > > > your > > > > > > > firewall has to allow protocol passage of port 1723 and protocol > > 47 > > > > > > gre. --- > > > > > > > Steve > > > > > > > > > > > > > > > > > > > > > "Meron Lavie" <lavie@net2vision.net.il> wrote in message > > > > > > > news:urZ42DIHCHA.2364@tkmsftngp11... > > > > > > > > I am trying to access a remote server via VPN. > > > > > > > > > > > > > > > > The server is W2K/SP2 running ISA. > > > > > > > > > > > > > > > > My local computer is W2K/Pro with SP2, on a LAN whose gateway > is > > > > > Redhat > > > > > > > > Linux v7.0 running an IPCHAINS-based firewall which also > > performs > > > > > > > > NATting/Forwarding. The Linux accesses the Internet through > > ADSL. > > > > > > > > > > > > > > > > When I try to connect to the remote server, I get "Verifying > > > > Username > > > > > > and > > > > > > > > Password", but after about 15 secs it fails with message 721. > > The > > > > > > firewall > > > > > > > > log shows no violations. > > > > > > > > > > > > > > > > Everyone else succeeds in accessing from their ISP's dialup. I > > am > > > > the > > > > > > > first > > > > > > > > person to try to access it from an external LAN. > > > > > > > > > > > > > > > > What am I doing wrong? > > > > > > > > > > > > > > > > -- > > > > > > > > TIA > > > > > > > > Meron Lavie > > > > > > > > lavie@net2vision.net.il > > > > > > > > NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS: ANTI-SPAM!!! > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
- Next message: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Previous message: konstantinos fragkos: "Low security on windows 2000?"
- In reply to: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Next in thread: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Reply: x y: "Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
