Re: VPN From W2K/Pro to W2K Server Doesn't Work Through Firewall

From: "Meron Lavie" <lavie@net2vision.net.il>
Date: Sat, 29 Jun 2002 15:21:31 +0300


To be honest, I couldn't find where you select AH or ESP. Do you know where?

I think I set up my Linux ipchains firewall to allow everything and to
forward everything, but I'll check again.

--
TIA
Meron Lavie
lavie@net2vision.net.il
NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS: ANTI-SPAM!!!
"x y" <jamescagney90210@excite.com> wrote in message
news:eC2TzctHCHA.2420@tkmsftngp11...
> So enabling ESP instead of AH in the windows 2000 IPsec settings did not
> help?  Or was there no way to disable AH?
>
> If AH is being used in your VPN connection, you should see packets in your
> router log that are IP Protocol ID 51.  If you have no logging on your
> router, install Sygate free firewall or use windows 2000 network monitor or
> use a sniffer such as windump [on your VPN client, not the server].  If you
> see any of these packets, your VPN will not work through NAT unless your NAT
> router has IPsec passthrough capabilities.  If you don't see any of these
> packets, then AH is not the problem.
>
> If your Linux firewall is acting as a gateway, is there any chance it could
> be blocking packets out or back in?  I assume you've checked your firewall
> logs?  The protocols and ports that you have to enable to pass through your
> firewall are listed here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q233256
>
> You may also want to post to newsgroups for Redhat Linux.
>
>
> "Meron Lavie" <lavie@net2vision.net.il> wrote in message
> news:Os#geHrHCHA.1268@tkmsftngp08...
> >
> > I've been all over the web, and haven't found a solution. Am I the only
> > person in the universe who is using a Linux Firewall/Gateway with NATting
> > who needs to allow Windows machines on the LAN to run VPN connections to
> > external VPN servers?
> >
> > Meron Lavie
> >
> > "x y" <jamescagney90210@excite.com> wrote in message
> > news:eSjcgwSHCHA.1600@tkmsftngp13...
> > > I did know you have Linux for NAT and my original suggestions still stand.
> > > I am assuming you are trying to use VPN from a windows 2000 client to a
> > > Windows 2000 server through a Linux router with NAT.  Unless your NAT
> > > solution has IPsec passthrough, NAT breaks IPsec AH.  This is true
> > > regardless of what vendor you're using for NAT and VPN.  I think Windows
> > > 2000 uses L2TP and PPTP for VPN encryption, but still uses IPSec including
> > > AH to establish SA connections and to sign packets.
> > >
> > > No matter what systems you are actually using, I would look in the VPN
> > > settings on your VPN client and attempt to disable AH, possibly replacing it
> > > with ESP.  If your VPN client is Windows 2000, the links I posted are a
> > > first step.
> > >
> > > "Meron Lavie" <a@b.com> wrote in message
> > > news:#FTWqISHCHA.2280@tkmsftngp12...
> > > > Thank you for your response. Actually, I have a Linux box (Redhat 7.0)
> > > > performing the gateway, routing and NATting. The Linux box itself is
> > > > connected to the Internet via a pptp connection through an ADSL connection,
> > > > if that helps explain what's going on. The W2K server doesn't do any NATting
> > > > or forwarding - the gateway for all hosts in the network is the Linux.
> > > >
> > > > Any more ideas given the above info?
> > > >
> > > > TIA - Lavie
> > > >
> > > >
> > > > "x y" <jamescagney90210@excite.com> wrote in message
> > > > news:#26zFAQHCHA.1600@tkmsftngp12...
> > > > > You could try checking your firewall/router/sniffer logs at both ends to
> > > > > confirm that traffic isn't being blocked.  My belief is that your NAT
> > > > > solution breaks the VPN.
> > > > >
> > > > > My understanding is that IPSec AH protocol does not work with NAT devices
> > > > > that do not have IPsec passthrough because the IP header and packet are
> > > > > hashed to confirm that they were not changed in transit.  I am not an expert
> > > > > at Windows 2000 NAT, but it appears that it can or does use IPSec AH.  I'm
> > > > > not sure in Windows 2000 if or how AH can be turned off and/or ESP used
> > > > > instead.
> > > > >
> > > > > You could confirm whether NAT is the problem by moving your PC to a
> > > > > different internet connection [such as a dialup modem temporarily], move it
> > > > > outside the NATspace or disable NAT temporarily.  If this is the case, the
> > > > > only solution would be to use a different device for NAT.
> > > > >
> > > > > There is some further explanation of this at
> > > > > http://online.securityfocus.com/infocus/1519
> > > > > "Transports vs. Tunnels
> > > > > IPSec operates in either one of two modes - transport mode or tunnel mode.
> > > > > Transport mode is meant primarily for protection of upper layer protocols,
> > > > > while tunnel mode protects the IP layer as well. In tunnel mode, used
> > > > > primarily between two gateways or a server and a gateway, the packet has two
> > > > > IP headers, an outer and an inner. The outer header identifies the source
> > > > > and destination endpoints, while the inner contains the original sender and
> > > > > destination addresses, protected by IPSec.
> > > > > Tunnel Mode
> > > > > IPSec in Windows was meant mainly for interaction with routers or other
> > > > > IPSec tunnel endpoints. However, as stated, it can be used with L2TP to
> > > > > provide a VPN remote access solution. When this is done, the L2TP headers
> > > > > are encapsulated and protected by IPSec, so if encryption is being used with
> > > > > IPSec, the L2TP headers will be encrypted. The only unencrypted headers will
> > > > > be the outer IP headers (with the destination endpoint IP address) and lower
> > > > > layers.
> > > > >
> > > > > For details of setting up IPSec tunnels in Windows 2000 (most of which
> > > > > applies to XP also) please take a look at the Microsoft Support Services
> > > > > document How to Configure IPSec Tunneling in Windows 2000. "
> > > > >
> > > > >
> > > > > "Meron Lavie" <lavie@net2vision.net.il> wrote in message
> > > > > news:uYb5c5IHCHA.2580@tkmsftngp09...
> > > > > > Steven,
> > > > > >
> > > > > > I tried specifying pptp, but it didn't help.
> > > > > >
> > > > > > I have all outgoing traffic allowed, and also allow 47 (I enabled logging
> > > > > > and see that port 1723 and protocol 47 are successfully connecting).
> > > > > >
> > > > > > Any other ideas? Has anyone ever succeeded in connecting a VPN client in a
> > > > > > NATted LAN to an external VPN server?
> > > > > >
> > > > > > --
> > > > > > Meron Lavie
> > > > > >
> > > > > >
> > > > > > "Steven L Umbach" <n9rou@attbi.com> wrote in message
> > > > > > news:MY3S8.319039$cQ3.17382@sccrnsc01...
> > > > > > >        Are you trying to use l2tp or pptp? L2tp for the most part does
> > > > > > > not work with NAT. In your vpn client connectoid properties select pptp as
> > > > > > > server type instead of "auto" - W2K will try l2tp first by default (assuming
> > > > > > > W2K vpn server is set up to allow pptp connections). If using pptp your
> > > > > > > firewall has to allow protocol passage of port 1723 and protocol 47 gre. ---
> > > > > > > Steve
> > > > > > >
> > > > > > >
> > > > > > > "Meron Lavie" <lavie@net2vision.net.il> wrote in message
> > > > > > > news:urZ42DIHCHA.2364@tkmsftngp11...
> > > > > > > > I am trying to access a remote server via VPN.
> > > > > > > >
> > > > > > > > The server is W2K/SP2 running ISA.
> > > > > > > >
> > > > > > > > My local computer is W2K/Pro with SP2, on a LAN whose gateway is Redhat
> > > > > > > > Linux v7.0 running an IPCHAINS-based firewall which also performs
> > > > > > > > NATting/Forwarding. The Linux accesses the Internet through ADSL.
> > > > > > > >
> > > > > > > > When I try to connect to the remote server, I get "Verifying Username and
> > > > > > > > Password", but after about 15 secs it fails with message 721. The firewall
> > > > > > > > log shows no violations.
> > > > > > > >
> > > > > > > > Everyone else succeeds in accessing from their ISP's dialup. I am the first
> > > > > > > > person to try to access it from an external LAN.
> > > > > > > >
> > > > > > > > What am I doing wrong?
> > > > > > > >
> > > > > > > > --
> > > > > > > > TIA
> > > > > > > > Meron Lavie
> > > > > > > > lavie@net2vision.net.il
> > > > > > > > NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS: ANTI-SPAM!!!
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
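The AH-versus-NAT argument that runs through the quoted replies, shown in code. This is an added example and not code from any poster: it builds a toy IPv4 packet, computes the AH integrity check value (HMAC-SHA1-96, RFC 2404) over the immutable IP header fields plus the AH header and payload, rewrites the source address the way a NAT gateway does, and verifies again; an ESP packet gets the same treatment. The key, SPI, addresses and payload are constructed, and ESP encryption is omitted so that only the two integrity checks are compared.

```python
"""Why a NAT rewrite breaks an IPsec AH packet but leaves the ESP
integrity check intact. Added example, not code from the thread.
AH (RFC 2402) hashes the IP header with only its mutable fields zeroed,
so the addresses are covered; ESP (RFC 2406) hashes the ESP header,
payload and trailer and never looks at the outer IP header."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # assumption: the SA's shared integrity key
AH_PROTO, ESP_PROTO, UDP_PROTO = 51, 50, 17
ICV_LEN = 12                    # HMAC-SHA1-96 keeps the first 96 bits
SPI, SEQ = 0x1000, 1            # constructed SPI and sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum stays zero: it is a mutable
    field and excluded from the AH ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_immutable_view(ip_hdr):
    """RFC 2402 3.3.3.1: zero TOS, flags/fragment offset, TTL and checksum
    before hashing. Source and destination addresses are not mutable, so a
    NAT that changes them changes the hashed input."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def _mac(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, next_hdr=UDP_PROTO):
    # AH fixed part: next header, payload length (32-bit words minus 2),
    # reserved, SPI, sequence number; the ICV is zeroed while hashing.
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, SPI, SEQ)
    total = 20 + len(ah_fixed) + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total)
    icv = _mac(ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(pkt):
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = _mac(ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def build_esp_packet(src, dst, payload, next_hdr=UDP_PROTO):
    esp_hdr = struct.pack("!II", SPI, SEQ)
    pad = (-(len(payload) + 2)) % 4            # trailer aligned to 4 bytes
    body = payload + bytes(range(1, pad + 1)) + struct.pack("!BB", pad, next_hdr)
    icv = _mac(esp_hdr + body)                 # the IP header is not covered
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(esp_hdr) + len(body) + ICV_LEN)
    return ip_hdr + esp_hdr + body + icv


def verify_esp(pkt):
    esp_part, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(esp_part))


def nat_rewrite_src(pkt, new_src):
    """What the NAT gateway does on the way out: swap the private source
    address for its public one (a real NAT also fixes the IP checksum)."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def demo(private_src="192.168.1.10", vpn_server="203.0.113.5",
         public_src="198.51.100.7"):
    """Returns (AH still valid after NAT, ESP still valid after NAT)."""
    payload = b"L2TP control message (constructed)"
    ah_pkt = build_ah_packet(private_src, vpn_server, payload)
    esp_pkt = build_esp_packet(private_src, vpn_server, payload)
    assert verify_ah(ah_pkt) and verify_esp(esp_pkt)   # both valid before NAT
    return (verify_ah(nat_rewrite_src(ah_pkt, public_src)),
            verify_esp(nat_rewrite_src(esp_pkt, public_src)))


if __name__ == "__main__":
    print("AH valid after NAT: %s, ESP valid after NAT: %s" % demo())
```

The surviving ESP check is necessary but not sufficient in practice: a plain NAT has no port numbers to map on a protocol-50 flow, and in transport mode the UDP checksum of the encapsulated L2TP packet, which embeds the original addresses, is encrypted where the NAT cannot fix it. That is why the replies keep coming back to IPsec passthrough on the gateway, or to PPTP, which only needs TCP 1723 and GRE.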


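The log triage the replies ask for (look in the gateway's log for protocol 47, 50 and 51 and for the IKE and PPTP ports), as an added example that is not from the thread. The ipchains "Packet log:" lines are constructed in the layout ipchains printed; the kernel timestamp prefix is left off, and the 65535 shown as the port for GRE and AH is assumed to be the placeholder ipchains used for protocols without ports (the parser accepts any number there).

```python
"""Classify ipchains log lines by VPN protocol component and point at
what stops a VPN through a NAT gateway. Added example, not from the
posts. PPTP needs TCP 1723 plus GRE (protocol 47) in both directions;
L2TP/IPsec shows up as UDP 500 (IKE) followed by ESP (50) or AH (51)."""
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" layout (assumption).
SAMPLE_LOG = """\
Packet log: output ACCEPT ppp0 PROTO=6 192.168.1.10:1042 203.0.113.5:1723 L=48 S=0x00 I=2001 F=0x4000 T=63 (#3)
Packet log: output ACCEPT ppp0 PROTO=47 192.168.1.10:65535 203.0.113.5:65535 L=60 S=0x00 I=2002 F=0x4000 T=63 (#3)
Packet log: input DENY ppp0 PROTO=47 203.0.113.5:65535 198.51.100.7:65535 L=60 S=0x00 I=7781 F=0x4000 T=51 (#9)
Packet log: output ACCEPT ppp0 PROTO=17 192.168.1.10:500 203.0.113.5:500 L=228 S=0x00 I=2003 F=0x4000 T=63 (#3)
Packet log: output ACCEPT ppp0 PROTO=51 192.168.1.10:65535 203.0.113.5:65535 L=120 S=0x00 I=2004 F=0x4000 T=63 (#3)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

PROTO_NAMES = {6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}
PPTP_PORT, IKE_PORT, L2TP_PORT = 1723, 500, 1701


def parse_line(line):
    """One log line -> dict of chain, verdict, iface, proto, addresses, ports."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Name the VPN component a parsed line belongs to."""
    proto, ports = rec["proto"], (rec["sport"], rec["dport"])
    if proto == 6 and PPTP_PORT in ports:
        return "pptp-control"
    if proto == 47:
        return "gre"
    if proto == 17 and IKE_PORT in ports:
        return "ike"
    if proto == 17 and L2TP_PORT in ports:
        return "l2tp"
    return PROTO_NAMES.get(proto, "proto-%d" % proto)


def summarize(log_text):
    """Count (component, chain, verdict) triples over the whole log."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(classify(rec), rec["chain"], rec["verdict"])] += 1
    return seen


def diagnose(seen):
    """Turn the counts into the findings a gateway admin would act on."""
    findings = []
    kinds = {kind for (kind, _, _) in seen}
    if any(kind == "gre" and verdict == "DENY" for (kind, _, verdict) in seen):
        findings.append("GRE (protocol 47) is being denied; PPTP needs it "
                        "allowed in both directions, not just outbound")
    if "pptp-control" in kinds and "gre" not in kinds:
        findings.append("TCP 1723 seen but no GRE at all: the control channel "
                        "works, the data channel never starts")
    if "ah" in kinds:
        findings.append("AH (protocol 51) in use: its ICV covers the IP "
                        "addresses, so a NAT rewrite invalidates every packet")
    if "ike" in kinds and not kinds & {"esp", "ah"}:
        findings.append("IKE (UDP 500) seen but no ESP/AH: phase 2 never came up")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```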