L2TP/IPSec and end-to-end security

From: SanjayG (agsanjay@email.com)
Date: 07/29/02


Hello,
   As a curiosity exercise, I am trying to get a secure end-to-end
IPSec connection from my VPN client (C1) to a remote client (C2).
Though I thought this to be a simple 2-step (indicated below) process,
I am having problems :(. Would appreciate any pointers that indicate
what I could be missing.

Step1:
 My VPN client (XP-Pro) connects to my RAS server (a .Net server)
using L2TP with IPSec.
     C1<----------------->RAS-Server<------------>C2
         <-(L2TP/IPSec)->

Step2:
  I create an end-to-end (transport) IPSec policy from C1 to C2
     C1<----------------->RAS-Server<------------>C2
         <-(L2TP/IPSec)->
         <--------------(Transport IPSec)------->

   Step1 works fine, I see L2TP pkts (both directions) between the C1
and the RAS-Server encrypted (ESP-3DES) and the session itself
authenticated. However I have had no success with Step2. After I
activate the transport policy, if I ping from C2 to C1, I see the
"Negotiating IP Security" message only. I traced (with a sniffer) the
IKE session request pkt to actually arrive at C1, which however seems
to ignore it. I am sure the policy setup is fine. I am not sure why
the response from C1 for the IKE is missing. On the flip-side if I
ping from C1 to C2, the transport policy is totally ignored and no
IKE session is initiated at all before the ping requests!!

  Based on IPSec spec such a combination of SAs is possible. Does MS's
IPSec implementation support it? Any pointers??
-Sanjay
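The layering the post is after (an end-to-end transport-mode SA carried inside the L2TP/IPsec connection to the RAS server) is easy to get wrong when reading sniffer traces, so here is a small model of it. This is an added example, not code from the original post or from any Microsoft component; the addresses, policy names and routing table are constructed, and the SPD logic is a first-match simplification of what RFC 2401 describes for combining SAs, not a reproduction of the Windows IPsec driver. It shows the header stack C1 would put on the wire for a ping to C2 when both policies apply, and what a sniffer placed between the RAS server and C2 can still see once the RAS has stripped the outer ESP and the L2TP/PPP wrapping.

```python
"""Model of nested IPsec protection: an end-to-end transport-mode SA carried
inside an L2TP/IPsec connection.  Added example; addresses, policy names and
routes are constructed, not taken from any real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ---- constructed addresses for the three hosts in the post's diagram ----
C1_PUBLIC = "192.0.2.10"      # C1's address on the path to the RAS server
C1_VPN = "10.0.0.5"           # address PPP assigns to C1 over the L2TP link
RAS = "198.51.100.1"          # RAS server's public address
C2 = "10.0.0.20"              # remote client on the private side


@dataclass(frozen=True)
class Policy:
    """One SPD entry: a traffic selector and the ESP transport-mode SA it maps to."""
    name: str
    src: str                        # CIDR selector
    dst: str
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def spd_lookup(spd, src, dst, proto, dport=None):
    """First-match SPD lookup; returns the matching policy or None (bypass)."""
    for policy in spd:
        if policy.matches(src, dst, proto, dport):
            return policy
    return None


def build_outbound(spd, vpn_routes, src, dst, proto, dport=None):
    """Return the on-the-wire header stack (outermost first) for a packet C1 sends.
    Round 1: SPD lookup on the original packet (may apply the end-to-end SA).
    Then, if dst is reached over the VPN, wrap in PPP/L2TP/UDP towards the RAS server.
    Round 2: SPD lookup on the new outer packet (applies the L2TP/IPsec SA).
    Only these two rounds are modelled; this demonstrates SA bundling, not a full stack."""
    stack = [f"IP {src}->{dst}"]
    policy = spd_lookup(spd, src, dst, proto, dport)
    if policy:
        stack.append(f"ESP(transport, SA={policy.name})")
    stack.append(proto.upper())

    if any(ip_address(dst) in net for net in vpn_routes):
        outer_src, outer_dst, outer_proto, outer_port = C1_PUBLIC, RAS, "udp", 1701
        outer = [f"IP {outer_src}->{outer_dst}"]
        policy = spd_lookup(spd, outer_src, outer_dst, outer_proto, outer_port)
        if policy:
            outer.append(f"ESP(transport, SA={policy.name})")
        outer += ["UDP 1701", "L2TP", "PPP"]
        stack = outer + stack
    return stack


def seen_past_ras(stack):
    """What a sniffer between the RAS server and C2 sees: the RAS removes the
    outer ESP and the L2TP/PPP wrapping, so only the inner packet remains.
    If there is no PPP layer the packet never went through the RAS."""
    try:
        i = stack.index("PPP")
    except ValueError:
        return list(stack)
    return stack[i + 1:]


# Constructed SPD for C1: the L2TP/IPsec rule and the end-to-end transport rule.
SPD = [
    Policy("l2tp", src=C1_PUBLIC + "/32", dst=RAS + "/32", proto="udp", dport=1701),
    Policy("e2e", src=C1_VPN + "/32", dst=C2 + "/32"),
]
# Constructed routing table: the private network is reached over the VPN link.
VPN_ROUTES = [ip_network("10.0.0.0/24")]

if __name__ == "__main__":
    wire = build_outbound(SPD, VPN_ROUTES, C1_VPN, C2, "icmp")
    print("on the wire C1->RAS:", " | ".join(wire))
    print("past the RAS:       ", " | ".join(seen_past_ras(wire)))
```

Running it shows the inner ESP header surviving past the RAS server, which is the property the end-to-end policy is meant to give: the RAS can decrypt the L2TP/IPsec layer but sees only ESP, not ICMP, inside it. Dropping the `e2e` policy from `SPD` shows the contrast, where the RAS (and anything between it and C2) sees the ping in the clear.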


