Small Business Server Support Forum    
Subject: L2TP over IPSec VPN Probs

Ian Wilson (United Kingdom, member since 2/9/2006, Registered Users, Posts: 178)
12/12/2007 04:46 PM
Hi,
 
I'm trying to set up a VPN so I can remote in and do work after hours and at weekends. I want the VPN to be as secure as possible, so I'm trying to set up L2TP over IPSec. I can't seem to get it working, which is frustrating, as I've set it up in the past in a test environment.

I'm getting error 789 when I try to connect, both when I try to VPN from an external machine and when I try to VPN with an internal one I have been testing with.
 
I have setup the certificate services, created a certificate and exported it and imported it to my trusted root authority.
 
I have enabled L2TP connections in the VPN properties of ISA.
 
What seems to be the main problem, though, is that ISA doesn't appear to be listening for incoming L2TP requests. I have my hardware firewall forwarding all VPN services to the external IP of the ISA, but when I try to connect I don't see it being blocked or even making a connection to ISA. I thought this might be my firewall blocking it, which is why I set up a VPN from a domain machine to the external IP of the ISA, but this doesn't show in the logs either.

If I run netstat -a then it doesn't show it as listening on 1701.
 
PPTP is working fine in all the above cases.
 
Ian
robert pearman (United Kingdom, member since 2/23/2007, Platinum Membership, Posts: 1770)
12/12/2007 05:26 PM
Can you confirm that within ISA Management you enabled L2TP in the protocols section of the VPN configuration?
Ian Wilson (United Kingdom, member since 2/9/2006, Registered Users, Posts: 178)
12/12/2007 05:32 PM
ISA Server Management
 
Configure VPN Access Page
 
VPN Client Properties Page - Protocols - Ticked Enable L2TP/IPSec
 
Ian 
robert pearman (United Kingdom, member since 2/23/2007, Platinum Membership, Posts: 1770)
12/12/2007 05:39 PM
I assumed you would have done that, but had to ask ;-)

OK so, what kind of router are you using?
Ian Wilson (United Kingdom, member since 2/9/2006, Registered Users, Posts: 178)
12/12/2007 05:48 PM
D-Link DFL 700 with all VPN-related traffic forwarded to the external IP of my ISA.

I have the following forwarded:

IP 47, 50, 51, 115
UDP 4500, 500, 1701, 1723

Even if my external firewall was blocking it, surely I could create a connection from the internal network to it? This works with PPTP.
 
Ian
 
robert pearman (United Kingdom, member since 2/23/2007, Platinum Membership, Posts: 1770)
12/12/2007 06:24 PM
Well, that would depend on whether your firewall policy allows outbound VPNs, but the whole idea of VPNing to the external interface of your server, to create a VPN to the internal network, doesn't sit right with me somehow.

I never managed to get an L2TP VPN working from an external non-domain-member PC, because the PC itself can't authenticate using a certificate.

If someone can correct me on that I would be hugely grateful.

Does the D-Link have its own built-in VPN service?

I use the DrayTek Vigor series mainly, and you can port forward as much as you like, but if you don't switch off the built-in VPN server then the VPNs will never be passed.
Steve Moss (Telford, U.K., member since 8/30/2006, Registered Users, Posts: 112)
12/12/2007 08:57 PM
I don't know the D-Link DFL 700; is it a domestic-grade router? Although most domestic-grade routers claim to support VPN passthrough, some of them just don't do it properly.

The only ports you need to forward to your server's external NIC for an L2TP/IPsec VPN are:

TCP 550
UDP 500, 4500 and 1701

The others you mention are not necessary (and therefore should be closed).

Assuming you have ISA fully configured for the VPN - maybe we should go through that? - and that you have the right certificates in place both on your server and client, are you by any chance testing from a client machine running XP Pro with SP2? In that case, there may be a configuration change you need to make on the client, as described here:
http://support.microsoft.com/kb/885407/
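The original poster checked `netstat -a` for a 1701 listener, and the reply above lists the UDP ports an L2TP/IPsec server needs. The following added example (not code from the thread) parses `netstat -an` output and reports which required listeners are absent for L2TP/IPsec and for PPTP; the netstat text is constructed to mirror the poster's symptom (IKE ports bound, 1701 missing, PPTP fine).

```python
"""Check `netstat -an` output for the listeners a VPN server needs.

Added example, not from the forum thread. Required ports follow the
reply above (UDP 500, 4500, 1701 for L2TP/IPsec) plus TCP 1723 for PPTP.
"""
import re

# Constructed sample in Windows `netstat -an` layout: IKE (500) and
# NAT-T (4500) are bound, L2TP (1701) is not, PPTP (1723) is listening.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:445       192.168.16.30:1040     ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
"""

# (protocol, port) pairs each VPN type must have bound on the server.
REQUIRED = {
    "L2TP/IPsec": {("UDP", 500), ("UDP", 4500), ("UDP", 1701)},
    "PPTP": {("TCP", 1723)},
}

# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return the set of (proto, port) bound for inbound traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(3)), m.group(4)
        # UDP sockets carry no state; TCP counts only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners


def missing_listeners(netstat_text):
    """Map each VPN type to the sorted required listeners it lacks."""
    have = parse_listeners(netstat_text)
    return {vpn: sorted(req - have) for vpn, req in REQUIRED.items()}


if __name__ == "__main__":
    for vpn, missing in missing_listeners(SAMPLE_NETSTAT).items():
        print(vpn, "missing:", missing or "none")
```

Feed it real `netstat -an` output to distinguish a server that is not listening at all from a firewall that is not passing the traffic.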
Ian Wilson (United Kingdom, member since 2/9/2006, Registered Users, Posts: 178)
12/13/2007 12:16 PM
Thanks for your help guys.

Good news, got this working this morning!

Not sure why I didn't do it yesterday; I had a headache all day, so I wasn't really enjoying staring at a screen, and I'm sure that didn't help.

The steps I took this morning were as follows:
 
Step 1 - Domain PC
 
I'd already made the reg mod described at http://support.microsoft.com/kb/885407/.
  1. Changed the IP I was trying to connect to from the server's external IP to our public IP (which is forwarding traffic from the firewall to the external IP anyway).
  2. Set up a PSK.
  3. Clicked connect - worked first time.
I now knew that the firewall and ISA were working fine for L2TP connections.
 
Step 2 - Non-Domain Laptop
 
I already had PPTP working on this, and I had previously connected and used Certificate Services to request and install a certificate.
  1. Carried out the reg mod described in http://support.microsoft.com/kb/885407/.
  2. Set up to use L2TP and a PSK.
  3. Clicked connect - worked fine.
  4. Disabled PSK on ISA and removed it from the laptop connection.
  5. Connected using the certificate.
Thanks for the help again.
Ian
Steve Moss (Telford, U.K., member since 8/30/2006, Registered Users, Posts: 112)
12/13/2007 03:47 PM
Posted By Ian Wilson on 12/13/2007 12:16 PM:
  1. Changed the IP I was trying to connect to from the server's external IP to our public IP (which is forwarding traffic from the firewall to the external IP anyway).
Ha, yes, trying to use the internal IP from outside would definitely cause the problem you encountered! Glad you got it sorted.