RRAS IPSec on W2003 Server behind NAT

 
 
D Rasmussen

 
      11-13-2009
Trying to get L2TP IPSec VPN remote connections to a W2003 RRAS server behind
a NAT firewall. While PPTP VPN works fine, we would like to use L2TP IPSec.

The trouble we are coming up against is that we continually get 789 errors
on remote clients. While L2TP IPSec connections work fine behind the
perimeter router, VPN remote clients can't make a connection. UDP port 1701
is directed to the RRAS server, IPSec Protocol passthrough and L2TP
passthrough are all enabled on the perimeter router, but even using a
preshared key, remote clients cannot connect. UDP 1701 is listening on the
RRAS server external interface. RRAS is set up as NAT-T.

Any suggestions would be appreciated.


 
 
 
 
 
Ace Fekay [MCT]

 
      11-13-2009
"D Rasmussen" <> wrote in message
news:1B662482-FB64-4DFE-B87A-...
> Trying to get L2TP IPSec VPN remote connections to a W2003 RRAS server
> behind a NAT firewall. While PPTP VPN works fine, we would like to use
> L2TP IPSec.
>
> The trouble we are coming up against is that we continually get 789 errors
> on remote clients. While L2TP IPSec connections work fine behind the
> perimeter router, VPN remote clients can't make a connection. UDP port
> 1701 is directed to the RRAS server, IPSec Protocol passthrough and L2TP
> passthrough are all enabled on the perimeter router, but even using a
> preshared key, remote clients cannot connect. UDP 1701 is listening on
> the RRAS server external interface. RRAS is set up as NAT-T.
>
> Any suggestions would be appreciated.
>
>




You need TCP 1701 opened.

L2TP IPSec ports:
TCP 7101
UDP 500 (for the SA)
Protocol ID 50 (ESP)
Protocol ID 51 (EH)

PPTP ports:
TCP 1723 (GRE)
Protocol ID 47

Keep in mind that a "Protocol ID" is not a port. Each router and firewall
handles it differently with their own terminology.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


 
 
D Rasmussen

 
      12-02-2009
Well, so far, after a month of trying to get IPSec on a W2003 Server using a
preshared key, we have failed to get this working.

Clients are Windows XP SP2 or later, and we have found out that with SP2, IPSec
behind a NAT device has been turned off [MS KB 818043]. While we have tried
the fixes in this KB article, we still cannot get XP SP2 or later or Windows
Vista/7 clients to be able to connect to a Windows 2003 VPN server [not
behind a NAT device].

Any suggestions to get a VPN Server and XP SP2 clients to connect using L2TP
IPSec are appreciated.


 
 
Ace Fekay [MCT]

 
      12-03-2009
"D Rasmussen" <> wrote in message
news:80BD1DFB-9B1D-4FA9-BC11-...
> Well, so far, after a month of trying to get IPSec on a W2003 Server using a
> preshared key, we have failed to get this working.
>
> Clients are Windows XP SP2 or later, and we have found out that with SP2,
> IPSec behind a NAT device has been turned off [MS KB 818043]. While we have
> tried the fixes in this KB article, we still cannot get XP SP2 or later or
> Windows Vista/7 clients to be able to connect to a Windows 2003 VPN server
> [not behind a NAT device].
>
> Any suggestions to get a VPN Server and XP SP2 clients to connect using
> L2TP IPSec are appreciated.
>


Have you tried using a simple password instead of a pre-shared key?

KB818043 was for pre-SP2 and not needed if you have any service packs
installed.

Whether L2TP/IPSec can go across a NAT or not depends on the NAT device.
What type of device? Also, if it doesn't work on the same subnet, try it
with a simple password, like "1234". If that doesn't work, then there's
either an issue in your VPN config on the server, and/or on the client.

Does a simple PPTP VPN work?

I don't know what articles or books you've followed to set up the VPN, but
here are additional resources.

How to setup VPN
You may have two options to setup VPN server on Windows 2003. ... 47 [GRE -
Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP
Protocol ...
www.howtonetworking.com/Windows/vpnsetup.htm

How To Configure IPSec Tunneling in Windows Server 2003
In Windows Server 2003, client remote access VPN connections are protected
.... and Remote Access automatically creates IPSec filters for L2TP
traffic). ...
http://support.microsoft.com/kb/816514

Virtual Private Networks
Get an overview of the VPN technologies supported by Windows Server 2003
and ... Download the Microsoft L2TP/IPSec VPN client, which enables
computers ...
http://technet.microsoft.com/en-us/n.../bb545442.aspx

L2TP-based remote access VPN deployment: Virtual Private Network ...
Applies To: Windows Server 2003, Windows Server 2003 R2, ...
http://technet.microsoft.com/en-us/l...15(WS.10).aspx

Administrator's Guide to Microsoft L2TP/IPSec VPN Client
Microsoft L2TP/IPSec VPN Client setup process creates a Microsoft IPSec VPN
....
http://technet.microsoft.com/en-us/l.../bb742553.aspx


Ace
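
The forwarding setup described in the question (UDP 1701 directed to the RRAS server, RRAS set up as NAT-T), as an added example that is not part of any post in this thread: a check of which inbound flows a perimeter router has to deliver to an L2TP/IPsec server behind NAT. It assumes the standard assignments (IKE on UDP 500, NAT-T on UDP 4500); the rule syntax, the inside address and both rule sets are constructed for illustration.

```python
import re

# Assumption: standard port assignments. With NAT-T the NAT device only ever sees
# IKE on UDP 500 and, once NAT is detected, IKE plus UDP-encapsulated ESP on UDP 4500.
REQUIRED = {
    ("udp", 500): "IKE negotiation",
    ("udp", 4500): "NAT-T: IKE and UDP-encapsulated ESP",
}
# L2TP (UDP 1701) is carried inside ESP, so a cleartext forward of it does not help
# the tunnel come up; it is reported separately so it can be reviewed.

# Hypothetical rule syntax for this example: "forward <proto> <port> -> <inside host>"
RULE_RE = re.compile(r"^\s*forward\s+(udp|tcp)\s+(\d+)\s*->\s*(\S+)\s*$", re.IGNORECASE)

# Constructed sample: the forwarding described in the question.
THREAD_RULES = """
forward udp 1701 -> 192.168.1.10   # L2TP forwarded to the RRAS server
"""

# Constructed sample: the same router with the NAT-T flows forwarded instead.
NATT_RULES = """
forward udp 500  -> 192.168.1.10
forward udp 4500 -> 192.168.1.10
"""

def parse_rules(text):
    """Return a set of (proto, port, inside_host) from the rule text."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = RULE_RE.match(line)
        if m:
            rules.add((m.group(1).lower(), int(m.group(2)), m.group(3)))
    return rules

def audit(text, server):
    """Compare the flows forwarded to `server` with what NAT-T needs."""
    to_server = {(proto, port) for proto, port, dst in parse_rules(text) if dst == server}
    missing = sorted(flow for flow in REQUIRED if flow not in to_server)
    not_required = sorted(flow for flow in to_server if flow not in REQUIRED)
    return {"ok": not missing, "missing": missing, "not_required": not_required}

if __name__ == "__main__":
    for name, rules in (("thread", THREAD_RULES), ("nat-t", NATT_RULES)):
        print(name, audit(rules, "192.168.1.10"))
```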




 