Easy RRAS VPN question

Discussion in 'Server Networking' started by Jarryd, Feb 18, 2005.

  1. Jarryd

    Jarryd Guest


    I am wanting to use Win Srvr 2003 as a VPN server. I only want to allow
    L2TP connections using MS-CHAP v2. I have configured this already on the
    server. Certificates are sorted as well. The only thing is the ports that
    need to be opened on the firewall and NAT on the router.

    As for the ports, do I only need to open up access to the server for
    MS-CHAPv2 and IP/Sec? And what are the port numbers for that? I think I
    have to have IP protocols 50 and UDP port 1701 allowed on the router. But
    what about a port for MS-CHAPv2? Or is that tunnelled through 1701? And
    does that then handle everything? If so then I shouldn't have to enable 88
    for Kerberos or 443 for SSL because it is all tunnelled through?

    With regards to the router and NAT. I have a public address assigned to the
    LAN interface that is statically NATed to an address on our private range.
    To see the NAS from the internet I will configure it the same (static NAT
    public.IP private.IP). Is that going to cause any problems. I once read
    somewhere that it can and you use port forwarding. Is that the answer? If
    so, what do I forward to what? All L2TP and IP 50 packets to the server's
    IP, rather than set up NAT?

    Please help, TIA,

    Jarryd, Feb 18, 2005

  2. Jarryd

    Jarryd Guest


    I have found the following article which answers all my questions in the
    last post. What I am not sure of now is if I need to enable outgoing
    connections. Please see:

    As far as I know the firewall will block syn packets, so I am assuming that
    if I only to use my RRAS server to handle incoming connections then I should
    be OK just permitting inward traffic. The sessions are initiated by the
    clients and the server piggybacks out. I don't necessarily want the
    server to initiate remote sessions, i.e. with other VPN servers. Is my
    thinking correct?

    Please help, TIA,

    Jarryd, Feb 18, 2005

  3. You do not need to enable outgoing connections. The VPN server will listen
    for VPN clients that want to connect and then evaluate the connection based
    on Remote Access Policy conditions/profile. --- Steve
    Steven L Umbach, Feb 19, 2005
  4. Hi Steve,

    Thanks for your advice. So what you are saying is that I have assumed
    correctly, and to get this working all I should need to do is enable inbound
    traffic to my RRAS server's interface on UDP 500 and 4500 and IP Protocol 51?
    After that I should be laughing?


    Jefferey Simons, Feb 19, 2005
  5. The article you referenced has all the info. You may also need to allow
    access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is for
    ESP. --- Steve
    Steven L Umbach, Feb 19, 2005
  6. Jarryd

    Jarryd Guest

    Hi Steve,

    I have re-read the article. It says, "There are no filters required for
    L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall,
    including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP
    payload." So why do I have to also allow port 1701?

    That was actually a coincidental typo; protocol 51 should be 50, but well
    done for noticing it.

    Please let me know about 1701 because I am getting stopped at every turn
    here. I have permitted any UDP 4500, UDP 500 and IP 50 to the server's
    address but I get Error: 789 "The L2TP connection attempt failed because
    the security layer encountered a processing error during initial
    negotiations with the remote computer". I don't see anything in event
    viewer but I probably have to set something in the audit policy. Will post
    any updates from my side, but if you know the answer to this one please
    please please let me know. Driving me nuts!!


    Jarryd, Feb 21, 2005
  7. I am a bit confused about that as I don't understand why there would be a
    difference where the VPN server is after all the firewall simply should
    allow the authorized traffic to pass. I have seen other documentation from
    MS that says that 1701 UDP needs to be allowed. I would open that port at
    least until you have your problem resolved and also examine the firewall
    logs for dropped packets for the IP address of the VPN client which often is
    the best bet for troubleshooting such problems. Since you are using NAT make
    sure the VPN client has the NAT-T update installed on it and if you are
    using XP SP2 see the KB link below on how it used the NAT-T client. L2TP
    also uses computer certificates on the VPN server and client. If you are
    using XP Pro client you might want to try to use pre shared key instead as a
    test to rule out problems with certificates/PKI. Also try to connect via
    L2TP to your VPN server from the LAN using the VPN servers LAN IP address to
    make sure it is correctly configured. --- Steve

    http://support.microsoft.com/kb/885348 --- KB on NAT-T and XP SP2
    --- also refers to the need to allow 1701 UDP
    Steven L Umbach, Feb 22, 2005
  8. Jarryd

    Jarryd Guest

    Hi Steve,

    I have been having this discussion with someone else as well. This is an
    excerpt of my most recent posting:

    "I am having trouble with this and it very well may be what
    you are saying. It just contradicts what I have read about stateful
    inspection. But I have added the IPSec monitor snap-in to an MMC and
    checked it out, with a connection made internally. Definitely seems to do
    what you say, i.e. client listens on 1701 every time so it must be fixed.
    Even more weird it says that the destination port is ANY. How on earth is
    that supposed to work? Is that because it is tunneling through IPsec ESP
    payload (re: article) and therefore is not blocked? Then the VPN adaptor
    has to get a new IP address. Is this where things are not falling in-line
    with my understanding of how it should work, because I can see the IP and
    ports reversed at this point: starts source clientLAN-IP 1701 destination
    serverIP ANY, but then becomes source serverIP 1701 clientVPNAdaptor-IP ANY?

    I really thought this wouldn't be causing a problem but it really does seem
    to be. If I was in control of my firewall then I would just play around
    with it but I have to get the ISP to do it and it is a real pain. Please
    forgive me if I am coming across as though I think I know it all, it is not
    my intention. I am getting the following error:

    Error: 789 "The L2TP connection attempt failed because the security layer
    encountered a processing error during initial negotiations with the remote

    The way it set up at the moment is as follows:

    Client > Internet > Firewall > Router/NAT > RRAS

    The server has a static NAT from public to private address so that it can be
    accessed from the internet. The firewall rules are applied to the LAN
    interface of the router. It works fine when I use the private IP address to
    connect internally. If I use the public IP address it fails in exactly the
    same way as if I were coming in over the internet. So could it be the
    firewall, or is it a NAT problem. I have SP2 installed on the client so
    perhaps that could be the problem:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;818043. But I
    have added that to the registry
    (1)) and it still doesn't work. So now what could be going on. It is
    really doing my head in.

    Please let me know what you think. I am trying to get the ISP to change the
    router in accordance with your suggestion, but it is like trying to squeeze
    blood out of a stone to get them to do anything."

    I know it is a bit long winded. But now you are up to speed with everything
    I have done to date. I haven't tried the pre-shared key. I'll give it a
    go, but the thing works using the certificate I created with my CA when I
    use the private IP address of the server, so doesn't that already prove that
    PKI is not a problem.

    Please let me know what you think.

    Thanks a mil for your help.

    Jarryd, Feb 22, 2005
  9. Well that is a huge disadvantage if you can not access the firewall to make
    changes or see the firewall logs for dropped traffic or other error
    messages. Since you can connect to the internal IP it sounds like your VPN
    is set correctly and it most likely is an issue with the firewall/router. I
    would try preshared key since it is easy enough to see what happens. The
    other thing I would try is to see if it works with pptp. Pptp is not subject
    to the same problems with NAT that l2tp is. Another thing to try is if you
    can connect your VPN server directly to the internet via an unfiltered
    public tcp/ip address. You could try to use the built in ICF firewall for
    Windows 2003 to protect the computer and create the exceptions for inbound
    l2tp. You can also turn on logging for the ICF Windows 2003 firewall so that
    you would be able to see what traffic is being blocked if any. A third party
    personal firewall such as Sygate would also be worth consideration. You can
    try it free for thirty days and it has very advanced logging features. I
    would certainly push your ISP to allow 1701 UDP to your network to see what
    happens. Also check to see if the packet filters are correct on your
    interface for the VPN server if it is configured as shown in the link below.
    You also may want to post in the win2000.ras_routing newsgroup to see if
    they have any words of wisdom there. --- Steve

    Steven L Umbach, Feb 22, 2005
  10. Oops. I forgot you can not enable the Windows 2003 ICF firewall on a RRAS
    server. A third party product should work however. --- Steve
    Steven L Umbach, Feb 22, 2005
  11. Here is another article that may help. When NAT-T is used port 1701 UDP
    traffic is wrapped in the port 4500 UDP traffic which is why the firewalls
    does not need port 1701 UDP to be opened when NAT-T is used. If l2tp is used
    to go through a firewall directly then port 1701 UDP needs to be open. If
    packet filtering is used on the network adapter in the VPN server, port 1701
    UDP and 4500 UDP need to be allowed. --- Steve

    Steven L Umbach, Feb 22, 2005
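    The following is an added worked example, not code from this thread or from
    Microsoft; it models in Python the three port/protocol questions the thread
    keeps circling back to (whether UDP 1701 must be opened, why 50 and not 51,
    and why host-level packet filters on the RRAS adapter still need 1701 when
    the perimeter firewall does not). Addresses are constructed documentation
    values, and the "firewall" is a simple stateless match on the outermost
    header, which is exactly why a perimeter device never sees the L2TP port
    inside ESP or inside the NAT-T UDP 4500 wrapper.

```python
"""Model of L2TP/IPsec encapsulation versus firewall rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP, ESP, AH = 17, 50, 51            # IP protocol numbers; AH (51) is the typo from the thread
RRAS_PUBLIC_IP = "203.0.113.10"      # constructed placeholder (TEST-NET-3 range)
CLIENT_IP = "198.51.100.7"           # constructed placeholder (TEST-NET-2 range)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    sport: Optional[int] = None
    inner: Optional["Packet"] = None  # encapsulated payload; opaque to a perimeter filter


def perimeter_rules(raw_l2tp_allowed: bool = False) -> List[Tuple[str, int, Optional[int]]]:
    """Inbound allow-list for the RRAS server as the thread settles on it.

    UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) are always needed.
    UDP 1701 is only needed if L2TP crosses the firewall WITHOUT IPsec, which is
    not how RRAS L2TP/IPsec is normally deployed; the flag exists to show that case.
    """
    rules = [("IKE", UDP, 500), ("NAT-T", UDP, 4500), ("ESP", ESP, None)]
    if raw_l2tp_allowed:
        rules.append(("raw L2TP", UDP, 1701))
    return rules


def firewall_match(pkt: Packet, rules, server_ip: str = RRAS_PUBLIC_IP) -> Optional[str]:
    """Stateless perimeter check: only the outermost header is consulted."""
    if pkt.dst != server_ip:
        return None
    for name, proto, port in rules:
        if pkt.proto == proto and (port is None or pkt.dport == port):
            return name
    return None


def l2tp_datagram(client_ip: str = CLIENT_IP, server_ip: str = RRAS_PUBLIC_IP) -> Packet:
    """L2TP control/data traffic: UDP, server port 1701."""
    return Packet(client_ip, server_ip, UDP, dport=1701, sport=1701)


def l2tp_over_ipsec(nat_t: bool, client_ip: str = CLIENT_IP,
                    server_ip: str = RRAS_PUBLIC_IP) -> Packet:
    """Wrap the L2TP datagram in ESP (proto 50); with NAT-T, wrap ESP in UDP 4500 as well."""
    esp = Packet(client_ip, server_ip, ESP, inner=l2tp_datagram(client_ip, server_ip))
    if not nat_t:
        return esp
    return Packet(client_ip, server_ip, UDP, dport=4500, sport=4500, inner=esp)


def outer_view(pkt: Packet) -> Tuple[int, Optional[int]]:
    """What a perimeter firewall log would record: (protocol, destination port)."""
    return (pkt.proto, pkt.dport)


def after_ipsec_decapsulation(pkt: Packet) -> Packet:
    """What the RRAS host's own adapter packet filters see: IPsec has already been
    stripped by the host, so the inner UDP 1701 datagram is exposed to those filters."""
    while pkt.inner is not None:
        pkt = pkt.inner
    return pkt


def host_filter_needs_1701(pkt: Packet) -> bool:
    """True when the host-level filters must allow UDP 1701 for this traffic."""
    inner = after_ipsec_decapsulation(pkt)
    return inner.proto == UDP and inner.dport == 1701


if __name__ == "__main__":
    rules = perimeter_rules()
    for label, p in [("IKE", Packet(CLIENT_IP, RRAS_PUBLIC_IP, UDP, dport=500)),
                     ("ESP only", l2tp_over_ipsec(nat_t=False)),
                     ("NAT-T", l2tp_over_ipsec(nat_t=True)),
                     ("raw L2TP", l2tp_datagram()),
                     ("AH (51)", Packet(CLIENT_IP, RRAS_PUBLIC_IP, AH))]:
        print(f"{label:9s} outer={outer_view(p)} perimeter={firewall_match(p, rules)} "
              f"host-needs-1701={host_filter_needs_1701(p)}")
```

    Run it and the perimeter column shows why the article is right for the
    firewall (the L2TP port is never on the outside of an ESP or NAT-T packet)
    while the host column shows why Steve is right for the RRAS adapter filters,
    which inspect the datagram after IPsec has been removed.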
  12. Hi Steve,

    I have no idea what the hell is going on here, but it works now. It's
    crazy! I have tried so many things that it is hard to pinpoint what it
    might be, but perhaps it is just as "iskander" says, "strange things
    happen." Thank you so much for your help.

    Kindest regards

    Jefferey Simons, Feb 24, 2005
  13. OK! That is good to hear. --- Steve

    Steven Umbach, Feb 24, 2005