2003 and L2TP

R

RB

Goal: To get L2TP connection to work to a VPN server
sitting behind a PIX firewall.

First setup: (This was to just get a grasp of the goal
and proceed from there)
- Windows 2000 Server setup with RRAS in
a workgroup
- Windows 2000 Server setup as a Stand Alone Root
CA
- Windows 2000 professional as the VPN client

Actions taken:
- IPSec certificate installed on RRAS
server through web based enrollment
into the local machine store
- IPSec certificate exported and imported
into Root Trust
- IPSec certificate installed on client
through web based enrollment
into the local machine store
- IPSec certificate exported and imported
into Root Trust

After creating a VPN connection and running it
everything worked great.

Second setup: (Using same systems)
- I upgraded the the 2000 RRAS server to 2003 for
NAT-T.
- As soon as I did this, the client could no
longer connect. I get a "Could not
negotiate encryption"

After looking over all the configs and not seeing
anything, I started from scratch. I setup a new 2003
server and configured it as both RRAS and a Stand alone
CA. Then I performed the same tasks I did in the first
setup on both the Server and the client. This still did
not work.

The ultimate use of this setup is for non domain computers
to be able to make L2TP VPN connections.
 
C

Carl DaVault [MSFT]

First of all, on your server, you should make sure that the certs are
present and valid in the machine store.

Next, you'll want to open a new mmc.exe and add the ipsec monitor. Add a
pre-shared key and restart RRAS and look for L2TP filters and policies - you
should see the preshared key and the local store certificates as valid
authentication methods. (You'll see what I mean when you click in the
snap-in.)

If the PIX is just firewalling and not NAT-ing you should see no difference.
Can you connect if you remove the PIX from the picture?
 
G

Guest

I was planning the same setup of a W2k VPN Server running Ipsec and L2TP behind a Pix firewall. I got it to work without the Pix. The VPN server has a static IP and the Pix is configured to pass AH, ESP and ISAKMP, but still could not get the traffic to pass through the PiX.

I will try Win 2003 and Pix 6.3. I will post if my results.

----- RB wrote: -----

Goal: To get L2TP connection to work to a VPN server
sitting behind a PIX firewall.

First setup: (This was to just get a grasp of the goal
and proceed from there)
- Windows 2000 Server setup with RRAS in
a workgroup
- Windows 2000 Server setup as a Stand Alone Root
CA
- Windows 2000 professional as the VPN client

Actions taken:
- IPSec certificate installed on RRAS
server through web based enrollment
into the local machine store
- IPSec certificate exported and imported
into Root Trust
- IPSec certificate installed on client
through web based enrollment
into the local machine store
- IPSec certificate exported and imported
into Root Trust

After creating a VPN connection and running it
everything worked great.

Second setup: (Using same systems)
- I upgraded the the 2000 RRAS server to 2003 for
NAT-T.
- As soon as I did this, the client could no
longer connect. I get a "Could not
negotiate encryption"

After looking over all the configs and not seeing
anything, I started from scratch. I setup a new 2003
server and configured it as both RRAS and a Stand alone
CA. Then I performed the same tasks I did in the first
setup on both the Server and the client. This still did
not work.

The ultimate use of this setup is for non domain computers
to be able to make L2TP VPN connections.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

L2TP IPSec error 789 & 792 0
L2TP/IPSEC - Please help - I'm losing it!! 12
How to use certificates for L2TP VPN connection 2
L2TP connection 1
PLEASE HELP ! L2TP & Certificates 3
L2TP VPN connections 1
L2TP Question 1
vpn & ipsec problems 1

Top