Can't get L2TP VPN working with NAT...PPTP works fine

[Ned]

I can only connect to my L2TP vpn if my home pc (XP sp2 with nat-t
registry edit) has a public ip address. I had the same problem when I
was at XP sp1. The second I put my pc behind a router with nat (netgear
fwag114) I get a timeout. PPTP works just fine either way (nat or
public ip)

At work I have a Windows 2003 server with the lastest service pack
behind a cisco 2600 router without NAT. The server has a public IP
address on its external nic and a private IP on the internal nic. The
external nic has a default gateway pointing to the cisco router and the
internal nic has static routes for my lan. I am using PSK with l2tp.

I have tried everything and I need to have this working tomorrow. Has
anyone gotten this to work? am I missing something?

 

[Kurt]

I can only connect to my L2TP vpn if my home pc (XP sp2 with nat-t
registry edit) has a public ip address. I had the same problem when I
was at XP sp1. The second I put my pc behind a router with nat (netgear
fwag114) I get a timeout. PPTP works just fine either way (nat or
public ip)

At work I have a Windows 2003 server with the lastest service pack
behind a cisco 2600 router without NAT. The server has a public IP
address on its external nic and a private IP on the internal nic. The
external nic has a default gateway pointing to the cisco router and the
internal nic has static routes for my lan. I am using PSK with l2tp.

I have tried everything and I need to have this working tomorrow. Has
anyone gotten this to work? am I missing something?

I have never got L2TP to work through a NAT. Some routers provide "NAT
Traversal" that is supposed to work, but I've never tried one. Even so,
you'd have to be able to guarantee one of those routers be available
everywhere you're connecting from. If this is for road warriors, I'd
stick with PPTP. IF this is for a fixed remote site, go with a hardware
IPSec solution.

I'm not any kind of authority here, if someone else knows how to
"dummy-down" the header authentication so that it will work through a
NAT, I'd like to know.

....kurt

 

[Ned]

This is insane. I can't believe that Microsoft can't get this to work.
My wife uses a VPN client over the same network connection that I use.
She uses VPN1 and while I am not 100% sure I would guess she uses IPSEC
because she works for a large organization that is big on security.
This is a joke. I'll just buy a vpn appliance so I can get back to
work and not have to continue playing with this mickeymouseware

 

[Kurt]

This is insane. I can't believe that Microsoft can't get this to work.
My wife uses a VPN client over the same network connection that I use.
She uses VPN1 and while I am not 100% sure I would guess she uses IPSEC
because she works for a large organization that is big on security.
This is a joke. I'll just buy a vpn appliance so I can get back to
work and not have to continue playing with this mickeymouseware

It's not Microsoft thing. It's an L2TP thing. Think about it - L2TP
requires an authentication header for both the "phase 1" and "Phase 2"
portions. This provides great security, but means that the outer layer
of encapsulation must not be tampered with. What does NAT do? It alters
the header. That's how it works. So the two would seem to be
incompatible. IPSec can be used with or without L2TP (tunnel mode vs
transport mode). Odds are your wife's VPN is not over an L2TP tunnel.
Besides L2TP requires a certificate where IPSec can use just a shared
secret. As far as Microsoft goes, their tunneling protocols work just
fine although a bit too slow for me. But if you put your hardware
tunneling device behind a NAT, it wouldn't work any better than the MS one.

....kurt

 

[Ned]

Thanks for the explanation.

It's not Microsoft thing. It's an L2TP thing. Think about it - L2TP
requires an authentication header for both the "phase 1" and "Phase 2"
portions. This provides great security, but means that the outer layer
of encapsulation must not be tampered with. What does NAT do? It alters
the header. That's how it works. So the two would seem to be
incompatible. IPSec can be used with or without L2TP (tunnel mode vs
transport mode). Odds are your wife's VPN is not over an L2TP tunnel.
Besides L2TP requires a certificate where IPSec can use just a shared
secret. As far as Microsoft goes, their tunneling protocols work just
fine although a bit too slow for me. But if you put your hardware
tunneling device behind a NAT, it wouldn't work any better than the MS one.

...kurt