L2TP/IPsec, Win98SE, NAT-T, Win2k3 failure after a firewall

O

ocheung

I setup
1) a Windows 2003 Server as a DC and DNS.
2) a Windows 2003 Server as a VPN server (member server).
The VPN server also as certificate server included with Win2k3.
3) a XP client with patch(818043) from microsoft.
4) a Windows 98 client with "Windows 98 SE DUN v1.4","ie6"
and "Windows 98 L2TP/IPSec client v1.0"

Everything works fine, WinXP and Win98SE machines can connect without
any problems.

But when I put a checkpoint 4.1 firewall in between the vpn server and
the clients.
(For the firewall rules, any<=>any,any,accept.
same as for the interfaces' rule.)

Result: XP works on both l2tp and pptp,
Win98SE fail on L2tp(error 629) but works on pptp.

Can someone help ? I need the win98se connect via l2tp!

Here is the isakmp.log from the Win98SE computer:
5-25: 15:27:41.430
5-25: 15:27:41.430 Microsoft IPsec VPN\L2TP/IPsec - Generic entry
match with remote address 68.166.96.198.
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE
Phase 2 with Client IDs (message id: E0AAF7F1)
5-25: 15:27:42.590 Initiator = IP ADDR=68.166.96.214, prot = 17
port = 1701
5-25: 15:27:42.590 Responder = IP ADDR=68.166.96.198, prot = 17
port = 1701
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>>
ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Local ID
Received from NAT Peer: IP ADDR=68.166.96.214 (prot = 17, port = 1701)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID
Received from NAT Peer: DOMAIN=vpn.domain.www.test.com (prot = 17,
port = 1701)
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Indeterminate
remote internal address.
5-25: 15:27:42.590 Microsoft IPsec VPN\L2TP/IPsec - Error validating
Proxy IDs.
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:43.470 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:45.440 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:49.450 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:54.450 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
30AB1649)
5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:27:57.470 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<<
ISAKMP OAK QM *(HASH, )
5-25: 15:28:13.460 Microsoft IPsec VPN\L2TP/IPsec - Received
malformed message or negotiation no longer active (message id:
E0AAF7F1)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top