NAT-T and L2TP

[David Beaven]

Using L2TP, clients connect OK in from internet to private address range on
our network. I now want to allow these clients to get out to the internet
(assume that they have default gateway through vpn).
I loaded L2TP\IPSec NAT-T update on the client with the ras server hosted on
W2003 server. I changed routing tables to pass traffic from server, and
from the internet to this server through a cisco pix firewall 506E with
release 6.3(4) running NAT (and NAT-T enabled) and which is meant to fully
support NAT-T
Get IKE security assocation negotiation failed, mode: key exchange mode
(main mode) in server event log.
Any ideas how to fix this? (or create tunnel through non NAT, somehow (?ad
users and computers, dial-in, static routes) create a route after tunnel
formation through a NAT box)
Thanks
David

 

[Bob Qin [MSFT]]

Hi David,

Thanks for your posting here.

Would you please let me know the detailed error message? Please copy the
whole event log in your post and we will do further research.

In addition, please also refer to the following article for detailed
information about L2TP/IPSec NAT-T update.

818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043

Best regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "David Beaven" <[email protected]>
Subject: NAT-T and L2TP
Date: Tue, 10 Aug 2004 17:40:57 +0100
Newsgroups: microsoft.public.win2000.ras_routing


Using L2TP, clients connect OK in from internet to private address
range on
our network. I now want to allow these clients to get out to the
internet
(assume that they have default gateway through vpn).
I loaded L2TP\IPSec NAT-T update on the client with the ras server
hosted on
W2003 server. I changed routing tables to pass traffic from server,
and
from the internet to this server through a cisco pix firewall 506E
with
release 6.3(4) running NAT (and NAT-T enabled) and which is meant to
fully
support NAT-T
Get IKE security assocation negotiation failed, mode: key exchange
mode
(main mode) in server event log.
Any ideas how to fix this? (or create tunnel through non NAT, somehow
(?ad
users and computers, dial-in, static routes) create a route after
tunnel
formation through a NAT box)
Thanks
David

 

[David Beaven]

I have already applied the update from q818043 to the w2k client
I think that this timeout means it isn't negotiating the NAT_T correctly

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 10/08/2004
Time: 17:08:40
User: NT AUTHORITY\NETWORK SERVICE
Computer: LARCH
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address [myipaddress]
Source IP Address Mask 255.255.255.255
Destination IP Address 62.252.68.136
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr [myipaddress]
IKE Peer Addr 62.252.68.136
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer IP Address: 62.252.68.136

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed first (SA) payload
Responder. Delta Time 63
0x0 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Regards
David

 

[Bob Qin [MSFT]]

Hi David,

I would like to recommend that you refer to the article of 818043 to check
the updated file version. In addition, let's confirm the following
information.

1. Does the problem occur on all the clients or just this certain computer?
2. Did you ever try on a Windows XP client?
3. Do you have ISA installed on the VPN server?
4. Did you get any problem in the system or security log of Windows 2003
Server?
5. Is your scenario like below?

<Client>---->Internet---- NAT ----><Server>
or
<Client>----> NAT ----Internet----> NAT ----> <Server>

6. Do you have to open the following ports and protocols in the NAT?

- L2TP - User Datagram Protocol (UDP) 500, UDP 1701
- NAT-T - UDP 4500
- ESP - Internet Protocol (IP) protocol 50

In addition, L2TP/IPSec NAT-T update is used to make IPSec to better
support VPN clients that are behind NAT devices. If you just want to access
the Internet from VPN clients, you can configure the clients to use the
default gateway setting on the local network for Internet traffic and a
static route on the remote network for VPN-based traffic.

Please refer to the following article for the detailed information.

You Cannot Connect to the Internet After You Connect to a VPN Server
http://support.microsoft.com/?id=317025

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "David Beaven" <[email protected]>
Subject: Re: NAT-T and L2TP
Date: Wed, 11 Aug 2004 10:33:27 +0100
Newsgroups: microsoft.public.win2000.ras_routing

I have already applied the update from q818043 to the w2k client
I think that this timeout means it isn't negotiating the NAT_T
correctly

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 10/08/2004
Time: 17:08:40
User: NT AUTHORITY\NETWORK SERVICE
Computer: LARCH
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address [myipaddress]
Source IP Address Mask 255.255.255.255
Destination IP Address 62.252.68.136
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr [myipaddress]
IKE Peer Addr 62.252.68.136
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer IP Address: 62.252.68.136

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed first (SA) payload
Responder. Delta Time 63
0x0 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Regards
David

 

[Angelo Aldrovandi]

Hi Bob!

I found this post and I have the same prb: WinXP clients can connect
L2TP on our LAN but they fail from the internet. I'm talking about the
same PCs with the same user account!

My configuration is like this:

[client with private IP] -> [NAT] -> [internet] -> [NAT/FW] ->
[server]

and/or like this:

[client with public IP] -> [internet] -> [NAT/FW] -> [server]

I'm using L2TP/IPSec since PPTP does not work through NAT. On my
firewall ("NAT/FW" in the above schema) I have opened all the needed
ports from the internet to my WS2003 "WAN" interface, as specified by
Microsoft: UDP/500, UDP/4500, ESP/IP50 and UPD/1701 (even if it's not
always said to be opened).

BTW, I have to admit I haven't understood the meaning and usage of the
"Internal interface" created by RRAS.. it has a LAN address which is
not accessible from the internet, so, can this be the problem?

I have Windows Server 2003 and XP SP1 clients. I have a CA and
everything is OK with certificates -- I wouldn't connect on the LAN
otherwise, I assume.

Nevertheless, on the server I get the following two errors (depending
on the PC that connects). The first error comes from a NATted client,
the second one from a client having a public IP address.

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address <Server LAN IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client NATted public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client NATted public IP address>
IKE Source Port 500
IKE Destination Port 6159
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer IP Address: <Client NATted public IP address>

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed second (KE) payload
Responder. Delta Time 64
0x0 0x0

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address <Firewall public IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 0
Destination Port 1701
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client public IP address>
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
.....
Peer IP Address: <public IP address>

Failure Point:
Me

Failure Reason:
No policy configured

***************************************************

What I notice is that on one case the error is in the "Main mode" IKE
negotiation, the second one on the "Quick mode".
The first one reveals the server LAN IP address, the second one
"stops" at the server's public IP address.
The first one is a "negotiation timeout" error, the second one a "no
policy configured" error (but since the same PC connects if it's
inside the LAN, I can assume the RRAS policy is correctly defined).

It's already two days I'm making experiments, reading stuff and trying
to solve this problem, but with no success! Thanx in advance for
your help, it's considered very precious!!

With my kindest regards,
* Angelo Aldrovandi

 

[Bob Qin [MSFT]]

Hi Angelo,

In RRAS, the Internal interface is for the internet clients virtual
connection. I would like to confirm the following information with you.

1. Did you have install the patch of 818043?

2. Does the problem still persists if you remove the NAT and connect the
RRAS server to the Internet?

3. Do you have ISA installed on the RRAS server or acting as NAT?

4. Is your NAT runing in NAT-T mode? I would like to recommend that you
contact manufacturer of the NAT device to verify if the NAT Transparency is
supported by this NAT device.

5. Is there any error on the Server?

Please run the MPS Reporting tool on both the client and the server to
collect the system information for further research.

1. Visit the following web page:

http://microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7
-F9C79B7306C0&displaylang=en

2. Download the file MPSRPT_SETUPPerf.EXE

3. Double-click MPSRPT_SETUPPerf.EXE to run the tool.

4. On your system a CAB file will be generated for your convenience in the
%systemroot%\MPSReports\Setup\<Report Type>\Cab directory called
%COMPUTERNAME%_MPSReports.CAB. The CAB file will contain the reports
generated by the MPS Reporting Tool. Please send the cab file to me by
email. (where %systemroot% is the Windows system folder, such as C:\Windows
or C:\Winnt)

Please send the result of MPS Reporting tool to me directly at
(e-mail address removed)

Reference:

818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043

Best regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: (e-mail address removed) (Angelo Aldrovandi)
Newsgroups: microsoft.public.win2000.ras_routing
Subject: Re: NAT-T and L2TP
Date: 18 Aug 2004 05:43:17 -0700

Hi Bob!

I found this post and I have the same prb: WinXP clients can connect
L2TP on our LAN but they fail from the internet. I'm talking about the
same PCs with the same user account!

My configuration is like this:

[client with private IP] -> [NAT] -> [internet] -> [NAT/FW] ->
[server]

and/or like this:

[client with public IP] -> [internet] -> [NAT/FW] -> [server]

I'm using L2TP/IPSec since PPTP does not work through NAT. On my
firewall ("NAT/FW" in the above schema) I have opened all the needed
ports from the internet to my WS2003 "WAN" interface, as specified by
Microsoft: UDP/500, UDP/4500, ESP/IP50 and UPD/1701 (even if it's not
always said to be opened).

BTW, I have to admit I haven't understood the meaning and usage of the
"Internal interface" created by RRAS.. it has a LAN address which is
not accessible from the internet, so, can this be the problem?

I have Windows Server 2003 and XP SP1 clients. I have a CA and
everything is OK with certificates -- I wouldn't connect on the LAN
otherwise, I assume.

Nevertheless, on the server I get the following two errors (depending
on the PC that connects). The first error comes from a NATted client,
the second one from a client having a public IP address.

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address <Server LAN IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client NATted public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client NATted public IP address>
IKE Source Port 500
IKE Destination Port 6159
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer IP Address: <Client NATted public IP address>

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed second (KE) payload
Responder. Delta Time 64
0x0 0x0

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address <Firewall public IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 0
Destination Port 1701
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client public IP address>
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
....
Peer IP Address: <public IP address>

Failure Point:
Me

Failure Reason:
No policy configured

***************************************************

What I notice is that on one case the error is in the "Main mode" IKE
negotiation, the second one on the "Quick mode".
The first one reveals the server LAN IP address, the second one
"stops" at the server's public IP address.
The first one is a "negotiation timeout" error, the second one a "no
policy configured" error (but since the same PC connects if it's
inside the LAN, I can assume the RRAS policy is correctly defined).

It's already two days I'm making experiments, reading stuff and trying
to solve this problem, but with no success! Thanx in advance for
your help, it's considered very precious!!

With my kindest regards,
* Angelo Aldrovandi