XP SP2, NAT-T & L2TP/IPSEC.

Graeme Stow

Can I just get this straight...

I've configured remote client connections to a W2K server (using L2TP and
certificates). It works fine if the client has a public IP address, but when
the client is NATed I get "Error 789: The L2TP connection attempt failed
because the security layer encountered a processing error during initial
negotiations with the remote computer."

According to this: http://support.microsoft.com/default.aspx?kbid=818043

under "Supported scenarios using IPsec NAT-T", it states that Win2K will not
work; my feeling is that it was NAT-T that was the issue...

So is it true this can't work as long as the client is behind a NATing
device (obviously unless I upgrade the server to 2K3)?



Kind regards,

Graeme.
 
David Beder [MSFT]

That particular article seems to be confused. I've requested a review of the
text to clear things up, but don't know when that will happen.

The intent of the text should be that the update should be applied to
clients that are behind a NAT. Win2k servers behind a NAT are not supported.
 
Graeme Stow

David Beder said:
That particular article seems to be confused. I've requested a review of
the text to clear things up, but don't know when that will happen.

The intent of the text should be that the update should be applied to
clients that are behind a nat. Win2k servers behind a nat are not
supported.

Confused even more now...

My server has a public NIC accepting requests from roaming clients, but
currently the clients can only connect if there is no NAT in the way! My
understanding is that I have to upgrade to W2K3 for those clients to work!!
Is this the case?

Client -> NAT router -> Internet -> Server -> Private Network ------- NOT
WORKING

Same client machine [tested by connecting directly to router on Internet]:

Client -> Internet -> Server -> Private Network --------- Same computer
WORKING

Regards,

Graeme.
 
Doug Sherman [MVP]

Hmmm.

http://support.microsoft.com/default.aspx?kbid=818043 seems to conflict
with:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325034

"With the IPSec NAT-T support in the Microsoft L2TP/IPSec VPN client, IPSec
sessions can go through a NAT when the VPN server also supports IPSec NAT-T.
IPSec NAT-T is supported by Windows Server 2003. IPSec NAT-T is also
supported by Windows 2000 Server with the L2TP/IPSec NAT-T update for
Windows XP and for Windows 2000."

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Graeme Stow said:
Confused even more now...

My server has a public NIC accepting requests from roaming clients, but
currently the clients can only connect if there is no NAT in the way! My
understanding is that I have to upgrade to W2K3 for those clients to work!!
Is this the case?

Client -> NAT router -> Internet -> Server -> Private Network ------- NOT
WORKING

Same client machine [tested by connecting directly to router on Internet]:

Client -> Internet -> Server -> Private Network --------- Same computer
WORKING

Regards,

Graeme.
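An added way to tell the three situations in this thread apart from a packet log, as example code that is not from the thread or from Microsoft. It assumes a line-per-packet log in a constructed format and applies the NAT-T behaviour the KB articles describe: IKE starts on UDP 500, both peers move to UDP 4500 once a NAT is detected, and without NAT-T the ESP traffic travels as IP protocol 50, which a NAT device generally cannot map back to the client.

```python
import re
from collections import defaultdict
# Constructed log format (no real product's): "<proto> <src>[:<port>] -> <dst>[:<port>]"
LINE = re.compile(r"^(?P<proto>UDP|ESP) (?P<src>[\d.]+)(?::(?P<sp>\d+))? -> "
                  r"(?P<dst>[\d.]+)(?::(?P<dp>\d+))?$")

def classify(lines, server):
    """Return {peer_ip: verdict} for every peer that exchanged IPsec traffic with server."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue
        if m["dst"] == server:          # client (or its NAT device) -> server
            peer, direction = m["src"], "c2s"
        elif m["src"] == server:        # server -> client
            peer, direction = m["dst"], "s2c"
        else:
            continue
        if m["proto"] == "ESP":                   # ESP as IP protocol 50: no UDP encapsulation
            seen[peer].add(("esp", direction))
        elif "500" in (m["sp"], m["dp"]):         # IKE main mode always starts on UDP 500
            seen[peer].add(("ike500", direction))
        elif "4500" in (m["sp"], m["dp"]):        # NAT-T: IKE and ESP both move to UDP 4500
            seen[peer].add(("udp4500", direction))
    verdicts = {}
    for peer, ev in seen.items():
        if {("udp4500", "c2s"), ("udp4500", "s2c")} <= ev:
            verdicts[peer] = "nat-t negotiated: both peers moved to UDP 4500"
        elif {("esp", "c2s"), ("esp", "s2c")} <= ev:
            verdicts[peer] = "plain IPsec: ESP as IP protocol 50, no NAT in the path"
        elif ("ike500", "s2c") in ev:
            verdicts[peer] = ("IKE on UDP 500 only, nothing followed: the Error 789 "
                              "pattern for a NATed client and a server without NAT-T")
        else:
            verdicts[peer] = "no server reply on UDP 500: blocked or not listening"
    return verdicts

SAMPLE = [  # constructed sample: three peers talking to VPN server 198.51.100.5
    "UDP 203.0.113.10:500 -> 198.51.100.5:500",   # .10: NAT-T on both ends
    "UDP 198.51.100.5:500 -> 203.0.113.10:500",
    "UDP 203.0.113.10:4500 -> 198.51.100.5:4500",
    "UDP 198.51.100.5:4500 -> 203.0.113.10:4500",
    "UDP 203.0.113.20:500 -> 198.51.100.5:500",   # .20: public IP, plain ESP works
    "UDP 198.51.100.5:500 -> 203.0.113.20:500",
    "ESP 203.0.113.20 -> 198.51.100.5",
    "ESP 198.51.100.5 -> 203.0.113.20",
    "UDP 203.0.113.30:500 -> 198.51.100.5:500",   # .30: NATed, server lacks NAT-T
    "UDP 198.51.100.5:500 -> 203.0.113.30:500",
]
```

A peer whose source port on UDP 500 or 4500 has been rewritten by its NAT device is still classified, since only the server-side port is checked.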
 
Bob I

I don't follow your "conflict assessment", as the two articles apply to
different eras of operating systems.
Doug Sherman said:
Hmmm.

http://support.microsoft.com/default.aspx?kbid=818043 seems to conflict
with:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325034

"With the IPSec NAT-T support in the Microsoft L2TP/IPSec VPN client, IPSec
sessions can go through a NAT when the VPN server also supports IPSec NAT-T.
IPSec NAT-T is supported by Windows Server 2003. IPSec NAT-T is also
supported by Windows 2000 Server with the L2TP/IPSec NAT-T update for
Windows XP and for Windows 2000."

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 
Doug Sherman [MVP]

Well, one says that if the NAT-T enabled VPN client is behind a NAT device,
the VPN server must be Windows Server 2003 and cannot be Windows 2000
Server; and the other says that the server can be either Windows Server 2003
or Windows 2000 Server.

Doug Sherman
MCSE, MCSA, MCP+I, MVP


Bob I said:
I don't follow your "conflict assessment", as the two articles apply to
different eras of operating systems.
 
Bob I

I believe this statement explains why the difference:

"Note: If you apply update 818043 to a Windows 2000-based server that is
using Routing and Remote Access, the server cannot function as an
L2TP/IPsec server in this scenario."
Doug Sherman said:
Well, one says that if the NAT-T enabled VPN client is behind a NAT device,
the VPN server must be Windows Server 2003 and cannot be Windows 2000
Server; and the other says that the server can be either Windows Server 2003
or Windows 2000 Server.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 
Graeme Stow

<<<Snipped>>>
Bob I said:
I believe this statement explains why the difference:

"Note: If you apply update 818043 to a Windows 2000-based server that is
using Routing and Remote Access, the server cannot function as an
L2TP/IPsec server in this scenario."


Cheers Doug & Bob for your replies!

In response: what other scenario can I engage if the server is the private
network's gateway onto the Internet?

Can my Win2k box be the gateway [from private to public networks] and exist
as a VPN endpoint [with L2TP/IPsec] without using RRAS?

Kind regards,
Graeme Stow.
 
