2003 and L2TP

Thread starter: RB
Goal: To get L2TP connection to work to a VPN server sitting behind a PIX firewall.

First setup: (This was to just get a grasp of the goal and proceed from there)
- Windows 2000 Server setup with RRAS in a workgroup
- Windows 2000 Server setup as a Stand Alone Root CA
- Windows 2000 Professional as the VPN client

Actions taken:
- IPSec certificate installed on RRAS server through web based enrollment into the local machine store
- IPSec certificate exported and imported into Root Trust
- IPSec certificate installed on client through web based enrollment into the local machine store
- IPSec certificate exported and imported into Root Trust

After creating a VPN connection and running it everything worked great.

Second setup: (Using same systems)
- I upgraded the 2000 RRAS server to 2003 for NAT-T.
- As soon as I did this, the client could no longer connect. I get a "Could not negotiate encryption".

After looking over all the configs and not seeing anything, I started from scratch. I set up a new 2003 server and configured it as both RRAS and a Stand alone CA. Then I performed the same tasks I did in the first setup on both the Server and the client. This still did not work.

The ultimate use of this setup is for non-domain computers to be able to make L2TP VPN connections.
 
First of all, on your server, you should make sure that the certs are
present and valid in the machine store.

Next, you'll want to open a new mmc.exe and add the IPsec monitor. Add a
pre-shared key and restart RRAS and look for L2TP filters and policies - you
should see the preshared key and the local store certificates as valid
authentication methods. (You'll see what I mean when you click in the
snap-in.)

If the PIX is just firewalling and not NAT-ing you should see no difference.
Can you connect if you remove the PIX from the picture?
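One way to script the first check in the reply above (that the machine-store certificates are present, usable for IKE and chain to a trusted root). This is an added example, not code from the thread; it assumes a host with PowerShell (which the 2003-era systems discussed did not ship with) and the standard EKU OIDs that IKE accepts for machine authentication.

```powershell
# Added diagnostic: list Cert:\LocalMachine\My certificates usable for IKE and
# report whether each one chains to a root present in Cert:\LocalMachine\Root.

# EKU OIDs IKE accepts for machine authentication (assumption: standard values)
$ikeEkus = @('1.3.6.1.5.5.7.3.1',   # Server Authentication
             '1.3.6.1.5.5.7.3.2',   # Client Authentication
             '1.3.6.1.5.5.8.2.2')   # IP security IKE intermediate

function Test-IkeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU extension (2.5.29.37); a certificate with no EKU is valid for any purpose
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    $ekuOk  = (-not $ekuExt) -or (@($ekus | Where-Object { $ikeEkus -contains $_ }).Count -gt 0)

    # Build the chain; revocation is skipped because a lab stand-alone CA
    # usually publishes no reachable CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    # The last chain element is the self-signed root; it must be in the
    # machine Root store, which is the "imported into Root Trust" step.
    $rootTrusted = $false
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        $rootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root |
                         Where-Object { $_.Thumbprint -eq $rootThumb }).Count -gt 0
    }

    [pscustomobject]@{
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        NotAfter    = $Cert.NotAfter
        HasKey      = $Cert.HasPrivateKey     # IKE cannot sign without the private key
        IkeEku      = $ekuOk
        ChainBuilds = $chainOk
        RootTrusted = $rootTrusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IkeCertificate -Cert $_ } |
    Format-Table -AutoSize
```

A row with HasKey, IkeEku, ChainBuilds and RootTrusted all True is the state the reply asks for; run it on both the RRAS server and the client, since either side failing the check produces the same negotiation error.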
 
I was planning the same setup of a W2k VPN Server running IPsec and L2TP behind a PIX firewall. I got it to work without the PIX. The VPN server has a static IP and the PIX is configured to pass AH, ESP and ISAKMP, but still could not get the traffic to pass through the PIX.

I will try Win 2003 and PIX 6.3. I will post my results.
