Carlos Jones
Hello all,
I am trying to enable VPN connections to a W2K3 domain for employees,
here are the facts:
- Windows Server 2003 Standard Edition (DC, DNS Server, RRAS)
- 2Wire 1701HG Gateway for internet access with static IP (Routing
disabled)
- 3Com OfficeConnect VPN Firewall (DHCP, VPN Server)
- Windows XP Pro clients with no additional VPN software.
I am able to connect via PPTP but with poor performance, when I change
the protocol to L2TP/IPSec with preshared key I get an error, the following
is from the firewall log:
Mar 8 10:57:57 localhost kernel: IKE: IKE -- MainMode -- responder received message1 from 148.221.140.224, port 500->500.
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Proposal 1 -- protocol PROTO_ISAKMP, with 5 transforms
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 1 -- KEY_IKE, index = 1
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_2048
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeDuration -- 28800
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 2 -- KEY_IKE, index = 2
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeDuration -- 28800
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 3 -- KEY_IKE, index = 3
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- MD5_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeDuration -- 28800
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 4 -- KEY_IKE, index = 4
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- DES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_768
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeDuration -- 28800
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 5 -- KEY_IKE, index = 5
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- DES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- MD5_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_768
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Mar 8 10:57:57 localhost kernel: IKE: IKE -- LifeDuration -- 28800
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Peer supports NAT-T, on draft 2
Mar 8 10:57:57 localhost kernel: IKE: IKE --PHASE1_STARTED_BY_PEER -- peer 148.221.140.224
Mar 8 10:57:57 localhost kernel: IKE: IKE -- MainMode -- responder sent out response message1 to 148.221.140.224, port 500->500.
Mar 8 10:57:58 localhost kernel: IKE: IKE -- MainMode -- responder received message2 from 148.221.140.224, port 500->500.
Mar 8 10:57:58 localhost kernel: IKE: IKE -- Peer IP seen: 148.221.140.224
Mar 8 10:57:58 localhost kernel: IKE: IKE -- Local IP: 201.155.x.y (here goes my static IP, I purposely changed it to submit it here)
Mar 8 10:57:58 localhost kernel: IKE: IKE -- MainMode -- responder sent out response message2 to 148.221.140.224, port 500->500.
Mar 8 10:57:58 localhost kernel: IKE: IKE -- MainMode -- responder received message3 from 148.221.140.224, port 500->500.
Mar 8 10:57:58 localhost kernel: IKE: IKE --INVALID_PAYLOAD_LENGTH (0x2004) -- peer 148.221.140.224
Mar 8 10:58:37 localhost kernel: IKE: IKE --PHASE1_NEGOTIATION_ABORT -- peer 148.221.140.224
Mar 8 10:59:02 localhost kernel: IKE: IKE --INVALID_COOKIE (0x4) -- peer 148.221.140.224
I really appreciate your help.
Thank you in advance.
Carlos Jones.
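
One way to triage a log like the one in the post above, added here as an example and not part of the original post: it rejoins entries that were wrapped onto a second line, groups the offered Phase 1 transforms, and records which Main Mode message had been received when an error code was logged. The function names, the set of algorithms flagged as weak and the sample lines are assumptions of this example.

```python
import re
# Constructed sample in the firewall log's format, wraps included (192.0.2.10 is a documentation address).
SAMPLE = """\
Mar 8 10:57:57 localhost kernel: IKE: IKE -- MainMode -- responder received
message1 from 192.0.2.10, port 500->500.
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 1 -- KEY_IKE, index =
1
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Transform 2 -- KEY_IKE, index =
2
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Encryption -- DES_CBC
Mar 8 10:57:57 localhost kernel: IKE: IKE -- Hash -- MD5_HASH
Mar 8 10:57:57 localhost kernel: IKE: IKE -- GroupDescription -- MODP_768
Mar 8 10:57:58 localhost kernel: IKE: IKE -- MainMode -- responder received
message3 from 192.0.2.10, port 500->500.
Mar 8 10:57:58 localhost kernel: IKE: IKE --INVALID_PAYLOAD_LENGTH
(0x2004) -- peer 192.0.2.10
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
WEAK = {"DES_CBC", "MD5_HASH", "MODP_768"}  # this example's policy, not the firewall's

def unwrap(text):
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:  # no timestamp: continuation of a wrapped entry
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return (offered transforms, last Main Mode message received, coded errors)."""
    transforms, last_msg, errors = [], None, []
    for entry in unwrap(text):
        body = entry.split("IKE: IKE", 1)[-1].lstrip(" -")
        if m := re.match(r"Transform (\d+) --", body):
            transforms.append({"index": int(m.group(1)), "weak": []})
        elif (m := re.match(r"(Encryption|Hash|GroupDescription) -- (\S+)", body)) and transforms:
            transforms[-1][m.group(1)] = m.group(2)
            if m.group(2) in WEAK:
                transforms[-1]["weak"].append(m.group(2))
        elif m := re.search(r"responder received message(\d+)", body):
            last_msg = int(m.group(1))
        elif m := re.match(r"([A-Z0-9_]+) \((0x[0-9a-fA-F]+)\)", body):
            errors.append((m.group(1), m.group(2), last_msg))  # error, code, message in flight
    return transforms, last_msg, errors
```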