L2TP + NAT-T

Thread starter: Angelo Aldrovandi

Hi all!

I have the following problem: my WinXP clients can
connect via L2TP on our LAN, but they fail from the internet.
I'm talking about the same PCs with the same user account!

My configuration is like this:

[client with private IP] -> [NAT] -> [internet] ->
[NAT/FW] -> [server]

and/or like this:

[client with public IP] -> [internet] -> [NAT/FW] ->
[server]

I'm using L2TP/IPSec since PPTP does not work through NAT.
On my firewall ("NAT/FW" in the above schema) I have
opened all the needed ports from the internet to my
WS2003 "WAN" interface, as specified by Microsoft:
UDP/500, UDP/4500, ESP/IP50 and UDP/1701 (even if it is not
always listed as needing to be opened).

BTW, I have to admit I haven't understood the meaning and
usage of the "Internal interface" created by RRAS. It has
a LAN address which is not accessible from the internet,
so, can this be the problem?

I have Windows Server 2003 and XP SP1 clients. I have a CA
and everything is OK with certificates -- I wouldn't
connect on the LAN otherwise, I assume.

Nevertheless, on the server I get the following two errors
(depending on the PC that connects). The first error comes
from a NATted client, the second one from a client having
a public IP address.

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address <Server LAN IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client NATted public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client NATted public IP address>
IKE Source Port 500
IKE Destination Port 6159
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer IP Address: <Client NATted public IP address>

Failure Point:
Me

Failure Reason:
Negotiation timed out

Extra Status:
Processed second (KE) payload
Responder. Delta Time 64
0x0 0x0

***************************************************

EVENT LOG ID 547
----------------
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address <Firewall public IP address>
Source IP Address Mask 255.255.255.255
Destination IP Address <Client public IP address>
Destination IP Address Mask 255.255.255.255
Protocol 17
Source Port 0
Destination Port 1701
IKE Local Addr <Server LAN IP address>
IKE Peer Addr <Client public IP address>
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
......
Peer IP Address: <public IP address>

Failure Point:
Me

Failure Reason:
No policy configured

***************************************************

What I notice is that in one case the error is in
the "Main mode" IKE negotiation, and in the second one in
the "Quick mode". The first one reveals the server LAN IP
address, the second one "stops" at the server's public IP
address. The first one is a "negotiation timeout" error,
the second one a "no policy configured" error (but since
the same PC connects if it's inside the LAN, I can assume
the RRAS policy is correctly defined).

I have been experimenting, reading and trying to solve
this problem for two days now, with no success! :( Thanks
in advance for your help; it is very much appreciated!!

With my kindest regards,
* Angelo Aldrovandi
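The two Event ID 547 records above carry the clue that resolves the thread. As an added example that is not part of the original post, the Python below parses that event text, tags each record with the NAT it points to (the peer's IKE port translated away from 500 in the Main Mode timeout; an L2TP selector for the firewall's public address in the Quick Mode "No policy configured"), and shows the RFC 3947 NAT-D hash comparison that IKE uses to detect a NAT, which is why a translated source port matters. The sample addresses and cookies, and the reading of the two records as client-side and server-side NAT, are assumptions made for the example; the trimmed event texts are the ones from the post with the placeholders filled in.

```python
"""Read Windows 'IKE security association negotiation failed' (Event ID 547)
text for signs of a NAT in the path, and show the RFC 3947 NAT-D check IKE
uses to detect a NAT during Main Mode.  Added example, not code from the
thread; event texts are the post's, trimmed, with constructed addresses."""
import hashlib
import re
import socket
import struct

MAIN_MODE_EVENT = """\
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 192.168.10.5
Destination IP Address 203.0.113.77
Protocol 0
Destination Port 0
IKE Local Addr 192.168.10.5
IKE Peer Addr 203.0.113.77
IKE Destination Port 6159
Failure Reason:
Negotiation timed out
"""

QUICK_MODE_EVENT = """\
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)
Filter:
Source IP Address 198.51.100.1
Destination IP Address 203.0.113.9
Protocol 17
Destination Port 1701
IKE Local Addr 192.168.10.5
IKE Peer Addr 203.0.113.9
IKE Destination Port 500
Failure Reason:
No policy configured
"""

_FIELDS = {
    "mode": r"^Mode:\n(.+)$",
    "reason": r"^Failure Reason:\n(.+)$",
    "filter_src": r"^Source IP Address (\S+)$",
    "protocol": r"^Protocol (\d+)$",
    "filter_dst_port": r"^Destination Port (\d+)$",
    "ike_local": r"^IKE Local Addr (\S+)$",
    "ike_dst_port": r"^IKE Destination Port (\d+)$",
}

def parse_event(text):
    """Pull the fields the diagnosis needs out of the event text."""
    ev = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text, re.M)
        ev[key] = m.group(1).strip() if m else None
    for key in ("protocol", "filter_dst_port", "ike_dst_port"):
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev

def classify(ev):
    """Return (tag, explanation); the two signatures are the ones the
    thread ends up resolving: NAT in front of the client, NAT in front
    of the server.  The reading is this example's assumption."""
    if ("Main Mode" in (ev["mode"] or "") and ev["reason"] == "Negotiation timed out"
            and ev["ike_dst_port"] not in (500, 4500)):
        return ("CLIENT_BEHIND_NAT",
                "peer IKE port %d is not 500, so a NAT rewrote it, and the switch "
                "to UDP/4500 never completed: check client NAT-T support and "
                "UDP/4500" % ev["ike_dst_port"])
    if ("Quick Mode" in (ev["mode"] or "") and ev["reason"] == "No policy configured"
            and ev["protocol"] == 17 and ev["filter_dst_port"] == 1701
            and ev["filter_src"] != ev["ike_local"]):
        return ("SERVER_BEHIND_NAT",
                "L2TP selector names %s but the server's IKE address is %s: the "
                "server is behind a NAT, so only a NAT-T (UDP-ESP) policy can "
                "match" % (ev["filter_src"], ev["ike_local"]))
    return ("UNCLASSIFIED", "no NAT signature recognised")

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port),
    address and port in network byte order, using the negotiated hash."""
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()

def nat_between(cky_i, cky_r, sender_ip, sender_port, seen_ip, seen_port):
    """True when the hash the sender computed over its own address/port
    differs from the one the receiver computes over the source it actually
    saw, which is how IKE concludes a NAT translated the packet."""
    return (nat_d_hash(cky_i, cky_r, sender_ip, sender_port)
            != nat_d_hash(cky_i, cky_r, seen_ip, seen_port))

if __name__ == "__main__":
    for text in (MAIN_MODE_EVENT, QUICK_MODE_EVENT):
        print(*classify(parse_event(text)))
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))   # constructed cookies
    print("NAT:", nat_between(cky_i, cky_r, "10.0.0.12", 500, "203.0.113.77", 6159))
```

The first record is what a port-translating NAT in front of the client looks like to the responder; the second is the server's own NAT showing up in the Quick Mode selector, which is the case David's reply and the follow-up identify as needing the NAT-T update even for a client with a public address.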
 
Please verify that the WinXP client has the IPsec NAT-T update available
from Windows Update. The update is packaged with SP2, but SP1 clients need to
get it as a separate package.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


Once you get it figured out for WinXP SP1, it will stop working when
SP2 gets installed. So here's some advance info to remember for when
you do that upgrade.


The fix to this problem is discussed here
http://zdnet.com.com/2100-1105-5321783.html

Basically, Microsoft considers L2TP/IPSEC via NAT insecure. So
they've added a key and made it default to killing the functionality
of the SP1 NAT-T patch. And they don't give you any place to modify
this key value. So you have to import it by hand. And you MUST
reboot after installing this key.

Here's the regedit patch.
-------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
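For the registry value in the .reg file above, here is an added example in Python (not from the thread, and not Microsoft's code) that works out which AssumeUDPEncapsulationContextOnSendRule value a given topology needs, reads the current value on a Windows host, and emits the equivalent .reg text. The meanings it encodes are Microsoft's documented ones for this value: 0 (also the behaviour when the value is absent) does not allow a server behind NAT, 1 allows a server behind NAT, 2 allows both client and server behind NAT; that the values are cumulative is an assumption of this example, as are the function names and sample topologies.

```python
"""Which AssumeUDPEncapsulationContextOnSendRule value does an L2TP/IPsec
client need?  Added example, not from the thread.  Value meanings are the
documented ones (0: no server behind NAT, 1: server behind NAT, 2: both
client and server behind NAT); treating them as cumulative is assumed."""
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Services\IPSec"
VALUE_NAME = "AssumeUDPEncapsulationContextOnSendRule"

def required_rule(client_behind_nat, server_behind_nat):
    """Smallest value that lets this topology negotiate NAT-T."""
    if server_behind_nat and client_behind_nat:
        return 2
    if server_behind_nat:
        return 1
    return 0

def rule_allows(value, client_behind_nat, server_behind_nat):
    """True if the configured value (None = absent = 0) permits the topology."""
    return (value or 0) >= required_rule(client_behind_nat, server_behind_nat)

def read_rule():
    """Current DWORD from HKLM, or None when absent or not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None

def reg_file(value):
    """Text of a .reg file that sets the value; a reboot is still needed."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\%s]\r\n"
            "\"%s\"=dword:%08x\r\n" % (KEY_PATH, VALUE_NAME, value))

def check(client_behind_nat, server_behind_nat):
    """Compare the host's current value with what the topology needs."""
    current = read_rule()
    needed = required_rule(client_behind_nat, server_behind_nat)
    return {"current": current, "needed": needed,
            "ok": rule_allows(current, client_behind_nat, server_behind_nat)}

if __name__ == "__main__":
    # The thread's two cases: server behind the NAT/FW in both.
    print("public client :", check(client_behind_nat=False, server_behind_nat=True))
    print("NATted client :", check(client_behind_nat=True, server_behind_nat=True))
    print(reg_file(2))
```

In the thread's two scenarios the server sits behind the NAT/FW in both, so the client with a public address needs at least 1 and the client behind its own NAT needs 2, which is why the .reg file uses 2.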
 
"I'm using L2TP/IPSec since PPTP does not work through NAT. "

Technically, neither does L2TP. The problem with any VPN technology is that
the encryption encrypts the packet, at which point the router (or whatever is
providing the NAT'ing for you) can't alter the packet (changing the
address/port information) without invalidating the cryptographic checksum.

There are workarounds for this, but they tend to be vendor specific.
Microsoft provides basic VPN connectivity in Windows 2000/XP, and you can
configure it to use either PPTP or L2TP and they're NAT'able. The Cisco
client also works if you're connecting to a cisco VPN concentrator. It all
depends on what your company is running. I do this going from home to work
with no problems whatsoever using PPTP, have been for months while running
SP2 RC1 & RC2 and now final. YMMV.



I might add that PPTP does in fact work through most NAT devices
(including W2k RRAS/NAT).

Thanks, David!

I thought the NAT-T update was automatic, and in fact it was not: even if
the client had a public IP, the VPN server was behind NAT, so this update was
necessary!

I'm looking forward to testing it at home, with a NATted IP client.

Thanks very much again; my "frustration" has ended with your support!! :-)
 
Thanks, mate! SP2 is not yet available in Italian, so I haven't
experienced this problem yet. I've saved the .reg file and I will apply it
as soon as SP2-ITA is out!

Thanks again!! :-)
 