NAT-T question...

  • Thread starter: John Smith

John Smith

I have RAS up and running on a Win2003 server, and have L2TP and IPsec
running with certificates. I have tested this directly and can connect. I am
now trying to connect over NAT-T from an XP SP2 client and it's not working;
here is what I've done.

I have tried connecting from both of the below:

[client with public IP] -> [internet] -> [NAT/FW] -> [server]
[client with private IP] -> [NAT] -> [internet] -> [NAT/FW] -> [server]

I have also checked my firewall and all ports needed are open, and I see
traffic going to and from the IP of the client on ports 500 and 4500.
Everything seems right, but after about 40 sec of the client connecting I get
an error of "Error 678: The remote computer did not respond". Does anyone have
any ideas on how I troubleshoot it further?



Thanks
 
That deployment is no longer recommended by MS; in order to make it work
you'll need to check the following KB:

885407 The default behavior of IPSec NAT traversal (NAT-T) is changed in
Windows XP Service Pack 2

This will tell you what the regkey is that you'll need to add to your XP box
in order to initiate to a server that is behind a NAT.
I hope this helps
JC
 
Hmm, very interesting that this is no longer recommended... but for now I
still need to do it.

I made the reg change and rebooted, and now when I try to connect, very
quickly it says "Error 651: The modem (or other connecting device) has
reported an error".

Is there a way to find what this error is? I looked in the event log and other
places but couldn't see anything. Everything is happening much faster now;
the error comes up in a few seconds. I can also see UDP 500 and 4500
packets going both ways at the firewall. Right now it is 5 UDP 500 ISAKMP
packets followed by 6 UDP 4500 ESP packets and 2 more on 500 every time I try
to connect.

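A small triage script for the 500/4500 packet pattern described in the post above, added here as an example (it is not code from the thread or from Microsoft). It reads a constructed, simplified capture summary (time src:port -> dst:port proto; the addresses, the line format and the `CLIENT` name are assumptions) and names the stage at which an IKEv1 NAT-T negotiation stalled: ISAKMP on UDP 500, the float to 4500 once NAT is detected, then UDP-encapsulated ESP on 4500 in both directions.

```python
import re
from collections import Counter

# Constructed capture summary (time src:port -> dst:port proto) reproducing the
# pattern reported above: 5 ISAKMP on 500, 6 packets on 4500, then 2 more on 500.
CLIENT = "203.0.113.10"   # assumed: the client's address as seen at the firewall
SAMPLE = """\
0.00 203.0.113.10:500 -> 198.51.100.5:500 ISAKMP
0.01 198.51.100.5:500 -> 203.0.113.10:500 ISAKMP
0.02 203.0.113.10:500 -> 198.51.100.5:500 ISAKMP
0.03 198.51.100.5:500 -> 203.0.113.10:500 ISAKMP
0.04 203.0.113.10:500 -> 198.51.100.5:500 ISAKMP
0.05 203.0.113.10:4500 -> 198.51.100.5:4500 ISAKMP
0.06 198.51.100.5:4500 -> 203.0.113.10:4500 ISAKMP
0.07 203.0.113.10:4500 -> 198.51.100.5:4500 ISAKMP
0.08 203.0.113.10:4500 -> 198.51.100.5:4500 ESP
0.09 203.0.113.10:4500 -> 198.51.100.5:4500 ESP
0.10 203.0.113.10:4500 -> 198.51.100.5:4500 ESP
2.00 203.0.113.10:500 -> 198.51.100.5:500 ISAKMP
2.01 198.51.100.5:500 -> 203.0.113.10:500 ISAKMP
"""
LINE_RE = re.compile(r"^\s*([\d.]+)\s+([\d.]+):\d+\s*->\s*[\d.]+:(\d+)\s+(ISAKMP|ESP)\s*$")

def parse(summary):
    """(time, src, dst_port, proto) for each line that matches; other lines are ignored."""
    ms = (LINE_RE.match(line) for line in summary.splitlines())
    return [(float(m[1]), m[2], int(m[3]), m[4]) for m in ms if m]

def triage(summary, client):
    """Count packets by direction/port/protocol and name the stage where the attempt stalls."""
    pkts = parse(summary)
    c = Counter((src == client, port, proto) for _, src, port, proto in pkts)
    floated = next((t for t, _, port, _ in pkts if port == 4500), None)  # first 4500 packet
    r = {
        "isakmp_500_server": c[(False, 500, "ISAKMP")],
        "isakmp_4500_server": c[(False, 4500, "ISAKMP")],
        "esp_4500_client": c[(True, 4500, "ESP")],
        "esp_4500_server": c[(False, 4500, "ESP")],
        "floated_to_4500": floated is not None,
        # ISAKMP back on 500 after the float: the client gave up on that SA and started over
        "restarted_on_500": floated is not None and any(p == 500 and t > floated for t, _, p, _ in pkts),
    }
    checks = [  # first matching condition is the earliest stage at which the exchange stalled
        (r["isakmp_500_server"] == 0, "no IKE reply on UDP 500: server unreachable or 500 not forwarded"),
        (not r["floated_to_4500"], "IKE never moved to 4500: NAT not detected, NAT-T not negotiated"),
        (r["isakmp_4500_server"] == 0, "no IKE reply on UDP 4500: 4500 blocked or not forwarded"),
        (r["esp_4500_server"] == 0, "ESP sent on 4500 but none returned: check the 4500 return path"),
    ]
    r["verdict"] = next((msg for hit, msg in checks if hit), "ESP flows both ways: IPsec is up, fault is in L2TP/PPP")
    return r
```

Feeding it a real summary means reducing the capture to those five fields first; the sample here only mirrors the counts the post reports, not an actual trace.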
 
This error sounds related to the hardware; what is the modem brand and model
you are using to VPN?
Thanks
JC

 
It's just a network card... I have a VPN server with 2 network cards, one
connected to the DMZ, which has ports 500 and 4500 forwarded to it. If I
hook up the client computer to the DMZ on the same subnet as the VPN NIC
I can connect, but not via NAT-T, just normal L2TP/IPsec; if I take the
client to the internet and connect through NAT-T I get this error.


 
So does anyone have any insight into what may be going on? I've been trying to
get this working for a long time... I was having general IPsec problems at
first but got all those worked out, as I can connect fine on the local
network via IPsec using ports 500 and 1701, but as soon as I start trying
NAT-T it gives the below error...

 