
help needed with EAP


Rian

10 Jan 2002, 10:01:37
Hi,
I have this test configuration:
Win2000 / RRAS server, configured for VPN access with PPTP, authentication
both MS-CHAPv2 and EAP, also Certificate server and Active Directory.

Remote PC with User certificate.

From a remote PC I can access the server with MS-CHAPv2.
I requested with this connection a CA and a User certificate.

Now I changed authentication on the remote PC to EAP. But when trying to
connect I get this:
Verifying username and password...
...
Error 619: A connection to the remote computer could not be established.

Hopefully someone can help me.
However with


Rian

10 Jan 2002, 16:00:04
I just found there is no problem when the remote PC connects via a modem
connection.
First I tried to connect using an ADSL connection, via a router (Vigor 2200E)
which does NAT.
Can someone confirm NAT is the problem? There is no firewall in place. Are
there other factors to account for?


Thomas W Shinder [MVP]

10 Jan 2002, 18:39:45
IPSec does not like NAT.

HTH,
--
Tom
www.isaserver.org/shinder
Get the book!

<Rian> wrote in message news:uTsDLnhmBHA.1864@tkmsftngp04...

Rian

11 Jan 2002, 03:26:13
OK. I didn't know EAP is comparable with IPsec.
Thought PPTP + EAP was NAT-trouble-free.


"Thomas W Shinder [MVP]" <tshi...@hotmail.com> wrote in message
news:ehNZXAjmBHA.2156@tkmsftngp07...

Stefaan Pouseele

11 Jan 2002, 04:43:39
Hi Rian,

PPTP + EAP should work through NAT. Because PPTP works with MS-CHAPV2, we
can assume that all the necessary ports are open (tcp port 1723 and IP
protocol 47/GRE). However there is one very important issue: when using
EAP-TLS (certificates) there will be ip-fragments during the negotiation
process (certificate chains exchange). So, check that all devices in the
path allow ip-fragments through.

PS: don't forget to disable ip fragment filtering on ISA!

Hope this helps,
Stefaan


<Rian> wrote in message news:eVNQkmnmBHA.2444@tkmsftngp03...
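
The fragment check suggested in Stefaan's post above can be run on two sniffer captures, one taken on each side of the NAT device. The following is an added example, not part of the original thread: it parses raw IPv4 headers and reports, for each fragmented GRE (IP protocol 47) datagram, whether every fragment was seen. The addresses, IP IDs and packet sizes are constructed sample values, and `build` is a hypothetical helper that only fabricates test packets.

```python
import socket
import struct
from collections import defaultdict

GRE = 47  # IP protocol number that carries PPTP's tunnelled PPP frames

def parse_ipv4(pkt):
    """Extract the fragment-tracking fields from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "flow": (socket.inet_ntoa(src), socket.inet_ntoa(dst), ident),
        "proto": proto,
        "more": bool(flags_off & 0x2000),       # MF (more fragments) flag
        "offset": (flags_off & 0x1FFF) * 8,     # fragment offset in bytes
        "length": total_len - (ver_ihl & 0x0F) * 4,
    }

def gre_fragment_report(packets):
    """Map each fragmented GRE datagram to True if every fragment was seen."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] == GRE and (p["more"] or p["offset"]):
            groups[p["flow"]].append(p)
    report = {}
    for flow, frags in groups.items():
        covered, gap = 0, False
        for f in sorted(frags, key=lambda f: f["offset"]):
            gap = gap or f["offset"] > covered   # hole before this fragment
            covered = max(covered, f["offset"] + f["length"])
        # Complete only if there is no hole and the final (MF=0) piece arrived.
        report[flow] = not gap and any(not f["more"] for f in frags)
    return report

def build(ident, offset, more, payload_len, proto=GRE):
    """Constructed sample packet: IPv4 header plus zero-filled payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0, src, dst) + bytes(payload_len)

# Constructed captures on either side of a device that drops later fragments.
# IP ID 0x1A2C is an unfragmented GRE packet and is ignored by the report.
CLIENT_SIDE = [build(0x1A2B, 0, True, 1480), build(0x1A2B, 1480, False, 600),
               build(0x1A2C, 0, False, 100)]
SERVER_SIDE = [build(0x1A2B, 0, True, 1480), build(0x1A2C, 0, False, 100)]
```

Calling `gre_fragment_report` on each capture shows the datagram complete on the client side and incomplete on the server side, which points at a device in the path discarding fragments.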

Rian

11 Jan 2002, 04:55:59
Stefaan,

Thanks very much for your reply. I think I have to do some study, but now I
know where to look.
Do you know some documentation about this available on the web?

Stefaan Pouseele

11 Jan 2002, 05:44:55
Rian,

the best documentation I could find (except of course www.isaserver.org) is:

- http://www.microsoft.com/vpn

- Thaddeus Fortenberry's book about W2K virtual private networking
(http://www.amazon.com/exec/obidos/ASIN/1578702461/qid=1005941322/sr=2-2/ref=sr_2_11_2/103-5360793-3596659), highly recommended

- try it out and have a good monitor/sniffer at your disposal ;-)

Hope this helps,
Stefaan

<Rian> wrote in message news:uaZYuYomBHA.2084@tkmsftngp04...

Rian

11 Jan 2002, 10:25:32
I have bought the book. Thanks for info.

Thomas W Shinder [MVP]

11 Jan 2002, 12:27:49
Hi Stefaan,

You are correct! Actually, I recall that you did some excellent research on
the certificate fragmentation issue several months ago, with MS telling you
that packets involved with certificate exchanges get fragmented.

Thanks!


--
Tom
www.isaserver.org/shinder
Get the book!

"Stefaan Pouseele" <stefaan....@cevi.be> wrote in message
news:O1RYu0omBHA.2520@tkmsftngp05...

Stefaan Pouseele

11 Jan 2002, 17:48:23
Tom,

that's right ;-)

However, I always have trouble finding what I posted in the discussion
board. The search engine seems not to like a search on the basis of the
username of a post. Will that be fixed?

Greetings,
Stefaan

"Thomas W Shinder [MVP]" <tshi...@hotmail.com> wrote in message

news:eLiHOVsmBHA.1876@tkmsftngp03...

Thomas W Shinder [MVP]

14 Jan 2002, 12:24:55
Hi Stefaan,

Not sure how I found the post. Oh yeah, I saved it! :-) It was so good I
couldn't trust it to the Search engine :-)

Thanks!
--
Tom
www.isaserver.org/shinder
Get the book!

"Stefaan Pouseele" <stefaan....@cevi.be> wrote in message

news:OFK1$IvmBHA.2168@tkmsftngp05...
