
IPSEC VPN over NAT


Craig Box

Mar 20, 2003, 9:54:19 PM
Got IPSEC working today.

Connecting to a VPN from inside my network works fine.

The VPN server is behind NAPT on a DSL router and NAT on a masquerading
firewall. I've opened up protocol 50, UDP port 500 and even experimented
with L2TP port 1701/UDP, even though it seems it should all be handled by
ESP over protocol 50.

Now my belief is that this should be possible

When I try and connect from outside the network, I get DUN error 791: The L2TP
connection attempt failed because security policy for the connection was not
found.

I assume this means traffic is stopping at the router or firewall because
there is nothing logged on the VPN server (running Win2k Server.)

Short of upgrading to Windows Server 2003, which seems to support the new
NAT'able IPSEC implementation, is there a solution?

Cheers
Craig


Bill Grant

Mar 20, 2003, 10:48:02 PM
Upgrading to Windows 2003 won't help you if the problem is at the
firewall/router. And the problem may well be at the client end. Is the
client behind a NAT router?

"Craig Box" <cr...@munged-email-address.itpartners.co.nz> wrote in message
news:uNbytU17...@TK2MSFTNGP11.phx.gbl...

Oliver Saal [MS]

Mar 21, 2003, 8:22:47 PM
Currently, MS will be releasing a NAT update for L2TP/IPSEC. The provisional
expected schedule for RTM is April 2003. You may also be interested in the
following page if you want to support downlevel clients using L2TP/IPSEC:

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

--
Oliver
This posting is provided "AS IS", with NO warranties and confers NO rights


"Bill Grant" <bill_...@bigpond.com> wrote in message
news:#mC59L27...@TK2MSFTNGP10.phx.gbl...

Ray

Mar 24, 2003, 4:00:44 PM
Hi Oliver,

Is NAT traversal only going to be in Windows 2003 server or will it be made
available for earlier server versions as well?

Thanks,

Ray

"Oliver Saal [MS]" <oliv...@online.microsoft.com> wrote in message
news:#MujNGB8...@TK2MSFTNGP11.phx.gbl...

Dusty Harper {MS}

Mar 24, 2003, 7:26:46 PM
Plans are to release it for Server 2003 and then include it in a Service
Pack at a later date (SP5?) or as an add-in.

--
Dusty Harper
Microsoft Corporation
This posting is provided "AS IS", with NO warranties and confers NO rights

"Ray" <repl...@newsgroup.only> wrote in message
news:OSVbzhk8...@TK2MSFTNGP10.phx.gbl...

BobS

Jun 5, 2003, 5:04:53 PM
I would like to know the answer to that question myself. Does anyone know
the answer to this question, or are we going to go round and round about NAT-T
again?

The question is why can't an external L2TP/IPSEC client create an L2TP/IPSEC
connection through an external firewall (Linksys for example) to the
internal VPN server on a back-to-back DMZ when PPTP works fine, IPSEC
pass-through is enabled, and port filters are enabled (1701, 500) on the
external firewall?

"Craig Box" <cr...@munged-email-address.itpartners.co.nz> wrote in message
news:uNbytU17...@TK2MSFTNGP11.phx.gbl...

Ray

Jun 5, 2003, 8:34:41 PM
As far as PPTP goes, it's a different animal. PPTP does not care if
anything, like NAT, tampers with the message packets. IPSec does care as a
method of assuring that a packet has not been maliciously modified. Other
vendors use a technique where they encapsulate the IPSec traffic in UDP, so
the UDP gets its packet tampered with, but the underlying IPSec packet is
untouched when it is finally decrypted.

As for Linksys, I understand their latest firmware fixes some IPSec
problems.

Ray

"BobS" <bo...@itproscorp.com> wrote in message
news:uWLGeY6K...@tk2msftngp13.phx.gbl...
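Ray's explanation above can be made concrete with a small model. The following is an added illustration, not code from the thread or from any Microsoft or vendor implementation: it builds a toy AH-style packet whose integrity check covers the IP addresses, runs it through a simulated NAT that rewrites the source address, and shows the check failing; it then wraps an ESP-style body in UDP the way the UDP encapsulation Ray describes does, lets the NAPT rewrite the outer address and port, and shows the inner check still passing while a modified body is still rejected. The key, addresses, ports and payloads are constructed sample values, and the HMAC-over-fields scheme stands in for the real IPsec ICV.

```python
"""Toy model of why NAT breaks an integrity-protected IPsec packet and why
UDP encapsulation survives it. Not a real IPsec implementation: the key,
addresses and payloads below are constructed for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Union

KEY = b"constructed-demo-key"  # constructed sample key for the toy security association


def icv(*fields: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 over length-prefixed fields."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


@dataclass(frozen=True)
class AhPacket:
    """AH-style packet: the ICV covers the IP addresses as well as the payload."""
    src: str
    dst: str
    payload: bytes
    tag: bytes


@dataclass(frozen=True)
class UdpEspPacket:
    """ESP body carried inside UDP (NAT-T style): the ICV covers only the ESP body,
    so the outer IP/UDP header is free for a NAT or NAPT device to rewrite."""
    src: str
    dst: str
    sport: int
    dport: int
    esp_body: bytes
    tag: bytes


def ah_protect(src: str, dst: str, payload: bytes) -> AhPacket:
    return AhPacket(src, dst, payload, icv(src.encode(), dst.encode(), payload))


def ah_verify(pkt: AhPacket) -> bool:
    expected = icv(pkt.src.encode(), pkt.dst.encode(), pkt.payload)
    return hmac.compare_digest(pkt.tag, expected)


def udp_esp_protect(src: str, dst: str, sport: int, dport: int, esp_body: bytes) -> UdpEspPacket:
    return UdpEspPacket(src, dst, sport, dport, esp_body, icv(esp_body))


def udp_esp_verify(pkt: UdpEspPacket) -> bool:
    return hmac.compare_digest(pkt.tag, icv(pkt.esp_body))


def nat_rewrite(pkt: Union[AhPacket, UdpEspPacket], public_ip: str,
                public_port: Optional[int] = None):
    """What a NAT/NAPT box does on the way out: rewrite the outer source address
    and, for UDP, the source port. It has no key, so it cannot recompute the ICV."""
    if isinstance(pkt, UdpEspPacket):
        sport = public_port if public_port is not None else pkt.sport
        return replace(pkt, src=public_ip, sport=sport)
    return replace(pkt, src=public_ip)


def demo() -> dict:
    """Run the four cases and report whether each packet verifies at the receiver."""
    ah = ah_protect("192.168.1.10", "203.0.113.5", b"ppp frame")
    ah_after_nat = nat_rewrite(ah, "198.51.100.7")

    nat_t = udp_esp_protect("192.168.1.10", "203.0.113.5", 4500, 4500, b"esp(ppp frame)")
    nat_t_after_napt = nat_rewrite(nat_t, "198.51.100.7", 61234)
    tampered = replace(nat_t_after_napt, esp_body=b"esp(modified)")  # in-path modification

    return {
        "ah_before_nat": ah_verify(ah),               # True
        "ah_after_nat": ah_verify(ah_after_nat),      # False: address rewrite detected
        "udp_esp_after_napt": udp_esp_verify(nat_t_after_napt),  # True: outer header not covered
        "udp_esp_tampered_body": udp_esp_verify(tampered),       # False: body modification detected
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'REJECTED'}")
```

The model deliberately shows the address-rewrite failure on an AH-style check, because AH covers the IP header. For ESP the outer header is not under the ICV, and the practical NAPT obstacle is different: protocol 50 carries no port numbers for the router to translate and multiplex on, and in transport mode the inner TCP/UDP checksum still reflects the pre-NAT address. The UDP wrapper addresses both, which is why the check in the second half of the demo succeeds after the port and address change while a changed body is still caught.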
