SP2: Strange VPN Problem

Guest
Archived from groups: microsoft.public.windowsxp.work_remotely

Have two Windows Server 2003 VPN Servers:

- server1 behind NAT device
- server2 behind a router
- IAS for RAS/VPN authentication on server 3
- both VPN servers (and XP Clients) with same computer certificate from
internal Enterprise CA
- VPN client address assignment over DHCP (on server3)

The following works:
- L2TP/IPSec connection from XP SP1a client to server1
- L2TP/IPSec connection from XP SP1a client to server2
- L2TP/IPSec connection from XP SP2 client to server2

What doesn't work:
- L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
on the XPSP2 VPN client. There are no event log entries on the XPSP2 client,
nor on server1 nor on server3 (IAS). Windows Firewall is disabled on all
connections for testing. During the (unsuccessful) try to establish the VPN
connection before error 678, the IPSecmon Policies shows two filter rules
from client to server1. 818043 NAT-T Traversal Update should be included in
SP2, so IPSec NAT-T Traversal should not be the problem.

- Does anybody have a clue where the problem is?
- Does anybody know how to enable additional tracing/logging on the XPSP2
client and/or on Windows 2003 RRAS VPN server?

Thank you all in advance for any help!
Franz
 
Guest

"Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
news:OfwL7eIoEHA.592@TK2MSFTNGP11.phx.gbl...
> Have two Windows Server 2003 VPN Servers:
>
> - server1 behind NAT device
> - server2 behind a router
> - IAS for RAS/VPN authentication on server 3
> - both VPN servers (and XP Clients) with same computer certificate from
> internal Enterprise CA
> - VPN client address assignment over DHCP (on server3)
>
> The following works:
> - L2TP/IPSec connection from XP SP1a client to server1
> - L2TP/IPSec connection from XP SP1a client to server2
> - L2TP/IPSec connection from XP SP2 client to server2
>
> What doesn't work:
> - L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
> on the XPSP2 VPN client.

Making VPN connections from a client behind NAT or to a server behind NAT
has been disabled by default in XP SP2 (and this is nothing to do with IPSec
NAT traversal). To restore the previous functionality of SP1+NAT-T, you
need to make registry changes.

See http://news.zdnet.com/2100-1009_22-5321783.html for more details.

--
Robin Walker
rdhw@cam.ac.uk
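The registry change Robin refers to, as an added example that is not part of the thread or of the ZDNet article: Microsoft documents this SP2 behaviour change in KB 885407, where the setting is the REG_DWORD `AssumeUDPEncapsulationContextOnSendRule` under `HKLM\SYSTEM\CurrentControlSet\Services\IPSec`; the key, the value name and the meaning of 0, 1 and 2 below come from that KB, not from this thread, and the function names are this example's own. 0 (or an absent value) is the SP2 default that produces Franz's symptom (no L2TP/IPsec to a server behind NAT), 1 permits a server behind NAT, 2 permits both ends behind NAT. The script reads the effective setting on a client, explains it, and can set it with `-WhatIf` preview; it assumes a Windows host with PowerShell and an elevated session for the write.

```powershell
# Added example, not code from the thread or from Microsoft.
# Key path, value name and the meaning of 0/1/2 are as documented in
# Microsoft KB 885407; function names and output shape are this example's own.

$IpsecKeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$NatTValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Documented meaning of each value (KB 885407).
$NatTMeanings = @{
    0 = 'Default (XP SP2 behaviour): no L2TP/IPsec to a server behind NAT'
    1 = 'Permit L2TP/IPsec to a server that is behind NAT'
    2 = 'Permit L2TP/IPsec when both client and server are behind NAT'
}

function Get-IpsecNatTPolicy {
    <#
    .SYNOPSIS
    Reads the NAT-T send rule and reports which NAT placements it permits.
    An absent value behaves like 0, so it is reported with Value 0 and Present $false.
    #>
    [CmdletBinding()]
    param()

    $raw = $null
    if (Test-Path -Path $IpsecKeyPath) {
        $props = Get-ItemProperty -Path $IpsecKeyPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $NatTValueName)) {
            $raw = [int]$props.$NatTValueName
        }
    }

    $effective = if ($null -eq $raw) { 0 } else { $raw }
    $meaning   = if ($NatTMeanings.ContainsKey($effective)) { $NatTMeanings[$effective] } else { 'Undocumented value' }

    [pscustomobject]@{
        Path    = $IpsecKeyPath
        Name    = $NatTValueName
        Present = ($null -ne $raw)
        Value   = $effective
        Meaning = $meaning
    }
}

function Set-IpsecNatTPolicy {
    <#
    .SYNOPSIS
    Sets the NAT-T send rule to one of the documented values (0, 1 or 2).
    Supports -WhatIf so the change can be previewed before it is written.
    KB 885407 has you restart the computer for the new value to take effect.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )

    if (-not (Test-Path -Path $IpsecKeyPath)) {
        throw "IPsec service key not found at $IpsecKeyPath; is this a Windows host?"
    }

    $target = "$IpsecKeyPath\$NatTValueName = $Value ($($NatTMeanings[$Value]))"
    if ($PSCmdlet.ShouldProcess($target, 'Set REG_DWORD')) {
        # -Force overwrites an existing value and creates a missing one.
        New-ItemProperty -Path $IpsecKeyPath -Name $NatTValueName -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Verbose 'Value written; restart the computer for the IPsec service to pick it up.'
    }
    Get-IpsecNatTPolicy
}

# Usage (run elevated on the VPN client, where the SP2 default applies):
#   Get-IpsecNatTPolicy
#   Set-IpsecNatTPolicy -Value 1 -WhatIf   # preview only
#   Set-IpsecNatTPolicy -Value 1           # server behind NAT, Franz's server1 case
```

Microsoft changed the default deliberately, so the sensible policy is to leave clients at 0 unless they actually need to reach a server behind NAT, and to set 1 (or 2 only when the client side is also NAT'ed) on exactly those machines; `Get-IpsecNatTPolicy` run across a fleet gives a quick inventory of which clients have been widened.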
 
Guest

Hi Robin

Thank you very much for your help, the Registry Key in the ZDNET Article
solved our problem!

To Microsoft: A KB article about this subject or an addition to KB 818043
that the functionality described there is broken in XP SP2 (and can be
restored with a registry key) would be nice, saving me and probably a lot of
others hours of troubleshooting.

Franz



"Robin Walker" <rdhw@cam.ac.uk> schrieb im Newsbeitrag
news:cis14p$8bs$1@pegasus.csx.cam.ac.uk...
> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
> news:OfwL7eIoEHA.592@TK2MSFTNGP11.phx.gbl...
> > Have two Windows Server 2003 VPN Servers:
> >
> > - server1 behind NAT device
> > - server2 behind a router
> > - IAS for RAS/VPN authentication on server 3
> > - both VPN servers (and XP Clients) with same computer certificate from
> > internal Enterprise CA
> > - VPN client address assignment over DHCP (on server3)
> >
> > The following works:
> > - L2TP/IPSec connection from XP SP1a client to server1
> > - L2TP/IPSec connection from XP SP1a client to server2
> > - L2TP/IPSec connection from XP SP2 client to server2
> >
> > What doesn't work:
> > - L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
> > on the XPSP2 VPN client.
>
> Making VPN connections from a client behind NAT or to a server behind NAT
> has been disabled by default in XP SP2 (and this is nothing to do with IPSec
> NAT traversal). To restore the previous functionality of SP1+NAT-T, you
> need to make registry changes.
>
> See http://news.zdnet.com/2100-1009_22-5321783.html for more details.
>
> --
> Robin Walker
> rdhw@cam.ac.uk
>
>
 
Guest

A few questions here:

1. What type of NAT device is this? Or is server2 assigned a public
address and not a NAT'ed one?
2. Are you forwarding all of the required ports in the NAT Device
(i.e., UDP 4500, UDP 1701, UDP 500, Protocol 50)?
3. Does this same machine connect to server2 (I am not clear if the
problematic machine is the same as the one that you say can connect to
server2)
4. For server monitoring/troubleshooting, look at (# Rassrvmon.exe:
RAS Server Monitor) in the Windows 2003 Resource Kit tools
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Wed, 22 Sep 2004 11:37:06 +0200, "Franz Schenk"
<franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote:

>Have two Windows Server 2003 VPN Servers:
>
>- server1 behind NAT device
>- server2 behind a router
>- IAS for RAS/VPN authentication on server 3
>- both VPN servers (and XP Clients) with same computer certificate from
>internal Enterprise CA
>- VPN client address assignment over DHCP (on server3)
>
>The following works:
>- L2TP/IPSec connection from XP SP1a client to server1
>- L2TP/IPSec connection from XP SP1a client to server2
>- L2TP/IPSec connection from XP SP2 client to server2
>
>What doesn't work:
>- L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
>on the XPSP2 VPN client. There are no event log entries on the XPSP2 client,
>nor on server1 nor on server3 (IAS). Windows Firewall is disabled on all
>connections for testing. During the (unsuccessful) try to establish the VPN
>connection before error 678, the IPSecmon Policies shows two filter rules
>from client to server1. 818043 NAT-T Traversal Update should be included in
>SP2, so IPSec NAT-T Traversal should not be the problem.
>
>- Does anybody have a clue where the problem is?
>- Does anybody know how to enable additional tracing/logging on the XPSP2
>client and/or on Windows 2003 RRAS VPN server?
>
>Thank you all in advance for any help!
>Franz
>
 
Guest

- The NAT device is a Netopia Cayman 3546 ADSL Router/GW/NAT/Firewall device
- server2 (without NAT) has an official Internet IP address
- server1 (with NAT) has a private IP address
- There is just NAT, no Firewall on the Netopia device (all Ports are
forwarded)

But our problem is solved: It's exactly the behaviour that is described
here: http://news.zdnet.com/2100-1009_22-5321783.html. We added the registry
key mentioned in the article and were able to connect with the XP SP2
machine to the VPN Server behind the NAT device (thanks to Robin Walker).

Franz

"Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com>
schrieb im Newsbeitrag news:mu27l0pjdotu2v4lkltj6ttnqrll5ceraq@4ax.com...
> A few questions here:
>
> 1. What type of NAT device is this? Or is server2 assigned a public
> address and not a NAT'ed one?
> 2. Are you forwarding all of the required ports in the NAT Device
> (i.e., UDP 4500, UDP 1701, UDP 500, Protocol 50)?
> 3. Does this same machine connect to server2 (I am not clear if the
> problematic machine is the same as the one that you say can connect to
> server2)
> 4. For server monitoring/troubleshooting, look at (# Rassrvmon.exe:
> RAS Server Monitor) in the Windows 2003 Resource Kit tools
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
>
> Jeffrey Randow (Windows Networking & Smart Display MVP)
> jeffreyr-support@remotenetworktechnology.com
>
> Please post all responses to the newsgroups for the benefit
> of all USENET users. Messages sent via email may or may not
> be answered depending on time availability....
>
> Remote Networking Technology Support Site -
> http://www.remotenetworktechnology.com
> Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
>
> On Wed, 22 Sep 2004 11:37:06 +0200, "Franz Schenk"
> <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote:
>
> >Have two Windows Server 2003 VPN Servers:
> >
> >- server1 behind NAT device
> >- server2 behind a router
> >- IAS for RAS/VPN authentication on server 3
> >- both VPN servers (and XP Clients) with same computer certificate from
> >internal Enterprise CA
> >- VPN client address assignment over DHCP (on server3)
> >
> >The following works:
> >- L2TP/IPSec connection from XP SP1a client to server1
> >- L2TP/IPSec connection from XP SP1a client to server2
> >- L2TP/IPSec connection from XP SP2 client to server2
> >
> >What doesn't work:
> >- L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
> >on the XPSP2 VPN client. There are no event log entries on the XPSP2 client,
> >nor on server1 nor on server3 (IAS). Windows Firewall is disabled on all
> >connections for testing. During the (unsuccessful) try to establish the VPN
> >connection before error 678, the IPSecmon Policies shows two filter rules
> >from client to server1. 818043 NAT-T Traversal Update should be included in
> >SP2, so IPSec NAT-T Traversal should not be the problem.
> >
> >- Does anybody have a clue where the problem is?
> >- Does anybody know how to enable additional tracing/logging on the XPSP2
> >client and/or on Windows 2003 RRAS VPN server?
> >
> >Thank you all in advance for any help!
> >Franz
> >
>
 
Guest

Glad you got it to work...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Mon, 27 Sep 2004 16:48:09 +0200, "Franz Schenk"
<franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote:

>- The NAT device is a Netopia Cayman 3546 ADSL Router/GW/NAT/Firewall device
>- server2 (without NAT) has an official Internet IP address
>- server1 (with NAT) has a private IP address
>- There is just NAT, no Firewall on the Netopia device (all Ports are
>forwarded)
>
>But our problem is solved: It's exactly the behaviour that is described
>here: http://news.zdnet.com/2100-1009_22-5321783.html. We added the registry
>key mentioned in the article and were able to connect with the XP SP2
>machine to the VPN Server behind the NAT device (thanks to Robin Walker).
>
>Franz
>
>"Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com>
>schrieb im Newsbeitrag news:mu27l0pjdotu2v4lkltj6ttnqrll5ceraq@4ax.com...
>> A few questions here:
>>
>> 1. What type of NAT device is this? Or is server2 assigned a public
>> address and not a NAT'ed one?
>> 2. Are you forwarding all of the required ports in the NAT Device
>> (i.e., UDP 4500, UDP 1701, UDP 500, Protocol 50)?
>> 3. Does this same machine connect to server2 (I am not clear if the
>> problematic machine is the same as the one that you say can connect to
>> server2)
>> 4. For server monitoring/troubleshooting, look at (# Rassrvmon.exe:
>> RAS Server Monitor) in the Windows 2003 Resource Kit tools
>> (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
>>
>> Jeffrey Randow (Windows Networking & Smart Display MVP)
>> jeffreyr-support@remotenetworktechnology.com
>>
>> Please post all responses to the newsgroups for the benefit
>> of all USENET users. Messages sent via email may or may not
>> be answered depending on time availability....
>>
>> Remote Networking Technology Support Site -
>> http://www.remotenetworktechnology.com
>> Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
>>
>> On Wed, 22 Sep 2004 11:37:06 +0200, "Franz Schenk"
>> <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote:
>>
>> >Have two Windows Server 2003 VPN Servers:
>> >
>> >- server1 behind NAT device
>> >- server2 behind a router
>> >- IAS for RAS/VPN authentication on server 3
>> >- both VPN servers (and XP Clients) with same computer certificate from
>> >internal Enterprise CA
>> >- VPN client address assignment over DHCP (on server3)
>> >
>> >The following works:
>> >- L2TP/IPSec connection from XP SP1a client to server1
>> >- L2TP/IPSec connection from XP SP1a client to server2
>> >- L2TP/IPSec connection from XP SP2 client to server2
>> >
>> >What doesn't work:
>> >- L2TP/IPSec connection from XP SP2 client to server1: Getting "Error 678"
>> >on the XPSP2 VPN client. There are no event log entries on the XPSP2 client,
>> >nor on server1 nor on server3 (IAS). Windows Firewall is disabled on all
>> >connections for testing. During the (unsuccessful) try to establish the VPN
>> >connection before error 678, the IPSecmon Policies shows two filter rules
>> >from client to server1. 818043 NAT-T Traversal Update should be included in
>> >SP2, so IPSec NAT-T Traversal should not be the problem.
>> >
>> >- Does anybody have a clue where the problem is?
>> >- Does anybody know how to enable additional tracing/logging on the XPSP2
>> >client and/or on Windows 2003 RRAS VPN server?
>> >
>> >Thank you all in advance for any help!
>> >Franz
>> >
>>
>