Pr3z (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Creating IPSec Policy for Pre-Share Key in VPN not working.

Server 2003
I am trying to create a IPSec Policy that will allow the use of a
Pre-Share key for VPN only. I have created a VPN Security Policy in
Local Security settings under the IPSEC Policies on Local Computer.
I have it set up to permit traffic for remote access using a pre-share
key. Filter action is to negotiate security. Connection type is Remote
Access. I have the pre-share key in.
Now it doesn't work. It blocks all traffic because when I VPN, I cannot
map drives. If I change the filter action to Permit then it leaves it
open and I can VPN and map drives without using a pre-share key. I
guess I am lost or missing a step as to where I tell it to ask or look
for the pre-share key.
Can anyone point me in the right direction? I bought a book and have
spent days searching groups and the internet.

Steven L Umbach (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: Creating IPSec Policy for Pre-Share Key in VPN not worki

You don't give a lot of details on how you have your VPN setup but ipsec
will not work if NAT is used in the path between the client and server.
There is a NAT-T client that can be used which primarily is for l2tp/ipsec.
Also if there is a firewall protecting your server then the correct ports
need to be open in the firewall to the VPN server. You may also want to try
pptp which is secure as long as you use complex passwords [say at least 8
characters in length with complexity enabled] and fairly easy to configure.
The security log on the server may have events recorded that may also give a
clue as to what is going on if the traffic ever reached the VPN server. If
the VPN client is protected by a NAT device it needs to be configured to
allow ipsec passthrough in its configuration options. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043 --- NAT-T
http://support.microsoft.com/default.aspx?scid=kb;en-us;885348 --- more NAT-T info
http://support.microsoft.com/default.aspx?kbid=885407 --- NAT-T and XP SP2
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/428c1bbf-2ceb-4f76-a1ef-0219982eca10.mspx --- VPN firewall rules.
"Pr3z" <jboysen@gmail.com> wrote in message
news:1130247072.131408.146870@g44g2000cwa.googlegroups.com...
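The firewall openings Steve refers to, as an added example that is not part of the thread: a PowerShell script using the later Windows Firewall cmdlets (Windows 8 / Server 2012 and up, not available on Server 2003, where the firewall GUI or netsh was used) that creates the inbound rules a VPN server needs for PPTP and for L2TP/IPsec including NAT-T, then reports any that are missing or disabled. The rule names are made up here.

```powershell
# Added example, not code from the thread. Needs the NetSecurity module
# (Windows 8 / Server 2012 and later). Run elevated on the VPN server itself.
# Only the protocols a tunnel type actually needs are opened. L2TP itself
# (UDP 1701) travels inside ESP, so it is not exposed separately.

$VpnRules = @(
    # PPTP: TCP 1723 control channel plus GRE (IP protocol 47) for the tunnel
    @{ Name = 'VPN PPTP control (TCP 1723)';     Protocol = 'TCP'; LocalPort = 1723 },
    @{ Name = 'VPN PPTP tunnel (GRE proto 47)';  Protocol = '47' },
    # L2TP/IPsec: IKE on UDP 500, NAT-T on UDP 4500, ESP (IP protocol 50)
    @{ Name = 'VPN L2TP/IPsec IKE (UDP 500)';    Protocol = 'UDP'; LocalPort = 500 },
    @{ Name = 'VPN L2TP/IPsec NAT-T (UDP 4500)'; Protocol = 'UDP'; LocalPort = 4500 },
    @{ Name = 'VPN L2TP/IPsec ESP (proto 50)';   Protocol = '50' }
)

function Add-VpnFirewallRules {
    # Creates any rule that is missing; rules that already exist are left alone.
    param([string]$FirewallProfile = 'Public')   # only the Internet-facing profile
    foreach ($r in $VpnRules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        $p = @{ DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow'
                Protocol = $r.Protocol; Profile = $FirewallProfile }
        if ($r.ContainsKey('LocalPort')) { $p.LocalPort = $r.LocalPort }
        New-NetFirewallRule @p | Out-Null
    }
}

function Test-VpnFirewallRules {
    # Returns the names of required rules that are absent or disabled, so an
    # empty result means the server-side firewall is not what blocks the VPN.
    $missing = foreach ($r in $VpnRules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True') { $r.Name }
    }
    ,@($missing)
}

Add-VpnFirewallRules
Test-VpnFirewallRules
```

If PPTP is not offered, drop the two PPTP entries rather than leaving GRE open; if the server sits behind a NAT device the UDP 4500 rule is the one that matters, as the NAT-T articles above describe.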

Pr3z (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: Creating IPSec Policy for Pre-Share Key in VPN not worki

Well the VPN works as long as I disable it to negotiate security on the
new policy. You still have to have a user/pass to get into the VPN and
it works fine. The firewall is open on the ports it needs to be to
allow traffic to the server for the VPN. A third-party handles the
firewall right now which is about to change.
We are mainly setting up the VPN so users can map the network drives
from home and access the files on it and that's all. We have a couple 98
machines that need to connect so using the pre-share key would be nice.
We are not using NAT right now. Every machine has a static IP here
which is about to change as a Cisco PIX is route.
I guess I am lost, I'm just needing to add a pre-share key so when a
user tries to remote access the server it requires the pre-share key or
it locks them out, and I cannot find any Server 2003 help or how-to on
this.

Steven L Umbach (Guest)
Posted: Tue Oct 25, 2005 8:51 pm
Post subject: Re: Creating IPSec Policy for Pre-Share Key in VPN not worki

You need to configure the pre-shared key in the Remote Access Management
console in the properties of the server in the security page - allow custom
ipsec policy for l2tp. However this will only work for XP Pro/W2003
computers if using the built-in VPN client for l2tp where the PSK is
configured in the connectoid properties in the security page - ipsec
settings. For Windows 2000 and Windows 98 computers you will need to use
pptp or use l2tp with certificates in which case all your operating systems
would work. Windows 2003 Server can easily become a Certificate Authority
to issue computer certificates that are needed for both the client and VPN
server for l2tp. Without a computer certificate a computer could not access
your VPN server [assuming pre-shared is disabled on the VPN server] if it
was the only VPN method accepted which you can configure in Remote Access
Policy. L2tp is very secure since it requires both user and computer
authentication to access your VPN server. The link below has articles on
VPN that may help. -- Steve
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
"Pr3z" <jboysen@gmail.com> wrote in message
news:1130249201.596201.35050@z14g2000cwz.googlegroups.com...
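Steve's client-side setup (the PSK in the connectoid's IPsec settings, or a computer certificate instead of it), as an added example that is not from the thread: a PowerShell function using the later Add-VpnConnection cmdlet (Windows 8.1 / Server 2012 R2 and up; on XP Pro the same choices are made in the dialog he describes), plus a check that flags connections falling short of what he recommends. The connection name, server address and PSK are placeholders.

```powershell
# Added example, not code from the thread. Uses the VpnClient module
# (Windows 8.1 / Server 2012 R2 and later). Server name and PSK are placeholders.

function New-L2tpVpnConnection {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Server,
        [string]$Psk   # omit to authenticate the computer with a certificate
    )
    $common = @{
        Name                 = $Name
        ServerAddress        = $Server
        TunnelType           = 'L2tp'
        AuthenticationMethod = 'MSChapv2'   # user authentication inside the tunnel
        EncryptionLevel      = 'Required'   # refuse an unencrypted PPP link
    }
    if ($Psk) {
        # The PSK authenticates the *computer* at the IKE stage; every client
        # shares the same secret, so a leak from one laptop affects all of them.
        # -Force suppresses the warning that the PSK is stored readable locally.
        Add-VpnConnection @common -L2tpPsk $Psk -Force
    } else {
        # No PSK: IKE uses this machine's computer certificate, chained to the
        # CA the RRAS server trusts, which is the route Steve gives for Win2000.
        Add-VpnConnection @common
    }
}

function Test-VpnConnectionSettings {
    # Flags settings weaker than the thread recommends: a PPTP tunnel (no
    # computer authentication), PAP/CHAP user auth, or optional encryption.
    param([string]$Name)
    Get-VpnConnection -Name $Name | ForEach-Object {
        $issues = @()
        if ($_.TunnelType -eq 'Pptp') { $issues += 'PPTP tunnel, no computer authentication' }
        if ($_.AuthenticationMethod -contains 'Pap' -or
            $_.AuthenticationMethod -contains 'Chap') { $issues += 'PAP/CHAP user authentication' }
        if ($_.EncryptionLevel -ne 'Required' -and
            $_.EncryptionLevel -ne 'Maximum') { $issues += 'encryption not required' }
        [pscustomobject]@{ Name = $_.Name; IPsecAuth = $_.L2tpIPsecAuth; Issues = $issues }
    }
}

New-L2tpVpnConnection -Name 'Office L2TP' -Server 'vpn.example.com' -Psk 'REPLACE-ME'
Test-VpnConnectionSettings -Name 'Office L2TP'
```

The server side still has to accept the same method: the PSK goes in the RRAS server's Security page as Steve says, and the Remote Access Policy's Tunnel-Type condition is what lets you refuse anything but L2TP.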