ChuckM (Guest)
Posted: Fri Oct 28, 2005 4:51 pm
Post subject: VPN client behind Windows 2003 NAT problem
Hi all,
I have a third party VPN client on an XP workstation on a private LAN. The
Win 2003 server is the router/nat. The NAT service must be corrupting or
blocking the IPSEC packets because the handshaking is successful up to the
moment that the VPN is established and then times out waiting on the remote
server. If I connect the workstation directly to the internet, it works.
I've tried a number of different settings in RRAS to make this work.
Any ideas?
Chuck |
Robert L [MS-MVP] (Guest)
Posted: Fri Oct 28, 2005 4:51 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
If this is IPSec VPN, you may need to open the port UDP 500. These web pages may help:
IPSec The ports need to open for IPSec The IPSec Policy storage container could not be opened Time out when using ping command Troubleshooting IPSec ...
www.chicagotech.net/ipsec.htm
NAT and Firewall In the Select Routing Protocol dialog box, click NAT/Firewall, and then click OK. How to enable NAT name resolution Open Routing and Remote Access>server ...
www.chicagotech.net/nat.htm
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
ChuckM (Guest)
Posted: Fri Oct 28, 2005 4:51 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
Thanks Robert,
I looked through the information at the site you recommended. However, I
didn't find anything that fixes this.
Port 500 is open on the WAN side in the NAT properties panel. I tried both
localhost (default) and the internal client IP addresses with no luck.
Robert L [MS-MVP] (Guest)
Posted: Sat Oct 29, 2005 4:50 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
Then you can use IP Security Monitor to troubleshoot it. More IPSec troubleshooting tools can be found on this web page:
IPSec Audit Policy: To troubleshoot IPSec when it does not behave the way that you expect it to, first check the results of the Phase One and Phase Two exchanges ...
www.chicagotech.net/ipsec.htm
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Neteng (Guest)
Posted: Mon Oct 31, 2005 5:50 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
I don't think that MS supports NAT-T, which sounds like the issue.
ChuckM (Guest)
Posted: Mon Oct 31, 2005 5:50 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
Thanks Robert.
I installed the tools and watched via IPSec Monitor. It really didn't tell
me anything. The client and the remote machine connect and exchange packets,
but as soon as the connection becomes secure, the replies from the remote
server never make it to the client. The tools don't tell why they are being
blocked.
One thing that did occur to me, though, is that the VPN client hides the LAN
from the client, overriding settings with those of the remote network. I
wonder if this is preventing the client from communicating with the 2003
server NAT service.
Like I said earlier, this worked with our Linksys router acting as the NAT
firewall, but not Windows 2003 server acting as the NAT firewall. I think we
will just buy another hardware firewall and blow off the Microsoft solution.
ChuckM (Guest)
Posted: Mon Oct 31, 2005 9:50 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
That sure seems like the problem, but MS advertises NAT-T as the default for
Windows 2003 server.
Neteng (Guest)
Posted: Mon Oct 31, 2005 9:50 pm
Post subject: Re: VPN client behind Windows 2003 NAT problem
There is an update you need to install if you haven't already (on the
client). You'll also see in the article that you'll have to open UDP 4500
for NAT-T.
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043#XSLTH4187121122120121120120
|
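The symptom described in this thread (handshake completes, then replies stop once the connection is secured) can be separated from other failures by looking at which packet types pass the NAT: IKE on UDP 500, raw ESP (IP protocol 50), or ESP wrapped in UDP 4500 by NAT-T. The Python below is an added example, not code from any poster; the function names, verdict codes and capture records are constructed for illustration, and it assumes the packets were recorded on the client side of the NAT.

```python
# Added example: triage of an IPsec-behind-NAT capture. All records are constructed.
IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

VERDICTS = {
    "no-ike": "IKE did not complete: UDP 500 is not passing in both directions.",
    "esp-raw-no-reply": "IKE finished on UDP 500, the client then sent raw ESP "
                        "(IP protocol 50) and nothing came back: NAT-T is not in use.",
    "esp-raw-ok": "Raw ESP passes both ways (the NAT handles IPsec passthrough).",
    "natt-no-reply": "Peers moved to UDP 4500 but replies are missing: check UDP 4500.",
    "natt-ok": "ESP is flowing inside UDP 4500 in both directions.",
    "ike-only": "IKE completed but no protected traffic was seen.",
}

def classify(proto, sport, dport, payload=b""):
    """Label one packet by how it carries IKE or ESP."""
    if proto == IPPROTO_ESP:
        return "esp-raw"              # no UDP/TCP ports for a NAT to map
    if proto != IPPROTO_UDP:
        return "other"
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"   # RFC 3948 one-byte keepalive
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"         # non-ESP marker in front of IKE
        return "esp-udp"              # starts with a non-zero SPI
    if IKE_PORT in (sport, dport):
        return "ike"
    return "other"

def diagnose(packets):
    """packets: (direction, ip_proto, sport, dport, payload); direction is
    'out' (client to peer) or 'in', as seen on the client side of the NAT."""
    seen = {(d, classify(p, s, dp, pl)) for d, p, s, dp, pl in packets}
    def both(kind):
        return ("out", kind) in seen and ("in", kind) in seen
    if not (both("ike") or both("ike-natt")):
        return "no-ike"
    if ("out", "esp-udp") in seen:
        return "natt-ok" if ("in", "esp-udp") in seen else "natt-no-reply"
    if ("out", "ike-natt") in seen and ("in", "ike-natt") not in seen:
        return "natt-no-reply"
    if ("out", "esp-raw") in seen:
        return "esp-raw-ok" if ("in", "esp-raw") in seen else "esp-raw-no-reply"
    return "ike-only"

IKE = (IPPROTO_UDP, 500, 500, b"constructed-ike")
# Constructed capture matching the thread: handshake completes, then silence.
THREAD_SYMPTOM = [("out", *IKE), ("in", *IKE), ("out", *IKE), ("in", *IKE),
                  ("out", IPPROTO_ESP, 0, 0, b""), ("out", IPPROTO_ESP, 0, 0, b"")]
# Constructed capture of a working NAT-T session after the move to UDP 4500.
NATT_WORKING = [("out", *IKE), ("in", *IKE),
                ("out", IPPROTO_UDP, 4500, 4500, b"\x00" * 4 + b"ike"),
                ("in", IPPROTO_UDP, 4500, 4500, b"\x00" * 4 + b"ike"),
                ("out", IPPROTO_UDP, 4500, 4500, b"\x11\x22\x33\x44esp"),
                ("in", IPPROTO_UDP, 4500, 4500, b"\x55\x66\x77\x88esp"),
                ("out", IPPROTO_UDP, 4500, 4500, b"\xff")]

if __name__ == "__main__":
    for name, capture in (("thread symptom", THREAD_SYMPTOM), ("NAT-T", NATT_WORKING)):
        print(name, "->", VERDICTS[diagnose(capture)])
```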