RRAS IPSec on W2003 Server behind NAT

Discussion in 'Windows Networking' started by D Rasmussen, Nov 13, 2009.

  1. D Rasmussen

    D Rasmussen Guest

    Trying to get L2TP IPSec VPN remote connections to a W2003 RRAS server behind
    a NAT firewall. While PPTP VPN works fine, we would like to use L2TP IPSec.

    The trouble we are coming up against is that we continually get 789 errors
    on remote clients. While L2TP IPSec connections work fine behind the
    perimeter router, VPN remote clients can't make a connection. UDP port 1701
    is directed to the RRAS server, IPSec Protocol passthrough and L2TP
    passthrough are all enabled on the perimeter router, but even using a
    preshared key, remote clients cannot connect. UDP 1701 is listening on the
    RRAS server external interface. RRAS is set up as NAT-T.

    Any suggestions would be appreciated.
    D Rasmussen, Nov 13, 2009

  2. You need TCP 1701 opened.

    L2TP IPSec ports:
    TCP 1701
    UDP 500 (for the SA)
    Protocol ID 50 (ESP)
    Protocol ID 51 (AH)

    PPTP ports:
    TCP 1723 (GRE)
    Protocol ID 47

    Keep in mind that a "Protocol ID" is not a port. Each router and firewall
    handles it differently with their own terminology.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
    Ace Fekay [MCT], Nov 13, 2009

  3. D Rasmussen

    D Rasmussen Guest

    Well, so far, after a month of trying to get IPSec on a W2003 Server using a
    preshared key, we have failed to get this working.

    Clients are Windows XP SP2 or later, and we have found out that with SP2, IPSec
    behind a NAT device has been turned off [MS KB 818043]. While we have tried
    the fixes in this KB article, we still cannot get XP SP2 or later or Windows
    Vista/7 clients to connect to a Windows 2003 VPN server [not
    behind a NAT device].

    Any suggestions to get a VPN Server and XP SP2 clients to connect using L2TP
    IPSec are appreciated.
    D Rasmussen, Dec 3, 2009
  4. Have you tried using a simple password instead of a pre-shared key?

    KB818043 was for pre-SP2 and is not needed if you have any service packs.

    Whether L2TP/IPSec can go across a NAT or not depends on the NAT device.
    What type of device? Also, if it doesn't work on the same subnet, try it
    with a simple password, like "1234". If that doesn't work, then there's
    either an issue in your VPN config on the server, and/or on the client.

    Does a simple PPTP VPN work?

    I don't know what articles or books you've followed to setup the VPN, but
    here are additional resources.

    How to setup VPN
    You may have two options to setup VPN server on Windows 2003. ... 47 [GRE -
    Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP
    Protocol ...

    How To Configure IPSec Tunneling in Windows Server 2003
    In Windows Server 2003, client remote access VPN connections are protected
    .... and Remote Access automatically creates IPSec filters for L2TP
    traffic). ...

    Virtual Private Networks
    Get an overview of the VPN technologies supported by Windows Server 2003 and
    ... Download the Microsoft L2TP/IPSec VPN client, which enables computers ...

    L2TP-based remote access VPN deployment: Virtual Private Network ...
    Applies To: Windows Server 2003, Windows Server 2003 R2, ...

    Administrator's Guide to Microsoft L2TP/IPSec VPN Client
    Microsoft L2TP/IPSec VPN Client setup process creates a Microsoft IPSec VPN

    Ace Fekay [MCT], Dec 3, 2009
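An added example, not code from the thread: a small rule-set check for the two cases discussed above, an RRAS server reachable directly (IKE on UDP 500 plus ESP) versus one behind a NAT, where NAT-T moves IKE and the ESP payload onto UDP 4500. The rule tuple format, the rule names and the sample rule sets are constructed for this example.

```python
from typing import List, Optional, Tuple

# A rule is (ip_protocol, dst_port); dst_port is None for protocols that
# have no ports (ESP = IP protocol 50, AH = 51, GRE = 47). Constructed format.
Rule = Tuple[str, Optional[int]]

# Server reachable without NAT: IKE negotiates on UDP 500, the L2TP/PPP
# payload then travels inside ESP (IP protocol 50).
L2TP_IPSEC_DIRECT = {
    ("udp", 500): "IKE (ISAKMP) on UDP 500",
    ("esp", None): "ESP, IP protocol 50, carrying the L2TP/PPP payload",
}
# Server behind a NAT: NAT-T is mandatory. IKE starts on UDP 500 and both
# IKE and UDP-encapsulated ESP continue on UDP 4500, so the perimeter must
# forward both ports to the RRAS server.
L2TP_IPSEC_NAT = {
    ("udp", 500): "IKE (ISAKMP) on UDP 500",
    ("udp", 4500): "NAT-T: IKE and UDP-encapsulated ESP on UDP 4500",
}
# Rules that look related but do not bring an L2TP/IPsec tunnel up.
MISLEADING = {
    ("tcp", 1701): "L2TP runs over UDP 1701, not TCP; this rule is not it",
    ("udp", 1701): "UDP 1701 rides inside ESP/UDP 4500; forwarding it alone does not help",
}


def check_rules(rules: List[Rule], behind_nat: bool) -> Tuple[List[str], List[str]]:
    """Return (missing, notes): what an L2TP/IPsec responder still needs, and
    which present rules are misleading for this topology."""
    have = set(rules)
    required = L2TP_IPSEC_NAT if behind_nat else L2TP_IPSEC_DIRECT
    missing = [why for key, why in required.items() if key not in have]
    notes = [why for key, why in MISLEADING.items() if key in have]
    if behind_nat and ("esp", None) in have:
        notes.append("raw ESP passthrough is unused once NAT-T encapsulates ESP in UDP 4500")
    return missing, notes


if __name__ == "__main__":
    # Constructed rule set resembling the setup in the question: UDP 1701
    # forwarded, ESP passthrough, PPTP rules, but nothing for IKE or NAT-T.
    perimeter = [("udp", 1701), ("esp", None), ("tcp", 1723), ("gre", None)]
    missing, notes = check_rules(perimeter, behind_nat=True)
    print("missing:", missing)
    print("notes:", notes)
```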