L2TP/IPSec and NAT with 3Com Superstack 3 Firewall?
| Arlé Mooldijk 2005-01-09, 5:45 pm |
| Hi All,
I'm having problems with establishing a VPN connection using L2TP/IPSec and
the standard Microsoft VPN client with the 3Com Superstack 3 Firewall from
client PCs with Windows 2000/XP behind a NAT router.
Windows 2000 has been patched with the NAT-T fix and Windows XP SP2 has been
fixed with the NAT-T registry fix (see
http://support.microsoft.com/defaul...kb;en-us;885407). So they
both support NAT-T, at least they should.
Ports 50, 500, 1701, 1723 and 4500 are being forwarded to the VPN client PC
behind the NAT router. The routers used in the home networks are a Thomson
SpeedTouch 510 and ZyXEL Prestige 650R-31. They both support VPN
passthrough.
When the client PC has a direct internet connection (with a public
ip-address) everything works ok, but when the client PC is behind the NAT
router, it gives the following error (in the firewall log):
IPSec Packet from an illegal host
SPI:<different codes>
lifeseconds=3600
remote range (192.168.1.2-192.168.1.2)
The ip-range used on the private home-network is not used on the company
LAN.
The ip-address the client PC should get is defined in the firewall, in the
L2TP-pool range (which is part of the company ip-range).
I have tried the SafeNet SoftRemoteLT VPN client and that works, but it has
the disadvantage that this costs (much) extra money and it doesn't support
L2TP the way I want. The Microsoft VPN client is much easier to configure
and use, so I prefer to use that if possible.
Anyone know a solution for this problem?
With Kind Regards,
Arlé
| |
| Richard Hayward 2005-04-01, 8:45 pm |
| Hi Arlé,
If you are still watching this thread, could I ask you some stuff
about how you get the xp->3com connection working, when the xp machine
is connected directly to the Internet with a public address?
regards
Richard
richard@tortoise.demon.co.uk
| |
| Arlé Mooldijk 2005-04-10, 5:46 pm |
| In news:8dlr41tb5pd6hb5jl5pg9cm9ljutujg9sv@4ax.com,
Richard Hayward <richard@tortoise.demon.co.uk> typed:
> Hi Arlé,
>
> If you are still watching this thread, could I ask you some stuff
> about how you get the xp->3com connection working, when the xp machine
> is connected directly to the Internet with a public address?
Yes, you need to set up L2TP on the 3com and then set up an L2TP client on
Windows XP, that works when the Windows XP client has a public ip-address,
but not when it is behind a NAT router (at least I couldn't get it to work).
I followed the documentation on the 3com site about setting up the client,
see http://support.3com.com/infodeli/sw...lient_guide.pdf
It can also be found in the download section.
See http://www.3com.com/ssfirewall for info about the 3com Superstack 3
firewall.
Regards,
Arlé
| |
| Richard Hayward 2005-04-12, 5:46 pm |
| On Sun, 10 Apr 2005 22:46:17 +0200, "Arlé Mooldijk"
<reply@to.newsgroup.please> wrote:
>
>Yes, you need to set up L2TP on the 3com and then set up an L2TP client on
>Windows XP, that works when the Windows XP client has a public ip-address,
>but not when it is behind a NAT router (at least I couldn't get it to work).
Hi Arlé,
I'm assuming the 3com is itself doing NAT for a private range network,
is that right?
>I followed the documentation on the 3com site about setting up the client,
>see http://support.3com.com/infodeli/sw...lient_guide.pdf
I've followed that, but no luck yet. My remote client is XP sp2, with
the registry alteration:
http://support.microsoft.com/defaul...kb;en-us;885407
applied. The 3com firmware is: 6.3.3.1
regards
Richard
richard@tortoise.demon.co.uk
| |
| Arlé Mooldijk 2005-04-17, 5:46 pm |
| In news:pvao51p8p58rbebhrfn3r9vgv3ho048vs5@4ax.com,
Richard Hayward <richard@tortoise.demon.co.uk> typed:
> On Sun, 10 Apr 2005 22:46:17 +0200, "Arlé Mooldijk"
> <reply@to.newsgroup.please> wrote:
>
> I'm assuming the 3com is itself doing NAT for a private range network,
> is that right?
Yes
>
> I've followed that, but no luck yet. My remote client is XP sp2, with
> the registry alteration:
> http://support.microsoft.com/defaul...kb;en-us;885407
> applied. The 3com firmware is: 6.3.3.1
If your client is behind a NAT router, then the Microsoft VPN client won't
work in combination with the 3Com firewall. 3Com is following its own NAT-T
(NAT-Traversal) standards and they are incompatible with standard clients.
I've contacted 3Com in the past but they couldn't tell me what to do to make
it work. Somewhere 'hidden' on their site I've found that their NAT-T
implementation is different which makes it incompatible.
If you want to use VPN (behind a NAT router) with the 3Com SuperStack 3
Firewall you need a SafeNet SoftRemote (LT) client. It is included with the
firewall, but only a very old version which is incompatible with Windows XP.
A newer version is available from SafeNet, but you need to buy it. :-(
Regards,
Arlé