|
|
Question : Problem: Windows 2003 Server to Server L2TP VPN troubleshooting and correct setup
|
|
I have been unsuccessful in setting up a L2TP VPN between two windows 2003 standard servers. I did make sure that the proper ports are open and such and was also able to generically test the connection from my PC with a PPTP VPN connection. The PPTP worked w/o problems.
The issue that I have run into is that the server is not responding to the remote server or client workstation when I switch to L2TP. And the problem with trying to fix this is that I have read so many different docs on setting up L2TP VPNs that I have been confused to the point that I am mixing up methods and can't determine the proper configuration.
For starters, these are NOT active directory computers which makes things instantly more difficult.
Nevertheless... Assume that Routing and Remote access is installed correctly and let's focus on just the security issues involved with L2TP. The same SSL cert is installed on both machines and is from a trusted root provider. This eliminates the setup of my own CAs from what I have read. In the RRAS properties I have allowed EAP and MS-CHAP v2. Both the Authentication and Accounting provider is Windows.
The RAS policy is setup for Encryption to allow any method and the Authentication is setup to allow EAP with PEAP configured to use the SSL cert installed and MS-CHAP v2 is also allowed.
The VPN adapter has been setup to use optional encryption and smart card/or/other cert with the use simple cert selection box checked.
The Dial -In Account was created and setup correctly.
The Error: A Demand Dial connection to the remote interface VPN_NY_U15197371 on port VPN3-241 was successfully initiated but failed to complete successfully because of the following error: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number.
The Error Number: 20111
Thanks in advance for your help! --John
|
Answer : Problem: Windows 2003 Server to Server L2TP VPN troubleshooting and correct setup
|
|
You are a brave man John :-) I haven't done this as it can be quite difficult as you have found, especially without Active Directory accounts, I would assume. Since you are not getting a response from the remote site, I thought I would verify you have all the right ports open/forwarded: L2TP over IPSec To allow IKE forward UDP port 500. To allow IPSec NAT-T forward port UDP 4500. To allow L2TP forward port UDP 1701. Enable IPSec protocols 50 ESP & 51 AH pass-through (not ports 50 & 51). May be called VPN or L2TP and IPSec pass-through on most routers)
Have you considered a site to site hardware VPN solution? If you install 2 VPN routers it offloads the service to the routers, and increases security and performance. Now-a-days you can do so for less than $200 US per site with a very nice Linksys RV042 or a Cisco PIX 501 for about double that. They are very stable and much easier to configure. Just a thought, --Rob
|
|
|
|