Has anyone ever got XP SP2 or greater

By CG IT ·
L2TP IPSec VPN connection to work when the RRAS server and the XP client are both behind NAT devices?

Before anyone starts suggesting fixes, I've tried the IPSec AssumeUDPEncapsulationContextOnSendRule registry hack and that didn't work.

This is stictly a XP problem and not a RRAS server problem. The RRAS server accepts Windows Vista/7 L2TP IPsec remote clients with no problem. and if I use the RasMan ProhibitIpSec registry setting L2TP connects but without IPSec without issue but then there's no IPSec encryption.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -


by Jacky Howe In reply to Has anyone ever got XP SP ...

Do you have access to another XP System to test with. I don't know if it would make any difference to upgrade to SP3.

Collapse -

I did because SP3 is supposed to have some

by CG IT In reply to Bump

registry settings for IPSec NAT-T.

Still can't get XP to make a L2TP IPSec connection to a RRAS router behind a NAT router.

Windows 7 works great but the company doesn't want to trash all their peripherals.

I really don't want to expose the RRAS server to the Internet but I might not have a choice.

The only other option is remove XP SP2 because that is the SP that removes the L2TP IPSec NAT-T capability.

BTW congrats on the 1000+ thumbs

Collapse -

Thanks Mate

by Jacky Howe In reply to I did because SP3 is supp ...

but another option is to slip a Vista or W7 box in its place. That would solve the problem.

Collapse -


by Dedlbug In reply to I did because SP3 is supp ...

I have been down this road before. I thought I just didn't know what I was doing when I first tried RRAS with L2TP IPSec VPN to XP behind NAT. I couldn't get it to work, when it seemd like it should have worked. I assumed it was related to my NAT router and the lack of confirmed opening Protocol ID's 50-51. Unfortunately I have never tried it with Vista (or 7).

The work around I have been using since is to use a VPN router and VPN client software. (Netgear / SonicWall are my favs) IPSec seems to work fine then. Go figure. Also, putting RRAS directly on the internet of course will work too. Is there a security risk involved here?

I like J Howe's solution of upgrading to Win 7. Sometimes the fix is for the company to spend some of that money in the IT budget. lol Are the peripherals the main issue with regards to upgrading the XP workstations?

Wish I could be more helpful.

Collapse -

RRAS with packet filters

by CG IT In reply to familiar

isn't really a security risk because it only listens on L2TP and with rules, plus IPSec, there's really no way to sniff, decrypt to find user name and passwords as well as the digital certificates.

Can't upgrade to Windows 7 as there's no money to upgrade peripherals that don't have drivers for 7 and applications that don't work on 7. The remote users all have XP and they have to have XP because of some special applications.

I could use the VPN to the perimeter router and then also require authentication to the protected network segment seperate from the corporate network but didn't want to make it that complicated for users. Thinking about it, I would actually have to have them make 2 VPN connections. First one to the perimeter router, then a second one to the protected network.

Never tried that before, not sure it would work.

Collapse -

IIS HTTPS portal workaround to the problem

by CG IT In reply to Has anyone ever got XP SP ...

well found a workaround to the XP problem.

Had to create an Internet facing HTTPS portal site that provides authentication and local network addressing. Once I have that connection made, I can now use the L2TP IPSec VPN connection into RRAS and make a connection to it.

So I've got a SSL tunnel with an L2TP IPSec tunnel within that to a RRAS server which provides access to the protected network.

This doesn't work with Windows 7 but XP works great.

The portal virtual passage software for XP [crap generic active x control] doesn't work with Windows 7. So ...... really have two methods non portal and portal access. I simply don't want to go through the effort of making an active x control for virtual passage of a SSL portal for Windows 7. To much work....

Thanks guys just banging around ideas got me to thinking how to fix this and volia!

Collapse -

Now that's

by Jacky Howe In reply to IIS HTTPS portal workarou ...

good news. Glad to hear that you are successful.

Collapse -

well it's not quite what I wanted but it gets around the problem

by CG IT In reply to Now that's

and still provides end to end IPSec which is a regulatory requirement for them.

The easy fix was simply to put the RRAS server on the Internet, but I am just not comfortable having it naked when it's the only thing between the protected network and the Internet. Even when the only ports it will respond to is L2TP/IKE.

So with the https web site portal I've got a log of who uses it and when, and with intranetwork IPSec inside a SSL tunnel I've got security and logs to show who accessed what and when. With IPSec I've got the assurance that the data hasn't been changed between the two hosts...

Related Discussions

Related Forums