topic Microsoft 2016 Server VPN in Network Security

Microsoft 2016 Server VPN

sprocket10 — Wed, 08 Jul 2020 14:33:00 GMT

We are rolling out a Microsoft 2016 VPN Server to replace our Cisco AnyConnect (various reasons why).

The issue we are hitting is that PPTP and SSTP VPNs connect with no issue, but we want to use L2TP which isnt hitting the server.

We believe the ASA is having trouble with passing ESP.

The 2016 VPN is sitting on a DMZ interface behind the ASA. For testing I have forwarded all traffic on a secondary public IP to the server until I have it fully working and then I will restrict ports.

Is there a reason the L2TP isnt connecting but PPTP is.

Re: Microsoft 2016 Server VPN

Marius Gunnerud — Wed, 08 Jul 2020 19:05:44 GMT

Are you doing NAT or PAT for the public IP? What ports have you allowed to the Microsoft server? Are you allowing protocol 50, UDP 1701, UDP 500 and/or UDP 4500 in the access rules (I am assuming you are using IPSec)?

Re: Microsoft 2016 Server VPN

sprocket10 — Thu, 09 Jul 2020 09:39:14 GMT

I have a NAT rule for any ports and a firewall rule for any ports while testing.

PPTP and SSTP VPNs both work in tests but L2TP doesnt. Nothing even logs on the 2016 server for this.

Re: Microsoft 2016 Server VPN

Marius Gunnerud — Thu, 09 Jul 2020 20:31:46 GMT

Could you post the configuration you are using for NAT and access rules? Remember to remove any public IPs