l2tp/ipsec through a PIX

mauro.elias — Fri, 21 Feb 2020 06:40:09 GMT

hello,

the scenario is this:

I have a user in my network that needs to connect to a VPN server in the Internet, his VPN uses l2tp/ipsec, he uses the windows 2000/XP VPN Client. There is a PIX 535 6.2(2) between the user and his VPN server.

the problem is that this user can't establish a connection with his VPN, he can reach his VPN server, but cannot negotiate a successfull login, the VPN client says: "Remote server timeout" when the user tries to authenticate.

The VPN Client Logs a successfull VPN connection as follows:

******************************************************************

Operating System : Windows NT 5.1 Service Pack 1

Dialer Version : 7.2.2600.1106

Connection Name : ITG Connection Manager for Smart Cards

All Users/Single User : All Users

Start Date/Time : 4/1/2003, 16:43:33

******************************************************************

Module Name, Time, Log ID, Log Item Name, Other Info

For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

******************************************************************

[cmdial32] 16:43:33 03 Pre-Init Event CallingProcess = C:\WINDOWS\System32\CMMON32.EXE

[cmdial32] 16:43:35 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 16:43:35 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:43:35 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 16:44:09 07 Connect Event

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Run additional cred harvesting for NTLM only aware apps ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = Security Check after Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.

[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to determine your proxy server ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMSAMPLE.DLL ReturnValue = 0x0

[cmdial32] 16:44:09 08 Custom Action Dll ActionType = Connect Actions Description = to configure your IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.

[cmdial32] 16:44:09 09 Custom Action Exe ActionType = Connect Actions Description = CM Version Checking ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\GETCM.EXE. The program was launched successfully.

[CMDL32] 16:44:26 26 Successful Phonebook download PhoneBookName = mscorppb RequestedPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:26 28 Phonebook successfully updated Type = No update required PhoneBookName = mscorppb OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:30 26 Successful Phonebook download PhoneBookName = Cisco RequestedPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:30 28 Phonebook successfully updated Type = No update required PhoneBookName = Cisco OldPBVer = 73 NewPBVer = 73 PBServerUrl = cusredb11rad02

[CMDL32] 16:44:36 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSROI PBServerUrl = phonebook.attglobal.net

[CMDL32] 16:44:37 27 Phonebook download failed ErrorCode = 204 PhoneBookName = MSPPP PBServerUrl = pbkMS.equant.com

[CMDL32] 16:44:48 27 Phonebook download failed ErrorCode = 502 PhoneBookName = UUpMSemp PBServerUrl = pbk.uudial.uu.net

[cmdial32] 17:01:15 12 Disconnect Event CallingProcess = C:\WINDOWS\explorer.exe

[CMMON32] 17:01:15 22 External Disconnect

[cmdial32] 17:01:15 08 Custom Action Dll ActionType = Disconnect Actions Description = to restore your previous IE proxy settings ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\CMPROXY.DLL ReturnValue = 0x0

[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Security Check after Disconnect ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 17:01:15 09 Custom Action Exe ActionType = Disconnect Actions Description = Install Updated CM Profile ActionPath = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\ITGRASSC\INSTCM.EXE. The program was launched successfully.

and the Log when trying to connect behind the PIX:

******************************************************************

Operating System : Windows NT 5.1 Service Pack 1

Dialer Version : 7.2.2600.1106

Connection Name : ITG Connection Manager for Smart Cards

All Users/Single User : All Users

Start Date/Time : 4/2/2003, 13:15:00

******************************************************************

Module Name, Time, Log ID, Log Item Name, Other Info

For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

******************************************************************

[cmdial32] 13:15:00 03 Pre-Init Event CallingProcess = C:\WINDOWS\explorer.exe

[cmdial32] 13:15:09 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 13:15:09 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 13:15:09 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 13:15:37 19 On-Cancel Event

[cmdial32] 13:15:46 04 Pre-Connect Event ConnectionType = 1

[cmdial32] 13:15:46 09 Custom Action Exe ActionType = Pre-Connect Actions Description = Security Check before Connecting ActionPath = WSCRIPT.EXE. The program was launched successfully.

[cmdial32] 13:15:46 06 Pre-Tunnel Event UserName = my_user@northamerica.corp.company.com Domain = DUNSetting = ITG Connection Manager for Smart Cards Tunnel DeviceName = TunnelAddress = CXN-REDMOND.COMPANY.COM

[cmdial32] 13:16:29 20 On-Error Event ErrorCode = 721 ErrorSource = RAS

I have no access-lists in my PIX, and I use PAT.

Is there an additional configuration that I have to enter in the pix in order to permit this kind of traffic? Is it that I have to use NAT besides PAT? Do I need to permit trafic from the outside interface?

thank you in advance

Re: l2tp/ipsec through a PIX

afakhan — Sun, 06 Apr 2003 05:52:47 GMT

Hi,

you need to make sure that:

1 - you have a static NAT for the PC on the PIX (PAT wont work)

2 - open up UDP 500, UDP 1701, and ESP traffic for client NATed address on the PIX.

Thx

Afaq

topic Re: l2tp/ipsec through a PIX in Network Security

l2tp/ipsec through a PIX

Re: l2tp/ipsec through a PIX