RRAS L2TP Policy issue

jserink
Member

Hi All:

I have a stand-alone 2008 R2 x64 machine in a DMZ behind a Cisco 1841. The 2008 server has a real IP NAT'd over to it with the Cisco's ACL in front. I have got L2TP set up in the Windows 2008 box as we are modeling a system that will be placed in the cloud (so we need to learn how to terminate IPSec tunnels in Windows rather than Cisco). I have done the registry change to allow Windows to operate IPSec behind NAT and make NAT-T work properly (Article ID: 926179). I am connecting to Windows using a Digi TransPort WR21 router configured as an L2TP client. I have followed Digi's AN26 app note and it's up and working... with one problem:
Immediately upon the PPP being authenticated by RRAS, the Digi is immediately logged out again. This is the security event viewer:
Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4634 Logoff
Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4624 Logon
Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4648 Logon
Audit Success 12/5/2014 9:54:10 PM Microsoft Windows security auditing. 4776 Credential Validation

So in short, I have the IKE SAs, I have the 2 IPSec SAs, I have the L2TP tunnel up and PPP comes up... for a second, then is disconnected.

This behavior is confirmed by the anappp.cap Wireshark logs that the router keeps.
The Wireshark dump shows the PPP challenge from the server, the server's name is sent, the Digi's username and password are sent and the server responds with "Success". Then there are two Conf Request packets sent from the server and the Digi and two reject packets, then two conf packets and two conf ack packets, then the server sends a termination request packet and the Digi acks and it's done, just to repeat again.

I was getting RRAS event 20255, "CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN2-9, UserName: remote1. The remote computer does not support the required data encryption type." until I rebooted the 2008 R2 box and now there is no error from RRAS, just the same behavior.

I have a Network Policy set up that is enabled to allow L2TP and ESP packets but this problem persists.

Any ideas from the experts out there?

Cheers,
John
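A triage script for the RRAS server that covers the three things the post touches, as an added example (not from the original post, Digi's AN26 or Microsoft): it reads the KB 926179 NAT-T registry value, pairs each 4624 logon with its 4634 logoff on TargetLogonId to measure how long the PPP session actually lived, and pulls RemoteAccess errors such as 20255 from the System log. $Since and $MaxSeconds are assumed parameters; the syntax is kept to PowerShell 2.0 so it runs on a stock 2008 R2 box.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the RRAS server.
param(
    [datetime]$Since = (Get-Date).AddHours(-1),   # assumed: how far back to look
    [int]$MaxSeconds = 5                          # assumed: sessions shorter than this are suspect
)

# Pull one named <Data> field out of an event's XML payload (Security events carry
# TargetLogonId, TargetUserName, LogonType this way).
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. KB 926179: IPsec/NAT-T behind NAT needs this DWORD (2 = both ends may be behind NAT).
$polKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natT = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($null -eq $natT) { Write-Warning 'AssumeUDPEncapsulationContextOnSendRule is not set (KB 926179)' }
else { "AssumeUDPEncapsulationContextOnSendRule = $natT" }

# 2. Pair 4624 (logon) with 4634 (logoff) on TargetLogonId and report short-lived sessions.
$sec = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4634; StartTime=$Since } -ErrorAction SilentlyContinue
$open = @{}
foreach ($e in ($sec | Sort-Object TimeCreated)) {
    $id = Get-EventField $e 'TargetLogonId'
    if ($e.Id -eq 4624) { $open[$id] = $e; continue }
    if ($open.ContainsKey($id)) {
        $on   = $open[$id]
        $life = ($e.TimeCreated - $on.TimeCreated).TotalSeconds
        if ($life -le $MaxSeconds) {
            New-Object PSObject -Property @{
                User      = Get-EventField $on 'TargetUserName'
                LogonType = Get-EventField $on 'LogonType'
                LogonAt   = $on.TimeCreated
                LifeSec   = [math]::Round($life, 1)
            }
        }
        $open.Remove($id)
    }
}

# 3. RRAS logs PPP problems (e.g. 20255, "does not support the required data encryption type")
#    under source RemoteAccess in the System log; Level 1-3 = critical/error/warning.
Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='RemoteAccess'; StartTime=$Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, @{ n='Message'; e={ $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

A session that is authenticated (4624/4776) and torn down within the same second, with no RemoteAccess error logged, points at the PPP option negotiation (the Conf-Reject/Term-Request exchange in the capture) rather than at IPsec or authentication.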
