L2TP VPN for servers behind NAT

I have two 2012 R2 servers, both behind NAT, which I'm trying to connect via VPN. I have no problem connecting them via PPTP, but when connecting them via L2TP (with shared key for testing), the dialing server never connects to other server.
I assume that the problem is that they're both behind NAT. In Windows Server 2008, you were able to set a registry value to get the L2TP connections to work under NAT, see
http://support.microsoft.com/kb/926179 by setting the environment variable AssumeUDPEncapsulationContextOnSendRule.
I tried using this with the two servers, but it didn't seem to help. Is there some other way to get the L2TP connection for the two 2012 R2 servers working behind NAT?

Hi,
Thanks for your pointer and sorry for replying so late.
I am sorry to say that I haven’t found any documents to ensure whether NAT-T is supported in Windows server 2012 R2 or not. In addition,
VPN servers that are located behind NAT is not recommended. When a server is behind a network address translator, and the server uses NAT-T, unintended behavior might occur because
of the way NAT translate network traffic.
Best regards,
Susie

Similar Messages

OEAP602 - Support for APs behind NAT

Support for APs behind NAT
In the 7.2.103.0 release, you can deploy up to 3 OfficeExtend access points (OEAPs) behind a NAT device. You can deploy up to 50 FlexConnect access points (with or without Data DTLS) behind a NAT device.
Source: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
I'm confused, does it mean I can't have more than 3 OEAP602s deployed in the same remote site (let say, a Hotel) with the same Public IP back to my OEAP-WLC ?

I know on 7.0 MR1 only supports 1. I learned that the hard way doing a meeting at a hotel for our staff.
One thing we did was hook up a switch to port 4 and did HREAP with 2 other aps.. Not ideal but I like to test limits ..
Sent from Cisco Technical Support iPhone App

Time Capsule port mapping is broken for L2TP Servers behind NAT config.

I'm hoping that someone here can refute the below bug assertion... am I missing something?
There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:
When TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstance provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP making L2TP VPN servers on the LAN side of TC/AEBS are unreachable from the WAN/Internet side.
*The conditions for my tests*:
3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
Simultaneous local and server monitoring of port traffic using
tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.
*The tests*:
Netcat with the following commands, in turn, on the server:
nc -l -u 501
nc -l -u 500
nc -l -u 1700
nc -l -u 4500
which causes traffic to the udp port specified to be dumped to std out. Provides a confirmation of the tcpdump output.
On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.
I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
Message was edited by: WebMarc

Confirmed here. This only seems to be a problem with Airport 7.5.x firmware though - I find the older TCs running 7.4.2 work as expected even with BTMM / MobileMe services active.
I'm so glad you posted this - I haven't found it mentioned anywhere else and was beginning to feel very alone with this problem. I also found that having two TC 7.5s in the mix - one at both ends - also results in no response to SSH or Remote Desktop ports.

Private vpn tunnel from behind NAT

Hello all,
Our provider suddenly refuses to give us public ip addresses. Instead we get a private one and the provider does nat.
Problem is this site has an IPSEC tunnel towards a public ip address for connectivity to main offices, the tunnel also runs BGP as routing protocol (so dynamic).
Is there a way to make this work ? I guess the client side needs to be forced into setting up the tunnel always and the tunnel must be kept alive with hello packets or something like that...
Any link to some good documentation would be appreciated ?
regards,
Geert

Trying to establish a vpn tunnel from a windows vpn client to a watchguard Firebox X700 VPN.
Thanks.

Dealing with client access to servers behind NAT

It depends on your firewall configuration. This is normally known as 'loopback' - a client internal to the network accessing a service on a WAN IP address will be directed to the correct server if loopback is enabled.
I remember, some years ago, dealing with firewalls which explicitly would not allow this to happen, requiring a split DNS strategy. I don't recall needing to regularly flush the DNS cache in this case.

Hi there,This is just a general question about "best practice".Imagine this scenario:a network protected by firewall, all LANs using private IP address, e.g. 10.x.x.x and/or 192.168.x.xaccess to the server from external (www/ftp/etc) will need to go through firewallsetup the firewall with 1-1 NAT
for example: access to 1.2.3.4 on port 8080 goes to the server 10.0.0.10 on port 8765using Windows Server 2008 as DC/DNS
My question is ... how the client deal with that?
I mean, let's say someone grab a laptop and goes to another country.
From the above scenario, accessing the server would be 1.2.3.4 as the destination IP address.But what happen when the laptop goes back to the office? accessing the same server will still give 1.2.3.4 as the destination since it's still cached, right?
does it mean that we need to set up a script to always flush...
This topic first appeared in the Spiceworks Community

Servers behind CSS Browse the Internet

Can anyone show me how to configure on CSS for servers behind CSS 11000 browse the Internet ? I am using NAT.
thanks in advance
Andy

if you need the CSS to nat the servers ip addresses when they go out to the Internet, all you need is a group.
ie:
service server1
ip 10.x.x.x
active
servoce server2
ip 10.x.x.x
active
group natservers
vip address x.x.x.x
add service server1
add service server2
active
If you already had a group using these services, you will need something a little more tricky.
Just start with the above and let us know if it works.
Gilles.

Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.

Hello Christophe,
As I understand you want 1st that ;
if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network.
That means, you need static mapping between your public @ip address and your local ip address.
for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface.
that is the config for the Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 171.1.2.3 interface serial0/0
or
ip route 0.0.0.0 0.0.0.0 interface serial0/0.
After these step for each web server, you will get the mapping.
Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network
like
ip access-list extended ACL_WebServer1
permit ip any 192.168.1.10 eq www
deny ip any 192.168.1.10
exit
interface fa0/0.1
ip acess-group ACL_WebServer1 in
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards,

NAT and Servers behind CSS 11501

All,
Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
Everything works inbound no problem.
What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
Is this possible with our setup? Does anyone have some code examples?
Thanks in advance.
Addresses changed to protect the innocent:
Load Balancer 1:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.252
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Primary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Primary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.251 255.255.255.0
ip virtual-router 1 priority 254 preempt
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.2 255.255.255.0
ip virtual-router 2 priority 254 preempt
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content
Load Balancer 2:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.251
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Secondary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Secondary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.252 255.255.255.0
ip virtual-router 1
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.3 255.255.255.0
ip virtual-router 2
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content.

Gilles,
I added the following commands, and things seem to be working.
To circuit VLAN1
ip redundant-vip 1 1.1.1.80
!*************************** GROUP ***************************
group natout
vip address 1.1.1.80
add service nat_web_servers
active
service nat_web_servers
ip address 192.168.1.10 range 3
active
I do have a question about the above service commands.
I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
Otherwise, I think you have resolved this problem for us. Thank you.

Check router for VPN Throughput - L2TP VPN

I am working on setting up a VPN for our office. I have the PPTP version working but am unable to get L2TP to function. Through various testing methods (setting up our Mac Yosemite server as a VPN and testing it in and out of the office), I am leaning towards an issue with the router not allowing some of the protocols required by an L2TP through. The reason being I am able to create a L2TP VPN connection with my Mac server when using the internal IP address, but not when using the outside IP address (which to me means the signal is being blocked at the router.)
The server is receiving the SCCRQ from the client and trying to send the SCCRP which the client is not receiving when trying to connect from outside the office.
I have checked all the ports required and they are open (show ip ports), but can not figure out how to check for ESP Protocol 50? Does anyone know how to check this protocol? And if this isn't the solution, does any have other methods I can use to find the issue?
Thank you,
Chris

I think 2811 can handle this task
2811 supports up to 1500 VPN tunnels with the AIM-EPII-PLUS Module
http://www.cisco.com/en/US/products/ps5881/index.html
So no problem with 165 VPNs...
If you speaking about huge traffic volume - you should focus on speed of Internet connectivity in head office - If you have 10 Mbit line for head office you get only 60Kbit per tunnel (10Mbit/165)
M.
Hope that helps rate if it does

VPN Problems - The L2TP-VPN server did not respond

Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
- I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
- I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
- I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
** I seem to get a 'authentication failed' error if I just use my local IP address... Not sure whats happening their, but before that I need to be able to connect to Server with the external IP!
Am I missing something? Why won't my client connect and that too when I'm at home?

To run a public VPN server behind an NAT gateway, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic.
5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0./0 with a 24-bit netmask.
6. "Back to My Mac" on the server is incompatible with the VPN service.
If the server is directly connected to the Internet, see this blog post.

Cisco ASA 5505 L2TP VPN cannot access internal network

Hi,
I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
Can you jhelp me to find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
subnet 0.0.0.0 0.0.0.0
object network vpn_local
subnet 192.168.168.0 255.255.255.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
nat (outside,outside) dynamic interface
object network inside_nw
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
dns-server value 75.75.75.75 76.76.76.76
vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.

You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
policy-map global_policy
class inspection_default
inspect icmp
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

PAT with a single public IP and several servers behind firewall

Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
hostname kaa-pix
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_
3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_
1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_4
43
nat (inside,outside) source static server_smtp interface service Port_444 Port_4
44
nat (inside,outside) source static drac interface service Port_445 Port_445
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous

Thanks Lcambron...I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445. So I have th following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, i cannot telnet to my external ip address of the ASA through port 445.
Thanks

RA VPN into ASA5505 behind C871 Router with one public IP address

Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.255.0.0 0.0.255.255 any
deny   ip 255.0.0.0 0.255.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip host 0.0.0.0 any
deny   icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny   ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end

Hi,
I think, that you want control all outbound traffic from the LAN to the outside by ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and response.
Best regards,
MB

Native iOS L2TP VPN not working on Lion Server

Hi Folks,
I have a very strange issue concerning making VPN work on two iOS devices I have. I have recently setup Lion Server on a MacMini here in the office with L2TP VPN using a shared secrert phrase and a password authentication.
I have Lion running on an a MacBook Air (which I setup VPN using the provisioning profile "VPN.mobileprovision") and Snow Leopard running on an iMac. (VPN was set up manually). Both systems have been tested to work both inside and outsideof my internal network as I have tested with an air card.
I also have an iPhone running 4.3.4/4.3.5 that I setup by emailing the provisioning profile and and iPad 1 running iOS 5 beta 4 setup with the vpn provisioning profile. Neither the iPad nor iPhone seem to work at all either internally nor externally. In fact I never see any activity in the vpnd.log when I attempt to connect to with these devices. All I get is the standard "The L2TP-VPN server did not respond. Try reconnecting. ..."
Based on my success with the OSX Clients both inside and outside my local network I feel it is safe to say that I do not think the issue resides on the Lion Server nor the network/firewall configuration. I am running a Time Capsule with FW 7.5.2/7.4.2. There was no change in behavior with either version of the Time capsule firmware for the clients whether they were OSX or iOS. I must be clearly missing something here and I don't know what. Any help any of you could provide would be greatly appreciated. Thanks!
Please see the below settings for my VPN Settings on the host and iOS client
root# serveradmin settings vpn
vpn:vpnHost = ""
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = no
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.224"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.241"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.249"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"

Issue is resolved. I used the initial random generated shared secret that was generated by Lion Server. The shared secret has special characters. IOS did not like the special characters. See iPhone Console Log below:
Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error
Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)
That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.
The shared secret key was:
Y|WNwvM_O"?gLA$F@adT
Looks like it was the " or the ? symbols.
Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.
Figured I'd let you all know

[Mac OS X] Problems setting up L2TP VPN Connection

I recently moved from Windows to Mac OS X (10.6.6). Unfortunately this move was not so smoothly as I hoped for and I am currently facing some issues with the VPN-connection to the company I work for. As with many companies they do not have a Mac-guide and I am trying to solve this issue, but so far unsuccesful.
To access my data on the company’s server (MS TS Environment) I need to establish a L2TP-IPsec VPN connection. I used Mac OS X built in network tool and filled out all the necessary information such as vpn address, shared secret/key, password and accountname. I even double checked the information various times so no spelling errors occurred. After some seconds I receive the message that the L2TP-VPN-server does not respond.
I checked other posts already and I checked the box that sents all traffic via this VPN-connection but without any results. For a moment I doubted that the cause of this issue might be my home-network: MBA <-> Timecapsule <-> Thomson TG789 … however when I make a L2TP VPN connection using a Windows XP or Vista pc this can be done without problems (using the same network structure) so I guess it is a mac-related problem either with my MBA (Mac OSX) or with the companies servers…
I found out that using the console.app can provide me with some more information about the connection process:
- L2TP connecting to server
- IPSec connection started
- IKE Packet: transmit success.
- IKE Packet: receive success.
After a couple of attemps from the 6th message it suddenly shows:
- IKE Packet: receive failed.
- IKE Packet: transmit success.
- IKE Packet: receive failed.
-IKEv1 Phase1: maximum retransmits.
-IKE Packets Receive Failure-Rate Statistic.
And this finally results in ' IPSec connection failed'
Does anyone has an idea of what the problem might be (e.g. the settings of the MAC or the settings of the companies VPN or ???) and maybe a solution for this problem?
Many thanks from a newbie but satisfied Mac-user!

Hi, I have the same problem with the establishing VPN connection using L2TP without IPsec.

L2TP VPN for servers behind NAT

Similar Messages

Maybe you are looking for