Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

RRAS sometimes cannot establish incoming IKE/L2TP-sessions when NAT/Basic-Firewall is enabled


Author: Thorsten Rood MVP


Symptoms

When you use Routing and Remote Access with NAT/Basic-Firewall enabled, you can specify which services in your private network are available to the public network (the "exposed host" feature), including the option to expose a dedicated VPN server. Depending on business requirements, both the NAT and VPN components might be installed on the same Windows Server 2003 box. For VPN, you typically navigate to the outside network interface (or dial-up connection) under the NAT protocol, open its properties, and use the "services and ports" tab to allow PPTP or IKE/NAT-T/L2TP connections. All of these services are predefined and only need the private (internal) IP address filled in. While PPTP VPN works, you may encounter IKE drops when trying to establish an IPsec VPN tunnel. The outside client reports that the remote server did not answer. If you disable NAT for testing purposes, everything works fine.



Cause

Depending on the number of network devices installed in the server used as a common software router and VPN endpoint, a race condition may occur when IKE needs to establish the secure tunnel, resulting in a complete packet drop. An additional ISDN adapter or modem might cause the issue, too.



Resolution

Navigate to the outside interface in NAT/Basic-Firewall, open its properties, select "services and ports", and make sure the loopback IP address 127.0.0.1 is configured instead of the NIC's private IP address. While a private IP works fine for TCP-based PPTP VPN, the UDP-based IPsec VPN might bind to the wrong internal IP.
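One way to check a combined NAT/VPN server for the mapping described above, as an added example that is not part of the original article: the script reads port-mapping lines and flags IKE/NAT-T/L2TP entries whose private IP is not 127.0.0.1. Assumptions: the `add portmapping` line layout follows `netsh routing ip nat dump` output as recalled, the sample lines and the interface name "WAN" are constructed, and the UDP port numbers are the standard ones for these services rather than values from the article.

```python
import shlex

# Standard UDP ports for the predefined services named in the article
# (assumption: the article itself does not list port numbers).
IPSEC_UDP_PORTS = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}
LOOPBACK = "127.0.0.1"

# Constructed sample in the assumed style of `netsh routing ip nat dump`.
SAMPLE_DUMP = '''\
add interface name="WAN" mode=FULL
add portmapping name="WAN" proto=TCP publicip=0.0.0.0 publicport=1723 privateip=192.168.0.1 privateport=1723
add portmapping name="WAN" proto=UDP publicip=0.0.0.0 publicport=500 privateip=192.168.0.1 privateport=500
add portmapping name="WAN" proto=UDP publicip=0.0.0.0 publicport=4500 privateip=127.0.0.1 privateport=4500
add portmapping name="WAN" proto=UDP publicip=0.0.0.0 publicport=1701 privateip=192.168.0.1 privateport=1701
'''

def parse_portmappings(dump_text):
    """Return one dict per `add portmapping` line, with lower-cased keys."""
    mappings = []
    for line in dump_text.splitlines():
        try:
            tokens = shlex.split(line)   # strips the quotes around name="..."
        except ValueError:
            continue                     # unbalanced quote: not a line we can read
        if tokens[:2] != ["add", "portmapping"]:
            continue
        fields = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        mappings.append({k.lower(): v for k, v in fields.items()})
    return mappings

def find_misbound_ipsec(dump_text):
    """List (interface, service, port, privateip) for UDP IPsec-VPN mappings
    that point at a NIC address instead of the loopback address."""
    findings = []
    for m in parse_portmappings(dump_text):
        port = m.get("publicport", "")
        if m.get("proto", "").upper() != "UDP" or not port.isdigit():
            continue
        service = IPSEC_UDP_PORTS.get(int(port))
        if service and m.get("privateip") != LOOPBACK:
            findings.append((m.get("name"), service, int(port), m.get("privateip")))
    return findings

if __name__ == "__main__":
    for iface, service, port, ip in find_misbound_ipsec(SAMPLE_DUMP):
        print(f"{iface}: {service} (UDP {port}) maps to {ip}, expected {LOOPBACK}")
```

The check only applies when the VPN endpoint runs on the NAT box itself, which is the scenario the article covers; the TCP-based PPTP mapping is deliberately not flagged.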



More information

http://support.microsoft.com?kbid=324264
http://support.microsoft.com?kbid=816573
http://support.microsoft.com?kbid=816581





Keywords: KB555072, kbhowto, kbpubmvp, kbpubtypecca


Article Info
Article ID : 555072
Revision : 1
Created on : 3/13/2004
Published on : 3/13/2004