Server2008R2 L2TP/IPSec VPN behind router


Post by m1st » Mon Apr 16, 2012 6:31 am

Hey!

I am trying to set up an L2TP/IPsec VPN server with a preshared key behind a firewall/router. The VPN server is running Windows Server 2008 R2. Microsoft recommends allowing the VPN server access to a public IP, but this is impractical in my situation. I'm able to establish a VPN connection from inside my house network, but when I try to connect from an external IP, I get errors (Error 789).

My router/firewall allows IPsec passthrough. What ports do I need to forward to the VPN appliance? I believe UDP 500 and UDP 4500 are all that are necessary. Normally, only UDP 500 is required, but since I'm NATing to the VPN appliance, it'll be doing NAT-T, and I believe I need to open UDP 4500. Additionally, Microsoft recommends that I do a registry change as outlined here: http://support.microsoft.com/kb/926179.

Again, I am able to access my VPN appliance from within my network (on the same subnet). I can't access it from an outside IP, which leads me to believe I don't have the ports forwarding properly, and am possibly having an issue with NAT Traversal. I will do the registry setting as soon as I get home. Are ports UDP 500 and UDP 4500 the only ones that I need to forward to my VPN appliance? There was some mention of UDP 1701, but I don't think this is necessary...


Re: Server2008R2 L2TP/IPSec VPN behind router

Post by m1st » Mon Apr 16, 2012 11:52 am

Creepy... I just posted this question 4 hrs ago, and the Google crawler already picked it up. Anyways, I found a thread on Anandtech asking the same question, and it seems making the registry change and forwarding UDP 500 and UDP 4500 should fix the issue. I'll test it when I get home. Here's to hoping...
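An added example, not part of the posts above: one way to check whether the UDP 500 and UDP 4500 forwards discussed in this thread are actually delivering traffic is to classify the UDP payloads that reach the VPN server. It assumes payloads exported from a packet capture taken on the server; the function names and sample packets are constructed for illustration, and the framing follows RFC 3948 (non-ESP marker, one-byte keepalive).

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes prefix IKE on UDP 4500
IKE_HEADER_LEN = 28                    # fixed-size ISAKMP/IKE header
EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}

def parse_ike_header(data):
    """Return a short description of an IKE header, or None if it is not plausible."""
    if len(data) < IKE_HEADER_LEN:
        return None
    fields = struct.unpack("!8s8sBBBBII", data[:IKE_HEADER_LEN])
    init_spi, version, exchange, length = fields[0], fields[3], fields[4], fields[7]
    if init_spi == b"\x00" * 8 or length < IKE_HEADER_LEN:
        return None
    return f"IKE {version >> 4}.{version & 0x0F} {EXCHANGES.get(exchange, f'type {exchange}')}"

def classify(dst_port, payload):
    """Label one UDP payload as seen on the server side of the NAT device."""
    if dst_port == 500:
        return parse_ike_header(payload) or "not IKE"
    if dst_port == 4500:
        if payload == b"\xff":
            return "NAT-T keepalive"
        if payload[:4] == NON_ESP_MARKER:
            ike = parse_ike_header(payload[4:])
            return f"{ike} (NAT-T)" if ike else "malformed"
        if len(payload) >= 8:  # a non-zero SPI comes first, then the sequence number
            return f"UDP-encapsulated ESP, SPI 0x{struct.unpack('!I', payload[:4])[0]:08x}"
    return "unrecognised"

def nat_t_seen(packets):
    """True if any IKE or ESP traffic arrived on UDP 4500, i.e. that forward works."""
    return any(p == 4500 and ("NAT-T)" in classify(p, d) or "ESP" in classify(p, d))
               for p, d in packets)

def _ike(exchange, resp_spi=b"\x00" * 8):
    # Constructed header-only IKEv1 packet (version byte 0x10), not captured traffic.
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, resp_spi, 1, 0x10, exchange, 0, 0, IKE_HEADER_LEN)

SAMPLES = [  # constructed (destination port, UDP payload) pairs
    (500, _ike(2)),
    (4500, NON_ESP_MARKER + _ike(2, b"\x22" * 8)),
    (4500, b"\xff"),
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
    print("NAT-T traffic reached the server:", nat_t_seen(SAMPLES))
```

If a capture shows IKE on UDP 500 but `nat_t_seen` stays false, the UDP 4500 forward is the first thing to check.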
