
VPN through firewall NAT


eagriffin

IS-IT--Management
Mar 29, 2002
I am running a VPN server (Windows 2000) inside a Netscreen firewall. The external address for the Windows box is set up as a NAT address on the firewall; we are using PPTP and it is working fine. I am wondering, if I switch this over to L2TP with IPsec, is the NAT going to cause problems with the AH protocol? Is there a way around this problem?
Thanks
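The concern in the question above is the classic one: AH's integrity check value (ICV) covers the immutable fields of the outer IP header, including the source and destination addresses, so any device that rewrites those addresses (a NAT on the firewall) invalidates the ICV at the receiver. ESP's ICV covers only the ESP header and payload, not the outer IP addresses, which is why ESP (and, later, NAT-T) is what survives NAT. The following is an added illustration, not code from the thread: it models the two coverage rules with an HMAC over a constructed packet, applies a simulated NAT rewrite, and shows which ICV still verifies. Key, addresses and payload are all constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed demo key; in real IPsec this comes from the IKE SA.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    """Minimal model of an outer IP header plus the protected payload."""
    src: str        # outer source address (immutable for AH purposes)
    dst: str        # outer destination address (immutable for AH purposes)
    ttl: int        # mutable in transit: AH zeroes it before hashing
    proto: int      # next-protocol number (51 = AH, 50 = ESP)
    payload: bytes  # what the security protocol carries


def _addr(a: str) -> bytes:
    return bytes(int(octet) for octet in a.split("."))


def ah_icv(p: Packet) -> bytes:
    """AH: hash immutable outer-header fields (addresses, protocol) plus payload.
    Mutable fields such as TTL are treated as zero, so routers may decrement it."""
    covered = _addr(p.src) + _addr(p.dst) + bytes([0, p.proto]) + p.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(p: Packet) -> bytes:
    """ESP: hash only the ESP header/payload; the outer IP header is not covered."""
    return hmac.new(KEY, p.payload, hashlib.sha256).digest()


def nat_rewrite(p: Packet, public_src: str) -> Packet:
    """Simulated one-to-one NAT on the firewall: swap the inside source address
    for the public one and decrement TTL like any router would."""
    return replace(p, src=public_src, ttl=p.ttl - 1)


def router_hop(p: Packet) -> Packet:
    """A plain router: only the mutable TTL changes."""
    return replace(p, ttl=p.ttl - 1)


def verifies(icv_fn, as_sent: Packet, as_received: Packet) -> bool:
    """Receiver recomputes the ICV over what arrived and compares it with the
    ICV the sender attached (computed over what was sent)."""
    return hmac.compare_digest(icv_fn(as_sent), icv_fn(as_received))


# Constructed sample: RAS server on an RFC1918 inside address behind a MIP.
SENT = Packet(src="10.1.1.5", dst="203.0.113.77", ttl=64, proto=51,
              payload=b"L2TP control message (constructed)")


def ah_survives_nat() -> bool:
    return verifies(ah_icv, SENT, nat_rewrite(SENT, "198.51.100.9"))


def ah_survives_plain_routing() -> bool:
    return verifies(ah_icv, SENT, router_hop(SENT))


def esp_survives_nat() -> bool:
    return verifies(esp_icv, SENT, nat_rewrite(SENT, "198.51.100.9"))


if __name__ == "__main__":
    print("AH through NAT verifies:    ", ah_survives_nat())          # False
    print("AH through a router verifies:", ah_survives_plain_routing())  # True
    print("ESP through NAT verifies:   ", esp_survives_nat())         # True
```

The model deliberately keeps only the fields that decide the outcome: AH tolerates TTL decrements because mutable fields are zeroed, but not an address rewrite; ESP tolerates both because the outer header is outside its ICV. A real deployment behind a NAT therefore needs ESP rather than AH, and a NAT that also rewrites ports needs NAT-T (UDP encapsulation) on top of that.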
 
Did you ever get the L2TP/IPsec working through the Netscreen? I am in the process of setting up what you already have. What do I have to open up on the Netscreen box for clients to get through to the MS VPN server? You can reach me at RSobin@ptfs.com

Thanks,
Rich
 
We are not yet using L2TP with IPsec. We are using PPTP with MPPE encryption. In order to support this you will need to do the following.

Install Routing and Remote Access on the Windows Server.
You will read that you need 2 network cards to do this; however, you can use a NAT address on the Netscreen firewall. When you install Routing and Remote Access, install it with the default configuration. Do not select VPN server, or you will have a lot of NIC problems. Click Start, Programs, Administrative Tools, and click Routing and Remote Access. Right-click the server name and select Configure and Enable Routing and Remote Access, select Next, then select Manually configure server. From there you will need to manually configure your ports (PPTP, L2TP, or modem ports), and configure your remote access policies and encryption requirements.

Configure the Firewall to NAT the traffic and to allow the traffic.

Click on Network in the Netscreen firewall, then Interfaces. Click Edit for the Untrust interface. Select MIP on the top left of the screen and create a new NAT address for the RAS server.

Create a new policy by selecting Policies, then from Untrust to Trust permit PPTP or L2TP from the new external NAT address to the internal address of your RAS server.

Hope this is helpful. I'll send contact info offline.
 