L2TP VPN pass-through behind Cisco firewall and router
For the last couple of days we have been facing an issue at a remote branch where one client PC (Windows XP Service Pack 2) needs to connect to a remote VPN server. The communication is L2TP/IPsec. The client successfully connects to the remote VPN server and obtains an IP address. But the failure occurs when the client connects to one remote local server on port 443. Then an error message shows: "The server digital certificate key is not available. Contact your network administrator". The network on the client side is built like this:
Windows client -> ASA firewall -> Cisco router -> Internet -> remote network (unknown)
On the ASA firewall the ACL allow list is: udp/isakmp, esp, udp/1701, udp/4500
What we have got from the client side is a netstat report from the client for two scenarios: one behind the Cisco router + firewall and the second behind a Linux router. When the client is behind the Linux router it works perfectly. We have tried, following the Microsoft article, to change the registry value to 2 (for when both client and server are behind NAT devices) ( http://support.microsoft.com/kb/926179/en-us ). But it didn't work out, because I think the server isn't behind a NAT device.
I have attached the netstat report. I wouldn't mind sending the packet capture report too, but I would prefer to send it via email.