View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0000174 | Windows and other desktop OS | Desktop | public | 2015-11-10 23:15 | 2019-03-11 11:43

Field | Value
---|---
Reporter | DigitalMy
Priority | normal
Severity | tweak
Reproducibility | N/A
Status | progress
Resolution | open
Platform |
OS | Windows
OS Version | 7x64
Summary | 0000174: L2TP connection: make port reassignment to a non-standard port for the client
Description | Have several VPN servers behind a NAT+Firewall device. NAT can reassign server TCP ports, but not GRE. Need to make changes on the client OS and the server OS.
Tags | No tags attached.
FinishDate | 2015-11-11
StartDate | 2015-11-10
WasteTime |
PriorityIndex | 7
LaboriousnessIndex | 1
There are no registry mods for L2TP like there are for PPTP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} TcpPortNumber

So it is better to use the SSTP protocol for VPN in this case, at least for the second server, because it utilizes only a single TCP port. RRAS SSL uses the default port TCP 443, but it is taken by IIS, so change that port on vpnserver to 5000 in the registry (while the RRAS service is stopped): HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\ListenerPort

- telnet can connect to the server, but the Windows RAS client cannot take the port.
- make a certificate on vpnserver using the SimpleAuthority application (free); the certificate CN must be = vpnserver name
- add this certificate to vpnserver by mmc
- choose this certificate in RRAS properties (rrasmgmt.msc) and restart the server
- check that vpnserver is listening on the new port 5000
- make port redirection to vpnserver on the router
- so, for clients, we will need internal port forwarding set by `netsh interface portproxy add v4tov4 listenport=443 connectport=5000 connectaddress=digitalmy.ru` on each client, and a hosts rule which fits the certificate server name, pointing to localhost (C:\Windows\System32\drivers\etc): `127.0.0.1 vpnserver`
- check the local port on the client and the rule list: `netstat -ano | findstr 443` and `netsh interface portproxy show all`
- the rule can be deleted later like this ("listenaddress" is necessary in case it was set): `netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=443`
- check connection (successfully established): `telnet 127.0.0.1 5000` and `telnet digitalmy.ru 5000`
- check connection from client (successfully established): `telnet vpnserver 443`

Issue a multiuser certificate for clients, or make the server give out certificates automatically

- found that portproxy does not start working after the computer is restarted, but the configuration is there; it can be seen by `netsh interface portproxy show all`
- the worker process is System32\svchost.exe (netsvcs) with child iphlpsvc. If you stop the "IP Helper" service it will stop portproxy; if you start it, the target port will start listening: `net stop iphlpsvc` and `net start iphlpsvc`

Firewall exception for both in and out: C:\Windows\System32\svchost.exe -k NetSvcs

SSTP error 0x800704C9 remote computer refused connection. `sc query remoteaccess` and `sc query sstpsvc`. Couldn't open key 1 in System\CurrentControlSet\Services\RemoteAccess\Parameters\Ipv6\StaticPrefixPool error:2
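As an added example (not the reporter's own script), here are the client-side steps from the notes above gathered into one PowerShell script, with the checks the notes run by hand. It assumes the values from the notes (certificate CN vpnserver, public name digitalmy.ru, server SSTP port 5000), an elevated prompt, and the Windows 7-era tooling (netstat and a plain TcpClient rather than Test-NetConnection).

```powershell
# Added example, not the reporter's script: applies the client-side SSTP workaround from the
# notes and verifies it. Assumed values (taken from the notes): certificate CN 'vpnserver',
# public name 'digitalmy.ru', server Sstpsvc ListenerPort 5000. Run from an elevated prompt.
param(
    [string]$ServerName = 'vpnserver',    # must equal the certificate CN
    [string]$ServerAddr = 'digitalmy.ru', # name/IP the router forwards to the VPN server
    [int]$ServerPort    = 5000,           # Sstpsvc ListenerPort set on the server
    [int]$LocalPort     = 443             # port the Windows RAS client insists on for SSTP
)

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TcpClient connect with a timeout; works on Windows 7 (no Test-NetConnection there).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. hosts entry: the client must resolve the certificate CN to 127.0.0.1
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hosts -Pattern "^\s*127\.0\.0\.1\s+$ServerName(\s|$)" -Quiet)) {
    Add-Content -Path $hosts -Value "127.0.0.1 $ServerName"
}

# 2. portproxy rule 127.0.0.1:443 -> digitalmy.ru:5000; listenaddress is set explicitly so the
#    'delete' command from the notes needs no guessing later
$rules = (netsh interface portproxy show v4tov4) -join "`n"
if ($rules -notmatch "\s$LocalPort\s+$([regex]::Escape($ServerAddr))\s+$ServerPort") {
    netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=$LocalPort `
        connectaddress=$ServerAddr connectport=$ServerPort | Out-Null
}

# 3. the proxy is served by iphlpsvc (IP Helper); as the notes found, it may not listen after a
#    reboot until the service is (re)started
Restart-Service -Name iphlpsvc -Force

# 4. the same three checks the notes run by hand with netstat and telnet
$listening = netstat -ano | Select-String ":$LocalPort\s+\S+\s+LISTENING"
New-Object PSObject -Property @{
    LocalPortListening = [bool]$listening
    DirectToServer     = Test-TcpPort $ServerAddr $ServerPort   # telnet digitalmy.ru 5000
    ViaPortProxy       = Test-TcpPort $ServerName $LocalPort    # telnet vpnserver 443
}
```

If LocalPortListening is false after the service restart, the firewall exception for svchost.exe -k NetSvcs from the notes is the next thing to check.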