View Issue Details

ID: 0000174
Project: Windows and other desktop OS
Category: Desktop
View Status: public
Last Update: 2019-03-11 11:43
Reporter: DigitalMy
Priority: normal
Severity: tweak
Reproducibility: N/A
Status: progress
Resolution: open
OS: Windows
OS Version: 7x64
Summary: 0000174: L2TP connection: make port reassignment to non-standard for client
Description:
Have several VPN servers behind the NAT+Firewall device.
NAT can reassign server TCP ports, but not GRE.
Need to make changes on client OS and server OS.
Tags: No tags attached.
Finish Date: 2015-11-11
Start Date: 2015-11-10
Waste Time:
Priority Index: 7
Laboriousness Index: 1

Relationships

related to 0000086 (resolved, DigitalMy): L2TP connection gives Error 809
related to 0000244 (resolved, DigitalMy): VPN SSTP server fails to accept new certificate
related to 0000267 (assigned, DigitalMy): IP helper service fails to start with error 13 The data is invalid

Activities

DigitalMy (administrator) ~0000317
2015-11-11 10:19
Last edited: 2016-08-25 19:12

There are no registry mods for L2TP like there are for PPTP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
TcpPortNumber

DigitalMy (administrator) ~0000416
2016-08-22 14:00
Last edited: 2019-03-11 11:42

So, it is better to use the SSTP protocol for VPN in this case, at least for the second server, because it utilizes only a single TCP port.

RRAS SSL uses default port TCP 443, but it is taken by IIS,
so change that port on vpnserver to 5000 in the registry (while the RRAS service is stopped):
HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\ListenerPort
> telnet can connect to the server, but the Windows RAS client cannot take the port.

> make a certificate on vpnserver using the SimpleAuthority application (free);
the certificate CN must be equal to the vpnserver name
> add this certificate to vpnserver via mmc
> choose this certificate in RRAS properties (rrasmgmt.msc) and restart the server
> check that vpnserver is listening on the new port 5000
> make port redirection to vpnserver on the router
> so, for clients, we will need internal port forwarding set by:
netsh interface portproxy add v4tov4 listenport=443 connectport=5000 connectaddress=digitalmy.ru
> on each client, and a hosts rule that fits the certificate server name, pointing to localhost (C:\Windows\System32\drivers\etc)
127.0.0.1 vpnserver

> check the local port on the client and the rule list
netstat -ano | findstr 443
netsh interface portproxy show all

> the rule can be deleted later like this ("listenaddress" is necessary in case it was set)
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=443

> check the connection (successfully established)
telnet 127.0.0.1 5000
telnet digitalmy.ru 5000

> check the connection from the client (successfully established):
telnet vpnserver 443

DigitalMy (administrator) ~0000418
2016-08-24 16:55

Issue a multiuser certificate for clients
or
make the server give out certificates automatically

DigitalMy (administrator) ~0000419
2016-08-29 11:14
Last edited: 2018-08-27 22:26

> found that portproxy does not start working after the computer is restarted,
but the configuration is there; it can be seen by:
netsh interface portproxy show all
> the worker process is
System32\svchost.exe (netsvcs)
with child: iphlpsvc
If you stop the "IP Helper" service it will stop portproxy; if you start it, the target port will start listening.

net stop iphlpsvc
net start iphlpsvc
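
The client-side checks from the two notes above (hosts rule, portproxy rule, IP Helper service, local listener, end-to-end TCP connect), as an added PowerShell diagnostic that is not part of the issue tracker. It assumes the names used in the notes (vpnserver as certificate CN, digitalmy.ru:5000 as the real SSTP endpoint, local listen port 443); the Test-TcpPort helper is my own and replaces the manual telnet check.

```powershell
# Added example, not from the issue. Values below are the ones used in the notes.
$serverName  = 'vpnserver'     # certificate CN that the RAS client dials
$listenPort  = 443             # local portproxy listener
$connectHost = 'digitalmy.ru'  # real SSTP server behind the router
$connectPort = 5000            # non-standard SSTP port set in ListenerPort
$hostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"
$problems = @()

# 1. hosts rule: the CN must resolve to the local portproxy listener.
$hostsHit = Get-Content $hostsPath | Where-Object { $_ -match "^\s*127\.0\.0\.1\s+$serverName(\s|$)" }
if (-not $hostsHit) { $problems += "hosts: no '127.0.0.1 $serverName' line in $hostsPath" }

# 2. portproxy rule present (netsh prints a table; match port and target columns).
$proxyRows = netsh interface portproxy show v4tov4
$ruleHit = $proxyRows | Where-Object { $_ -match "\s$listenPort\s+$([regex]::Escape($connectHost))\s+$connectPort\s*$" }
if (-not $ruleHit) { $problems += "portproxy: no v4tov4 rule $listenPort -> ${connectHost}:$connectPort" }

# 3. IP Helper (iphlpsvc) owns the listener: it must be running after reboot.
$svc = Get-Service iphlpsvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $problems += 'iphlpsvc is not running; portproxy will not listen' }

# 4. Something is actually listening on the local port (svchost -k netsvcs).
$listening = netstat -ano | Where-Object { $_ -match "TCP\s+(127\.0\.0\.1|0\.0\.0\.0):$listenPort\s+\S+\s+LISTENING" }
if (-not $listening) { $problems += "nothing listening on local port $listenPort" }

# 5. End-to-end TCP connect through the proxy (hypothetical helper, replaces telnet).
function Test-TcpPort($TargetHost, $Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($TargetHost, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}
if (-not (Test-TcpPort $serverName $listenPort)) { $problems += "TCP connect to ${serverName}:$listenPort failed" }

if ($problems.Count -eq 0) { 'SSTP client pre-checks OK' } else { $problems | ForEach-Object { "FAIL: $_" } }
```

Run it in an elevated PowerShell on the client; the FAIL lines map one-to-one onto the manual steps in the notes.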

DigitalMy (administrator) ~0000682
2018-08-27 12:21

Firewall exception for both in and out:
C:\Windows\System32\svchost.exe -k NetSvcs

DigitalMy (administrator) ~0000767
2019-03-11 11:43
Last edited: 2019-03-11 11:58

SSTP error 0x800704C9:
the remote computer refused the connection

sc query remoteaccess
sc query sstpsvc

Couldn't open key 1 in System\CurrentControlSet\Services\RemoteAccess\Parameters\Ipv6\StaticPrefixPool error:2