can't connect to vpn thru win 2000pro dhcp

[rpiquette]

I cannot connect to my companies vpn using nortel's extranet client through my win 2000 pro dhcp server. I have no problem when I use a router. The routers I've tried (successfully)both have IPsec passthrough. I'm guessing this might be the problem. How do I fix this?

[DVNT1]

Is your W2K DHCP server doing NAT?

[rpiquette]

I have 4 machines behind the dhcp server that all work fine.as far as ip assignment, itranet activity and internet acess. So I assume it (NAT) is working fine. Is there a way to disable or enable NAT or is it embedded in the enabling and disabling of dhcp?

[DVNT1]

Sounds like W2K NAT is breakign the VPN because of the packet handling.

Three initial solutions come to mind.

1) If offered by the Nortel server software, change the VPN server to allow clients using NAT.

2) Buy another NAT compatible router

3) Put the NAT client on the W2K server and use port mappings to access some of the services on the company LAN.

[rpiquette]

why I can connect to the vpn using the NAT in a lynksys router...but not the NAT in my win2k server? I am trying to get away from using a router and solely rely on my win2k dhcp for my LAN administration.

[DVNT1]

As I understand it, standard IPSEC uses checksums to ensure the data packet was not altered while in route. The Address Header checksum is one item which gets changed via "normal" NAT devices. NAT also changes transport-layer checksums (since the source and destination addresses are included in the UDP and TCP checksums).

The routers you mentioned working must support IPSEC passthru (aka, they do not change the related checksums).

[rpiquette]

they do support ipsec passthru.....Is there a way to enable or configure the same passthru capability to win2k?

[DVNT1]

Maybe, but as I mentioned, it is heavily dependent on the VPN server. Read http://www.isaserver.org/articles/IP...ssthrough.html