
vpn and nat-t


Name: milli
Date: July 3, 2005 at 04:32:15 Pacific
OS: WS2003
CPU/Ram: c
Comment:

Hallo,
I have a problem. I'm making a VPN between a Windows Server 2003 and a Windows 2000 client.
The configuration of my network is the following:

ServerVPN-->NAT(RTlinux)--->internet<---NAT<--Client

ServerVPN has a private IP address and a public IP address.
In "Tunnel Setting" on the client, must I write the public or the private IP address? And in "Destination Address" in the "IP Filter List"?

The client also has a private and a public IP address. On the server I have the same problem.

Could you help me?


Thank You
Tatiana





Response Number 1
Name: Curt R
Date: July 3, 2005 at 10:48:27 Pacific
Reply:

Each VPN device will have a minimum of two interfaces: 1) internal (LAN) and 2) external (WAN).

When creating a tunnel, VPN device #1 connects to device #2 across the WAN via the external interface. Each device in turn handles the internal routing for the LAN (internal) side. From the sounds of it though, you're not actually creating a tunnel. It sounds more like you're trying to achieve VPN passthrough with client access software.

As to detailed setup, I would need to know more about what device you're using and what the client software is. However, from the looks of it, you're using a Linux box between your server and your WAN connection, and I work with Cisco routers, so I'm afraid I won't be of much help in that case. But there are probably a lot of people familiar with the Linux setup you're using, and providing the info I asked for (Linux VPN endpoint and client software) will likely get you the help you need to set this up properly and get it working.



Response Number 2
Name: milli
Date: July 5, 2005 at 08:00:37 Pacific
Reply:

Thank you for your answer.
Let me explain better.
I'm making a VPN between Windows Server 2003 and Windows 2000 (VPN client).
I used L2TP/IPsec in tunnel mode.
I used RAS on Windows Server 2003.
I used certificates for authentication.
I don't have any problems on my LAN. The VPN works well.

Now I'd like to use the Internet and I have a new configuration.
My new network configuration is the following:

VPNServer---->NAT(RouterLinux)---> Internet <--NAT(RouterCisco)<--VPNClient

I'm working with NAT-Traversal.
The client is behind NAT;
its public IP address is PUBCLIENT and its private IP address is PRIVCLIENT.
The server is behind NAT;
its public IP address is PUBSERVER and its private IP address is PRIVSERVER.
These IP addresses are static.
The client connects to the Internet via ADSL.
I installed update 818043 on Windows 2000 (VPN client).

The RouterLinux configuration (iptables; ethEXT is the WAN interface, ethINT the LAN interface, $PUBSERVER/$PRIVSERVER as above):

# PREROUTING: redirect IKE (UDP 500), NAT-T (UDP 4500), ESP (protocol 50) and AH (protocol 51)
# arriving at the public address to the VPN server's private address.
# The ESP/AH rules are only exercised when NAT-T is not negotiated; with NAT-T, ESP travels inside UDP 4500.
iptables -t nat -A PREROUTING -p udp -i ethEXT -d $PUBSERVER --dport 500  -j DNAT --to-destination $PRIVSERVER:500
iptables -t nat -A PREROUTING -p udp -i ethEXT -d $PUBSERVER --dport 4500 -j DNAT --to-destination $PRIVSERVER:4500
iptables -t nat -A PREROUTING -p 50  -i ethEXT -d $PUBSERVER -j DNAT --to-destination $PRIVSERVER
iptables -t nat -A PREROUTING -p 51  -i ethEXT -d $PUBSERVER -j DNAT --to-destination $PRIVSERVER

# POSTROUTING: IKE/NAT-T leaving the server goes out with the public address and the same source port,
# so the peer sees its replies come from PUBSERVER:500 / PUBSERVER:4500.
iptables -t nat -A POSTROUTING -p udp -o ethEXT -s $PRIVSERVER --dport 500  -j SNAT --to-source $PUBSERVER:500
iptables -t nat -A POSTROUTING -p udp -o ethEXT -s $PRIVSERVER --dport 4500 -j SNAT --to-source $PUBSERVER:4500

# FORWARD: accept forwarded traffic in both directions between LAN and WAN.
# Note that the second rule accepts everything arriving from the WAN, not only the VPN ports above.
iptables -A FORWARD -i ethINT -o ethEXT -j ACCEPT
iptables -A FORWARD -i ethEXT -o ethINT -j ACCEPT

I think the Linux router is configured correctly; I don't think this is the problem.

The critical IPsec policy on the server is:
Under "Rules" I have only two rules:
1) ServerToClient
2) ClientToServer

1) ServerToClient:
"Tunnel Setting" --> "The tunnel endpoint..." is selected: PRIVCLIENT
"Filter Action" --> "Require Security" --> only "Negotiate Security" selected, Security Method --> Custom --> ESP only
"IP Filter List" --> "StoC" is selected --> Source Address: My IP Address, Destination Address: PUBCLIENT, not mirrored

2) ClientToServer:
"Tunnel Setting" --> "The tunnel endpoint..." is selected: PRIVSERVER
"Filter Action" --> "Require Security" --> only "Negotiate Security" selected, Security Method --> Custom --> ESP only
"IP Filter List" --> "CtoS" is selected --> Source Address: PRIVCLIENT, Destination Address: My IP Address, not mirrored

The critical IPsec policy on the client is:
Under "Rules" I have only two rules:
1) ServerToClient
2) ClientToServer

1) ServerToClient:
"Tunnel Setting" --> "The tunnel endpoint..." is selected: PRIVCLIENT
"Filter Action" --> "Require Security" --> only "Negotiate Security" selected, Security Method --> Custom --> ESP only
"IP Filter List" --> "StoC" is selected --> Source Address: PRIVSERVER, Destination Address: IP Address, not mirrored

2) ClientToServer:
"Tunnel Setting" --> "The tunnel endpoint..." is selected: PRIVSERVER
"Filter Action" --> "Require Security" --> only "Negotiate Security" selected, Security Method --> Custom --> ESP only
"IP Filter List" --> "CtoS" is selected --> Source Address: PRIVCLIENT, Destination Address: IP Address, not mirrored

On the client, in the remote connection, the destination IP address is PUBSERVER.

The client doesn't connect to the server!


The error message is: 792 The L2TP connection attempt failed because security negotiation timed out.
The article at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299307#kb2 says:
"This behavior can occur because you have a preshared key that is configured on the client, but the key is not configured on the Routing and Remote Access Service server. If you set up this type of configuration, you can receive the error message even if valid certificates are configured on both the client and the server."
but I've installed certificates on both the client and the server!

Could you help me?

Thank you


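When security negotiation times out through two NATs, the useful next step is to capture UDP 500 and 4500 on both router interfaces (for example with tcpdump on ethEXT and ethINT) and see at which stage the exchange stops: does the client's IKE request arrive, is it DNATed to PRIVSERVER, does the server answer, and does the answer leave with PUBSERVER as source. Once both peers detect NAT, IKE floats to UDP 4500 and ESP is carried inside UDP 4500 as well, so the ESP/AH DNAT rules are never exercised in a NAT-T session; the two UDP ports in both directions are what has to work. Note also that L2TP/IPsec (RFC 3193) protects the L2TP UDP 1701 traffic with IPsec in transport mode, and on Windows the Routing and Remote Access service creates that L2TP policy itself. The following is an added example, not code from the thread: it decodes the ISAKMP header, tells IKE on 4500 (RFC 3947 non-ESP marker) from UDP-encapsulated ESP and NAT-keepalives (RFC 3948), and reports the first missing stage on the server side. The capture is a constructed list of datagrams with RFC 5737 documentation addresses standing in for PUBSERVER, PRIVSERVER and PUBCLIENT, and the interface names follow the post.

```python
# Added example: classify UDP 500/4500 datagrams of an L2TP/IPsec NAT-T negotiation
# and find the first server-side NAT stage missing from a capture. Wire formats:
# RFC 2408 (ISAKMP header), RFC 3947 (non-ESP marker), RFC 3948 (ESP-in-UDP, keepalive).
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# ISAKMP header: i-cookie(8) r-cookie(8) next-payload(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
FLAG_ENCRYPTED = 0x01
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE carried on UDP 4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"               # a lone 0xFF byte on UDP 4500

@dataclass
class Datagram:
    iface: str      # interface the packet was captured on
    src: str
    dst: str
    dport: int
    payload: bytes  # UDP payload only

def parse_isakmp(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),       # all zero in the very first Main Mode message
        "version": f"{ver >> 4}.{ver & 0x0F}",   # "1.0" for IKEv1
        "exchange": EXCHANGE_TYPES.get(exch, f"type-{exch}"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": msg_id,                    # 0 in Main Mode, non-zero in Quick Mode
        "length_ok": length == len(data),
    }

def classify(d: Datagram) -> Tuple[str, Optional[dict]]:
    """Name a UDP 500/4500 payload: ike, ike-natt, nat-keepalive, esp-in-udp or other."""
    if d.dport == 500:
        return "ike", parse_isakmp(d.payload)
    if d.dport == 4500:
        if d.payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if d.payload.startswith(NON_ESP_MARKER):
            return "ike-natt", parse_isakmp(d.payload[len(NON_ESP_MARKER):])
        if len(d.payload) >= 8:
            # UDP-encapsulated ESP: SPI(4) sequence(4) then the ESP body. A zero SPI is
            # reserved, so real ESP can never look like the non-ESP marker tested above.
            spi, seq = struct.unpack_from("!II", d.payload)
            return "esp-in-udp", {"spi": f"{spi:08x}", "seq": seq}
    return "other", None

def trace_negotiation(pkts, pub_server, priv_server, wan="ethEXT", lan="ethINT") -> dict:
    """Mark which stages of the server-side path appear in the capture, in protocol order."""
    steps = {
        "ike_request_on_wan": False,   # client -> PUBSERVER:500 arrives on the WAN side
        "ike_request_on_lan": False,   # same datagram, now -> PRIVSERVER:500, after DNAT
        "ike_reply_on_lan": False,     # PRIVSERVER answers on the LAN side
        "ike_reply_on_wan": False,     # the answer leaves the WAN side with source PUBSERVER
        "natt_float_to_4500": False,   # NAT detected by both peers: IKE continues on 4500
        "esp_in_udp": False,           # Quick Mode done: L2TP now rides inside UDP-encapsulated ESP
    }
    for d in pkts:
        kind, _hdr = classify(d)
        if kind == "ike":
            steps["ike_request_on_wan"] |= d.iface == wan and d.dst == pub_server
            steps["ike_request_on_lan"] |= d.iface == lan and d.dst == priv_server
            steps["ike_reply_on_lan"] |= d.iface == lan and d.src == priv_server
            steps["ike_reply_on_wan"] |= d.iface == wan and d.src == pub_server
        elif kind == "ike-natt":
            steps["natt_float_to_4500"] = True
        elif kind == "esp-in-udp":
            steps["esp_in_udp"] = True
    return steps

def first_missing_step(steps: dict) -> Optional[str]:
    """The earliest stage never seen; None means the whole negotiation is visible."""
    return next((name for name, seen in steps.items() if not seen), None)

def build_isakmp(icookie: bytes, rcookie: bytes, exch: int, msg_id: int, body: bytes) -> bytes:
    """Constructed IKEv1 message (next payload 1 = SA, version 1.0) for the sample below."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, 0, msg_id, ISAKMP_HDR.size + len(body)) + body

# Constructed sample with hypothetical addresses: Main Mode message 1 from the client and
# the server's message 2. The reply is seen on the LAN side but never leaves the WAN side.
PUB_SERVER, PRIV_SERVER, PUB_CLIENT = "203.0.113.10", "192.168.1.10", "198.51.100.20"
MM1 = build_isakmp(bytes.fromhex("0102030405060708"), bytes(8), 2, 0, b"\x00" * 20)
MM2 = build_isakmp(bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8"), 2, 0, b"\x00" * 20)
SAMPLE = [
    Datagram("ethEXT", PUB_CLIENT, PUB_SERVER, 500, MM1),
    Datagram("ethINT", PUB_CLIENT, PRIV_SERVER, 500, MM1),   # DNAT worked
    Datagram("ethINT", PRIV_SERVER, PUB_CLIENT, 500, MM2),   # server answered
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.iface, d.src, "->", d.dst, classify(d)[0])
    print("first missing step:", first_missing_step(trace_negotiation(SAMPLE, PUB_SERVER, PRIV_SERVER)))
```

Feed it the real datagrams from the two captures and the first missing stage points at the broken hop: a request visible on ethEXT but not on ethINT means the DNAT rule did not match, a reply visible on ethINT but not on ethEXT with the public source means the return path or SNAT is wrong, and a negotiation that never floats to 4500 means at least one peer did not detect the NAT.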
