Solved

VPN Messes up ARP tables in my routers?

Posted on 2001-08-24
23
1,431 Views
Last Modified: 2010-04-13
Hi,

I'm trying to configure VPN on a windows 2000 server (SP2).  The problem may be a result of trying to configure it over Terminal Server, but I don't know.

Basically, I go through the wizard and it says: "Starting Routing Service" (or whatever it tries to start) and then Terminal Server hangs and I can't get back in.  If I log on locally to the box, it can't talk to any of the other computers on the network.  The SMTP and POP servers running on my mail server (qmail running on linux) on the same segment of the network also fail to function properly.  Other services such as HTTP and SSH on that and other boxes continue to function properly.

I have to unconfigure VPN, reboot all servers and routers and clear all ARP tables before my network functions normally again.

Any Ideas?
Question by:kalliopi
23 Comments
 
LVL 25

Expert Comment

by:dew_associates
Kalliopi,

This may help you straighten this out.

http://www.microsoft.com/ISN/whitepapers/configur_vpn_solution.asp

Dennis
0
 
LVL 6

Author Comment

by:kalliopi
dew,

This was helpful, but the problem that I'm having is some sort of bug.  Simply configuring the VPN is causing immediate and serious interruptions on my network...

Thanx anyway though...
0
 
LVL 25

Expert Comment

by:dew_associates
Have you validated the modem connections, network cards etc. to ensure that you have a valid network and the resources for VPN?
0
 
LVL 9

Expert Comment

by:gregcmcse
I mentioned this in the other question too... but in case you're not tracking any longer:

You need to set the VPN dial-up connection NOT to use the default gateway on the remote network or it'll cut off your Internet (and/or local network) connection(s) for everything else.

Also, make sure your VPN connection is bound LAST -- right-click on "My Network Places" and select properties (in 2000) then select the "Advanced" drop down and then "Advanced Settings" and make sure your VPN connection is at the bottom.  Otherwise when your system tries to communicate outbound it'll try to use the VPN first.
0
 
LVL 6

Author Comment

by:kalliopi
Greg,

I'm back again - still trying to configure my VPN - so far - unsuccessfully.

On the server - as soon as I complete the VPN setup wizard, the network interface is essentially disabled and I can no longer access any network resources.  If I try to ping anywhere outside of my machine I get:

Host or destination unreachable...

Two errors are logged in my event log:

Event Source:     RemoteAccess
Event ID:     20082
The Remote Access Server could not reset lana 9 (the error code is the data) and will not be active on it.

Event Source:     RemoteAccess
Event ID:     20192
A certificate could not be found. Connections that use the L2TP protocol over IPSec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.

Any idea what might be going on?

0
 
LVL 9

Expert Comment

by:gregcmcse
OK... let's check a few things.  First, do you have a critical need to use L2TP or IPSec?  If not, let's disable them for the moment and concentrate on PPTP -- it's easier and doesn't require a machine certificate (which you have to buy or you have to configure certificate server on a server for -- not exactly the world's lightest topic by itself).

Disable L2TP by going to the Routing and Remote Access management console (under Administrative Tools), under the server's name, right-click "ports", "properties", "Wan Miniport (L2TP)", "Configure" and set "Maximum Ports" to 0.  You may get a warning when you click OK.

Disable IPSec by going to the Network control panel, select an adapter, right-click TCP/IP, Properties, Advanced, Options (last) tab, IP security, Properties, and set it to client (Respond only) or None.  You may have to do this for each network adapter -- but I don't THINK so.

Check the network settings I mentioned earlier in this topic.  Make sure they're right.

If the machine has more than one network adapter, make sure ONLY ONE has a Default Gateway configured.  Your Internet connection should be the adapter with the default gateway configured (and set to the router, firewall, or gateway on that segment).

If the RRAS server at your corporate network isn't set up to be a DHCP server or a DHCP relay agent, you'll need to make it a DHCP relay agent or set your WINS and DNS settings manually on your remote VPN connection.  If the RRAS server isn't a DHCP relay agent, the remote machines will get the IP address only from your DHCP server and they'll get the DNS suffix, WINS servers, DNS servers, etc. from your RRAS server's settings.  That can frequently be a problem.

I'm not 100% clear on which machine(s) you're having trouble with -- if this doesn't take care of things, please elaborate a little more on the setup.  Most of these items assume you're running the VPN wizard on the corporate server and that's the machine you're having difficulty with (although I've thrown in a couple other things in case you get past that or in case that's not it).


0
 
LVL 6

Author Comment

by:kalliopi
Here's what's going on.  The problem is ALL on the server - I never get as far as trying to have a client connect to it.  I have a brand new WIN2K server.  I select "Routing and Remote Access" and complete the wizard that pops up.  When the wizard completes it says "Completing final configuration" or something along those lines and then the service appears to be running - but all communication through the only network card on the box is disabled.  I can't get out and nothing else can get in.  I have disabled L2TP and IPSec and the problem persists.  I must be doing something wrong, cause I've tried it on different boxes and the problem is the same - but I can't for the life of me figure out what.  As far as I can tell, I'm doing everything "standard".  I'm relatively familiar with Network functionality and so forth - but I've never setup a VPN before.

A couple of specific questions:
1) Do I HAVE to use DHCP?
2) If so - how does it need to be configured?
3) I'm selecting a specific block of IP's for VPN clients, do I need to bind those IP addresses to the server or not?  I've actually tried it both ways and it doesn't affect my problem - but I don't know how it should be setup.

You can discard all of the previous information about my Routers and Mail - I think I've got that worked out (separate issue).  
0
 
LVL 9

Expert Comment

by:gregcmcse
You don't have to use DHCP, but I always have.  I presume you have DHCP set up on your network SOMEWHERE.  If so, all you need to do is install the DHCP relay agent on the RRAS server (see noted exception below).  Since you have only one network card, I'm presuming VPN traffic is getting to the box from a firewall or gateway of some type.

Note: Your RRAS server should NOT be a DHCP client itself!  The RRAS server should use a statically assigned IP address.  It should also NOT use an address reservation from a DHCP server.

Your remote connections, if they use DHCP, will be EXACTLY as if they're local computers on your network -- the RRAS server will obtain the lease and handle communications for them just like they had a network card physically attached to that subnet.  If your RRAS server uses IP 192.168.1.200 with a 255.255.255.0 mask, your VPN client should obtain a dynamic address on the 192.168.1.x subnet.

You should NOT bind the addresses in your static pool to the RRAS server if you use the static address option.  I'm pretty sure the same rule applies that the static addresses should be in the same subnet.

Last note:  You should make sure all other protocols (IPX/SPX, NetBEUI, etc.) are disabled or removed.  They don't play nice with VPNs.

*** NOTED EXCEPTION to first paragraph ***
1. If your DHCP server is on a different subnet AND
2. You have a REALLY old router between the subnets OR your router is configured to not relay BOOTP broadcasts THEN
3. You ALSO need to install a DHCP relay agent on the DHCP server subnet.

Basically, if other machines on the RRAS server's subnet can use DHCP, you don't need to worry about the exception.
0
 
LVL 6

Author Comment

by:kalliopi
As I understand it - DHCP is only involved when a client tries to connect.  I'm never getting that far - this issue is entirely server side.  The server that I'm testing this on is on a very simple network:

AT&T Digital Cable --> Cable Modem --> LinkSYS Router --> Single Network Card --> Windows 2000

There is only one other computer on the network and it's running Windows 98.  

Everything works fine - I can browse the net, check email, everything works.  Then I complete the VPN wizard and immediately upon completion of the configuration, the network connection drops and I can't get out anymore.  If I ping a public IP - it VERY QUICKLY replies:

>Pinging 207.195.171.1 with 32 bytes of data:
>
>Destination host unreachable.
>Destination host unreachable.
>Destination host unreachable.
>Destination host unreachable.

It happens so fast - it's not like it's actually trying.  It's like the network cable is unplugged.  I removed the NetBEUI protocol but that didn't help either.  If I stop the RRAS service, the network connection comes back.  But as soon as I start it - it drops off again.

Does this behavior make any sense?
0
 
LVL 9

Expert Comment

by:gregcmcse
Start RRAS, drop to a command prompt, issue a "ROUTE PRINT > routes.txt" command from the command prompt, open "routes.txt" with notepad, and cut and paste it here -- perhaps that will tell us what's going on.

Also, make sure the machine isn't set up to use itself as its default gateway.
0
 
LVL 6

Author Comment

by:kalliopi
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x4000002 ...00 20 78 e0 8a ea ...... PCI Bus Master Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0      255.255.0.0      192.168.1.2     192.168.1.2       1
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       1
        224.0.0.0        224.0.0.0      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

I am using non-internet routable IP addresses, but I should still be able to configure the server, no?
0
 
LVL 9

Expert Comment

by:gregcmcse
Okay... I think I've found your problem.

On your RRAS server, your subnet mask under TCP/IP settings is set to 255.255.0.0 for the IP address 192.168.1.2 -- correct?

Check the subnet mask on your router.  I think you'll find that it's 255.255.255.0 for the IP address 192.168.1.1.

If so, your system is using the wrong subnet mask.  Set your RRAS server's subnet mask to 255.255.255.0 and retry.
0
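The diagnosis above rests on reading the ROUTE PRINT dump: the directly connected network route (gateway and interface both equal to the adapter's own address) reveals the mask the adapter was configured with, and a /16 on a LAN whose router uses /24 means the host will ARP directly for every 192.168.x.y address instead of sending cross-subnet traffic to the router, which is exactly the kind of mask mismatch that shows up as ARP and reachability trouble. The following Python script is an added example, not code from the thread or from Microsoft: it parses the route print output kalliopi posted (embedded here as constructed test input), recovers the connected subnet, the default gateway and the host's local addresses, and compares them with the router's mask and address, which are supplied as parameters (the /24 is gregcmcse's expectation for the LinkSys router, not a value the dump itself contains). The second dump, ROUTE_PRINT_FIXED, is constructed by rewriting the network route to /24 to show what the corrected host would print.

```python
import ipaddress

# Constructed sample: the "route print" dump posted in the thread, reproduced as test input
ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0      255.255.0.0      192.168.1.2     192.168.1.2       1
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       1
        224.0.0.0        224.0.0.0      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

# Constructed variant: the same host after the adapter mask is corrected to 255.255.255.0
ROUTE_PRINT_FIXED = ROUTE_PRINT.replace(
    "192.168.0.0      255.255.0.0", "192.168.1.0    255.255.255.0")

HOST_MASK = ipaddress.IPv4Address("255.255.255.255")
LOOPBACK = ipaddress.IPv4Address("127.0.0.1")


def parse_active_routes(text):
    """Return (routes, default_gateway) from a Windows 2000 'route print' dump.
    Header, separator and 'Persistent Routes' lines are skipped because they do
    not split into four addresses plus a metric."""
    routes, default_gw = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[:2] == ["Default", "Gateway:"]:
            default_gw = ipaddress.IPv4Address(parts[2])
            continue
        if len(parts) != 5:
            continue
        try:
            dest, mask, gw, iface = (ipaddress.IPv4Address(p) for p in parts[:4])
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append({"dest": dest, "mask": mask, "gateway": gw,
                       "interface": iface, "metric": metric})
    return routes, default_gw


def local_addresses(routes):
    """Addresses the host answers for itself: /32 routes via the loopback interface."""
    return {r["dest"] for r in routes
            if r["mask"] == HOST_MASK and r["interface"] == LOOPBACK
            and not r["dest"].is_loopback}


def connected_subnet(routes, iface_ip):
    """The directly connected network route for iface_ip: gateway and interface are
    the adapter's own address and the destination block contains it. Its netmask is
    the mask configured on the adapter."""
    for r in routes:
        if r["gateway"] == iface_ip and r["interface"] == iface_ip and r["mask"] != HOST_MASK:
            net = ipaddress.IPv4Network("%s/%s" % (r["dest"], r["mask"]), strict=False)
            if iface_ip in net:
                return net
    return None


def diagnose(text, iface_ip, router_ip, router_prefixlen):
    """Compare the host's routing state with the router's address and prefix length
    (assumed known from the router's own configuration) and list the mismatches."""
    iface_ip, router_ip = ipaddress.IPv4Address(iface_ip), ipaddress.IPv4Address(router_ip)
    routes, default_gw = parse_active_routes(text)
    subnet = connected_subnet(routes, iface_ip)
    findings = []
    if subnet is None:
        findings.append("no connected network route for %s" % iface_ip)
    else:
        if subnet.prefixlen != router_prefixlen:
            findings.append("mask mismatch: host uses /%d, router uses /%d"
                            % (subnet.prefixlen, router_prefixlen))
        if default_gw is not None and default_gw not in subnet:
            findings.append("default gateway %s is outside the connected subnet %s"
                            % (default_gw, subnet))
    if default_gw == iface_ip:
        findings.append("host uses itself as default gateway")
    if default_gw is not None and default_gw != router_ip:
        findings.append("default gateway %s is not the router %s" % (default_gw, router_ip))
    extras = local_addresses(routes) - {iface_ip}
    if extras:
        findings.append("additional local addresses: " + ", ".join(sorted(map(str, extras))))
    return {"subnet": subnet, "default_gateway": default_gw,
            "local_addresses": local_addresses(routes), "findings": findings}


if __name__ == "__main__":
    for label, dump in (("as posted", ROUTE_PRINT), ("mask corrected", ROUTE_PRINT_FIXED)):
        result = diagnose(dump, "192.168.1.2", "192.168.1.1", 24)
        print(label, "-> subnet", result["subnet"], "findings:", result["findings"])
```

Run against the posted dump it reports the /16 versus /24 mismatch and the extra 192.168.1.100 address bound to the host; against the corrected dump only the extra address remains. The same comparison can be run across a fleet by feeding each host's `route print` output and the known router configuration, which turns a one-off troubleshooting step into a repeatable baseline check.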
 
LVL 1

Expert Comment

by:Moondancer
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.11825818.html
http://www.experts-exchange.com/questions/Q.20121920.html
http://www.experts-exchange.com/questions/Q.20163396.html
http://www.experts-exchange.com/questions/Q.20173685.html
http://www.experts-exchange.com/questions/Q.20176642.html
http://www.experts-exchange.com/questions/Q.20184412.html
http://www.experts-exchange.com/questions/Q.20277149.html
http://www.experts-exchange.com/questions/Q.20277150.html
http://www.experts-exchange.com/questions/Q.20278200.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
 
LVL 1

Expert Comment

by:Moondancer
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101, Netminder or Mindphaser will return to finalize these if they are still open in 7 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20121920.html
http://www.experts-exchange.com/questions/Q.20163396.html
http://www.experts-exchange.com/questions/Q.20173685.html
http://www.experts-exchange.com/questions/Q.20176642.html
http://www.experts-exchange.com/questions/Q.20184412.html
http://www.experts-exchange.com/questions/Q.20277149.html
http://www.experts-exchange.com/questions/Q.20277150.html
http://www.experts-exchange.com/questions/Q.11825818.html
http://www.experts-exchange.com/questions/Q.20300602.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @7 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
 
LVL 9

Expert Comment

by:gregcmcse
I would wager that my answers solved the problem.  If you look at the ROUTE PRINT dump, it's clear that the netmask on the server was set to 255.255.0.0 and that's almost always wrong for a 192.168.x.y network.

My preference would be that kalliopi award the points to me and grade my efforts.  I don't know if that's likely, however.
0
 
LVL 6

Author Comment

by:kalliopi
No - I tried both sub-net masks and NEVER GOT THIS WORKING.  I am literally in the process of getting a NetScreen 100 Firewall, which includes a built in VPN server BECAUSE I NEVER GOT THIS WORKING.  I really do appreciate your help on this - seriously, but if points and a grade are for answers that successfully solve the problem, I'm sorry to say that they are not due here.  If they were, I would happily award the points.

0
 
LVL 25

Expert Comment

by:dew_associates
Well greg, had you dug into the problem at the basic level and not taken over the queue, kalliopi might have fared better.
0
 
LVL 9

Expert Comment

by:gregcmcse
dew_associates:  What would you have done differently?  I had no intention of taking over the queue -- my only aim was to help.  Is there an aspect of this problem you think I missed?

kalliopi:

I'm very sorry to hear you never got this working.  I agree with you 100% that you shouldn't award points or grades for problems not solved!  I merely assumed since you stopped responding that you had fixed the problem with the advice I gave you.

It sounds like it's too late to get it working for you now, but if that's wrong, or you'd like to take one more stab at it, try checking the following settings on the VPN server:

IP:  192.168.1.2
Mask:  255.255.255.0 (or whatever the router uses)
Gateway:  192.168.1.1 (which should be the IP address of the LinkSys router)

It looks like you have a secondary IP of 192.168.1.200 on this machine.  Did you try removing that?

Did you try making sure that you had all service packs and patches installed on the Windows 2000 server?
0
 
LVL 6

Author Comment

by:kalliopi
Greg,

I do have all the latest service packs installed, and still no go.  I am confident that this is a simple problem and that if I had done this before I would know that I'm overlooking something simple.  

Anyway - I do appreciate all of your suggestions, even though they were not ultimately successful. So...

ADMINISTRATORS,

Can you just split the points on this question between all of the participants?   Thanks and thank you all again for your help with this...
0
 
LVL 25

Accepted Solution

by:dew_associates (earned 75 total points)
Thank you kalliopi.

Some things to think about:

Setting up VPN is very straightforward on Windows 2000, as there is a wizard that does most of the work for you. Aside from granting permissions to users who need to dial in to the server, you must also decide the number of users who will be using VPN, the impact each will have on the server and the biggest concern, security. In answer to your earlier query, terminal server shouldn't be running (nor any other server types <generally> other than DNS) on the server to be used for VPN when there will be 5 or more users with a simultaneous connect. Another server impact issue is whether or not you intend to use EAP. EAP (Extensible Authentication Protocol) enables its security through Certificate Authority (CA) and SmartCard technologies, which provide mutual authentication of the client and the server.

Server/User impact is a large issue. You should be aware that when a client makes a VPN connection to a server, all (or almost all) TCP/IP traffic to and from that client will be routed through the server for the duration of the VPN connection. This WILL have an impact upon the performance of the server, dependent solely on the number of VPN connections and the way in which they are used.

When you decide on the maximum number of simultaneous connections you will allow, reserving a range of IP addresses within your subnet to accommodate them, bear in mind that you will need one more IP address than the maximum number, which is allocated to the server for its VPN interface. You can use several separate ranges if required and the addresses should be registered in the DNS in the usual way. It is also possible to use DHCP to allocate addresses, but it's not recommended.
 
You must ensure that the WINS and DNS configuration on the server that is being setup for VPN is correct before you start the actual VPN setup process. The reason for this is that when a user makes a VPN connection to your server, the VPN client PC will obtain and use WINS and DNS server details from the VPN server. In the case of WINS, the client will also register its NetBIOS name in the WINS database.
 
You should advise users to use computer names that are guaranteed unique (generally by incorporating part of your unit name in the computer name); renaming their computer if necessary.

While not essential, it is a good idea to give your VPN server an alias in the DNS, which will allow you to move it without affecting client configuration.
 
If you have your own departmental firewall, you need to allow the appropriate TCP port and specific IP protocol ID traffic to and from your VPN server.

When time permits, you may want to review this URL:

http://216.239.39.100/search?q=cache:KvXZLDicxOIC:www.microsoft.com/serviceproviders/whitepapers/configuring%2520a%2520vpn%2520solution.doc+%22configuring+vpn%22&hl=en&ie=UTF8

Dennis

0
 
LVL 1

Expert Comment

by:Moondancer
I am happy to split points for you, kalliopi, to all participants in this question thread and will do so shortly and report back with details.

Moondancer - EE Moderator
0
 
LVL 1

Expert Comment

by:Moondancer
Points have been split, one half awarded here and the other half here:

Points for gregcmcse -> http://www.experts-exchange.com/jsp/qShow.jsp?qid=20301722

I am happy to see that the collaboration effort does continue and that everyone is working to ensure that you get the solution you need.  Thanks to all.

Moondancer - EE Moderator
0