VPN help needed - XP client -> Internet -> Linux Gateway/Firewall -> Win 2000 Server

Hi everyone,

I need some help figuring out how to set up a VPN connection from home to a workplace.

This is what I've got:

I'm using XP Professional at home on ADSL.

At this workplace there is a Windows network (all are XP workstations logging onto a domain, and a Windows 2000 Server).
Protecting this network is a Linux firewall/gateway, which is VPN ready according to the manufacturers of the software.  It's Gateway Guardian VPN Edition from about a year ago.  So everything works in regards to the gateway (2 NICs obviously).  There is no domain name for the company so I have the IP address only, which is static on a cable modem.

What I need are some troubleshooting steps to help me figure out why I can't connect to it.  This is a new setup, nobody has ever even attempted to connect to it so it's not a matter of finding out why my home machine specifically won't connect.

To let you know, I haven't done anything for settings on the Windows 2000 Server machine, as it was just installed last week to replace an NT Server.  I've followed the steps on my XP Pro box here at home to create a new connection to my workplace, input the work IP address, and it tries to connect but I get an Error 800 saying the server is unreachable or security is not properly set up.

So if there's something I need to configure on the 2000 server machine to get VPN to work - that's what I'm after.  It's my belief that the Linux gateway simply allows the VPN connection through, but I'm foggy on what happens next.  I know my XP pro machine here would be assigned an IP address as if I was connected to that LAN.  My end goal is to use Terminal Services to remotely use MS Great Plains - but this VPN setup is first.

Any help would be appreciated.

A couple of questions first of all.

1) From having a quick look at the Gateway Guardian webpage it looks like all that does is a redirection or port forward to your W2K server. Is that right?

2) Did you want to set up VPN using PPTP (not encrypted) or L2TP (encrypted)?

PPTP is really easy to set up; L2TP requires a fair bit of tinkering and you will need to get a set of IPsec certificates, and that requires resolving domain names.

bigfish777Author Commented:
Thanks for your reply.

Yes, I believe you are right when you say Gateway Guardian just redirects or allows VPN traffic inside the network.  What I'm confused about is what happens after that.  I haven't set W2K server up in any way to deal with VPN connections - I'm thinking now that I should be doing this.

As for setting up PPTP or L2TP - if I can get the non-encrypted PPTP working I'd be happy.  Then I could maybe look into L2TP from there.  For now - I just want to get it to work.

So for that error message, maybe the GG firewall is set up fine and allowing the connection through, and then it's stopping at the W2K point because it's not setup to receive anything?

Again, my goal is to run a terminal services session, so I'm thinking I'll have to open a port or two on the GG box.  But first I'd like the VPN to work.

Thanks for any replies.
If you have Active Directory installed (your users log on to a domain) you need to use Routing and Remote Access on your Win2k server (located under Administrative Tools).  Once you have opened RAS you just right-click on your server name and configure.  It's a step-by-step process; it will ask you if you would like to use a range of IP addresses or use DHCP (recommended) so that the server assigns the IP.  You will also need to reconfigure each individual user that you would like to have remote access.

Hope this helps.


Hi Steve.

This is take two. I tried to post this before and explorer crashed :(

1) Go to Admin tool in Start and select Routing and Remote Access. On the left pane of the console that will open up you will have an icon representing your server. It has (local) written next to your server name.

On the Icon you will have either a red or green arrow. If it is Green Jump to step 3.

2) Right-click on the server and choose the Configure option. Here you can either use the wizard to set up your VPN (all 200 interfaces) or you can choose Manual. I prefer manual because the wizard has a tendency to do things you don't know about and may not like, e.g. set up filters etc. I'm not going to go through the wizard option as it is trivial to follow the instructions. Once you complete this part it will start up the services and you should have a green arrow on your server icon.

3) Right-click on the server again and select Properties. Check the following tabs.

General: Router, and LAN and demand-dial routing selected. Also select Remote access server.

Security: Both boxes should be on Windows (Authentication and Accounting).

IP: Enable IP routing and Allow IP-based remote access should both be ticked.

If you have previously set up RAS to dial in with a modem you may already have this set up; you may want to jump to 4 here. If you have a DHCP server already on the network it is probably best to choose DHCP in the IP assignment box. If not, you need to decide what addresses you are going to use. You can use a block from the same subnet as your network is already using, or you can use another subnet (like a 192.168.n.n address), but you may need to tinker with your firewall later and that is a completely different issue.

Once you have added the address range or selected DHCP you can check the other tabs, but nothing needs to be changed on them, and you can OK and return to the console.

4) If you expand the server tree on the left you will have a Ports icon. Left-click on it and you will see in the right pane that you have 5 PPTP and 5 L2TP ports automatically set up (200 if you used the wizard). Minimize the console for now.

5) You will now need to enable dial-up access for the user that you are going to use to dial in. You can do this from the user properties in Active Directory or in Manage Your Computer, Local Users and Groups. Normally ticking the Enable box will do.

6) Testing the VPN. The easiest way to do this is to set up a VPN client on the server itself; then you know that the VPN side of things works. Right-click My Network Places and select Properties. Double-click Make New Connection and select VPN through the Internet in the wizard. Enter your server IP. Choose everybody or just yourself (if you are greedy). Next. I don't recommend using Internet sharing, and for this test you must choose No. Done. Cancel the dial-up box.

7) Right-click on the new connection and choose Properties. Check the following tabs.

General: should have the IP of your server.

Security: Check Advanced. Click on Settings; Data Encryption should be Required (disconnect if server declines) and you should have 2 ticks: MS-CHAP and MS-CHAP v2.

Networking: Change the type of VPN to PPTP (this is just to force things)

You can now OK everything and try dialing up the VPN using the user account details that you OK'd to dial up in step 5.

You will see the usual "registering network" etc. that you get with a dial-up if all goes well. If you get an unauthorised or security-type error, double-check your user settings in Active Directory or Manage Your Computer.

If all is well and you type ipconfig [Enter] at a command prompt you will get something along the lines of:

Windows 2000 IP Configuration

Ethernet adapter Intel:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

PPP adapter Virtual Private Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

Once you get this you can kill the connection.

You can also test it from another computer on the ethernet network by doing steps 6 and 7.

Now this is the part where I speculate. I can give you an idea but I'm not sure because I haven't used your firewall. From what I saw on the website you will need the IP of your ADSL connection at home (i.e. outside the firewall, and hopefully it is static) and the one of your server on the inside of the firewall. When you set up your VPN client at home (steps 6 and 7) your server IP will be the external IP of the firewall.

NOTES: If you need to access the internet through your VPN connection (that means you VPN to the server and then through the office network go back out to the internet through the firewall) and you have added a new subnet in step 3, you will most likely need to add new routes in your firewall so that it knows where to find the new subnet, and also add rules saying that the new subnet is legitimate and should be allowed out.

I may have left something out but hopefully not. Let me know how it goes.


PS Wish me luck I'm about to hit the submit button again.
Just so you don't waste your time: as of yet, Windows 2000 cannot be an L2TP over IPsec VPN server if it is on a NAT network.  Here is the reference:


Supposedly, they will fix this in Server 2003 or maybe a 2000 service pack, but for now it can't be done.  You should be able to get PPTP working though.
bigfish777Author Commented:
Thanks for the replies guys.  I am going to that workplace today and will try this stuff out.  I'll let you know what happens.

bigfish777Author Commented:
Ok here is the update:

Today I followed TroutOZ's instructions of configuring the W2K server.

Two things to note there.  When I was configuring it with the wizard to be a VPN server, I got to the screen where it asks which interface I wanted to use for the VPN server to access the Internet.  There were two options: no Internet available, or LAN, and it described the NIC in the machine.  I chose LAN at first but it prompted an error saying that I needed two interfaces to be able to set up a VPN server.  Does that mean I need two NICs in the machine?  Anyways, I chose the other option saying no Internet available and the wizard completed.

Then I tested a VPN connection on the server, as TroutOZ suggested, and was prompted with a Network Protocol connection result window.  It said TCP/IP connected successfully, but NetBEUI CP reported error 640 and an error occurred involving NetBIOS - but I had the option of proceeding and clicked Accept.  It seemed to connect fine then, and I was connected and checked ipconfig /all settings and it looked similar to what TroutOZ had written.  One thing to note was I had a 169.x.x.x IP address for the VPN, not a 192.168.x.x.  Not sure about that.  Then I tested it from another PC on the LAN and this time I didn't get that NetBEUI error and it seemed to work fine, again with a 169.x.x.x address.

Now I'm at home and tried to connect but it won't work.  I get Error 678:  The remote computer did not respond.  So at least it's a different error  :-)

Anyways, that's the latest.  If anyone can help me that'd be great.

Thanks again.
mmm... As I said, I don't like the wizards because they do strange things :)

You did the right thing on the card question. It's a bit confusing but what it is asking you is "if the machine is connected to the internet, which interface will get me there?" In your case you only have one interface so the choice is
- no internet or
- the internet is accessible through the interface.

The error 640 you are getting is because NetBEUI and Data Encryption appear to be incompatible, or at least they were back on NT 3.50. The only reference that made sense in the MS Knowledge Base was Q132169. You could try unbinding it from the VPN stack on the clients; that should stop the client from trying to negotiate it. See the following article for instructions, but basically you need to untick a couple of boxes in the Networking tab of your VPN connection properties for the client.


It sounds like you can't get an IP address from DHCP or from the address range provided in the IP tab in the server properties. The 169.254.x.x is issued when it can't negotiate an IP from the server or DHCP times out (the address is part of the Automatic Private IP Addressing or APIPA block; because Windows needs to bind an IP address to each IP adapter or fall in a heap, it uses one from this block).

Double-check the Server Properties and make sure you have all the settings right on the IP tab (step 3 in the previous post). If you chose DHCP, make sure you have the right address for the server and make sure the DHCP server is running. If you did use DHCP and it is still playing up, try not using DHCP; use a fixed block of IP addresses on a different subnet, so if you are using 192.168.0.x for your office network try using a block of 192.168.1.x for your VPN. Once again set it up as per step 3 in the previous post.

Now the last problem, and this will be the hardest to solve. From your home, the 678 error means the server didn't answer. This could mean the firewall is dropping your packets, or it is passing the packets to your office LAN but they get lost inside your network.

You need to double check your firewall rules.

If you have shell access to the firewall you can try either (depending on what version of the Linux kernel is running):

1) ipchains -L -n |grep 1723
2) iptables -L -n |grep 1723

If the first one gives an error try the second one. Basically what the above command does is dump the firewall rules and look for the number 1723; if it finds it, it will print the whole line to the screen. (Sorry if you know *nix and this sounds stupid, but I don't know how much you know.) 1723 is the TCP port used by PPTP to set up the tunnel.

If your firewall does not have at least one rule that mentions 1723 then there is your problem; most firewalls are set up to drop all packets by default (i.e. not answer) so it will need a rule to say "yes, these packets are allowed".

If it does return one or more lines, somewhere along it should say -j ACCEPT, one would hope, which means the packet is allowed in.

If it doesn't return any rules you might want to read any documentation you have on Gateway Guardian VPN Ed.

Other things you can try to diagnose it are:

Depending on how well you know Linux, try using a packet sniffer (tcpdump) on the external interface. See if you can see any TCP packets on port 1723.

If you are going to try this you might want to set up a PC or a laptop with a modem at the office, dial up to an ISP, and start your VPN from that machine. Also you might want to do this after hours when there isn't too much traffic coming into the firewall (tcpdump can generate heaps of data).

If packets are getting to the external interface then you can try looking for the same packets on your server interface; you will need Network Monitor on your server (it comes with the server disk and can be installed from Add/Remove Windows Components under Management & Monitoring Tools).

I can walk you through in more detail if need be, but I need to know how far you want to take this and what your level of know-how is.

Best of luck Steve.
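A way to run the firewall check from the two posts above (the speculation that the gateway has to forward the VPN to the inside server, and the ipchains/iptables grep for 1723) as a script rather than by eye. This is an added example, not code from the thread or from Gateway Guardian. One caveat the thread does not spell out: PPTP needs two things through the gateway, TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunnelled data. A rule that passes 1723 alone is the classic half-configured case, and the client then hangs or fails with the "did not respond" errors seen here. The script takes a rule dump as text and reports which of the two is missing. The embedded rule dumps are constructed to look like `iptables -L -n` and `iptables -t nat -L -n` output; the addresses 203.0.113.5 and 192.168.0.10, the chain layout and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.  Audits an iptables rule dump
# for the two things a PPTP tunnel needs to get through a Linux gateway to a
# server behind it:
#   1. TCP port 1723, the PPTP control connection, and
#   2. IP protocol 47 (GRE), which carries the tunnelled PPP frames.
# The dumps below are CONSTRUCTED to look like `iptables -L -n` plus
# `iptables -t nat -L -n` output; 203.0.113.5 (outside) and 192.168.0.10
# (inside server) are placeholders.  On a real gateway feed in the live dump:
#   pptp_passthrough_status "$(iptables -L -n; iptables -t nat -L -n)"

SAMPLE_RULES_OK='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.10         tcp dpt:1723
ACCEPT     47   --  0.0.0.0/0            192.168.0.10

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            203.0.113.5          tcp dpt:1723 to:192.168.0.10:1723
DNAT       47   --  0.0.0.0/0            203.0.113.5          to:192.168.0.10'

# The same dump with the GRE rules left out: the common half-configured case.
SAMPLE_RULES_NO_GRE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.10         tcp dpt:1723

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            203.0.113.5          tcp dpt:1723 to:192.168.0.10:1723'

# Print every rule line that mentions 1723 as a whole number (so 17230 or
# 11723 do not count).  Exit status 1 when there are none, like grep.
pptp_control_rules() {
    printf '%s\n' "$1" | grep -E '(^|[^0-9])1723([^0-9]|$)'
}

# Print every rule whose protocol column is GRE.  `iptables -L -n` shows the
# number 47 because -n suppresses the /etc/protocols lookup; the name is
# matched too for dumps taken without -n.
pptp_gre_rules() {
    printf '%s\n' "$1" | awk '$2 == "47" || $2 == "gre"'
}

# Summarise whether the dump lets PPTP through.  Only ACCEPT and DNAT targets
# count: a rule that mentions 1723 with a DROP target is not "allowed".
# Prints one of: ok, missing-gre, missing-1723, missing-both.
pptp_passthrough_status() {
    dump=$1
    ctl_count=$(pptp_control_rules "$dump" | grep -Ec 'ACCEPT|DNAT' || true)
    gre_count=$(pptp_gre_rules "$dump" | grep -Ec 'ACCEPT|DNAT' || true)
    if [ "$ctl_count" -gt 0 ] && [ "$gre_count" -gt 0 ]; then
        echo ok
    elif [ "$ctl_count" -gt 0 ]; then
        echo missing-gre
    elif [ "$gre_count" -gt 0 ]; then
        echo missing-1723
    else
        echo missing-both
    fi
}

# tcpdump filter for the external interface (interface name eth0 assumed):
# the control connection and the GRE packets that must follow it.  If you see
# the SYN to 1723 but no protocol-47 packets, the data path is what is blocked.
PPTP_TCPDUMP_FILTER='tcp port 1723 or ip proto 47'
# Usage on the gateway:  tcpdump -n -i eth0 "$PPTP_TCPDUMP_FILTER"

echo "sample with GRE rules:    $(pptp_passthrough_status "$SAMPLE_RULES_OK")"
echo "sample without GRE rules: $(pptp_passthrough_status "$SAMPLE_RULES_NO_GRE")"
```

Run it as-is to see both verdicts on the constructed dumps, then substitute the live dump. The same GRE point applies to the Windows side: if the gateway only port-forwards 1723 to the W2K box, the GRE packets never reach RRAS and the client stalls after the control channel comes up.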


bigfish777Author Commented:
Hi everyone,

Well here is the latest...

It turns out this gateway/firewall called Gateway Guardian actually has a VPN server built in to it... so I've kind of been going at it the wrong way by configuring W2K as the VPN server.  I still haven't gotten it to work right yet, but I need to run a configuration tool called Inferno to build the floppy disks that load up the Gateway Guardian.  In there are some settings like a 'shared secret' and stuff.  Then here at home I'm supposed to set up an IP Security Policy and hard-wire in IP addresses for the VPN server and my local machine (which I'm not sure how my dynamic ADSL IP address will work with).

So ya, if anyone knows anything about this Gateway Guardian VPN edition let me know.

As for the points, If nobody gives any useful comments in the next day or two I'll be awarding them then.

Hey Steve,

Unfortunately I can't help you out with that specific product. At least you know now how to set up W2K :)

Best of luck.

bigfish777Author Commented:
Thanks for your help.