MelvinSE

asked on

VPN Server/connection issues with VPN

I've got a few issues, so I'll just rattle them all off in hopes for some help.

Running a Win 2K Server as a domain MEMBER of an NT4 domain.  Active Directory is NOT running.  The 2K Server has ONE NIC.  Our firewall is configured to allow PPTP packets (GRE AND PPTP) through to the Win 2K machine.  The 2K box is running RAS and it is configured (I think) properly according to all the white papers I've read.  On the NT4 PDC, I give the user account dial-in privileges.  When I try to connect from the internet, I get an "Error 721" message.  From what I've read, this is probably caused by the server not being able to assign the client an IP address.  I did set up a static address pool.  I can ping the public IP address from the internet.  The VPN Client connection finds the server and asks for a user name and password.  Once those are entered, I get the error after about 20 seconds.  I know this is a relatively common problem, but I haven't found any sites with an actual solution.  Maybe I'm not configured correctly considering my situation with one NIC, no Active Directory and an NT 4 network.  My IP address pool is a group of addresses on my company's LOCAL subnet.  Is that wrong?  Should I make the VPN address pool its own subnet?  I don't even know if that's the problem.  This configuration is a first for me, so any help is appreciated.
MelvinSE

ASKER

As a continuation...

I have read that the "721" error could be caused by the router not forwarding GRE packets properly.  However, in the router log, it says it saw and accepted the GRE protocol packets and forwarded them to the proper address (from the router IP to the VPN public IP).  The router correctly caught them when they hit the router and forwarded them to the VPN server's public address.  But, the router is running NAT, so I'm thinking that maybe the packets don't get translated properly to the INTERNAL address of the VPN server and remain unforwarded.  Is this a correct assumption?
ASKER CERTIFIED SOLUTION
infotrader

Would setting up an L2TP VPN work in this scenario?  The documentation on the FlowPoint firewall doesn't mention PPTP, but it does say L2TP.
Yes...  If you are using RRAS on Win2K / 2k3 server, then L2TP is also supported.  It is a little bit harder to configure, which is why I mentioned PPTP instead.

- Info
As I start reading up on L2TP installs, I'm reading that using L2TP with NAT (L2TP/IPSec NAT-T) is NOT supported on Win 2K Server.  At least, that's what one of the Microsoft White Papers said.

Now, there is an update from Microsoft regarding L2TP/IPSec NAT-T, but it only mentions "Windows 2000" as a target operating system.  Should I assume they mean Server versions as well, or is it just for the workstation versions?  I'm thinking it's only for workstations.  Which, of course, is a problem.
Tim Holman
PPTP or IPSEC is the way to go here.
You are correct in using a pool from the LOCAL subnet, otherwise clients wouldn't know where to route to.
Do the events logs shed any light ?
Also, what firewall do you use, as most come with VPN functionality these days so we could hammer out a solution based around that maybe ?
I'm using CheckPoint VPN-1/Firewall-1, which indicates it supports IPSec/IKE.  As long as that L2TP/IPSec NAT-T update works on Windows 2000 Server, then I think I'll be able to get it working.

When testing the PPTP/GRE VPN, I would get one inbound PPTP and one inbound GRE packet that was passed from the router interface to the external IP interface of the VPN server.  I'm pretty sure that's where it got stuck (when NAT took over to translate the packet and send it to the internal network) because there were no other PPTP packets after that.
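A small log check for the symptom described in this post (an added example, not code from the thread or any of its participants): it parses firewall log lines in a simplified "ACTION PROTO SRC -> DST" format and reports, per remote peer, whether the TCP/1723 control channel and GRE (IP protocol 47) were seen in both directions, so a one-way GRE flow through NAT stands out. The log format, the addresses and the server IP are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (assumed format, not from the thread). Peer .10 gets GRE in
# but nothing back (the pattern in the post above), .20 has GRE dropped, .30 is a healthy session.
SAMPLE_LOG = """\
ACCEPT tcp 203.0.113.10:51234 -> 198.51.100.5:1723
ACCEPT tcp 198.51.100.5:1723 -> 203.0.113.10:51234
ACCEPT gre 203.0.113.10 -> 198.51.100.5
ACCEPT tcp 203.0.113.20:40000 -> 198.51.100.5:1723
ACCEPT tcp 198.51.100.5:1723 -> 203.0.113.20:40000
DROP gre 203.0.113.20 -> 198.51.100.5
ACCEPT tcp 203.0.113.30:40001 -> 198.51.100.5:1723
ACCEPT tcp 198.51.100.5:1723 -> 203.0.113.30:40001
ACCEPT gre 203.0.113.30 -> 198.51.100.5
ACCEPT gre 198.51.100.5 -> 203.0.113.30
"""
# host may carry a :port (tcp lines); gre lines have no port, so the port groups are optional
LINE_RE = re.compile(r"^(ACCEPT|DROP)\s+(tcp|gre)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")

def diagnose(log_text, server_ip, pptp_port="1723"):
    """Classify each remote peer by which legs of a PPTP session the log shows passing."""
    flags = defaultdict(set)  # peer ip -> subset of {ctl_in, ctl_out, gre_in, gre_out, gre_drop}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        action, proto, src, sport, dst, dport = m.groups()
        if proto == "tcp" and action == "ACCEPT":
            if dst == server_ip and dport == pptp_port:
                flags[src].add("ctl_in")   # client -> server control channel
            elif src == server_ip and sport == pptp_port:
                flags[dst].add("ctl_out")  # server -> client control channel
        elif proto == "gre":
            if dst == server_ip:
                flags[src].add("gre_in" if action == "ACCEPT" else "gre_drop")
            elif src == server_ip and action == "ACCEPT":
                flags[dst].add("gre_out")  # return GRE is what NAT most often loses
    verdicts = {}
    for peer, f in flags.items():
        if not {"ctl_in", "ctl_out"} <= f:
            verdicts[peer] = "no TCP/1723 control channel"
        elif "gre_drop" in f or "gre_in" not in f:
            verdicts[peer] = "GRE (IP protocol 47) not permitted inbound"
        elif "gre_out" not in f:
            verdicts[peer] = "GRE inbound only, no GRE reply: NAT/firewall not passing return GRE (error 721 pattern)"
        else:
            verdicts[peer] = "ok"
    return verdicts

RESULT = diagnose(SAMPLE_LOG, "198.51.100.5")  # {peer ip: verdict}
```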
SOLUTION
Yeah, that's right.  I'm leaning towards not setting up an IPSec VPN, though.  While it may be secure and possible through our current hardware, it needs some serious configuration time (certificate servers and the like).  Plus, the fact that I'm not running AD on the Win2K Server box that is serving the VPN may be a problem (although I'm not sure).  The PDC is still NT4 SP6.

I looked at the SecuRemote software for the CheckPoint box, but a) the software I have to work with is old (v4.1), b) I can't find the original CD since the previous IT director left and c) to get all the probable upgrades to the software, CheckPoint charges an overabundance of money.  Not something the higher-ups will enjoy hearing.  I'm having such a fun time with this, can't you tell?

I'm thinking about just giving up and going with OWA at this point.  It's my third option and even though it's limited, at least it will be simple for the end users, and all they really want at this point is to read and send their mail.
You don't need certs for IPSEC - you can use pre-shared secrets !

If users only need email, then OWA is fine.  No need to overdo it.. and besides, opening up your network to VPN clients means that VPN clients can back-infect or hack your core networks if they become compromised.

Only give users what they need !

Of course, this means taking on the different headaches of installing IIS on the server.  Did I mention I love Microsoft?
Here's a link for you:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;240262

According to this Microsoft article, Microsoft does not openly "support" L2TP because they think IPSec is the way to go.  HOWEVER, you can do it using a preshared key for L2TP if you follow their instructions.

- Info
I'm calling in the ISP consultant, but both of you guys helped.  I know quite a bit about VPNs, but with the equipment and software being so much older, it's time to get some outside help.  I split the points as evenly as possible, giving the extra to Tim for the pretty diagram.  ;-)

Thanks guys!
Any chance you got this resolved? I am having the same problem, and have spent days searching the internet for any clues.

At home I have my test Windows 2003 server box hosting remote access services

At home I have an ADSL connection, connected via a d-link 504 router which supports IPSec and PPTP passthrough.

The router has the following ports open:
  3389 for terminal services
  1723 for PPTP
  21 for FTP
  110 for POP
  25 for SMTP
UPnP is enabled

Establishing a VPN connection via PPTP on the internal LAN works fine, as does connecting from the outside with the DMZ configured and pointing to my server

However, when I remove the DMZ the VPN connection only gets as far as "verifying username and password", then the connection times out

I am testing this connection from a Windows XP Pro laptop from another site; the laptop connects via a Belkin router. No ports are forwarded on the Belkin router and UPnP is enabled. Enabling DMZ on the Belkin router makes no difference, it still hangs at the same place.

All of this leads me to believe it's something to do with packet routing on my home router, the router to which the Windows 2003 server is connected

I am connecting from
I am also experiencing the same problem with a D-Link DI-604 broadband router. Error 721 is returned after I get "verifying username and password".  I have no problem at all if I use remote desktop to that same RRAS server. VPN can be established on the internal IP of the RRAS server easily.  I have been seeing "permit ip 47 gre". How do you permit or enable it on the broadband router?