unable to complete a VPN connection with Windows 2003 Server using RRAS

Hey everyone,

I've set our domain server that is running internally in our office to allow VPN connections remotely.  I have not done this before today.  I’ve got a Cisco 2610 that I’m routing with and I’ve forwarded ports 3389, 1723, 500, along with others to the 2003 server.  I have remote desktop access but want to allow VPN access to reduce license costs.  

I have the server set as a DHCP server with a scope of 10.0.0.50 – 10.0.0.75.  Most internal users are static assigned to their phone extension, so only having a handful of addresses is okay.  We’ll have about 6 people that are going to need the remote access, So when I set up the RRAS with the wizard, for this server named ICARUS, I told it to use Ips 10.0.0.70 – 75, since we won’t ever have that many DHCP clients in use at any one given time.  

I Remote Desktopped from the office back to my home and set a VPN connection up on the XP desktop.  It zzzzzoooms to the office and says that it’s verifying the username and password, but then disconnects.

Disconnected:
Error 721.  The remote computer did not respond….blabla.

Well it looks like it made it through the ports on the router, or did it?

I’m testing this with the administrator account for the server.  I haven’t added any permissions to the administrator’s account, nor have I messed with the GP objects, nor have I started anything in the RRAS management console.

I don’t want to go clicking on a lot of things because this server is the DNS server and domain controller for the office.

What might I be doing wrong here.

Thanks a ton for you help,
Inverted_2000
LVL 2
inverted_2000Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TheCleanerCommented:
Are you using IPSEC or PPTP?
MazaraatCommented:
If VPN traffic is traveling through a router or firewall, configure the router or firewall to pass PPTP (TCP Port 1723 and IP Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN server

found this reference on:
http://www.chicagotech.net/Q&A/vpn40.htm

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
inverted_2000Author Commented:
I think that both the server and test client are set to auto.  I would like to start with PPTP and when I get better with it use IPSec, but lets stick with the PPTP first please.

VPN traffice will be passing through the router.  Port 1723 is forwarded to the server's internal 10.0.0.152 address.

The server has some dual port NICs on it...so the one that the local LAN users use for DNS and domain is on 10.0.0.151...then I enabled one and placed 10.0.0.152 on the card and it works on the network.  In RRAS I said that NIC 10.0.0.151 is how the server gets online and NIC 10.0.0.152 is the interface for the VPN traffic.

Was that right?
CompTIA Security+

Learn the essential functions of CompTIA Security+, which establishes the core knowledge required of any cybersecurity role and leads professionals into intermediate-level cybersecurity jobs.

inverted_2000Author Commented:
I think I should have stated that NIC 10.0.0.152 is how the server gets online and 10.0.0.151 is how VPN accesses the LAN
MazaraatCommented:
on the cisco router have you also forwarded IP protocol 47(GRE)?
inverted_2000Author Commented:
no...but I can...should I port forward to the NIC on the server that I have 10.0.0.152 set as or the 10.0.0.151 NIC?
MazaraatCommented:
same place the VPN is forwarding to...make sure and read that link I attached above...it walks through what is needed to configure windows 2003 as vpn server
TheCleanerCommented:
inverted_2000Author Commented:
I'm followoing it...but do I don't have a NIC with a public IP address on the server.  Both are behind the router.  Is it going to work to have one of the NICs accept the VPN traffice while it is on the same Subnet as the server's internal NIC?

MazaraatCommented:
I had the same situation at a client location =)

Couldn't create the #&*^%@ connection so I asked a friend of mine (CCIE?) and he explained that in addition to forwarding the port I needed to forward the IP protocol 47 also....on any of the cheapo best buy routers you don't have to configure this, but on the better routers you do =)
MazaraatCommented:
forward GRE to the same IP as you are forwarding port 1723

TheCleanerCommented:
yeah, by default from what I understand the Cisco routers don't forward GRE packets with the PPTP packets.

See the sub-article from the above link:

How to use PPTP through a Cisco PIX

In order to use PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723.

inverted_2000Author Commented:
Okay then...I'm forwarding port 1723 to 10.0.0.152, since that is what I told RRAS I am going to use.

How is GRE forwarded...is it a port?  I'm not familiar with it.
TheCleanerCommented:
Forgot to mention, if you can get in and connected, but cannot get anywhere on the LAN then you may have to reconfigure your multihomed computer with the proper routes / IP forwarding.
inverted_2000Author Commented:
I got connected from within the LAN.  I had to check off for the administrator in AD that the user could use VPN.

Now if I can just tweeke the router (o:
MazaraatCommented:
Thanks! have a good weekend =)
TheCleanerCommented:
So i'm guessing it is working now?  Thanks for the points...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.