• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1068

Error 678 when attempting to VPN through Speedtouch pro ADSL modem/router to SBS2003

Hi all,

I have got a really tight timeframe on getting this resolved (as I'm leaving on a plane this week and must be able to VPN back in!) so any immediate help will be most appreciated!!

PROBLEM: When attempting to VPN from a notebook PC through to a SBS 2003 server I am getting "Error 678: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for the error number".

A brief overview of my setup includes:
SBS Server 2003 with RAS VPN set up using the inbuilt wizards. The server has two network cards. The external card for the internet is set at 10.0.0.8. The default gateway is set to the Alcatel Speed Touch Pro ADSL router which is at 10.0.0.1. The Speed Touch also has an external static IP of 61.9.247.216. The internal network on the other NIC is set to 192.168.2.8, with all local workstations on this subnet getting their IPs and DNS through automatic DHCP assignment. The DNS gets set to 192.168.2.8.

For testing purposes I took a notebook and configured it with a static IP of 10.0.0.100 with a default gateway of 10.0.0.1 and a DNS that points to bigpond (external ISP)'s DNS server. I then plugged it directly into the Speedtouch Pro so that it would be "on the external side of the network" just as it would if I was physically remote. I confirmed that I was able to access the internet directly through the Speedtouch and not through my SBS 2003 server. I set up a VPN connection on the notebook (Win XP Pro) pointing to 61.9.247.216 and checked the additional box under Properties, Options for "Include Windows login domain" in accordance with Microsoft's knowledge base (I also tried without this with no difference in result). When attempting to connect I get the Error 678.

My thoughts were that the problem was probably with the Speedtouch ADSL router so I turned my attention and research to that. After researching many threads around the net I realised that I needed to punch a few holes in the router through NAT to be properly set up for VPN.

I telnetted into the Speed Touch Pro (through 10.0.0.1) and did a NAT LIST. I found that neither port 1723 nor protocol 47 for GRE was set up. I added both to the NAT successfully and saved. There was no change to the error however.

I checked the SBS2003 server RAS VPN settings and all looked OK. Three policies were set up by default and I deleted two of them which I don't need. The other one related to users being in the remote security group to gain access via VPN. I checked to make sure that my user was part of that group, which it was. Therefore there were no other policies to restrict access, so I could rule out a policy causing the problem.

Even though I have SBS 2003 Premium I do not have Internet Security installed and further have the basic firewall in SBS turned off for the purpose of testing this issue. I further disabled the firewall in the Speed Touch ADSL router (although this was a command that I found on the internet but made no sense to me as NAT is still set up and functioning?) and also disabled the Trend firewall on the client notebook PC to ensure from all accounts that there were no firewall issues causing the error. However even with all this protection turned off the problem still remains.

I thought I would try setting up HTTPS web access to Exchange and remote services, however when attempting to put in both (https://) URLs for these they also failed. (I had already punched more holes in the firewall for these services including ports 80, 443 and 4125.)

I find it suspicious that web access doesn't work either. It's almost like the Speedtouch is simply refusing to reroute these ports and protocol 47 correctly. I read up on a technique of turning the Speed Touch into a transparent bridge and then setting up SBS2003 to do the ADSL dialing, however I'd rather not go down this route as I'd like to keep the firewall features of the Speedtouch in place (although I appreciate that through an 'IP' command I 'apparently' have the firewall off on the Speedtouch at present).

By the way, normal pinging to 61.9.247.216 is successful, but again this is just to the Speedtouch ADSL router so I feel like the forwarding to the SBS2003 box is not happening for some reason.

Here is the detailed setup of the Speedtouch which I believe to be the issue here although I'm open to suggestions!!!

Alcatel Speedtouch Pro setup as follows (From Web interface):

Initial Setup:
IP address: 10.0.0.1
subnetmask 255.255.255.0

Phonebook:
Bigpond  VPI:8 VCI:35 Type:PPP Usage:Confirmed

PPP Dial-in Connections:
(None).

Routing:
IP ADDRESS TABLE
Intf      Address         Netmask          Type   Transl
BigPond   61.9.247.216    255.0.0.0        Auto   pat
eth0      10.0.0.1        255.255.255.0    User   none
loop      127.0.0.1       255.0.0.0        Auto   none

IP ROUTE TABLE:
Destination         Source        Gateway        Intf
10.0.0.0/24         10.0.0.0/24   10.0.0.1       eth0
61.9.247.216/32     any           61.9.247.216   BigPond
10.0.0.1/32         any           10.0.0.1       eth0
127.0.0.1/32        any           127.0.0.1      loop
255.255.255.255/32  any           10.0.0.1       eth0
10.0.0.0/24         any           10.0.0.1       eth0
default             10.0.0.8/0    61.9.247.216   BigPond

PPP:
Name      Encap    Mode        State   Status
BigPond   vc-mux   always-on   up      on

PPP CONFIG:
Authentication
 User :   (myname@static.bigpond)
 Password :  *******
 
Routing
 Connection Sharing:  Everybody
 Destination networks All networks
 Specific network  (Blank)
 Address translation (NAT-PAT)  (checked)
 Primary DNS  10.0.0.8   Secondary DNS  (none)
 
Options
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)

CIP Interfaces:
(none)

CIP Connections:
(none)

PPTP Connections:
(None)

Bridging Ports:
(none)
Aging: 300 seconds

DHCP:
NO DHCP

DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)

DNS hostname table:
[Hostname]        [address]
SpeedTouch       own address

Upgrade:
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)

When telnetting in to the Speed Touch router and doing a NAT LIST you get the following:
Indx  Prot  Inside-address:Port  Outside-address:Port  Foreign-address:Port  Flgs  Expir  State  Control
   1     6  0.0.1.187:10         61.9.247.216:443      0.0.0.0:0                                 instance
   2     6  10.0.0.8:1723        61.9.247.216:1723     0.0.0.0:0                                 instance
   3    17  10.0.0.1:4672        61.9.247.216:4672     0.0.0.0:0                                 instance
   4     6  10.0.0.1:4711        61.9.247.216:4711     0.0.0.0:0                                 instance
   5     6  10.0.0.8:4125        61.9.247.216:4125     0.0.0.0:0                                 instance
   6     6  10.0.0.1:4662        61.9.247.216:4662     0.0.0.0:0                                 instance
   7    17  10.0.0.100:1029      61.9.247.216:10019    61.9.240.14:53        1     20     10
   8     6  10.0.0.1:4661        61.9.247.216:4661     0.0.0.0:0                                 instance
   9    17  10.0.0.1:4665        61.9.247.216:4665     0.0.0.0:0                                 instance
  10     6  10.0.0.8:61953       61.9.247.216:10026    67.19.96.18:80        1     1      6
  11    47  10.0.0.8:1           61.9.247.216:1        0.0.0.0:0                                 instance
  12    17  10.0.0.1:4672        0.0.0.0:4672          0.0.0.0:0                                 template
  13     6  10.0.0.1:4662        0.0.0.0:4662          0.0.0.0:0                                 template
  14     6  10.0.0.1:4661        0.0.0.0:4661          0.0.0.0:0                                 template
  15    17  10.0.0.1:4665        0.0.0.0:4665          0.0.0.0:0                                 template
  16     6  10.0.0.1:4711        0.0.0.0:4711          0.0.0.0:0                                 template
  17     6  10.0.0.8:1723        0.0.0.0:1723          0.0.0.0:0                                 template
  18    47  10.0.0.8:1           0.0.0.0:1             0.0.0.0:0                                 template
  19     6  10.0.0.8:4125        0.0.0.0:4125          0.0.0.0:0                                 template
  20     6  0.0.1.187:10         0.0.0.0:443           0.0.0.0:0                                 template

That's it. I don't know what else I can tell you. So far this problem has got me stumped - so much that I joined up to Experts Exchange when normally I would persevere searching on the net! So here goes, let's hope my membership purchase was money well spent!

Cheers.

0

Asked by: slater27

1 Solution

stressedout2004 commented:
In my opinion, you are testing your setup incorrectly. From your description, I gather your topology looks something like this:

(192.168.2.8)-SBS-(10.0.0.8)------(10.0.0.1)-Router-(61.9.247.216)---internet
                                      |
                                      |
            test_laptop(10.0.0.100)---+

From the SBS's perspective, your notebook is external. But from the router's perspective, it's still internal. To test, you should connect the VPN to 10.0.0.8 and not 61.9.247.216. Right now, you are trying to do a U-turn on the packet.

a) Test laptop initiates a VPN connection, source IP: 10.0.0.100 ; destination IP: 61.9.247.216
b) Router receives the packet, does a PAT and rewrites the IP header, source IP: 61.9.247.216:1723 ; destination IP: 61.9.247.216:1723

So as you can see, you are using the same IP for source and destination; it's like connecting to yourself. The router is probably dropping it.

All the other tests that you are doing such as HTTPS, remote services etc. on the SBS from your test laptop should point to 10.0.0.8 using the topology above and not to the public IP.

I have the same setup as you do, except that the hardware I use is different.

(10.1.1.1)--ISA 2004--(192.168.100.215)------(192.168.100.1)-PIX-(1.1.1.1)---internet-------PPTP_client
                                                  |
                                                  |
           PPTP_Client-(192.168.100.5)------------+


I have a static NAT on the PIX and I can connect both externally (internet) using the public IP assigned to the ISA 2004 and from the 192.168.100.x network using the 192.168.100.215 address.

I would say that you try the connection first to 10.0.0.8; if it doesn't work then that means we need to look more at the SBS config. Once that works, then the real test would be from the internet or from a test laptop connected on the external interface of your ADSL router.
0
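As an added example (not part of this thread, and not Speedtouch or Microsoft code), the script below does two things a practitioner would want to check against the answer above: it parses the `nat list` output quoted in the question and verifies that the two mappings PPTP needs (TCP/1723 and GRE, IP protocol 47) point at the SBS external NIC, and it models the router's decision for a packet arriving from the LAN side versus the Internet side, so the "U-turn" problem is visible as source == destination. The addresses are the ones from the question; the row subset, the function names and the 203.0.113.5 test client are constructed for the example.

```python
"""Added example (not from this thread): parse the Speedtouch `nat list` output
quoted in the question, confirm that TCP/1723 and GRE (IP protocol 47) are
forwarded to the SBS external NIC, and model why a connection from the LAN
side to the router's own public address is a hairpin/U-turn that a router
without NAT loopback cannot complete. Addresses come from the question; the
row subset and the helper names are constructed for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SERVER_IP = "10.0.0.8"        # SBS external NIC, from the question
PUBLIC_IP = "61.9.247.216"    # Speedtouch WAN address, from the question
LAN = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample: a subset of the `nat list` rows quoted in the question.
NAT_LIST = """\
Indx  Prot  Inside-address:Port  Outside-address:Port  Foreign-address:Port  Flgs  Expir  State  Control
   2     6  10.0.0.8:1723        61.9.247.216:1723     0.0.0.0:0                                 instance
  11    47  10.0.0.8:1           61.9.247.216:1        0.0.0.0:0                                 instance
  17     6  10.0.0.8:1723        0.0.0.0:1723          0.0.0.0:0                                 template
  18    47  10.0.0.8:1           0.0.0.0:1             0.0.0.0:0                                 template
  19     6  10.0.0.8:4125        0.0.0.0:4125          0.0.0.0:0                                 template
  20     6  0.0.1.187:10         0.0.0.0:443           0.0.0.0:0                                 template
"""


@dataclass(frozen=True)
class NatEntry:
    index: int
    proto: int                 # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE
    inside: tuple[str, int]    # LAN host:port the traffic is delivered to
    outside: tuple[str, int]   # public address:port seen on the WAN side
    foreign: tuple[str, int]   # remote peer (0.0.0.0:0 = any)
    kind: str                  # "template" = configured rule, "instance" = live mapping


def _addr(field: str) -> tuple[str, int]:
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_nat_list(text: str) -> list[NatEntry]:
    """Turn the telnet `nat list` dump into NatEntry records (header skipped)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        kind = "template" if parts[-1] == "template" else "instance"
        entries.append(NatEntry(int(parts[0]), int(parts[1]), _addr(parts[2]),
                                _addr(parts[3]), _addr(parts[4]), kind))
    return entries


def check_pptp_forwarding(entries: list[NatEntry], server_ip: str = SERVER_IP) -> dict:
    """Report whether the static rules cover PPTP, and flag rules whose inside
    address is not on the LAN (such a rule can never deliver a packet)."""
    templates = [e for e in entries if e.kind == "template"]
    return {
        "tcp1723": any(e.proto == 6 and e.outside[1] == 1723
                       and e.inside == (server_ip, 1723) for e in templates),
        "gre": any(e.proto == 47 and e.inside[0] == server_ip for e in templates),
        "suspicious": [e.index for e in templates
                       if ipaddress.ip_address(e.inside[0]) not in LAN],
    }


def route_packet(entries: list[NatEntry], src: str, dst: str,
                 proto: int, dport: int) -> tuple[str, str | None]:
    """Model the router's decision for one packet, as the answer above describes.
    Returns (action, next_hop) with action in route / hairpin / forward / drop."""
    if dst != PUBLIC_IP:
        return ("route", dst)               # not addressed to the WAN side at all
    if ipaddress.ip_address(src) in LAN:
        # U-turn: the packet came in on eth0 but targets the router's own WAN
        # address. Outbound PAT rewrites the source to PUBLIC_IP before any
        # inbound template is consulted, so source == destination.
        return ("hairpin", PUBLIC_IP)
    for e in entries:
        if e.kind != "template" or e.proto != proto:
            continue
        if proto == 47 or e.outside[1] == dport:   # GRE has no ports
            return ("forward", e.inside[0])
    return ("drop", None)


if __name__ == "__main__":
    rules = parse_nat_list(NAT_LIST)
    print(check_pptp_forwarding(rules))
    print(route_packet(rules, "10.0.0.100", PUBLIC_IP, 6, 1723))   # laptop on the eth0 side
    print(route_packet(rules, "203.0.113.5", PUBLIC_IP, 6, 1723))  # client on the Internet side
```

Run against the rows from the question, the check confirms both PPTP rules are present, reports the laptop's attempt as a hairpin, and lists row 20 as suspicious because its inside address 0.0.1.187 is not a 10.0.0.0/24 host; that is the 443 rule, so it is worth re-entering before testing HTTPS from a genuinely external client.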
TechDaddyT commented:
Having been to many forums for a similar problem (error 678), I ultimately found this rather obscure fix which helped many folk. Hope it does for yours. It may be that your connection is timing out due to the following change in Win XP SP2:

Summary:
"By default, computers that run Windows XP with Service Pack 2 and that initiate IPsec-secured communications ... no longer support using IPsec NAT-T to remote computers that respond to requests for IPsec-secured communication ... that are located behind a network address translator. This is to avoid potential security issues as discussed in the following Microsoft Knowledge Base article:
885348 (http://support.microsoft.com/kb/885348/) IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators"

The fix... add the following registry value on the client:
  - Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
  - Add a new DWORD Value "AssumeUDPEncapsulationContextOnSendRule" (case sensitive)
    - A value of 0 (zero/default) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators
    - A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
    - A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.

"After you configure AssumeUDPEncapsulationContextOnSendRule with a value of 1 or a value of 2, Windows XP SP2 can connect to a responder that is located behind a network address translator. This behavior applies to connections to a VPN server that is running Windows Server 2003."

Reference:
KB885407 - The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2
http://support.microsoft.com/kb/885407

Good luck...
0