slater27 asked:
Error 678 when attempting to VPN through Speedtouch pro ADSL modem/router to SBS2003
Hi all,
I have got a really tight timeframe on getting this resolved (as I'm leaving on a plane this week and must be able to VPN back in!) so any immediate help will be most appreciated!!
PROBLEM: When attempting to VPN from a notebook PC through to a SBS 2003 server I am getting "Error 678: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for the error number".
A brief overview of my setup includes:
SBS Server 2003 with RAS VPN set up using the inbuilt wizards. The server has two network cards. The external card for the internet is set at 10.0.0.8. The default gateway is set to the Alcatel Speed Touch Pro ADSL router, which is at 10.0.0.1. The Speed Touch also has an external static IP of 61.9.247.216. The internal network on the other NIC is set to 192.168.2.8, with all local workstations on this subnet getting their IPs and DNS through automatic DHCP assignment. The DNS gets set to 192.168.2.8.
For testing purposes I took a notebook and configured it with a static IP of 10.0.0.100, a default gateway of 10.0.0.1 and a DNS that points to Bigpond's (the external ISP's) DNS server. I then plugged it directly into the Speedtouch Pro so that it would be "on the external side of the network", just as it would be if I was physically remote. I confirmed that I was able to access the internet directly through the Speedtouch and not through my SBS 2003 server. I set up a VPN connection on the notebook (Win XP Pro) pointing to 61.9.247.216 and checked the additional box under Properties > Options for "Include Windows logon domain" in accordance with Microsoft's knowledge base (I also tried without this, with no difference in result). When attempting to connect I get the Error 678.
My thoughts were that the problem was probably with the Speedtouch ADSL router, so I turned my attention and research to that. After researching many threads around the net I realised that I needed to punch a few holes in the router through NAT to be properly set up for VPN.
I telnetted into the Speedtouch Pro (through 10.0.0.1) and did a NAT LIST. I found that neither port 1723 nor protocol 47 (GRE) was set up. I added both to the NAT successfully and saved. There was no change to the error, however.
I checked the SBS 2003 server RAS VPN settings and all looked OK. Three policies were set up by default and I deleted two of them which I don't need. The other one relates to users needing to be in the remote security group to gain access via VPN. I checked to make sure that my user was part of that group, which it was. Therefore there were no other policies to restrict access, so I could rule out a policy causing the problem.
Even though I have SBS 2003 Premium I do not have Internet Security installed, and I further have the basic firewall in SBS turned off for the purpose of testing this issue. I further disabled the firewall in the Speed Touch ADSL router (although this was a command that I found on the internet that made no sense to me, as NAT is still set up and functioning?) and also disabled the Trend firewall on the client notebook PC to ensure that, from all accounts, there were no firewall issues causing the error. However, even with all this protection turned off the problem still remains.
I thought I would try setting up HTTPS web access to Exchange and remote services; however, when attempting to put in both (https://) URLs for these they also failed. (I had already punched more holes in the firewall for these services, including ports 80, 443 and 4125.)
I find it suspicious that web access doesn't work either. It's almost like the Speedtouch is simply refusing to reroute these ports and the protocol 47 correctly. I read up on a technique of turning the speed touch into a transparent bridge and then setting up SBS2003 to do the ADSL dialing however I'd rather not go down this route as I'd like to keep the firewall features of the speedtouch in place (although I appreciate that through an 'IP' command I 'apparently' have the firewall off on the Speedtouch at present).
By the way normal pinging to 61.9.247.216 is successful but again this is just to the Speedtouch ADSL router so I feel like the forwarding to the SBS2003 box is not happening for some reason.
Here is the detailed setup of the Speedtouch which I believe to be the issue here although I'm open to suggestions!!!
Alcatel Speedtouch Pro setup as follows (From Web interface):
Initial Setup:
IP address: 10.0.0.1
subnetmask 255.255.255.0
Phonebook:
Bigpond VPI:8 VCI:35 Type:PPP Usage:Confirmed
PPP Dial-in Connections:
(None).
Routing:
IP ADDRESS TABLE
Intf     Address       Netmask        Type  Transl
BigPond  61.9.247.216  255.0.0.0      Auto  pat
eth0     10.0.0.1      255.255.255.0  User  none
loop     127.0.0.1     255.0.0.0      Auto  none
IP ROUTE TABLE:
Destination         Source       Gateway       Intf
10.0.0.0/24         10.0.0.0/24  10.0.0.1      eth0
61.9.247.216/32     any          61.9.247.216  BigPond
10.0.0.1/32         any          10.0.0.1      eth0
127.0.0.1/32        any          127.0.0.1     loop
255.255.255.255/32  any          10.0.0.1      eth0
10.0.0.0/24         any          10.0.0.1      eth0
default             10.0.0.8/0   61.9.247.216  BigPond
PPP:
Name     Encap   Mode       State  Status
BigPond  vc-mux  always-on  up     on
PPP CONFIG:
Authentication
User : (myname@static.bigpond)
Password : *******
Routing
Connection Sharing: Everybody
Destination networks All networks
Specific network (Blank)
Address translation (NAT-PAT) (checked)
Primary DNS 10.0.0.8 Secondary DNS (none)
Options
Local IP: none
Remote IP: none
Mode : always-on
Idle time limit : (none)
LCP echo(currently enabled)
PAP(currently disabled)
ACCOMP(currently enabled)
CIP Interfaces:
(none)
CIP Connections:
(none)
PPTP Connections:
(None)
Bridging Ports:
(none)
Aging: 300 seconds
DHCP:
NO DHCP
DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)
DNS hostname table:
[Hostname] [address]
SpeedTouch own address
Upgrade:
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)
When telnetting in to the Speed Touch router and doing a NAT LIST you get the following:
Indx  Prot  Inside-address:Port  Outside-address:Port  Foreign-address:Port  Flgs  Expir  State  Control
1     6     0.0.1.187:10         61.9.247.216:443      0.0.0.0:0                                  instance
2     6     10.0.0.8:1723        61.9.247.216:1723     0.0.0.0:0                                  instance
3     17    10.0.0.1:4672        61.9.247.216:4672     0.0.0.0:0                                  instance
4     6     10.0.0.1:4711        61.9.247.216:4711     0.0.0.0:0                                  instance
5     6     10.0.0.8:4125        61.9.247.216:4125     0.0.0.0:0                                  instance
6     6     10.0.0.1:4662        61.9.247.216:4662     0.0.0.0:0                                  instance
7     17    10.0.0.100:1029      61.9.247.216:10019    61.9.240.14:53        1     20     10
8     6     10.0.0.1:4661        61.9.247.216:4661     0.0.0.0:0                                  instance
9     17    10.0.0.1:4665        61.9.247.216:4665     0.0.0.0:0                                  instance
10    6     10.0.0.8:61953       61.9.247.216:10026    67.19.96.18:80        1     1      6
11    47    10.0.0.8:1           61.9.247.216:1        0.0.0.0:0                                  instance
12    17    10.0.0.1:4672        0.0.0.0:4672          0.0.0.0:0                                  template
13    6     10.0.0.1:4662        0.0.0.0:4662          0.0.0.0:0                                  template
14    6     10.0.0.1:4661        0.0.0.0:4661          0.0.0.0:0                                  template
15    17    10.0.0.1:4665        0.0.0.0:4665          0.0.0.0:0                                  template
16    6     10.0.0.1:4711        0.0.0.0:4711          0.0.0.0:0                                  template
17    6     10.0.0.8:1723        0.0.0.0:1723          0.0.0.0:0                                  template
18    47    10.0.0.8:1           0.0.0.0:1             0.0.0.0:0                                  template
19    6     10.0.0.8:4125        0.0.0.0:4125          0.0.0.0:0                                  template
20    6     0.0.1.187:10         0.0.0.0:443           0.0.0.0:0                                  template
That's it. I don't know what else I can tell you. So far this problem has got me stumped - so much so that I joined up to Experts Exchange when normally I would persevere searching on the net! So here goes; let's hope my membership purchase was money well spent!
Cheers.
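Before changing anything else on the router, the check a practitioner would want is whether TCP/1723 actually reaches a PPTP listener at all, since "Error 678" says only that nothing answered. The following Python probe is an added example, not code from the post above or from any Microsoft or Alcatel tool: it opens the PPTP control connection, sends a Start-Control-Connection-Request as laid out in RFC 2637, and turns what comes back (timeout, reset, silence, or a Start-Control-Connection-Reply) into a one-line diagnosis. The host name and vendor strings it sends, and the build_sccrp helper used to fabricate a reply for offline testing, are assumptions of the example, as is the default target address taken from the post.

```python
"""Probe a PPTP endpoint: does TCP/1723 reach a RAS server through the NAT?

Added diagnostic example (not from the original post). Run it from the
"outside" machine, i.e. the notebook, against the router's public address:

    python pptp_probe.py 61.9.247.216
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D          # RFC 2637 section 1.5
CTRL_MESSAGE = 1                   # PPTP message type: control message
SCCRQ, SCCRP = 1, 2                # Start-Control-Connection-Request / -Reply
MSG_LEN = 156                      # SCCRQ and SCCRP are both fixed 156-byte messages
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
RESULT_CODES = {1: "OK", 2: "general error", 3: "command channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname=b"probe", vendor=b"diag"):
    """Build a Start-Control-Connection-Request (hostname/vendor are arbitrary)."""
    return struct.pack(SCCRQ_FMT,
                       MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100, 0,            # protocol version 1.0, reserved
                       0x3, 0x3,             # framing: async|sync, bearer: analog|digital
                       0, 1,                 # max channels (0 = no preference), firmware rev
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def build_sccrp(result=1, error=0, hostname=b"sbs2003", vendor=b"Microsoft"):
    """Build a Start-Control-Connection-Reply; used only to fabricate test input."""
    return struct.pack(SCCRP_FMT,
                       MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                       0x0100, result, error, 0x3, 0x3, 0, 1,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError for anything that is not one."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _framing, _bearer, _max_chan, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("control message type %d, expected SCCRP" % ctrl_type)
    return {
        "result": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error": error,
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def classify(outcome, data=b""):
    """Map what the socket saw to a one-line diagnosis (separate so it is testable)."""
    if outcome == "timeout":
        return "no answer on TCP/1723: the port is not being forwarded (or is filtered)"
    if outcome == "refused":
        return "TCP/1723 reset: forwarding reaches a host, but nothing listens on 1723 there"
    if not data:
        return "connected, then closed without SCCRP: not a PPTP server, or cut mid-stream"
    try:
        info = parse_sccrp(data)
    except ValueError as exc:
        return "connected, but reply is not an SCCRP: %s" % exc
    return ("PPTP server answered (%(result)s, host %(hostname)r, vendor %(vendor)r, "
            "protocol %(version)s): TCP/1723 is fine, next suspect is GRE (protocol 47)" % info)


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection, send SCCRQ, read one SCCRP, return a diagnosis."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sccrq())
            while len(data) < MSG_LEN:       # SCCRP may arrive in more than one segment
                chunk = sock.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return classify("timeout")
    except ConnectionRefusedError:
        return classify("refused")
    except OSError as exc:                   # unreachable host, no route, etc.
        return "socket error before any PPTP exchange: %s" % exc
    return classify("reply", data)


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "61.9.247.216"))
```

Two caveats when reading the result. First, the probe only exercises the control channel; if it gets an SCCRP back, the 1723 forward in the NAT list is working and the remaining variable is protocol 47, which this script does not test. Second, the notebook in the post sits on 10.0.0.0/24, the router's own LAN side, so a connection to 61.9.247.216 from there depends on the Speedtouch hairpinning its own public address back in, which a router of that generation may not do; a result from a genuinely external host (a dial-up account, a friend's connection) is the only one that proves the path.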
ASKER CERTIFIED SOLUTION
Summary:
"By default, computers that run Windows XP with Service Pack 2 and that initiate IPsec-secured communications ... no longer support using IPsec NAT-T to remote computers that respond to requests for IPsec-secured communication ... that are located behind a network address translator. This is to avoid potential security issues as discussed in the following Microsoft Knowledge Base article:
885348 (http://support.microsoft.com/kb/885348/) IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators"
The fix: add the following registry value on the client:
- Locate HKEY_LOCAL_MACHINE\SYSTEM\
- Add a new DWORD Value "AssumeUDPEncapsulationCon
- A value of 0 (zero/default) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators.
- A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
- A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.
"After you configure AssumeUDPEncapsulationCont
Reference:
KB885407 - The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2
http://support.microsoft.com/kb/885407
Good luck...