I have got a really tight timeframe on getting this resolved (as I'm leaving on a plane this week and must be able to VPN back in!) so any immediate help will be most appreciated!!
PROBLEM: When attempting to VPN from a notebook PC through to a SBS 2003 server I am getting "Error 678: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for the error number".
A brief overview of my setup includes:
SBS Server 2003 with RAS VPN setup using the inbuilt wizards. The server has two network cards. The external card for the internet is set at 10.0.0.8. The default gateway is set to the Alcatel Speed Touch Pro ADSL router which is at 10.0.0.1. The Speed Touch also has an external static IP of 184.108.40.206. The internal network on the other NIC is set to 192.168.2.8, with all local workstations on this subnet, which get their IPs and DNS through automatic DHCP assignment. The DNS gets set to 192.168.2.8.
For testing purposes I took a notebook and configured it with a static IP of 10.0.0.100 with a default gateway of 10.0.0.1 and a DNS that points to bigpond (external ISP)'s DNS server. I then plugged it directly into the Speedtouch pro so that it would be "on the external side of the network" just as it would if I was physically remote. I confirmed that I was able to access the internet direct through the speedtouch and not through my SBS 2003 server. I set up a VPN connection on the notebook (Win XP Pro) pointing to 220.127.116.11 and checked the additional box under properties, options for "Include Windows login domain" in accordance with Microsoft's knowledge base (I also tried without this with no difference in result). When attempting to connect I get the Error 678.
My thoughts were that the problem was probably with the Speedtouch ADSL router so I turned my attention and research into that. After researching many threads around the net I realised that I needed to punch a few holes in the router through NAT to be properly setup for VPN.
I telnetted into the speed touch pro (through 10.0.0.1) and did a NAT LIST. I found that neither port 1723 was setup nor protocol 47 for GRE. I added both to the NAT successfully and saved. There was no change to the error however.
I checked the SBS2003 server RAS VPN settings and all looked OK. Three policies were setup as default and I deleted two of them which I don't need. The other one related to users being in the remote security group to gain access via VPN. I checked to make sure that my user was part of that group which it was. Therefore there were no other policies to restrict access so I could rule out a policy causing the problem.
Even though I have SBS 2003 Premium I do not have Internet Security Installed and further have the basic Firewall in SBS turned off for the purpose of testing this issue. I further disabled the firewall in the Speed Touch ADSL router (although this was a command that I found on the internet but made no sense to me as NAT is still setup and functioning?) and also disabled the Trend firewall on the client notebook PC to ensure that from all accounts there were no firewall issues causing the error. However even with all this protection turned off the problem still remains.
I thought I would try setting up https web access to exchange and remote services however when attempting to put in both (https://) URLs for these they also failed. (I had already punched more holes in the firewall for these services including port 80, 443 and 4125).
I find it suspicious that web access doesn't work either. It's almost like the Speedtouch is simply refusing to reroute these ports and the protocol 47 correctly. I read up on a technique of turning the speed touch into a transparent bridge and then setting up SBS2003 to do the ADSL dialing however I'd rather not go down this route as I'd like to keep the firewall features of the speedtouch in place (although I appreciate that through an 'IP' command I 'apparently' have the firewall off on the Speedtouch at present).
By the way normal pinging to 18.104.22.168 is successful but again this is just to the Speedtouch ADSL router so I feel like the forwarding to the SBS2003 box is not happening for some reason.
Here is the detailed setup of the Speedtouch which I believe to be the issue here although I'm open to suggestions!!!
Alcatel Speedtouch Pro setup as follows (From Web interface):
IP address: 10.0.0.1
Bigpond VPI:8 VCI:35 Type:PPP Usage:Confirmed
PPP Dial-in Connections:
IP ADDRESS TABLE
Intf Address Netmask Type Transl
BigPond 22.214.171.124 255.0.0.0 Auto pat
eth0 10.0.0.1 255.255.255.0 User none
loop 127.0.0.1 255.0.0.0 Auto none
IP ROUTE TABLE:
Destination Source Gateway Intf
10.0.0.0/24 10.0.0.0/24 10.0.0.1 eth0
126.96.36.199/32 any 188.8.131.52 BigPond
10.0.0.1/32 any 10.0.0.1 eth0
127.0.0.1/32 any 127.0.0.1 loop
255.255.255.255/32 any 10.0.0.1 eth0
10.0.0.0/24 any 10.0.0.1 eth0
default 10.0.0.8/0 184.108.40.206 BigPond
Name Encap Mode State Status
BigPond vc-mux always-on up on
User : (firstname.lastname@example.org)
Password : *******
Connection Sharing: Everybody
Destination networks All networks
Specific network (Blank)
Address translation (NAT-PAT) (checked)
Primary DNS 10.0.0.8 Secondary DNS (none)
Local IP: none
Remote IP: none
Mode : always-on
Idle time limit : (none)
LCP echo(currently enabled)
Aging: 300 seconds
DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)
DNS hostname table:
SpeedTouch own address
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)
When telnetting in to the Speed Touch router and doing a NAT LIST you get the following:
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir State Control
1 6 0.0.1.187:10 220.127.116.11:443 0.0.0.0:0 instance
2 6 10.0.0.8:1723 18.104.22.168:1723 0.0.0.0:0 instance
3 17 10.0.0.1:4672 22.214.171.124:4672 0.0.0.0:0 instance
4 6 10.0.0.1:4711 126.96.36.199:4711 0.0.0.0:0 instance
5 6 10.0.0.8:4125 188.8.131.52:4125 0.0.0.0:0 instance
6 6 10.0.0.1:4662 184.108.40.206:4662 0.0.0.0:0 instance
7 17 10.0.0.100:1029 220.127.116.11:10019 18.104.22.168:53 1 20 10
8 6 10.0.0.1:4661 22.214.171.124:4661 0.0.0.0:0 instance
9 17 10.0.0.1:4665 126.96.36.199:4665 0.0.0.0:0 instance
10 6 10.0.0.8:61953 188.8.131.52:10026 184.108.40.206:80 1 1 6
11 47 10.0.0.8:1 220.127.116.11:1 0.0.0.0:0 instance
12 17 10.0.0.1:4672 0.0.0.0:4672 0.0.0.0:0 template
13 6 10.0.0.1:4662 0.0.0.0:4662 0.0.0.0:0 template
14 6 10.0.0.1:4661 0.0.0.0:4661 0.0.0.0:0 template
15 17 10.0.0.1:4665 0.0.0.0:4665 0.0.0.0:0 template
16 6 10.0.0.1:4711 0.0.0.0:4711 0.0.0.0:0 template
17 6 10.0.0.8:1723 0.0.0.0:1723 0.0.0.0:0 template
18 47 10.0.0.8:1 0.0.0.0:1 0.0.0.0:0 template
19 6 10.0.0.8:4125 0.0.0.0:4125 0.0.0.0:0 template
20 6 0.0.1.187:10 0.0.0.0:443 0.0.0.0:0 template
That's it. I don't know what else I can tell you. So far this problem has got me stumped - so much that I joined up to experts exchange when normally I would persevere searching on the net! So here goes let's hope my membership purchase was money well spent!
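Added example, not part of the original post: a small Python audit of the `template` rows from the NAT LIST output above, checking each forward the post says was configured (TCP 1723, protocol 47, TCP 80, 443 and 4125) against the server address 10.0.0.8 and the 10.0.0.0/24 LAN. The row format is assumed from the pasted output, and the names `WANTED`, `parse_templates` and `audit` are hypothetical.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")    # eth0 subnet, from the post
SERVER = ipaddress.ip_address("10.0.0.8")    # SBS external NIC, from the post
# Forwards the post says were added: (protocol number, outside port).
# GRE (protocol 47) has no ports; the router lists it with port 1.
WANTED = {(6, 1723): "PPTP control", (47, 1): "GRE", (6, 443): "HTTPS",
          (6, 4125): "remote services (4125)", (6, 80): "HTTP"}

# Template rows copied from the NAT LIST output in the post.
NAT_LIST = """\
12 17 10.0.0.1:4672 0.0.0.0:4672 0.0.0.0:0 template
13 6 10.0.0.1:4662 0.0.0.0:4662 0.0.0.0:0 template
14 6 10.0.0.1:4661 0.0.0.0:4661 0.0.0.0:0 template
15 17 10.0.0.1:4665 0.0.0.0:4665 0.0.0.0:0 template
16 6 10.0.0.1:4711 0.0.0.0:4711 0.0.0.0:0 template
17 6 10.0.0.8:1723 0.0.0.0:1723 0.0.0.0:0 template
18 47 10.0.0.8:1 0.0.0.0:1 0.0.0.0:0 template
19 6 10.0.0.8:4125 0.0.0.0:4125 0.0.0.0:0 template
20 6 0.0.1.187:10 0.0.0.0:443 0.0.0.0:0 template
"""

def parse_templates(text):
    """Yield (protocol, inside address, outside port) for each template row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[-1] != "template":
            continue  # skip headers and live "instance" sessions
        inside_ip = f[2].rsplit(":", 1)[0]
        outside_port = f[3].rsplit(":", 1)[1]
        yield int(f[1]), ipaddress.ip_address(inside_ip), int(outside_port)

def audit(text):
    """Return findings for wanted forwards that are missing or misdirected."""
    seen = {(proto, port): ip for proto, ip, port in parse_templates(text)}
    findings = []
    for key, name in WANTED.items():
        if key not in seen:
            findings.append(f"{name}: no template for proto {key[0]} port {key[1]}")
            continue
        ip = seen[key]
        if ip not in LAN:
            findings.append(f"{name}: inside address {ip} is not on {LAN} "
                            f"(as an integer it is {int(ip)})")
        elif ip != SERVER:
            findings.append(f"{name}: forwards to {ip}, not {SERVER}")
    return findings
```

Run over the rows above, `audit(NAT_LIST)` reports two things: the port 443 template points at inside address 0.0.1.187, which is the number 443 written as a dotted quad, and there is no template for TCP 80.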