Solved

VPN server - client setup

Posted on 2006-11-13
2,402 Views
Last Modified: 2012-06-27
Hello

I'm trying to set up a VPN server - client connection to join a remote computer to my local domain. I have Win2k3 locally and on the remote side I have an XP Pro machine. I'm using the so-called "static IP" service from DNS2GO.com to point www.server2.dns2go.com requests to my server. I installed RRAS on my server with 2 NIC cards and created a new VPN connection on my remote machine. I created a user in AD and enabled Dial-in in this user's properties in AD, as well as enabled that option for the remote computer account.

However, I can't connect.

Which ports should I have open for this basic VPN solution?

How do I configure those two NIC cards? Which one is for what? I'm using a 2wire modem/router and both cards are plugged into my router. Is that the correct configuration?

Please gimme some advice on how to accomplish this task.

Thanks a bunch!

Peter

Question by:piotrmikula108
22 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17935226
There is no need to use 2 network adapters; however, if you wish to do so you would normally have one connected to your WAN/router in one subnet and the other connected to your LAN/switch in another subnet. Keep in mind when choosing subnets that a VPN normally requires that there are no duplicate subnets within the configuration, locally or remotely. Thus, to avoid conflicts with remote networks for mobile clients, you want to choose office subnets that are less common, i.e., not 192.168.0.x, 192.168.1.x, 192.168.2.x, 10.0.0.x.
If you use 2 adapters, RRAS has to be configured for routing. I would recommend sticking to 1 if you have a router in place. On the router you need to forward TCP port 1723, and enable GRE by choosing PPTP pass-through or similar on your router. When connecting from the remote site, try using the IP first to rule out any potential problems with the DNS2go service. If using the DNS2go client you will also have to set up port forwarding for it on UDP port 1227.

Following is a good outline for configuring. If you have Small Business Server please advise as it is important to use the wizards for this.
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x.

Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. If you want to resolve NetBIOS names we can elaborate on how to "fix" that, if not working properly.
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17936400
Hello

Thank you for all the valuable info; however, I'm still not connecting, although getting closer :-)

So on the clients side
- I have setup a connection like shown in the online tutorial you gave me,
- I tried connecting using my temporary static IP assigned by my ISP (at that time it was 75.41.74.24) and also with my DNS2GO forwarder domain (server2.dns2go.com), and the connection status window says "Verifying User Name and Password" and after 10 seconds it says: "Error 619: Connection to Remote Computer could not be established......."

On the server side
- I have removed the 2nd NIC and set up RRAS again according to the tutorial with only one NIC
- I have changed the local subnet so it's different from the remote (remote is 192.168.0.1, local 172.16.0.1; is 172.xx.xx.xx OK? or should it be 192.168.1.xxx?)
- In my 2wire router I have forwarded TCP port 1723 and UDP 1227 to my server; in the manual for that device it said I don't need to enable VPN or PPTP pass-through, it allows it automatically

In one of the tutorials it said to do this: "Note: To make browsing work a little easier, you might want to edit the HOSTS and LMHOSTS files. These are in the C:\Windows\System32\drivers\etc directory for XP. Just add a line with the IP address of the server followed by its name. Also, make sure the workgroup name is the same on all computers"

is this relevant?

If that is accomplished, how do I log in to my local domain on the server?

Thank you

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17939943
619 error:
Can you try connecting the client directly to the modem and bypassing your router (if 2 separate devices)? Make sure the Windows firewall is enabled when doing so, and you should have virus protection.
Also, do you by any chance use SBC at the client site for a service provider? If so, try un-installing the connection client they provide. It can cause this error. Finally, confirm that your user has a valid Active Directory user account, with a non-blank password, and "allow access" checked on the user's dial-in tab of their profile.

>>" is 172.xx.xx.xx OK?"
That is fine. Good choice as there is less chance of a conflict.

>>"I dont need to enable VPN or PPTP pass-through, it allows automatically"
OK

>>"you might want to edit the HOSTS and LMHOSTS files.........is this relevant?"
Using the LMHosts file is an excellent choice for allowing proper name resolution, but it will not help with your basic connection. Once connected, try connecting to resources using the IP address such as \\172.16.123.123\ShareName. If that works then you can deal with name resolution.

If you are using the 2 network adapters, make sure the router is pointing to the WAN NIC. Test your port forwarding. Log on to the VPN server and go to  http://www.canyouseeme.org and test for port 1723.

0
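An added example, not from the thread or from either poster: the canyouseeme check suggested above only proves that TCP 1723 reaches something behind the router. The Python script below opens the control channel the way a Windows client does, sends a PPTP Start-Control-Connection-Request (RFC 2637) and decodes the Start-Control-Connection-Reply, so you can tell whether RRAS itself is answering on the forwarded port. The message layout is the RFC's; the hostname, vendor string and the sample reply bytes are constructed for the offline demo. A result code of 1 means the control channel is working, which leaves GRE (IP protocol 47) and authentication as the remaining suspects for a 619; a reset or timeout right after the TCP connect means port 1723 is being forwarded to something that is not a PPTP server. It cannot test GRE.

```python
"""Probe a PPTP server's TCP 1723 control channel (RFC 2637).

Added example for this thread, not code from the original page.
"""
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2         # Control Message Types: request / reply
PROTOCOL_VERSION = 0x0100   # PPTP 1.0
CTRL_LEN = 156              # SCCRQ and SCCRP are both fixed-length

# len, type, magic, ctrl, res0, ver, res1, framing, bearer, maxchan, fw, host, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# len, type, magic, ctrl, res0, ver, result, error, framing, bearer, maxchan, fw, host, vendor
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
assert struct.calcsize(SCCRQ_FMT) == CTRL_LEN == struct.calcsize(SCCRP_FMT)

SCCRP_RESULT = {1: "ok", 2: "general error", 3: "command channel already exists",
                4: "requester not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname: bytes = b"pptp-probe", vendor: bytes = b"example") -> bytes:
    """Encode an SCCRQ advertising async+sync framing and analog+digital bearer
    capability (0x3 each), one channel, as a Windows client would."""
    return struct.pack(SCCRQ_FMT, CTRL_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
                       PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0")[:64], vendor.ljust(64, b"\0")[:64])


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError if the bytes are not one (short read,
    wrong magic cookie, wrong message or control type)."""
    if len(data) < CTRL_LEN:
        raise ValueError(f"short read: {len(data)} bytes, expected {CTRL_LEN}")
    (length, msg_type, magic, ctrl, _res0, version, result, error, framing, bearer,
     max_chan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:CTRL_LEN])
    if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message (bad magic cookie or type)")
    if ctrl != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrl}")
    return {"length": length, "version": version, "result": result,
            "result_text": SCCRP_RESULT.get(result, "unknown"), "error": error,
            "framing": framing, "bearer": bearer, "max_channels": max_chan,
            "firmware": firmware,
            "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe_pptp(host: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Connect, send SCCRQ, return the parsed SCCRP. Network-dependent: run it
    from outside the LAN against the server's public address or DNS2go name."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < CTRL_LEN:
            chunk = s.recv(CTRL_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control channel before replying")
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not a capture): what a server answers on success,
# result code 1, version 1.0; hostname/vendor values are made up for the demo.
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, CTRL_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
                           PROTOCOL_VERSION, 1, 0, 0x3, 0x3, 1, 0,
                           b"server2".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))

if __name__ == "__main__":
    import sys
    reply = probe_pptp(sys.argv[1]) if len(sys.argv) > 1 else parse_sccrp(SAMPLE_SCCRP)
    print(reply["result_text"], reply)
```

Run it as `python pptp_probe.py <public IP or server2.dns2go.com>` from a machine outside the LAN; with no argument it just decodes the constructed sample reply. A reply with result 1 but a connection that still fails at "Verifying user name and password" is the classic signature of GRE not getting through.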
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17943598
Hello

Actually my local device is modem & router in one, so I can't test that. I don't use SBC software to manage the DSL connection, I got rid of it a long time ago :-) I have created a user in AD with Dial-in checked; do they need to be assigned to the Remote Users group? I'm using only one NIC on my server. I used www.canyouseeme.org and it said port 1723 is visible from outside.

any other ideas you can think of?

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17959817
>>" I don't use SBC software to manage the DSL connection, I got rid of it long time ago"
If you did have it make sure the SBC connection client software has been removed from the connecting PC

>>"I have created a user in AD with Dial-in checked, do they need to assigned to Remote Users group?"
You can use groups and policies, but the simpler way, at least for now, is to just check the option under dial-in called "allow access".

Also have a look at the suggestions on the following page:
http://www.howtonetworking.com/vpnissues/error691.htm

It could be that GRE, protocol 47 (not port 47), is being blocked. This is common, but you should be getting a 721 error if that is the case. If you wish to test you could try to configure and test the VPN by connecting from the same local network, rather than over the Internet. If you do this, connect to the local IP of the server, not the public IP.
The other way to test GRE is to use Microsoft's pair of test tools, pptpsrv and pptpclnt, to test for GRE pass-through. They are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/
Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.
Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx


0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17962390
Hello

thanks again for tons of good advice!!! :-)

The SBC agent thing was never actually used, so we don't need to worry about that. I was able to VPN locally!!! But the GRE test didn't work; the server didn't receive any packets sent by the client.

on the client side I get

---------------------------
error 10054 calling rcv ()
WSAECONNRESET: Connection reset by peer,
'Creating a socket to test GRE protocol 47
Total packets sent = 1
Total packets sent = 2
....
.... etc.

Check Server to see if GRE packets were received successfully

closing socket
------------------------------

on the server side I get

----------------------
error 10048 Binding Socket WSAEADDRINUSE: Address already in use. Create socket for GRE protocol test. Listening on Protocol 47 for incoming GRE packets
----------------------

So this is not working, I guess??? Any solution to that?

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17962502
As mentioned, a 619 error is not common for blocked GRE, but blocked GRE is very common, and it looks from your tests that may be the case. GRE can be blocked due to configuration errors, unsupported by the hardware, or unsupported by the ISP. I have seen no problems with your configuration. There was a recent post:
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_22052156.html#a17895696
where they could not get GRE/PPTP working with a 2wire, though I checked their site and it is supposed to support it. In that case they replaced the 2wire, which they felt was defective, and it resolved the situation, however, I still wonder if it supports it.

Next;
a) can you test your connection by connecting from another client site, using different hardware and service provider?
b) If not, I am happy to test from here. I have done similar for others on lots of occasions, but I hate logging on to someone's server, due to security. If you should want me to, do not post any private information here, but rather send to the e-mail address on my profile (click on RobWill). Also don't send any information right now as I will not be around until tomorrow 3:00pm GMT  (11:00am AST  here).  Glad to give it a shot though, if you need a hand.
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17962554
I sent you an email
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17962599
Received, and replied :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17962661
I tried to connect with the supplied connection information and I received the same 619 error.
At least that narrows down the problem. Your server end works because you can connect from the local network, and the remote site is not the problem, as we have now tried from elsewhere, with different equipment and ISP. This connection works, by the way; I just tested it to another site. So something between the Internet and your server must be the problem.
-You tested with canyouseeme, so port forwarding is OK.
-Do you have a software firewall on the server enabled, such as the Windows firewall? The Windows firewall, and most others, can be configured to allow local connections but not those from other subnets. It does this by default under some conditions. If so I would try disabling it, so long as there is a router (hardware firewall) between your server and the Internet.
-If no firewall, I am very suspicious of the 2wire unit. Feel like transporting your server to another site :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17971852
Peter, I should be around for the next 4+ hours. I am not at my computer, but I will check every 1/2 hour or so.

If you like I can remotely log on to "check" things, but I don't think it will help. Your VPN is configured correctly as you can connect locally, so the next thing to check is firewalls on the server which you have done, and then port 1723 and GRE access. It seems the latter is the problem. That I cannot really diagnose, other than using the PPTPsrv/clnt tools which you have also done.
You can add a router and put the 2wire in bridge mode, but I cannot guarantee that will work. I am thinking you might need to try with a replacement for the 2wire or temporarily take the server to another site, as crazy as that sounds.

One other thought: rather than risk the server, you can create a VPN to accept incoming connections with a Windows workstation. Set one up, switch the 2wire to forward PPTP traffic to it, and test. You should get the same 691 error.
Then put the 2wire in bridge mode and configure the XP machine's network adapter with the ISP connection information. This should allow the 2wire to pass all traffic. Test now and see if you can connect. If so, it is definitely the 2wire blocking traffic. If not, it still could be the problem; it doesn't prove anything :-)
By the way, you will also need to configure the Windows firewall (it should be on for security when doing the second test above) to allow port 1723. At the same time on the Windows firewall, go to exceptions | highlight your PPTP rule and choose edit | highlight the port # 1723 and choose change scope | make sure "allow connections from anyone (including the Internet)" is selected.

What model 2wire do you have ? I can look into any known problems.
--Rob
0

 
LVL 1

Author Comment

by:piotrmikula108
ID: 17972098
Hello Rob

thanks, one thing that is weird on my server is that when RRAS is set up I can't edit settings for Windows Firewall, it says:

"..Windows Firewall cannot run because another program or service that might be using the network address translation component (ipnat.sys).." but just for testing purposes I had disabled the Windows Firewall temporarily before setting up RRAS

how do I set up XP to accept a VPN connection, don't I need RRAS? I know I can set up a dial-up modem connection; is that what you want me to do?

I will try to get a regular DSL modem to connect directly to Internet and also with another router

I have 2Wire 1701HG Gateway

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17972133
>>"when the RRAS is setup I can't edit settings for Windows firewall"
Correct. When RRAS is configured, for any reason (VPN, routing, etc.), it blocks you from configuring the firewall. I forgot about that, but it is normal. I believe it also disables the firewall. I don't think you need to, but if you wanted to check, you would have to uninstall RRAS by right-clicking on your server and choosing disable, verify the Windows firewall is off, and then re-configure RRAS. But, I forgot about it automatically disabling, so I wouldn't worry about that.

>>"how do I setup to have XP accept VPN connection, don't I need RRAS?"
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
Client is the same:
http://www.onecomputerguy.com/networking/xp_vpn.htm

I'll see what I can find out about the 2Wire 1701HG
--Rob
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17972174
Thanks Rob,

my Windows Firewall was disabled before I set up RRAS

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17972199
>>"Windows Firewall was disabled before I set up RRAS"
Good. That again points back to the 2wire.

I have done a little reading. Though the 1701HG advertises that it is PPTP pass-through capable, it might be that that is only for outgoing client connections. A few routers are like that. There are several articles saying it has that capability, but I have found none that say it will support incoming PPTP connections; that is not to say it won't.

Also, when configuring the port forwarding it seems you do so in its firewall configuration. Is there a default rule for PPTP? I know with the Netgears if you use the built-in rule, it automatically enables GRE, but if you manually create a rule for port 1723, there is no way to enable GRE.

Just thinking out loud :-)
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17972243
Hello Rob

We're getting closer!!!! I found the default rule for PPTP so I used that along with my manually created UDP 1227 and 1723; now I'm getting error 733, it's trying to register on the network but says that TCP/IP settings on this (I guess it means the remote computer, not the server) need to be adjusted. But the GRE test is still not working though

Peter
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17972274
at the beginning you said to have them on separate subnets, so the remote machine is on 172.xx.xx.xx (assigned dynamically) and the server on 198.xx.xx.xx; isn't this part of the problem and things need to be adjusted around here?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17972431
>>"We're getting closer!!!! I found the default rule for PPTP so I used that along with my manually created UDP 1227 and 1723"
You could run into problems if you have two 1723 rules, the built-in and the manually created one. I would restrict it to the built-in. A separate rule for 1227 or any other services is fine.

>>"733, it's trying to register on the network but says that TCP/IP settings on this "
Sounds like it might not be getting a TCP/IP address from DHCP. Confirm on the following link 2/3 of the way down the page you have your address pool configured correctly. See "New address range"
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm

>>"the remote machine is on 172.xx.xx.xx (assigned dynamically) and server on 198.xx.xx.xx isn't this part of the problem "
No, they should be different, that is fine. The VPN/PPP adapter on the client should automatically be assigned an address in the same subnet as the server if the above is configured correctly. However, is the server site actually 198.x.x.x ? or is that a typo and it is 192.168.x.x
0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17972547
Hello Rob

BINGO, you're a legend :-) !!!!!!!!!!!! it's working finally, that IP pool thing wasn't set up, thanks so much for all your help I wish I could give you 1000000000 points for this answer

My 2nd remote machine is XP Home (my remote XP Pro is down temporarily) so I wasn't able to browse my server's network; also it would have to join the domain first, right? Can XP Pro be set up so that while logging in it will dial the VPN as well, and join the remote domain to acquire all the Group Policy settings? What is the right sequence? Do you have any good resource about that? If you want I can open a new question so I can give you more points for your hard work...

Peter
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17972834
Excellent !!!
You must have been getting frustrated.

There are often problems with accessing resources on the remote network. This is due to the fact that NetBIOS names are not routable, and therefore not broadcast over a VPN. There are lots of ways around this. I'll post my list below. The most common solution is just to use the IP, such as \\192.168.123.123\ShareName. However, see below.
In order to actually browse the network, which is not usually necessary, you need a WINS server. They do not actually have to join the domain.

As for being able to log on to the VPN and remote network with group policy and logon scripts applied, the Windows VPN is not the best solution. A site-to-site VPN with 2 VPN routers works better, as the tunnel is up and running when the user logs on. However, there are a couple of possibilities, but I must say I have never used them as I primarily use hardware VPNs. You can give them a try, but 2 points: a) the user must of course be a member of the domain to have group policy applied, b) avoid roaming profiles, especially if they are large, as it will make for very slow logons.
The two methods I have heard of for connecting the VPN before logon: 1) create the VPN connection, then when you log onto the machine, in the logon box click options and then enable "log on using a dial-up connection". I have heard this will give you the VPN as an option, but have not tried it. 2) The other is to try to automatically connect the VPN before logon using RASDial or AutoDial:
http://technet2.microsoft.com/WindowsServer/en/Library/c3f953ab-2af4-4811-9c70-9a67e5237e121033.mspx?mfr=true
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21855010.html#16864544
It will require some tinkering, but give it a try.

------------------------------------------
NetBIOS names (computer names) are not broadcast over most VPNs.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices such as;   \\123.123.123.123\ShareName   or map a drive at a  command prompt using  
 Net  Use  U:  \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is you have to maintain a static list of computernames and IP addresses. Also if the remote end uses DHCP assigned IP's it is not a feasible option. Thus in order to be able to use computer names dynamically try to enable with some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]

0
 
LVL 1

Author Comment

by:piotrmikula108
ID: 17975575
Hello Rob,

I wasn't actually getting frustrated... I had hope we can figure this out :-)

I need to figure out now how to configure WINS server so I can actually browse the network, does it matter that the remote computer is XP Home or Pro?

thanks for all your help, I will have more questions soon :-)

Peter



0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17976613
To set up WINS you first need to install it. To do so, go to: control panel | add/remove programs | Windows components | Networking Services | check - " Windows Internet Name Service (WINS)"

Once installed you can manage the service by opening the WINS management console under Administrative Tools in the control panel. Assuming you do not have any old Windows 9x clients, you don't need to configure anything, at least not there.
Assuming your server is the DHCP server: open the DHCP management console | expand your server | expand the scope | right click on scope options (you usually have to click on it twice) | choose configure options | on the General tab scroll down to option #044 | check the box and add the IP of the WINS server (probably the same server)
This will assign the WINS IP to your DHCP clients. If you have any client machines assigned static addresses, you will have to manually add the WINS server IP to them, if you wish them to use this service.
The catch !  DHCP works differently for VPN clients. I am not 100% sure it will assign them the WINS server IP. This is a great solution with hardware to hardware VPN's.

For the record, it is not often you really need to browse the network. Most often you are connecting to specific shares.

As for XP Home vs Pro, you can use either, but Home cannot join the domain. Each time the XP Home user logs into the VPN and connects to a resource, they will be required to supply their user name and password; however, that information will be saved for the duration of the session. If not a member of the domain they usually have to supply their user name in the form domainname\username.

Sounds like you are making progress Peter  :-)

--Rob
0