Solved

Can't establish VPN Connection to Windows 2003 Server R2 via ADSL Modem/Router

Posted on 2006-11-26
369 Views
Last Modified: 2013-11-29
Hi All,

I've setup a Windows 2003 R2 Server with 2 NICs.

The "Downlink to LAN" NIC is at 192.168.0.128, and the "Uplink to Router" NIC is at 10.0.0.128. DHCP is setup to issue addys from 10.0.0.1 to 10.0.0.127, and is working perfectly. The server has a handful of WinXP clients attached and is issuing IPs just fine - and these clients can access the outside world just fine through the router at 192.168.0.254

I setup Routing and Remote access to use L2TP & CHAP V2 (with a pre-shared key).

I setup the Router to pass on port TCP 1723 to my Server and (at this stage) I've turned off the firewall while I get to the bottom of this. Router is assigned a static IP addy by the ISP, and I've verified that I can ping the router through the internet (when firewall is switched off).

I've given myself dial in permissions, and those permissions will be bypassing any remote access policy.

If I configure my laptop with a 192.168.0.x address - plug it into the server's "uplink to Router" segment I can connect just fine - but when I try to establish a connection via the internet (dial up or ADSL) it basically just comes back with a message to the effect of "failed security negotiations at an early stage", although on the dial up connection I can see a "healthy" exchange of packets on the "modem lights" (in the tray area)

I suspected the router, but I'm having 2nd thoughts ... I've had a similar one work fine with only port 1723 forwarded, and at one stage (out of frustration) I told NAT to forward EVERYTHING to the server - still didn't work.

On the server side of things all firewalls are turned off, and the logs (event and R&RA) aren't showing anything - almost as if the server just isn't aware of the attempt - so I'm going in circles here.

Would be great if anyone could: (a) Come up with a good thought as to why it works when I hand a box off the same subnet, and (b) Tell me all the ports that need to be open and forwarded to authenticate successfully via only CHAP V2.

Many many thanks!!!

Cheers,

Mav.
Question by: The_Maverick
5 Comments
Expert Comment by maeb3 (LVL 4), ID: 18018572
You need the following for setting up a L2TP-VPN:
 - IKE: UDP-Port 500  (UDP!!!)
 - IPSec-ESP: protocol 50  (this is not a TCP/UDP port number but a layer 3 protocol number)
 - IPSec-AH: protocol 51  (this is not a TCP/UDP port number but a layer 3 protocol number)

Port 1723 is needed for a PPTP-VPN (together with GRE, protocol 47)

Maybe you have forgotten to accept the layer-3-protocols.

maeb3
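The point maeb3 makes above is easy to get wrong on a NAT router: ESP (50), AH (51) and GRE (47) are IP protocol numbers, not TCP/UDP ports, so a rule for "port 1723" covers only half of PPTP and none of L2TP/IPsec. The following checker is an added example, not code from the thread: it takes a constructed list of forwarding rules in a made-up `tcp/1723`, `udp/500`, `proto/50` syntax and reports which VPN flavour each rule set actually allows. The NAT-T entry (UDP 4500, which carries ESP in UDP across NAT) is a general IPsec fact added here, not something the comment states.

```python
# Added example: check NAT forwarding rules against what each VPN flavour needs.
# Rule syntax is constructed for this example: "tcp/<port>", "udp/<port>" for
# layer-4 ports, "proto/<n>" for an IP protocol number (ESP=50, AH=51, GRE=47).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str    # "tcp", "udp" (number is a port) or "ip" (number is a protocol)
    number: int


# What the router must pass for the VPN to be reachable at all.
# Windows' default L2TP/IPsec policy negotiates ESP, so AH (51) is listed as
# optional rather than required. NAT-T tunnels ESP inside UDP 4500, so behind
# NAT you need UDP 500 + UDP 4500 instead of raw protocol 50.
REQUIRED = {
    "PPTP": {Rule("tcp", 1723), Rule("ip", 47)},
    "L2TP/IPsec": {Rule("udp", 500), Rule("ip", 50)},
    "L2TP/IPsec behind NAT (NAT-T)": {Rule("udp", 500), Rule("udp", 4500)},
}
OPTIONAL = {"L2TP/IPsec": {Rule("ip", 51)}}


def parse_rule(text: str) -> Rule:
    """Parse one forwarding rule; rejects out-of-range ports/protocol numbers."""
    kind, _, num = text.strip().lower().partition("/")
    if kind in ("tcp", "udp"):
        port = int(num)
        if not 0 < port <= 65535:
            raise ValueError(f"bad port in {text!r}")
        return Rule(kind, port)
    if kind == "proto":
        proto = int(num)
        if not 0 <= proto <= 255:
            raise ValueError(f"bad IP protocol number in {text!r}")
        return Rule("ip", proto)
    raise ValueError(f"unknown rule {text!r}")


def missing_for(rules, vpn):
    """Return the required rules for `vpn` that the router does not forward."""
    have = {parse_rule(r) for r in rules}
    return sorted(REQUIRED[vpn] - have, key=lambda r: (r.kind, r.number))


def report(rules):
    """Map each VPN flavour to its missing rules (empty list means allowed)."""
    return {vpn: missing_for(rules, vpn) for vpn in REQUIRED}


if __name__ == "__main__":
    # Constructed input: the original poster's router forwarded only TCP 1723.
    for vpn, missing in report(["tcp/1723"]).items():
        gap = ", ".join(f"{r.kind}/{r.number}" for r in missing)
        print(f"{vpn}: {'OK' if not missing else 'missing ' + gap}")
```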
Author Comment by The_Maverick (LVL 2), ID: 18023237
Thanks for that.

I think I'm a little out of my depth here ... can you please tell me how to check/change protocol numbers? (can't say I've ever come across this before - is it some kind of new default to block these in 2003 R2?)

Many thanks,

Mav.
Accepted Solution by maeb3 (LVL 4), earned 2000 total points, ID: 18026215
Since you can connect (via L2TP???) to the RRAS server when directly connected to the subnet I think the router (192.168.0.254) is blocking something.
What type of router do you use?
Does this router allow VPN passthrough?
Are there any debug options for this router?

maeb3
Author Comment by The_Maverick (LVL 2), ID: 18026668
*Finally* got it sorted. There were 2 issues: (1) L2TP doesn't work through NAT type routers (see http://support.microsoft.com/kb/314831), and (2) I finally stumbled across a setting under ADUC that switched remote access to the server on or off (it defaults to off) regardless of what's set in the RRAS - I'm guessing that a PC with a similar IP address isn't considered to be a remote PC, and as such wasn't blocked.

I'd like to give you the points anyway in appreciation of your efforts.
Expert Comment by maeb3 (LVL 4), ID: 18027071
Thank you.

maeb3