Can't establish VPN Connection to Windows 2003 Server R2 via ADSL Modem/Router

Posted on 2006-11-26
Last Modified: 2013-11-29
Hi All,

I've setup a Windows 2003 R2 Server with 2 NICs.

The "Downlink to LAN" NIC is at 192.168.0.128, and the "Uplink to Router" NIC is at 10.0.0.128. DHCP is set up to issue addys from 10.0.0.1 to 10.0.0.127, and is working perfectly. The server has a handful of WinXP clients attached and is issuing IPs just fine - and these clients can access the outside world just fine through the router at 192.168.0.254.

I set up Routing and Remote Access to use L2TP & CHAP V2 (with a pre-shared key).

I set up the router to pass on port TCP 1723 to my server and (at this stage) I've turned off the firewall while I get to the bottom of this. The router is assigned a static IP addy by the ISP, and I've verified that I can ping the router through the internet (when the firewall is switched off).

I've given myself dial in permissions, and those permissions will be bypassing any remote access policy.

If I configure my laptop with a 192.168.0.x address and plug it into the server's "Uplink to Router" segment I can connect just fine - but when I try to establish a connection via the internet (dial up or ADSL) it basically just comes back with a message to the effect of "failed security negotiations at an early stage", although on the dial up connection I can see a "healthy" exchange of packets on the "modem lights" (in the tray area).

I suspected the router, but I'm having 2nd thoughts ... I've had a similar one work fine with only port 1723 forwarded, and at one stage (out of frustration) I told NAT to forward EVERYTHING to the server - still didn't work.

On the server side of things all firewalls are turned off, and the logs (event and R&RA) aren't showing anything - almost as if the server just isn't aware of the attempt - so I'm going in circles here.

Would be great if anyone could: (a) Come up with a good thought as to why it works when I hand a box off the same subnet, and (b) Tell me all the ports that need to be open and forwarded to authenticate successfully via only CHAP V2.

Many many thanks!!!

Cheers,

Mav.
Question by:The_Maverick
LVL 4

Expert Comment

by:maeb3
ID: 18018572
You need the following for setting up an L2TP VPN:
 - IKE: UDP port 500 (UDP!!!)
 - IPsec ESP: protocol 50 (this is not a TCP/UDP port number but a layer 3 protocol number)
 - IPsec AH: protocol 51 (this is not a TCP/UDP port number but a layer 3 protocol number)

Port 1723 is needed for a PPTP VPN (together with GRE, protocol 47).

Maybe you have forgotten to accept the layer-3-protocols.

maeb3
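To make the distinction in the comment above concrete, here is an added example (not code from the thread) that checks a router's forwarding rules against what L2TP/IPsec and PPTP each need, using only the ports and protocol numbers listed above; the sample rule set is constructed to mirror the asker's router, which forwards only TCP 1723.

```python
"""Audit router forwarding rules against the requirements of an L2TP/IPsec
or PPTP VPN terminating on an RRAS server.  Added example, not part of the
original thread.  Numbers are those given in the thread: IKE UDP 500,
ESP protocol 50, AH protocol 51; PPTP TCP 1723 plus GRE protocol 47."""

# Each rule is (transport, number).  Transport "ip" means the whole IP
# protocol (ESP, AH, GRE) must be forwarded, not a TCP/UDP port.
REQUIRED = {
    "L2TP/IPsec": {
        ("udp", 500): "IKE key exchange",
        ("ip", 50): "IPsec ESP (IP protocol 50, not a port)",
        ("ip", 51): "IPsec AH (IP protocol 51, not a port)",
    },
    "PPTP": {
        ("tcp", 1723): "PPTP control channel",
        ("ip", 47): "GRE tunnel (IP protocol 47, not a port)",
    },
}


def audit(vpn_type, forwarded):
    """Return (missing, unrelated): required entries the router does not
    forward, and forwarded entries that this VPN type never uses."""
    need = REQUIRED[vpn_type]
    fwd = set(forwarded)
    missing = {rule: why for rule, why in need.items() if rule not in fwd}
    unrelated = sorted(fwd - set(need))
    return missing, unrelated


def identify(forwarded):
    """List the VPN types whose requirements this rule set fully satisfies."""
    fwd = set(forwarded)
    return [vpn for vpn, need in REQUIRED.items() if set(need) <= fwd]


if __name__ == "__main__":
    # Constructed sample: only TCP 1723 forwarded, as in the question.
    router_rules = [("tcp", 1723)]
    missing, unrelated = audit("L2TP/IPsec", router_rules)
    for (transport, number), why in missing.items():
        print(f"missing {transport}/{number}: {why}")
    print("forwarded but unused by L2TP/IPsec:", unrelated)
    print("rule set fully satisfies:", identify(router_rules) or "nothing")
```

Run as-is it reports UDP 500, protocol 50 and protocol 51 as missing and flags TCP 1723 as a PPTP rule that L2TP/IPsec does not use.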
LVL 2

Author Comment

by:The_Maverick
ID: 18023237
Thanks for that.

I think I'm a little out of my depth here ... can you please tell me how to check/change protocol numbers? (Can't say I've ever come across this before - is it some kind of new default to block these in 2003 R2?)

Many thanks,

Mav.
LVL 4

Accepted Solution

by:maeb3 (earned 500 total points)
ID: 18026215
Since you can connect (via L2TP???) to the RRAS server when directly connected to the subnet I think the router (192.168.0.254) is blocking something.
What type of router do you use?
Does this router allow VPN passthrough?
Are there any debug options for this router?

maeb3
LVL 2

Author Comment

by:The_Maverick
ID: 18026668
*Finally* got it sorted. There were 2 issues: (1) L2TP doesn't work through NAT type routers (see http://support.microsoft.com/kb/314831), and (2) I finally stumbled across a setting under ADUC that switches remote access to the server on or off (it defaults to off) regardless of what's set in RRAS - I'm guessing that a PC with a similar IP address isn't considered to be a remote PC, and as such wasn't blocked.

I'd like to give you the points anyway in appreciation of your efforts.
LVL 4

Expert Comment

by:maeb3
ID: 18027071
Thank you.

maeb3