Solved

Can't establish VPN Connection to Windows 2003 Server R2 via ADSL Modem/Router

Posted on 2006-11-26
Last Modified: 2013-11-29
Hi All,

I've setup a Windows 2003 R2 Server with 2 NICs.

The "Downlink to LAN" NIC is at 192.168.0.128, and the "Uplink to Router" NIC is at 10.0.0.128. DHCP is setup to issue addys from 10.0.0.1 to 10.0.0.127, and is working perfectly. The server has a handful of WinXP clients attached and is issuing IPs just fine - and these clients can access the outside world just fine through the router at 192.168.0.254.

I setup Routing and Remote access to use L2TP & CHAP V2 (with a pre-shared key).

I setup the Router to pass on port TCP 1723 to my Server and (at this stage) I've turned off the firewall while I get to the bottom of this. Router is assigned a static IP addy by the ISP, and I've verified that I can ping the router through the internet (when firewall is switched off).

I've given myself dial in permissions, and those permissions will be bypassing any remote access policy.

If I configure my laptop with a 192.168.0.x address - plug it into the server's "uplink to Router" segment I can connect just fine - but when I try to establish a connection via the internet (dial up or ADSL) it basically just comes back with a message to the effect of "failed security negotiations at an early stage", although on the dial up connection I can see a "healthy" exchange of packets on the "modem lights" (in the tray area).

I suspected the router, but I'm having 2nd thoughts ... I've had a similar one work fine with only port 1723 forwarded, and at one stage (out of frustration) I told NAT to forward EVERYTHING to the server - still didn't work.

On the server side of things all firewalls are turned off, and the logs (event and R&RA) aren't showing anything - almost as if the server just isn't aware of the attempt - so I'm going in circles here.

Would be great if anyone could: (a) Come up with a good thought as to why it works when I hand a box off the same subnet, and (b) Tell me all the ports that need to be open and forwarded to authenticate successfully via only CHAP V2.

Many many thanks!!!

Cheers,

Mav.
Question by:The_Maverick
5 Comments
 
LVL 4

Expert Comment

by:maeb3
ID: 18018572
You need the following for setting up a L2TP-VPN:
 - IKE: UDP-Port 500  (UDP!!!)
 - IPSec-ESP: protocol 50  (this is not a TCP/UDP port number but a layer 3 protocol number)
 - IPSec-AH: protocol 51  (this is not a TCP/UDP port number but a layer 3 protocol number)

Port 1723 is needed for a PPTP-VPN (together with GRE, protocol 47)

Maybe you have forgotten to accept the layer-3-protocols.

maeb3
0
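As an added example (not maeb3's or the asker's code), the check below takes packet summaries captured on the RRAS server's uplink NIC and reports which stage of the L2TP/IPsec or PPTP exchange never arrived, using the ports and protocol numbers listed above plus NAT-T on UDP 4500, which IPsec negotiates when a NAT sits between the peers. The capture records are constructed, as is the `proto`/`dport` summary format.

```python
"""Diagnose why a VPN client never reaches an RRAS server.

Input: a list of packet summaries seen on the server's uplink NIC
(constructed format: {"proto": IP protocol number, "dport": port}).
"""
from collections import Counter

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51          # IP protocol numbers
UDP_IKE, UDP_L2TP, UDP_NAT_T, TCP_PPTP = 500, 1701, 4500, 1723

def classify(pkt):
    """Label one packet by the VPN building block it belongs to, else None."""
    proto, dport = pkt["proto"], pkt.get("dport")
    by_proto = {ESP: "ESP", AH: "AH", GRE: "GRE"}
    if proto in by_proto:
        return by_proto[proto]
    if proto == UDP:
        return {UDP_IKE: "IKE", UDP_NAT_T: "NAT-T", UDP_L2TP: "L2TP-plain"}.get(dport)
    if proto == TCP and dport == TCP_PPTP:
        return "PPTP-ctrl"
    return None

def diagnose(packets):
    """Return (counts of labels seen, list of findings about what is missing)."""
    seen = Counter(lbl for lbl in map(classify, packets) if lbl)
    findings = []
    if "IKE" not in seen and "PPTP-ctrl" not in seen:
        findings.append("no IKE (UDP 500) or PPTP (TCP 1723) reached the server: "
                        "the router is not forwarding the first packet of either VPN type")
    if "IKE" in seen and not (seen["ESP"] or seen["NAT-T"]):
        findings.append("IKE arrived but no ESP (protocol 50) or NAT-T (UDP 4500) followed: "
                        "router drops non-TCP/UDP protocols or NAT-T was not negotiated")
    if "L2TP-plain" in seen:
        findings.append("L2TP (UDP 1701) arrived outside IPsec: tunnel is not encrypted")
    if "PPTP-ctrl" in seen and "GRE" not in seen:
        findings.append("PPTP control channel arrived but GRE (protocol 47) did not")
    return seen, findings

# Constructed capture matching the question: only TCP 1723 is forwarded, the
# client tries L2TP/IPsec, so nothing the server needs ever shows up.
ONLY_1723_FORWARDED = [{"proto": TCP, "dport": TCP_PPTP}]
# Constructed capture of a working L2TP/IPsec client behind NAT.
HEALTHY_NAT_T = [{"proto": UDP, "dport": UDP_IKE}, {"proto": UDP, "dport": UDP_NAT_T}]

if __name__ == "__main__":
    for name, cap in (("only 1723", ONLY_1723_FORWARDED), ("NAT-T", HEALTHY_NAT_T)):
        print(name, *diagnose(cap))
```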
 
LVL 2

Author Comment

by:The_Maverick
ID: 18023237
Thanks for that.

I think I'm a little out of my depth here ... can you please tell me how to check/change protocol numbers? (can't say I've ever come across this before - is it some kind of new default to block these in 2003 R2?)

Many thanks,

Mav.
0
 
LVL 4

Accepted Solution

by:
maeb3 earned 2000 total points
ID: 18026215
Since you can connect (via L2TP???) to the RRAS server when directly connected to the subnet I think the router (192.168.0.254) is blocking something.
What type of router do you use?
Does this router allow VPN passthrough?
Are there any debug options for this router?

maeb3
0
 
LVL 2

Author Comment

by:The_Maverick
ID: 18026668
*Finally* got it sorted. Was 2 issues: (1) L2TP doesn't work through NAT type routers (see http://support.microsoft.com/kb/314831), and (2) I finally stumbled across a setting under ADUC that switched remote access to the server on or off (it defaults to off) regardless of what's set in the RRAS - I'm guessing that a PC with a similar IP address isn't considered to be a remote PC, and as such wasn't blocked.

I'd like to give you the points anyway in appreciation of your efforts.
0
 
LVL 4

Expert Comment

by:maeb3
ID: 18027071
Thank you.

maeb3
0
