Solved

Can't establish VPN Connection to Windows 2003 Server R2 via ADSL Modem/Router

Posted on 2006-11-26
Last Modified: 2013-11-29
Hi All,

I've setup a Windows 2003 R2 Server with 2 NICs.

The "Downlink to LAN" NIC is at 192.168.0.128, and the "Uplink to Router" NIC is at 10.0.0.128. DHCP is setup to issue addys from 10.0.0.1 to 10.0.0.127, and is working perfectly. The server has a handful of WinXP clients attached and is issuing IPs just fine - and these clients can access the outside world just fine through the router at 192.168.0.254

I setup Routing and Remote access to use L2TP & CHAP V2 (with a pre-shared key).

I setup the Router to pass on port TCP 1723 to my Server and (at this stage) I've turned off the firewall while I get to the bottom of this. Router is assigned a static IP addy by the ISP, and I've verified that I can ping the router through the internet (when firewall is switched off).

I've given myself dial in permissions, and those permissions will be bypassing any remote access policy.

If I configure my laptop with a 192.168.0.x address - plug it into the server's "uplink to Router" segment I can connect just fine - but when I try to establish a connection via the internet (dial up or ADSL) it basically just comes back with a message to the effect of "failed security negotiations at an early stage", although on the dial up connection I can see a "healthy" exchange of packets on the "modem lights" (in the tray area)

I suspected the router, but I'm having 2nd thoughts ... I've had a similar one work fine with only port 1723 forwarded, and at one stage (out of frustration) I told NAT to forward EVERYTHING to the server - still didn't work.

On the server side of things all firewalls are turned off, and the logs (event and R&RA) aren't showing anything - almost as if the server just isn't aware of the attempt - so I'm going in circles here.

Would be great if anyone could: (a) Come up with a good thought as to why it works when I hand a box off the same subnet, and (b) Tell me all the ports that need to be open and forwarded to authenticate successfully via only CHAP V2.

Many many thanks!!!

Cheers,

Mav.
Question by:The_Maverick
LVL 4

Expert Comment

by:maeb3
ID: 18018572
You need the following for setting up a L2TP-VPN:
 - IKE: UDP-Port 500  (UDP!!!)
 - IPSec-ESP: protocol 50  (this is not a TCP/UDP port number but a layer 3 protocol number)
 - IPSec-AH: protocol 51  (this is not a TCP/UDP port number but a layer 3 protocol number)

Port 1723 is needed for a PPTP-VPN (together with GRE, protocol 47)

Maybe you have forgotten to accept the layer-3-protocols.

maeb3
 
LVL 2

Author Comment

by:The_Maverick
ID: 18023237
Thanks for that.

I think I'm a little out of my depth here ... can you please tell me how to check/change protocol numbers? (can't say I've ever come across this before - is it some kind of new default to block these in 2003 R2?)

Many thanks,

Mav.
 
LVL 4

Accepted Solution

by: maeb3 (earned 500 total points)
ID: 18026215
Since you can connect (via L2TP???) to the RRAS server when directly connected to the subnet I think the router (192.168.0.254) is blocking something.
What type of router do you use?
Does this router allow VPN passthrough?
Are there any debug options for this router?

maeb3
 
LVL 2

Author Comment

by:The_Maverick
ID: 18026668
*Finally* got it sorted. Was 2 issues: (1) L2TP doesn't work through NAT type routers (see http://support.microsoft.com/kb/314831), and (2) I finally stumbled across a setting under ADUC that switched remote access to the server on or off (it defaults to off) regardless of what's set in the RRAS - I'm guessing that a PC with a similar IP address isn't considered to be a remote PC, and as such wasn't blocked.

I'd like to give you the points anyway in appreciation of your efforts.
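An added checker (not code from the thread or from Microsoft) that ties together maeb3's port/protocol list and the NAT finding in the post above: it reports which required items a router's forwarding rules miss, keeping TCP/UDP ports apart from raw IP protocol numbers, and flags the L2TP/IPsec-behind-NAT case that forwarding everything cannot fix. The rule format and the two sample rule sets are constructed; the NAT-T (UDP 4500) flag is a known fact added here, not something the thread mentions.

```python
from dataclasses import dataclass
from typing import Optional

# What each VPN type needs, as listed in the thread. "ip" entries are IP protocol
# numbers carried in the IP header itself, not TCP/UDP port numbers.
REQUIRED = {
    "l2tp-ipsec": [("udp", 500, "IKE"), ("ip", 50, "IPsec ESP"), ("ip", 51, "IPsec AH")],
    "pptp": [("tcp", 1723, "PPTP control"), ("ip", 47, "GRE")],
}

@dataclass(frozen=True)
class Rule:
    """One forwarding rule (constructed format). proto: 'tcp', 'udp', 'ip' or 'any';
    number is the port (tcp/udp) or protocol number (ip); None = every number."""
    proto: str
    number: Optional[int] = None

    def covers(self, proto: str, number: int) -> bool:
        if self.proto == "any":
            return True
        return self.proto == proto and self.number in (None, number)

def missing(vpn: str, rules: list) -> list:
    """Names of required items that no rule forwards, with the kind of number."""
    out = []
    for proto, number, name in REQUIRED[vpn]:
        if not any(r.covers(proto, number) for r in rules):
            kind = "IP protocol" if proto == "ip" else f"{proto.upper()} port"
            out.append(f"{name} ({kind} {number})")
    return out

def diagnose(vpn: str, rules: list, behind_nat: bool, nat_t: bool = False) -> list:
    """Findings for a server reached through the given router rules.
    nat_t: both ends support IPsec NAT traversal over UDP 4500 (a known fact
    added here); the thread's KB 314831 case is a NAT router without it."""
    findings = [f"not forwarded: {m}" for m in missing(vpn, rules)]
    if vpn == "l2tp-ipsec" and behind_nat and not nat_t:
        findings.append("L2TP/IPsec behind NAT fails without NAT-T, even when "
                        "every port and protocol is forwarded (KB 314831)")
    return findings

# Constructed rule sets mirroring the thread: only TCP 1723, then "forward everything".
ONLY_1723 = [Rule("tcp", 1723)]
EVERYTHING = [Rule("any")]

if __name__ == "__main__":
    for label, rules in (("only 1723", ONLY_1723), ("forward all", EVERYTHING)):
        print(label, diagnose("l2tp-ipsec", rules, behind_nat=True))
```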
 
LVL 4

Expert Comment

by:maeb3
ID: 18027071
Thank you.

maeb3
