Solved

Server 2003 VPN issues. I have read ALL the other posts on this and am still stuck... help please

Posted on 2006-11-29
29
355 Views
Last Modified: 2012-06-21
I have Server 2003 with 2 NICs, one with a static IP from the ISP, the other NIC with a local IP behind a router that has a static from the ISP. I have read all the posts here about setting up RRAS and have tried repeatedly. First with just the one NIC behind the router with port forwarding... in that instance the client would just claim to be verifying user/pass but end up with a failure to connect error. I then went to using 2 NICs and set it up to go straight from the modem to my static NIC only. I was sure this would solve the issue but instead I got unable to contact errors. I must be missing something and I really want to know what. This will probably take actual help as opposed to link posting since I have already read those to no avail. Thanks. Also YES I did configure users for VPN access and no I am not using RADIUS.
0
Question by:avaris4069
29 Comments
 
LVL 77

Expert Comment

by:Rob Williams
When connecting, if it does not complete you should get an error number such as 691, 721, 800. Can you advise what that is, if any?

Below is an outline of how to configure with a single network adapter, though the process is basically the same with 2, should you wish to confirm. I assume you configured port forwarding on the router, and enabled GRE/PPTP pass-through?

Please advise if you are using SBS 2003 rather than Server 2003, if so you will need to use the wizards.

The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different from the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also depending on your network configuration you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. If you want to resolve NetBIOS names we can elaborate on how to "fix" that, if not working properly.
0
 
LVL 2

Expert Comment

by:romlopez
RobWill said pretty much everything.
I would recommend running VPN in something else but not a Windows machine.
I've used Cyberguard and Astaro VPN/firewalls (unlimited licenses for every appliance, cheap!)
0
 

Author Comment

by:avaris4069
Port forwarding should not be an issue because the VPN NIC card is straight from the modem to the NIC with a static from the ISP. I am not sure about the errors and will post when I have them. Also a new oddity pertaining to this issue... I can connect from my local network TO the VPN NIC card that is outside of my local... but not from outside to the VPN. I am so confused.
0
 
LVL 77

Expert Comment

by:Rob Williams
So long as the external NIC has a true public IP, and not NATed, that should be fine, though there can be some security concerns with this. I am assuming you are not running ISA server?

>>"I can connect from my local network TO the vpn nic card that is outside of my local...but not from outside to the vpn"
Not sure I understand what you are saying. You can connect to the external/public NIC? If so, how have you made the physical connection?
0
 

Author Comment

by:avaris4069
But I can't connect from outside my local network... again I can connect to my static IP VPN card that is straight from the modem to the card as long as I am inside my network (which is of course pointless since I am VPN'ing into the network I am already in). The error I am getting is 800.
0
 

Author Comment

by:avaris4069
Sorry, I forgot... no ISA either. Let's just start at the beginning to make this work. I have an Ambit cable modem/router from Time Warner with a business class connection with 2 static IPs. 1 static IP goes into my router and supplies the network with internet access; the other goes straight from the ISP's modem/router into my server's 2nd NIC. So my server has 2 NICs, one local and one WAN. With that said, I am trying to get from outside my local to inside my local using VPN but I am not having any success. Hopefully this gives you some useful info to help me because I need it.
0
 
LVL 77

Expert Comment

by:Rob Williams
Now I am confused :-)
Above you mentioned: "Port forwarding should not be an issue b/c the vpn nic card is straight from the modem to the nic" and now you state: "other goes straight from the ISP's modem/router into my server's 2nd nic"

"modem/router"??? If there is a routing device between your server and the Internet, port forwarding needs to be enabled. However, as you say, let's start from the beginning.
You mentioned you can connect from your side of the modem. Not sure exactly how you are connected, but that should indicate the server is configured correctly for a VPN connection. So it is a routing and protocol issue.

From the VPN server go to http://www.canyouseeme.org and see what it shows for "your IP". Just to keep things straight, could you post the first 2 octets here such as 66.123.x.x (for security reasons, do not post the whole IP). If this IP starts with 192.168, 10.x, or 172.16-32 you have a NAT (Network Address Translation) device in between, which needs to have port forwarding configured. The IP shown on canyouseeme is the IP you need to connect to with your VPN client. This must be tested from off site by the way. You cannot test the external IP from the same site.

While you are on the canyouseeme page, also test for port 1723, to see if the VPN PPTP packets are being forwarded to the server.

Let us know how you make out.
--Rob
0
 

Author Comment

by:avaris4069
My ISP assured me that my 4 port modem/router is acting as only a passthrough for the configured static IPs but if you plug into one of the other 2 available ports on "their" router it will give a dynamic private address. This is what the email they sent me said:
"ROUTER CONFIGURATION PROCESS:
Your two IPs are configured as well as NAT and DHCP to 192.168.1.1/24. Please
call if any other configuration is desired."

It is my understanding the NAT is telling ALL traffic directed to my static to pass straight through with no filtering. I just checked the canyouseeme.org site and everything shows up correctly. My VPN NIC is showing up as 70.62.x.x and my other NIC which is behind "my" router shows the router's IP which is my other static. This site may have answered my question anyway... How reliable would you say the Open Port Check Tool is? Because it says that port 1743 can't be reached along with a slew of others. Which is odd since I have a commercial class account and should not have anything blocked. If you could let me know if this Open Port tool is to be trusted I would appreciate it.
0
 
LVL 77

Expert Comment

by:Rob Williams
Port 1723, by the way, not 1743 as you noted. Maybe a typo.

>>"If you could let me know if this Open Port tool is to be trusted I would appreciate it."
I have never had it fail.
You can also check using telnet from a remote site (cannot be the same site). If you want to test for a given port, from a command line use:
telnet 70.62.x.x 1723
If it is open you will get a blank screen with a flashing cursor. If it is closed/blocked you will get an error or time out.

I assume you must have a firewall of some sort in place. You wouldn't want all traffic forwarded directly to the server. The firewall may be blocking the traffic. There is the Windows firewall, but it is usually disabled when RRAS is enabled. Check any others. RRAS has a basic NAT firewall that could be blocking traffic other than that destined for port 1723. Also it is possible your ISP does not support PPTP/port 1723 traffic. A few don't.

Sounds like you are on the right track though.
0
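The telnet test above only proves that something accepted the TCP connection on 1723; a NAT box or firewall that "owns" the port gives the same blank screen. The following added example (my code, not from the original thread or the tools it links) goes one step further: it connects, sends the Start-Control-Connection-Request that every PPTP client sends first (RFC 2637), and checks that a well-formed Start-Control-Connection-Reply comes back, which only a real PPTP listener such as RRAS produces. It also applies Rob's rule of thumb that an address in 192.168/10/172.16 space means a NAT device is in front of the server. Function names are mine, and `sample_sccrp_ok()` is a constructed reply for testing, not a capture.

```python
"""Probe a PPTP server's TCP control channel (port 1723).

Added example for this thread, not code from the original posts. After
connecting it sends an SCCRQ (RFC 2637 section 2.1) and validates the SCCRP,
so a port a middlebox merely accepts is told apart from a real PPTP listener.
Function names are mine; sample_sccrp_ok() is a constructed reply.
"""
import ipaddress
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP message type: control message
SCCRQ = 1                 # control message type: Start-Control-Connection-Request
SCCRP = 2                 # control message type: Start-Control-Connection-Reply
PROTO_VERSION = 0x0100    # PPTP 1.0
MSG_LEN = 156             # both SCCRQ and SCCRP are fixed-length

# Common header: length, PPTP message type, magic cookie, control type, reserved0
_HDR = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels, firmware rev, host, vendor
_SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing, bearer, max channels, firmware rev, host, vendor
_SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")


def is_nat_address(host: str) -> bool:
    """True if `host` is an RFC 1918 literal, i.e. a NAT device sits in front of the server."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:      # a hostname rather than an IP literal
        return False


def build_sccrq(hostname: bytes = b"vpn-probe", vendor: bytes = b"probe") -> bytes:
    """Return the 156-byte SCCRQ that a PPTP client sends first."""
    body = _SCCRQ_BODY.pack(PROTO_VERSION, 0, 0x3, 0x3, 1, 0x0100,
                            hostname[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))
    return _HDR.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def parse_sccrp(data: bytes) -> dict:
    """Validate an SCCRP and return its fields; raise ValueError saying what was wrong.

    The reason matters: a middlebox that accepted the TCP connection but is not
    a PPTP server typically answers with nothing, a reset, or unrelated bytes.
    """
    if len(data) < _HDR.size:
        raise ValueError("only %d bytes received, not a PPTP control message" % len(data))
    length, msg_type, cookie, ctrl_type, _ = _HDR.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08X: peer is not speaking PPTP" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got message type %d/%d" % (msg_type, ctrl_type))
    if length != MSG_LEN or len(data) < MSG_LEN:
        raise ValueError("SCCRP claims %d bytes, have %d" % (length, len(data)))
    version, result, error, _fr, _br, max_chan, _fw, host, vendor = \
        _SCCRP_BODY.unpack_from(data, _HDR.size)
    return {
        "version": version,
        "result": result,          # 1 = OK, 2 = general error, 4 = not authorized, 5 = bad version
        "error": error,
        "max_channels": max_chan,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def sample_sccrp_ok() -> bytes:
    """Constructed SCCRP (not a capture) of the kind an RRAS server returns."""
    body = _SCCRP_BODY.pack(PROTO_VERSION, 1, 0, 0x3, 0x3, 32, 0x0100,
                            b"vpnserver".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))
    return _HDR.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


def check_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Run from OUTSIDE the site: connect, send SCCRQ, return the parsed SCCRP."""
    if is_nat_address(host):
        raise ValueError("%s is private address space; test the public IP that the "
                         "NAT device forwards 1723 and GRE from" % host)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < MSG_LEN:            # TCP may deliver the 156 bytes in pieces
            chunk = s.recv(MSG_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


if __name__ == "__main__":
    import sys
    info = check_pptp(sys.argv[1])
    print("PPTP server %r (%s): result code %d" % (info["hostname"], info["vendor"], info["result"]))
```

Run it as `python pptp_probe.py 70.62.x.x` from a machine outside the site. A result code of 1 means the control channel is fine and any remaining failure (the 721 error discussed later in this thread) is on the GRE side; a ValueError naming the cookie or message type means whatever answered on 1723 is not the PPTP server.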
 

Author Comment

by:avaris4069
No known firewall is in place. I was having so much trouble that I couldn't explain that I decided to take out any possible hindrance. I was checking the wrong port with the Open Port Tool; however the right port is also coming up blocked. Which brings me to the conclusion that my ISP has fouled something. I will post as soon as I have finished asking them what's going on. As long as I have you helping, RobWill, do you think the option of allowing only VPN traffic in RRAS is enough of a security measure or should I go beyond that, and what would you recommend? Again I will post the response I get from the ISP to let everyone know if it ends up being their issue and not mine. Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
Personally I would never have anything other than a web or mail server assigned a public IP, unless ISA was installed, but the risk is minimal with only port 1723 open. However, you sound surprised that the other ports were blocked. If all ports were open I doubt your server would survive the day without being attacked.
Most combined router/modems I have come across are used in NAT or bridge mode. It sounds like your unit is offering a combination of services. I would talk to the supplier and see if there is some required configuration on that unit. Also as mentioned earlier they could be blocking PPTP traffic, but that is not very common.
0
 
LVL 77

Expert Comment

by:Rob Williams
Out of curiosity, what make and model is the modem?
0
 

Author Comment

by:avaris4069
I only know that it is an Ambit 4 port modem/router. It has no labels aside from MAC and S/N. I am still on hold with my ISP. They said that when all things are working right the majority of ports should be wide open with some exceptions; however 1723 is not supposed to be one of those blocked exceptions. They are also blocking port 25 and a handful of other ports that according to them should not be blocked. I have been on the phone with tech support for 2.5 hours now and they haven't even begun addressing the problem... still trying to figure out who gets me. I will let you know as soon as they give me something concrete.
0
 

Author Comment

by:avaris4069
OK, the ISP says that the port is open at the modem so it must be something on my end. This completely perplexes me since I am going straight from their modem to my NIC and according to Server 03 "Windows Firewall cannot run because the Windows Firewall/Internet Connection Sharing service is not running", meaning that it is not ON. I am more lost than ever now.
0
 

Author Comment

by:avaris4069
Latest update. I am now able to connect (or so it seems) but then the service stalls at verifying user/pass and I get error 721. I have researched this error online and have found no conclusive solutions other than a firewall issue, which to the best of my knowledge shouldn't be a factor.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Sorry, stepped away for a while.
Ah, that sounds like progress.
A 721 error almost always indicates blocked GRE protocol. On most units (i.e. your modem) there is an option to enable "PPTP pass-through" or "VPN pass-through". This is often turned off by default. Again, as you were able to connect from the LAN side of your modem I doubt the server is the problem. That leaves the ISP or modem. My guess is the latter. Just to warn you, a few modems, mostly older ones, don't support GRE.

So, it sounds like http://www.canyouseeme.org should be working as, in order to get a 721 error, an initial connection to the server has to be made. There is a way to test GRE if you like, but I would look into the enable option first.

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
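The pptpsrv/pptpclnt pair described above is a GRE reachability test: the client emits IP protocol 47 packets and the server reports whether they arrived. The following added example (my code, written for this thread; it is neither Microsoft's tool nor anything from the original posts) does the same job with raw sockets so you can see exactly what crosses the modem. It builds the "enhanced GRE" header that PPTP data packets carry (RFC 2637 section 4.1, key field holding payload length and call ID, protocol type 0x880B), sends a few sequenced packets from the remote side, and on the server side listens for protocol 47 and decodes whatever shows up. Assumptions: raw sockets (root on Linux/BSD, which is where the listener's IPv4-header stripping applies; Windows raw-socket capture needs SIO_RCVALL and is not handled), and a constructed LCP-looking probe payload. Function names are mine. An empty result on the server after the client has sent is the same verdict as Rob's 721 diagnosis: TCP 1723 works, GRE is dropped in between.

```python
"""Raw GRE send/listen test in the spirit of pptpsrv / pptpclnt.

Added example for this thread, not Microsoft's tool and not code from the
original posts. Assumes raw-socket privilege and a Linux/BSD kernel that
hands back the IPv4 header on a SOCK_RAW/IPPROTO_GRE receive. Function names
and the probe payload are mine.
"""
import socket
import struct
import time
from typing import Optional

IPPROTO_GRE = 47
GRE_PPP = 0x880B          # protocol type carried in PPTP data packets
GRE_VERSION = 1           # low 3 bits of the flags word: 1 = enhanced GRE
FLAG_K = 0x2000           # key (payload length + call ID) present; always set for PPTP
FLAG_S = 0x1000           # sequence number present
FLAG_A = 0x0080           # acknowledgement number present
# Constructed probe payload: PPP address/control (FF 03) + LCP protocol ID (C0 21)
PROBE_PAYLOAD = b"\xff\x03\xc0\x21probe"


def build_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
              ack: Optional[int] = None) -> bytes:
    """Encapsulate `payload` as one PPTP/GRE data packet for `call_id`."""
    flags = FLAG_K | GRE_VERSION
    tail = b""
    if seq is not None:
        flags |= FLAG_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        tail += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, GRE_PPP, len(payload), call_id) + tail + payload


def parse_gre(data: bytes) -> dict:
    """Decode one enhanced-GRE packet; ValueError explains anything that is not PPTP."""
    if len(data) < 8:
        raise ValueError("%d bytes is too short for a GRE header" % len(data))
    flags, proto, length, call_id = struct.unpack_from("!HHHH", data)
    if flags & 0x0007 != GRE_VERSION or not flags & FLAG_K:
        raise ValueError("flags 0x%04X: not enhanced GRE with a key" % flags)
    if proto != GRE_PPP:
        raise ValueError("GRE protocol type 0x%04X is not PPP (0x880B)" % proto)
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack_from("!I", data, off)[0]
        off += 4
    if flags & FLAG_A:
        ack = struct.unpack_from("!I", data, off)[0]
        off += 4
    payload = data[off:off + length]
    if len(payload) != length:
        raise ValueError("header says %d payload bytes, only %d present" % (length, len(payload)))
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def strip_ipv4(datagram: bytes) -> bytes:
    """Drop the IPv4 header a raw socket delivers; refuse anything that is not GRE."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    if datagram[9] != IPPROTO_GRE:
        raise ValueError("IP protocol %d, not GRE (47)" % datagram[9])
    return datagram[(datagram[0] & 0x0F) * 4:]


def send_probes(server_ip: str, call_id: int = 1, count: int = 5) -> int:
    """Client side (run from the remote site). Returns the number of packets sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_GRE)
    try:
        for seq in range(1, count + 1):    # kernel prepends the IP header for us
            s.sendto(build_gre(call_id, PROBE_PAYLOAD, seq=seq), (server_ip, 0))
            time.sleep(0.2)
    finally:
        s.close()
    return count


def listen(timeout: float = 30.0) -> list:
    """Server side. Returns (source, packet) pairs seen within `timeout` seconds."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_GRE)
    deadline = time.time() + timeout
    seen = []
    try:
        while time.time() < deadline:
            s.settimeout(deadline - time.time())
            try:
                datagram, (src, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            try:
                pkt = parse_gre(strip_ipv4(datagram))
            except ValueError as err:
                print("ignoring packet from %s: %s" % (src, err))
                continue
            print("GRE from %s: call %d seq %s, %d payload bytes"
                  % (src, pkt["call_id"], pkt["seq"], len(pkt["payload"])))
            seen.append((src, pkt))
    finally:
        s.close()
    return seen


if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["listen"]:
        got = listen()
        print("GRE reaches this host" if got else "no GRE arrived: clients will see error 721")
    elif len(sys.argv) == 3 and sys.argv[1] == "send":
        print("sent %d GRE packets to %s" % (send_probes(sys.argv[2]), sys.argv[2]))
```

Start `python gre_test.py listen` on the VPN server first, then `python gre_test.py send 70.62.x.x` from the remote site. Packets that reach the listener print with their call ID and sequence number; packets that arrive but are rejected by `parse_gre` point at a device rewriting the GRE header, which some NAT boxes do when "PPTP pass-through" is off.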
 

Author Comment

by:avaris4069
Well the client to server test shows responsive but I still cannot connect. I thought perhaps that the 2 NICs were getting confused as far as coming in one NIC and trying to go out the other. If that is the case I have no idea how to prove it or fix it. So to recap..... port 1723 is showing as good now.... GRE is showing good on client side to server..... I can connect to the VPN from my private network but not outside of it...... I am totally lost still.
0
 

Author Comment

by:avaris4069
Addendum to last post. Using pptpclnt and pptpsrv, the client shows communication for port 1723 and the server confirms it on its end. The client sends the GRE and the server never receives it. The ISP insists that they are not blocking it and that the passthrough is set up. Is there some way that my NIC is blocking GRE?
0
 
LVL 2

Expert Comment

by:romlopez
Who's your ISP and what model of router are you using?
I know from prior experience some ISPs are dumb enough to give you a modem/router/firewall and it messes up everything! (Comcast with static IP)
If you do not have Windows Firewall running, it should not be blocking anything; don't you have to "bridge" both networks in order for VPN to work?
0
 

Author Comment

by:avaris4069
It is an AMBIT modem/router, DOCSIS 1.0/1.1/2.0 compliant; that is all the info I can get from it... it is not marked or labeled in any way. As far as bridging goes I believe RRAS handles that for me.
0
 
LVL 77

Expert Comment

by:Rob Williams
Your server and NIC should be fine since you can connect from inside the modem. The problem must be the ISP or more likely the modem/router unit.
0
 

Author Comment

by:avaris4069
So at this point you would suggest I press the issue with the ISP and even push for a new modem?
0
 
LVL 77

Expert Comment

by:Rob Williams
I would say so if you can connect and the GRE test works from the LAN side of the modem and not the WAN side. However, looking at the Ambit site all the modems I looked at have VPN pass-through capability, but they also have the ability to manage traffic and block it by configuration. Perhaps it is just a configuration issue.
0
 

Author Comment

by:avaris4069
I hadn't tested the pptpclnt and pptpsrv. I get the same results in house.... the GRE doesn't show... but I can connect the VPN still.
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"I get the same results in house....the GRE doesn't show...but i can connect the vpn still."
Sorry, thought you had. When connected "in house" can you connect to shares, even if by IP such as \\192.168.123.123\ShareName? That will confirm it is working. It is actually possible for the VPN client to show connected, but you can not view any resources, if GRE is blocked, though usually you get a 721 error.
If that all works OK but the pptpxxx tools don't, perhaps it is a problem with the tool or how it is being used. It is a little crude.
0
 

Author Comment

by:avaris4069
I just got home and got angry so I unplugged everything and then plugged it all back in the exact same way and now it is working... and I mean EXACT same way. Now if I can just solve my POP3 issues I'll be set. Needless to say RobWill takes the prize for being the most attentive and useful. Side note RobWill... if you are any good with Server 03's built-in POP3 you can snag a quick 250 points more by helping with my only other open question. Thanks again.
0
 
LVL 77

Expert Comment

by:Rob Williams
Very interesting. I have seen that happen with some cheap home routers when you keep making changes. Eventually they seem to show the change but not apply it until reboot. But in your case you were not doing that.
Regardless, wonderful. I was running out of ideas :)
Thanks avaris4069.
I'll have a look at the other question, but my Mail Server knowledge is pretty limited, and what little I have is more Exchange and SMTP and RPC/HTTP.
Cheers,
--Rob
0
 

Author Comment

by:avaris4069
Follow up... I know I accepted and closed this but just wanted to let you know that my luck ran out... I got 1 successful connection from outside in. I then disconnected and attempted again... now I get error 800... I give up I think.
0
 
LVL 77

Expert Comment

by:Rob Williams
Very interesting. The 800 error can be anything, and most often indicates there is no communication whatsoever. The 721 error indicates the "handshaking" has started, but the encapsulated packets are being blocked (i.e. GRE).

What was "everything" when you unplugged the equipment? Wonder if it is a flaky modem/router, rather than a router configuration issue. Can the ISP update its firmware?
0
