Adrian Wilson

Windows VPN to a 2003 SBS server through a Vigor 2800g router

I have a Draytek Vigor 2800 as a home user gateway/ADSL router. They have a 2003 SBS server which is using RAS to terminate VPN for Windows clients using the built-in Windows VPN Miniport PPTP connector. The VPN works fine when you are sat outside the DSL router and from plenty of other locations, just not behind this Vigor for some reason. Gets to the user authentication stage and times out.
Anyone got any ideas what could be stopping outgoing PPTP through this Draytek? Thanks in advance.
NeilParbrook

Can you clarify?

Is the Draytek router on the SBS system or on a teleworker?
ASKER

It's the default gateway for a home user (the teleworker). The SBS server is at the work place.
And you're saying that the VPN connection goes pear shaped just on the Draytek.

I have a Draytek 2800 myself and connect to SBS servers a lot with no problems.  That doesn't help you much so let's see....

Assuming the server is using a PPTP VPN connection have you tried going in to the server and disabling the built-in PPTP server.  You can find it on the VPN and Remote Access > Remote Access control, here you can disable the built-in VPN servers.  I have had to do this to allow the router to pass VPN through to my SBS server instead of doing it itself.  Might be worth a try in case the router's built-in VPN server is trying to do weird things when you try to connect to the SBS server.

Got to be worth a try.

NeilParbrook

 
Sorry not....

Assuming the server is using a PPTP VPN connection have you tried going in to the server and disabling the built-in PPTP server

but

Assuming the server is using a PPTP VPN connection have you tried going in to the ROUTER and disabling the built-in PPTP server
Yea, I came across that and tried disabling built in VPN connectivity to allow pass through but the VPN connection still doesn't authenticate for some reason (it does get to the auth stage of setting up the PPTP connection). I must be missing something.
Thinking about it, she does also have a VoIP phone going through the Vigor connecting to a BT Versatility box providing the DSL connection at the work site. Could this have a bearing? Got the Vigor in the first place to guarantee QOS on the line for VoIP. Will test with the phone switched off (I've been troubleshooting it remotely so this had slipped my mind).
Actually, the more I think about it now, it's down to the authentication stage. It could well be that damn VoIP phone again.
Possibly but I can't see why.  I have a VoIP gateway attached to mine with no problems.  But give it a go.  What's the IP address range of the two sites?

So the BT Versatility is at the Office with a phone at the Teleworker?
I take it you are using the Windows-based VPN client?

Have you tried using the Router to permanently connect to the server then just connect machines to the router?
Yea, it's the Windows VPN client. Tried using the Vigor as the VPN initiator but wouldn't connect either. Will give it another go.

The IP range at the remote site (teleworker) is 192.168.10.* and 10.0.0.* at the main site.

The BT Versatility box is at the main site with the IP phone at the remote teleworker site. The IP phone is working away quite happily.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
Yep, already been through that option. :) Still not working while pass through is enabled.
Actually, in rereading that support note:

          For VPN client to passthrough
         
          Network Topology:
              VPN client----Vigor router as NAT device----internet----VPN server
              While VPN client is behind the Vigor router, generally no special settings are required for Vigor router


So it doesn't seem as though you would need to do anything special with the router.

But you can connect from other locations with the same user account you are testing with at this one?

Are you creating a VPN connection manually on the remote machine? Or using the Small Business Server Connection Manager downloaded from the Remote Web Workplace (RWW) main menu?

Can this user log onto RWW?  (https://FQDN/remote)

Does the connection just hang or is an error message displayed?  If an error is displayed, what is the exact message?

If no error message is displayed, please review the connection logs on the SBS itself which you'll find at C:\Windows\System32\Logfiles\

Jeff
TechSoEasy

Hey,
 The topology above is correct, I have RRAS configured as a PPTP VPN terminator on the SBS box (I don't like all the SBS wizards, I'm an old fashioned server engineer. ;-)) and I'm using the standard Windows VPN connector to create the VPN tunnel to the RRAS server.
I'm using the same username and password which works from other locations (which work straight away from other locations behind various Netgear and Belkin ADSL firewalls/routers).
It just seems to fail with error 721 during the authentication phase. http://support.microsoft.com/kb/888201
This led me down the route of trying to find somewhere in the Vigor to permit GRE protocol 47 but to no avail.
"(I don't like all the SBS wizards, I'm an old fashioned server engineer. ;-))"

If you're an old fashioned server engineer then you would know that you should never install all of the components and services running in SBS on the same box.... UNLESS you were able to perfectly configure and synchronize those components and services to provide optimum performance and security.  The only way to do that is to use the "wizards" which are just scripts anyhow.  

So the problem with not running the Configure Remote Access wizard is that you have no other way of creating the Small Business Server Connection Manager (VPN Client).  

However, 721 is most always a GRE protocol issue... and according to their KB,
" You will probably still need to disable the router's own VPN function, as above, and in some circumstances use the DMZ"
reference: http://www.draytek.co.uk/support/kb_vigor_passthrough.html

Jeff
TechSoEasy
I didn't say the wizards weren't used to set up the SBS server, they were.
I was just making a point that if I had it my way: Exchange, DCs and file/print services would all be on separate boxes along with a decent hardware firewall for VPN termination. I'm more used to designing networks for larger corporates is all. Sorry for the confusion.

Thanks for the link, am pretty sure I enabled the open port for passthrough but will double check tomorrow when I can get back on the router.
Sorry if I misunderstood.  Obviously though if all those things were on a separate box the costs would skyrocket.  The beauty of SBS is that it makes it possible to put them all in a single machine effectively.  

Jeff
TechSoEasy
No worries, I badly worded that first comment. Will give this a go tomorrow, I appreciate all your help on this problem.
Still no luck, have been monitoring the TCP packets on the machine behind the Vigor and ran the same on a machine which connects fine from a different location.
It seems that the packets which don't get through the Vigor are Configuration ACK, NAK, or rejection requests back from the RRAS Server. The client just sits there sending out configuration requests and eventually times out.

From a machine which isn't behind the Vigor, the normal configuration request/NAK/request/ACK in both directions goes straight through and then gets to the handshake challenge stage with no issues.

Any idea why the Vigor would drop these ACK/NAK packets back to the client? Is it changing the port in the TCP header and rejecting it I wonder?
On further investigation, the EAP config request from the server back to the client behind the Vigor just never gets there. Obviously CHAP-V2 never takes place either as the first config phase times out.

Any idea where in the Vigor this might be blocked. I must be blind!
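
The symptom described in the posts above, checked against a capture: PPTP carries the PPP negotiation inside GRE (IP protocol 47), so the question is whether any LCP replies arrive in the inbound direction. This is an added example, not part of the original thread; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}

def parse_pptp_gre(pkt):
    """Return the LCP code name carried in one PPTP GRE packet, else None."""
    if len(pkt) < 8:
        return None
    flags, ver, proto, plen, _call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != 0x880B or (ver & 0x07) != 1:  # enhanced GRE v1 carrying PPP
        return None
    off = 8
    if flags & 0x10:  # S bit: sequence number present
        off += 4
    if ver & 0x80:    # A bit: acknowledgment number present
        off += 4
    ppp = pkt[off:off + plen]
    if ppp[:2] == b"\xff\x03":  # optional PPP address/control bytes
        ppp = ppp[2:]
    if len(ppp) < 6 or ppp[:2] != b"\xc0\x21":  # 0xC021 = LCP
        return None
    return LCP_CODES.get(ppp[2])

def diagnose(capture):
    """capture: (direction, gre_bytes) pairs; 'out' = client to server."""
    seen = {"out": Counter(), "in": Counter()}
    for direction, pkt in capture:
        code = parse_pptp_gre(pkt)
        if code:
            seen[direction][code] += 1
    if seen["out"]["Configure-Request"] and not seen["in"]:
        return "one-way LCP: no replies from the server reach the client"
    if seen["out"]["Configure-Ack"] and seen["in"]["Configure-Ack"]:
        return "LCP completed in both directions"
    return "LCP incomplete"

def build(code, ident, seq):
    """Constructed sample: GRE v1 header with sequence number, LCP without options."""
    ppp = b"\xff\x03\xc0\x21" + struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, len(ppp), 1, seq) + ppp

# Constructed captures, not taken from the thread.
BEHIND_NAT = [("out", build(1, i, i)) for i in range(1, 4)]
DIRECT = [("out", build(1, 1, 1)), ("in", build(1, 1, 1)), ("in", build(3, 1, 2)),
          ("out", build(1, 2, 2)), ("in", build(2, 2, 3)), ("out", build(2, 1, 3))]

if __name__ == "__main__":
    print(diagnose(BEHIND_NAT))
    print(diagnose(DIRECT))
```

Running the same check on captures taken on both sides of each NAT device in the path shows which hop stops forwarding the inbound GRE.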
Honestly, that's far beyond what I would ever get involved with... keeping myself focused on helping users be more productive is generally much more beneficial to both parties than troubleshooting something like this in an SBS environment... so if it were me at this point, I'd ditch the router and replace it with one that I know works for other users.

I do understand the desire to "figure it out" but in the small business space, that's almost always more costly for the customer than just making it work.

Jeff
TechSoEasy
I know, unfortunately I advised getting the router in the first place due to its advanced config options (which has solved the original problem with the IP phone dropping out now that QOS is working).
I've got this call open with Draytek's tech support and have sent them the TCP monitor logs so hopefully we'll come up with something between us seen as they develop the damn things. ;-)
Thanks anyway, will post if I find the resolution.

Cheers. Adrian.
The advanced config options do seem a bit much for home use... even with VOIP.  I tend to stick with simpler VOIP routers.  The Linksys WRTP54G, for example.  I believe that the Vigor 2100VG is similar, but we don't really use Vigor equipment in the US.

Jeff
TechSoEasy
Fixed it,
 It was the BT Versatility ADSL gateway which was dropping some of the packets. The Draytek never receives any config ACK packets back from the server. God I hate BT equipment.