Status: Solved

Windows VPN to a 2003 SBS server through a Vigor 2800g router

I have a Draytek Vigor 2800 as a home user gateway/ADSL router. They have a 2003 SBS server which is using RAS to terminate VPN for Windows clients using the built-in Windows VPN Miniport PPTP connector. The VPN works fine when you are sat outside the DSL router and from plenty of other locations, just not behind this Vigor for some reason. It gets to the user authentication stage and times out.
Anyone got any ideas what could be stopping outgoing PPTP through this Draytek? Thanks in advance.
1 Solution
 
NeilParbrookCommented:
Can you clarify.

Is the Draytek router on the SBS system or on a teleworker?
0
 
ajwukAuthor Commented:
It's the default gateway for a home user (the teleworker). The SBS server is at the work place.
0
 
NeilParbrookCommented:
And you're saying that the VPN connection goes pear shaped just on the Draytek.

I have a Draytek 2800 myself and connect to SBS servers a lot with no problems.  That doesn't help you much so let's see....

Assuming the server is using a PPTP VPN connection, have you tried going in to the server and disabling the built-in PPTP server?  You can find it on VPN and Remote Access > Remote Access Control; here you can disable the built-in VPN servers.  I have had to do this to allow the router to pass VPN through to my SBS server instead of doing it itself.  Might be worth a try in case the router's built-in VPN server is trying to do weird things when you try to connect to the SBS server.

Got to be worth a try.

NeilParbrook

 
0
 
NeilParbrookCommented:
Sorry, not....

Assuming the server is using a PPTP VPN connection, have you tried going in to the SERVER and disabling the built-in PPTP server

but

Assuming the server is using a PPTP VPN connection, have you tried going in to the ROUTER and disabling the built-in PPTP server
0
 
ajwukAuthor Commented:
Yea, I came across that and tried disabling built-in VPN connectivity to allow pass-through, but the VPN connection still doesn't authenticate for some reason (it does get to the auth stage of setting up the PPTP connection). I must be missing something.
Thinking about it, she does also have a VoIP phone going through the Vigor connecting to a BT Versatility box providing the DSL connection at the work site. Could this have a bearing? Got the Vigor in the first place to guarantee QoS on the line for VoIP. Will test with the phone switched off (I've been troubleshooting it remotely so this had slipped my mind).
0
 
ajwukAuthor Commented:
Actually, the more I think about it now, it's down to the authentication stage. It could well be that damn VoIP phone again.
0
 
NeilParbrookCommented:
Possibly, but I can't see why.  I have a VoIP gateway attached to mine with no problems.  But give it a go.  What's the IP address range of the two sites?

So the BT Versatility is at the office with a phone at the teleworker?
0
 
NeilParbrookCommented:
I take it you are using the windows based VPN client?

Have you tried using the router to permanently connect to the server and then just connecting machines to the router?
0
 
ajwukAuthor Commented:
Yea, it's the Windows VPN client. Tried using the Vigor as the VPN initiator but it wouldn't connect either. Will give it another go.

The IP range at the remote site (teleworker) is 192.168.10.* and 10.0.0.* at the main site.

The BT Versatility box is at the main site with the IP phone at the remote teleworker site. The IP phone is working away quite happily.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
While it seems a bit backwards... on the Vigor 2800G you actually have to UNCHECK the "Enable PPTP VPN Service" box to allow PPTP Passthrough to work:  http://www.draytek.com/support/support_note/router/faq/vpn/17.php

Jeff
TechSoEasy
0
 
ajwukAuthor Commented:
Yep, already been through that option. :) Still not working while pass through is enabled.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Actually, in rereading that support note:

    For VPN client to passthrough

    Network Topology:
        VPN client----Vigor router as NAT device----internet----VPN server
        While VPN client is behind the Vigor router, generally no special settings are required for Vigor router

So it doesn't seem as though you would need to do anything special with the router.

But you can connect from other locations with the same user account you are testing with at this one?

Are you creating a VPN connection manually on the remote machine? Or using the Small Business Server Connection Manager downloaded from the Remote Web Workplace (RWW) main menu?

Can this user log onto RWW?  (https://FQDN/remote)

Does the connection just hang or is an error message displayed?  If an error is displayed, what is the exact message?

If no error message is displayed, please review the connection logs on the SBS itself which you'll find at C:\Windows\System32\Logfiles\

Jeff
TechSoEasy

0
 
ajwukAuthor Commented:
Hey,
The topology above is correct. I have RRAS configured as a PPTP VPN terminator on the SBS box (I don't like all the SBS wizards, I'm an old fashioned server engineer. ;-)) and I'm using the standard Windows VPN connector to create the VPN tunnel to the RRAS server.
I'm using the same username and password which works from other locations (which work straight away from behind various Netgear and Belkin ADSL firewalls/routers).
It just seems to fail with error 721 during the authentication phase: http://support.microsoft.com/kb/888201
This led me down the route of trying to find somewhere in the Vigor to permit GRE protocol 47, but to no avail.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
"(I don't like all the SBS wizards, I'm an old fashioned server engineer. ;-))"

If you're an old fashioned server engineer then you would know that you should never install all of the components and services running in SBS on the same box.... UNLESS you were able to perfectly configure and synchronize those components and services to provide optimum performance and security.  The only way to do that is to use the "wizards" which are just scripts anyhow.  

So the problem with not running the Configure Remote Access wizard is that you have no other way of creating the Small Business Server Connection Manager (VPN Client).  

However, 721 is most always a GRE protocol issue... and according to their KB,
" You will probably still need to disable the router's own VPN function, as above, and in some circumstances use the DMZ"
reference: http://www.draytek.co.uk/support/kb_vigor_passthrough.html

Jeff
TechSoEasy
0
 
ajwukAuthor Commented:
I didn't say the wizards weren't used to set up the SBS server, they were.
I was just making a point that if I had it my way: Exchange, DCs and file/print services would all be on separate boxes along with a decent hardware firewall for VPN termination. I'm more used to designing networks for larger corporates is all. Sorry for the confusion.

Thanks for the link, am pretty sure I enabled the open port for passthrough but will double check tomorrow when I can get back on the router.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Sorry if I misunderstood.  Obviously though if all those things were on a separate box the costs would skyrocket.  The beauty of SBS is that it makes it possible to put them all in a single machine effectively.  

Jeff
TechSoEasy
0
 
ajwukAuthor Commented:
No worries, I badly worded that first comment. Will give this a go tomorrow, I appreciate all your help on this problem.
0
 
ajwukAuthor Commented:
Still no luck. I have been monitoring the TCP packets on the machine behind the Vigor and ran the same on a machine which connects fine from a different location.
It seems that the packets which don't get through the Vigor are the Configuration ACK, NAK or rejection requests back from the RRAS server. The client just sits there sending out configuration requests and eventually times out.

From a machine which isn't behind the Vigor, the normal configuration request/NAK/request/ACK in both directions goes straight through and then gets to the handshake challenge stage with no issues.

Any idea why the Vigor would drop these ACK/NAK packets back to the client? Is it changing the port in the TCP header and rejecting it I wonder?
0
 
ajwukAuthor Commented:
On further investigation, the EAP config request from the server back to the client behind the Vigor just never gets there. Obviously CHAP-V2 never takes place either as the first config phase times out.

Any idea where in the Vigor this might be blocked? I must be blind!
0
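The symptom described in the two comments above (client keeps sending LCP Configure-Requests inside the GRE data channel, and the server's Configure-Ack/Nak/Reject never arrives) can be confirmed from a packet capture rather than by eye. The following is an added example, not code from the thread or from Draytek; it assumes you have the raw GRE payloads (everything after the IP header of protocol-47 packets) and a direction label for each, and the sample packets it builds are constructed for illustration.

```python
import struct

# PPP LCP codes (RFC 1661) carried inside PPTP's enhanced GRE (IP protocol 47, RFC 2637)
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
GRE_PPP = 0x880B   # GRE protocol type for PPP
PPP_LCP = 0xC021   # PPP protocol number for LCP
RESPONSES = ("Configure-Ack", "Configure-Nak", "Configure-Reject")

def build_pptp_lcp(call_id, seq, code, ident, options=b""):
    """Constructed sample packet: enhanced GRE header (K+S set, version 1) followed by PPP LCP."""
    lcp = struct.pack("!BBH", code, ident, 4 + len(options)) + options
    ppp = struct.pack("!H", PPP_LCP) + lcp
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(ppp), call_id, seq) + ppp

def parse_pptp_lcp(pkt):
    """Return (call_id, seq, lcp_code_name), or None if pkt is not a GRE/PPP LCP packet."""
    if len(pkt) < 8:
        return None
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PPP or (ver & 0x07) != 1:
        return None
    off, seq = 8, None
    if flags & 0x10:                       # S bit: 32-bit sequence number present
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if ver & 0x80:                         # A bit: 32-bit acknowledgment number present
        off += 4
    ppp = pkt[off:off + length]
    if ppp[:2] == b"\xff\x03":             # optional HDLC address/control bytes
        ppp = ppp[2:]
    if len(ppp) < 6 or struct.unpack("!H", ppp[:2])[0] != PPP_LCP:
        return None
    return call_id, seq, LCP_CODES.get(ppp[2], "code-%d" % ppp[2])

def diagnose(capture):
    """capture: list of (direction, gre_payload) with direction 'out' (client->server) or 'in'."""
    sent_req = recv_resp = 0
    for direction, pkt in capture:
        parsed = parse_pptp_lcp(pkt)
        if parsed is None:
            continue
        if direction == "out" and parsed[2] == "Configure-Request":
            sent_req += 1
        elif direction == "in" and parsed[2] in RESPONSES:
            recv_resp += 1
    if sent_req and not recv_resp:
        return "GRE return path blocked: %d LCP Configure-Requests sent, no reply seen" % sent_req
    return "LCP negotiation proceeding (%d requests, %d responses)" % (sent_req, recv_resp)
```

If the control channel (TCP 1723) completes but `diagnose` reports the blocked case, the device dropping inbound GRE is somewhere between client and server, which is exactly what distinguishes a GRE/error 721 problem from a credentials problem.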
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Honestly, that's far beyond what I would ever get involved with... keeping myself focused on helping users be more productive is generally much more beneficial to both parties than troubleshooting something like this in an SBS environment... so if it were me at this point, I'd ditch the router and replace it with one that I know works for other users.

I do understand the desire to "figure it out" but in the small business space, that's almost always more costly for the customer than just making it work.

Jeff
TechSoEasy
0
 
ajwukAuthor Commented:
I know, unfortunately I advised getting the router in the first place due to its advanced config options (which have solved the original problem with the IP phone dropping out now that QoS is working).
I've got this call open with Draytek's tech support and have sent them the TCP monitor logs, so hopefully we'll come up with something between us, seeing as they develop the damn things. ;-)
Thanks anyway, will post if I find the resolution.

Cheers. Adrian.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
The advanced config options do seem a bit much for home use... even with VOIP.  I tend to stick with simpler VOIP routers.  The Linksys WRTP54G, for example.  I believe that the Vigor 2100VG is similar, but we don't really use Vigor equipment in the US.

Jeff
TechSoEasy
0
 
ajwukAuthor Commented:
Fixed it,
It was the BT Versatility ADSL gateway which was dropping some of the packets. The Draytek never receives any config ACK packets back from the server. God I hate BT equipment.
0