Solved

Problem with VPN Connections to SBS 2003 Server

Posted on 2007-10-20
Last Modified: 2013-12-23
We are having a problem with VPN connections to our SBS 2003 server.

We have a small office network with (1) SBS 2003 Server and (4) Windows 98SE workstations.  We also have a remote office with (1) Windows 98SE workstation.  All (5) of our Windows 98SE workstations have been updated with IE 6.0 and Active Directory Services Client setups, and all are fully functional with our SBS 2003 server.  Our remote office workstation also has DUNS 1.4 and Microsoft L2TP/IPSec installed (to allow for a L2TP/IPSec VPN connection on a Windows 98SE workstation).

Our SBS server (named SERVER), has (2) NIC's.  NIC #1 is used for our LAN, with an IP address of 192.168.16.2.  NIC #2 is used for connection to our 3-Com Office-Connect Secure Router (for connection to our ISP), with an IP address of 192.168.15.3.  Our 3-Com Office-Connect Secure Router has an IP address of 192.168.15.4.  Our router has a fulltime broadband connection to the internet, via (1) static IP address from our ISP of 69.220.176.179.  Our domain name is grecoelectric.com (with our simple 1-page website hosted by our ISP).

Our remote office Windows 98SE workstation (named REMOTE), has (1) NIC, with an IP address of 192.168.14.35, connected to our remote office 3-Com router (with the router IP address of 192.168.14.31).  Our remote office router has a fulltime broadband connection to the internet, via a dynamic IP address from our ISP.

We have configured Remote Access and Routing on our SBS 2003 server exactly in accordance with each step indicated in the "Microsoft Administrator's Companion for Windows Small Business Server 2003" (including triple-checking each step).  We have also followed and triple-checked each step for configuring a L2TP/IPSec VPN connection on the server.  We have opted to use a Pre-Shared Key for authentication (initially using a very simple 9-character key until after the VPN connection has been set up and confirmed).  We have confirmed (5) PPTP WAN Miniports and (5) L2TP WAN Miniports in the Remote Access and Routing console (all listed with a status of "Listening").  We have opened all indicated ports in the SBS Basic Firewall (VPN Gateway (PPTP) - Port 1723;  VPN Gateway (L2TP) - Port 1701;  IP Security (IKE) - Port 500;  IP Security (IKE NAT Traversal) - Port 4500;  IPSec (ESP) - Port 50).  We have also configured VPN pass-through on the 3-Com Office-Connect Secure Router for each of the listed ports.

We have created (2) DUN connections on the remote office workstation (connection #1 for the PPTP VPN adapter, and connection #2 for the L2TP VPN adapter).  Our ISP tech support department has advised us to enter our static IP address for the host address for each VPN connection (69.220.176.179).  We have also configured L2TP/IPSec on our remote office workstation for using a Pre-Shared Key for authentication (triple-checking the above-noted simple 9-character key).  We have also confirmed 128-bit encryption capability on our remote office workstation (allowed with DUNS 1.4).  We have also configured VPN pass-through on our remote office 3-Com router for each of the above-listed ports.

As you can see, we have tried to be extremely meticulous in regards to setting up a textbook VPN connection.  Unfortunately, we have not been able to connect via either of the (2) listed VPN connections (either via PPTP or via L2TP).  For the PPTP connection, we continually receive "Error 678" after approx. (10) seconds.  For the L2TP connection, we continually receive "Error 629" after approx. (30) seconds.  For your reference, we are able to ping our main office static IP address (69.220.176.179), from our remote office workstation (by "temporarily" enabling ping from the internet, on our main office 3-Com Office-Connect Secure Router).

As much as we have triple-checked each step of the VPN setup, we are uncertain of our ISP advisement to use our static IP address for the host address for each VPN connection (69.220.176.179).  They have assured us that no other links or "A Records" need to be set up to establish the VPN connection.  Most Microsoft documentation only references entering "the address of the server network adapter used to connect to the internet", for the host address for the remote client VPN connection (with no clarification in regards to using the "public" or "private" address).  We were wondering if the ISP is supposed to create/register a reference to the "private" address of our NIC #2 (versus us using our "public" static IP address).  At this point we are desperate, and would gladly welcome any suggestions in regards to resolving our VPN connection problem.

Question by:GENET_ITREP
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 20116610
Please forward Ipconfig/all of server and workstation.
I also ran a test on your DNS. A few issues there. You need to get on to your ISP and ask them to create a new A and PTR record for (example only) external.grecoelectric.com pointing at 69.220.176.179.
Then run the internet connection wizard Server Management> To Do List> Point 2 and use external.grecoelectric.com for the certificate.
Then run Server Management> To Do List> Point 3.

From workstation (external): In the browser type in: https://external.grecoelectrical.com/remote> IMPORT the certificate and say yes to the Active X download> Download and install the Small Business Connection from the RWW workplace. This will create an icon on the desktop: "Small Business Server Connection". Clicking this icon will create your VPN.

A few more things to check: On both routers make sure GRE or PPTP Pass through is enabled.
There have been known issues with Win98 SE. You might want to consider upgrading to XP Sp2.
Hope that helps,
Olaf
0
 

Author Comment

by:GENET_ITREP
ID: 20120256
Dear Olaf,

Thank you very much for your extremely prompt response.  As per your request, we have listed below the "ipconfig /all" results for our main office server (SERVER), and our remote office workstation (REMOTE).

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SERVER
Windows IP Configuration  (for Greco Electric Main Office Server, as of 10/21/07)
   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : genet.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : genet.local

Ethernet adapter High-Speed Internet Connection:
   Connection-specific DNS Suffix. . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PT Desktop Adapter
   Physical Address. . . . . . . . . : 00-15-17-0B-F1-92
   DHCP Enabled. . . . . . . . . . . : No
   IP Address  . . . . . . . . . . . : 192.168.15.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway.  . . . . . . . . : 192.168.15.4
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:
   Connection-specific DNS Suffix. . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address .. . . . . . . . : 00-13-72-3D-84-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
REMOTE
Windows 98 IP Configuration  (for Greco Electric Remote Workstation, as of 10/21/07)
   Host Name . . . . . . . . . . . . : REMOTE.GENET
   DNS Servers . . . . . . . . . . . : 192.168.14.31
   Node Type . . . . . . . . . . . . : Broadcast
   NetBIOS Scope ID. . . . . . . . . :
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   NetBIOS Resolution Uses DNS . . . : Yes

0 Ethernet adapter:
   Description . . . . . . . . . . . : PPP Adapter
   Physical Address. . . . . . . . . : 44-45-53-54-00-00
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 255.255.255.255
   Primary WINS Server . . . . . . . :
   Secondary WINS Server . . . . . . :
   Lease Obtained. . . . . . . . . . :
   Lease Expires . . . . . . . . . . :

1 Ethernet adapter:
   Description . . . . . . . . . . . : PPP Adapter
   Physical Address. . . . . . . . . : 44-45-53-54-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 255.255.255.255
   Primary WINS Server . . . . . . . :
   Secondary WINS Server . . . . . . :
   Lease Obtained. . . . . . . . . . :
   Lease Expires . . . . . . . . . . :

2 Ethernet adapter:
   Description . . . . . . . . . . . : 3Com 3C90x Ethernet Adapter
   Physical Address. . . . . . . . . : 00-60-08-2A-DB-31
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.14.35
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.14.31
   Primary WINS Server . . . . . . . :
   Secondary WINS Server . . . . . . :
   Lease Obtained. . . . . . . . . . :
   Lease Expires . . . . . . . . . . :
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Also as per your recommendation, we will have our ISP create the noted "A" and "PTR" record for server.grecoelectric.com, pointing at our static IP address of 69.220.176.179.

In regards to creating a remote connection disk for our Windows 98SE remote office workstation, we were unaware that the remote connection disk was compatible with Windows 98SE (we were under the impression that same was only compatible with Windows 2000 or Windows XP).  Could you please confirm Windows 98SE compatibility with the remote connection disk, before we run same on our Windows 98SE remote office workstation?

We were also under the impression that if we used a Pre-Shared Key for authentication, a certificate would not be required for a L2TP VPN connection.  We would welcome your comments in regards to same.  Could you also please advise us if a certificate is required for a PPTP VPN connection.

Finally, please advise us as to the proper host address to enter if we were to manually create a remote client VPN connection on our Windows 98SE remote office workstation.  As we previously stated, most Microsoft documentation only references entering "the address of the server network adapter used to connect to the internet", for the host address for the remote client VPN connection (with no clarification in regards to using the "public" or "private" address).  Could you also please advise if same would require our ISP to create another "A" and "PTR" record.

Thank you very much for all of your time and efforts in regards to this matter.  Your expertise is very greatly appreciated.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 20120496
http://support.microsoft.com/default.aspx?scid=kb;en-us;555038
----------
I haven't used win98 for a while but can't see why SBS connection would not work. I could well be wrong.
-------------------
If doing a manual VPN:
> [Note] If you manually created the VPN connection by using "Create a new
> connection" wizard on the client computer, please follow these steps to
> solve the issue.
>
> 1. Open Network Connections.
> 2. Right-click the VPN connection and click Properties.
> 3. Click the Networking tab and double-click Internet Protocol (TCP/IP).
> 4. Click Advanced and uncheck the "Use default gateway on remote network".
> 5. OKs to confirm the changes.
-----------
On remote: Please disable the NIC connectors not used.
-----------
PPTP with certificate (you can use the SBS certificate) seems to work better than L2TP.
You do not have to create a disk. You can get the file from the RWW as explained in previous post and do all this over the internet.
-----------
Please use the permanent external IP for a manual VPN connection. (Make sure you change the gateway).
From remote workstation from C prompt:
1: Type ping 69.220.176.179 and tell me what the response is.
2: Type nslookup 69.220.176.179 and tell what the response is.
-----------
You could also use a VPN tunnel (needs special hardware) that will certainly work even on 98.
Olaf



0
 

Author Comment

by:GENET_ITREP
ID: 20136222
Dear Olaf,

Thank you again for your extremely prompt response.  As per your request, we have listed below the "ping" and "nslookup" results for our main office static IP address (69.220.176.179), from our remote office workstation (REMOTE).

-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
PING 69.220.176.179  (FROM REMOTE)
Only possible by temporarily "enabling ping from the internet", on our main office 3-Com Office-Connect Secure Router
(otherwise no response, with "ping from the internet disabled", on our main office 3-Com Office-Connect Secure Router)

Pinging 69.220.176.179 with 32 bytes of data:

Reply from 69.220.176.179: bytes=32 time=16ms TTL=253
Reply from 69.220.176.179: bytes=32 time=15ms TTL=253
Reply from 69.220.176.179: bytes=32 time=17ms TTL=253
Reply from 69.220.176.179: bytes=32 time=21ms TTL=253

Ping statistics for 69.220.176.179:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 21ms, Average = 17ms
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
NSLOOKUP 69.220.176.179  (FROM REMOTE)

DNS request timed out.
    timeout was 2 seconds.

DNS request timed out.
    timeout was 2 seconds.

Server:  UnKnown
Address:  85.255.116.61

Name:    69-220-176-179.ded.ameritech.net
Address:  69.220.176.179
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

As per your recommendation, we are in the process of having our ISP create the previously noted "A" and "PTR" record for server.grecoelectric.com, pointing at our static IP address of 69.220.176.179.

In regards to manually creating a remote client VPN connection on our Windows 98SE remote office workstation, you indicated that we should enter our permanent external IP address for the host address.  You also referenced that we should make sure that we change the gateway.  Could you possibly clarify if that is in reference to your recommendation to uncheck "Use default gateway on remote network", or is there another gateway setting that we need to confirm or revise?

We will look forward to your response to the "ping" and "nslookup" results, as well as the above-noted clarification request.  We are in the midst of completing a very large project within our office, and we may not be able to implement your recommendations for several days.  However, we will definitely advise you of the outcome.  Once again, thank you very much for all of your time and efforts in regards to this matter, and again, your expertise is indeed very greatly appreciated.
0
 

Accepted Solution

by:
GENET_ITREP earned 0 total points
ID: 20260020
Olaf,

As we have not received any response from you since our 10/23/07 response to you, we just wanted to advise you that we actually resolved this issue ourselves.  We revised all of the forwarded ports on our 3-Com Office Connect Secure Router (referred to as Virtual Servers by 3-Com), to the address of our external NIC (versus the originally set up address of our internal NIC).  This immediately resolved our VPN connection issue, and we now have a fully functional PPTP VPN connection from our server to our Windows 98SE remote office workstation.  We just wanted to thank you anyway for your efforts.
0
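
The fix in the accepted solution, written as a check (an added example, not part of the original thread): it flags forwarding rules whose target is not on the router's LAN subnet and lists the traffic each VPN type still lacks. The rule layout and function name are hypothetical, the addresses are the ones given in the thread, and it assumes the router has no static route to 192.168.16.0/24.

```python
import ipaddress

# Addresses as given in the thread; the rule layout is a hypothetical model
# of the router's "Virtual Servers" table, not 3Com's actual config format.
ROUTER_LAN = ipaddress.ip_interface("192.168.15.4/24")
SERVER_NICS = {
    "external": ipaddress.ip_address("192.168.15.3"),
    "internal": ipaddress.ip_address("192.168.16.2"),
}

# Traffic each VPN type needs delivered to the server. GRE (47) and ESP (50)
# are IP protocol numbers, handled by pass-through rather than a port forward.
REQUIRED = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPSec": [("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)],
}


def audit_forwards(rules, vpn_type, router_lan=ROUTER_LAN, nics=SERVER_NICS):
    """Return a list of (proto, port, problem) tuples for one VPN type."""
    findings = []
    by_key = {(r["proto"], r.get("port")): r for r in rules}
    for proto, port in REQUIRED[vpn_type]:
        rule = by_key.get((proto, port))
        if rule is None:
            findings.append((proto, port, "no forward or pass-through rule"))
            continue
        target = ipaddress.ip_address(rule["target"])
        if target == router_lan.ip:
            findings.append((proto, port, "target is the router itself"))
        elif target not in router_lan.network:
            # Assumption: with no static route, the router can only deliver
            # forwarded traffic to hosts on its own LAN segment.
            reachable = [n for n, ip in nics.items() if ip in router_lan.network]
            hint = f"; use server NIC {reachable[0]}" if reachable else ""
            findings.append(
                (proto, port, f"target {target} is outside {router_lan.network}{hint}")
            )
    return findings


# Constructed rule sets: the original setup (internal NIC) and the fix.
BEFORE = [
    {"proto": "tcp", "port": 1723, "target": "192.168.16.2"},
    {"proto": "gre", "port": None, "target": "192.168.16.2"},
]
AFTER = [{**r, "target": "192.168.15.3"} for r in BEFORE]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_forwards(rules, "PPTP"))
```
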
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 20261117
Glad you got it working. Sorry but have been busy.
That was one of the suggestions in my first post: Make sure "GRE or PPTP passthrough" is open on router.
Olaf
0
 
LVL 1

Expert Comment

by:Computer101
ID: 20302666
Closed, 500 points refunded.
Computer101
EE Admin
0
