Fred D asked:

Trouble setting up a new VPN on Windows 2003 Standard Server with one NIC

This is my first question, so let me know if I'm saying or asking the right things.
I have been having problems creating a new VPN on an existing W2K3 Standard Server, SP1.
I start out by using the Configure Your Server Wizard and select Remote Access / VPN Server. But initially I only had one NIC and during the configuration process, it would not let me specify an IP range. So I installed a second NIC and it seemed happy, although it told me that the second NIC was not connected. I continued. BTW DHCP is provided by the WatchGuard Firewall.

I select the Virtual Private Network access and NAT, which then allows me to select the range I want. However, when I complete the wizard it locks out all of the local clients from any file sharing, but the VPN seems to connect remotely.
I didn't think I needed the second NIC, so I am stuck.

Thank you in advance for any assistance!

Point-In-Cyberspace

To use a VPN server with one NIC you have to do a manual setup of RRAS.
Wizard mode can't handle a 1 NIC config.

Fred D

ASKER

Thank you for your quick reply.
So can I assume that it is possible with one NIC? And then is it a good idea - 5 local users and 4 remotes.
Since I added the second NIC already should I connect it?
 
I did try to do it manually but I could not find a way to set a range of IPs.
And then another question would be should this new range be within the current range of the DHCP scope from the WatchGuard firewall?

You should deconfigure RRAS and remove the second NIC or disable it.
Then reconfigure RRAS manually and set a range of IP addresses that you are sure will never be used in your network.
If your net is 192.168.0.x, give RRAS 192.168.0.50 to 192.168.0.60, for example. Give 2 or 3 more addresses than strictly needed, because RRAS uses the first of them to provide routing.

To be sure that no issues with DHCP will happen, create an exclusion for those IP addresses on the WatchGuard.
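
The pool advice in the reply above can be checked on paper before RRAS is reconfigured. The following is an added example, not part of the original thread: `ip_range` and `check_rras_pool` are hypothetical helper names, the pool 192.168.1.90 to 192.168.1.99 and the server address 192.168.1.7 are the values the asker gives later in the thread, and the DHCP scope is an assumed value.

```python
import ipaddress

def ip_range(first, last):
    """Inclusive set of IPv4 addresses between first and last."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}

def check_rras_pool(lan, pool, dhcp_scope, dhcp_exclusions, static_hosts, vpn_clients):
    """Return a list of problems with a planned RRAS static pool (empty = OK)."""
    net = ipaddress.IPv4Network(lan)
    pool_addrs = ip_range(*pool)
    problems = []

    # The pool must sit on usable host addresses of the LAN subnet.
    if not pool_addrs <= set(net.hosts()):
        problems.append("pool is not entirely inside the LAN subnet")

    # Addresses the DHCP server can still lease = scope minus exclusions.
    leasable = ip_range(*dhcp_scope)
    for first, last in dhcp_exclusions:
        leasable -= ip_range(first, last)
    clash = sorted(pool_addrs & leasable)
    if clash:
        problems.append(f"{len(clash)} pool addresses can still be leased by DHCP "
                        f"({clash[0]} to {clash[-1]}); add an exclusion")

    # Statically configured hosts (here the server itself) must stay out of the pool.
    for host in static_hosts:
        if ipaddress.IPv4Address(host) in pool_addrs:
            problems.append(f"static host {host} is inside the pool")

    # Per the thread, RRAS keeps the first pool address for itself.
    if len(pool_addrs) < vpn_clients + 1:
        problems.append(f"pool has {len(pool_addrs)} addresses, "
                        f"need at least {vpn_clients + 1}")
    return problems

# Constructed sample: pool and server address from the thread, DHCP scope assumed.
LAN = "192.168.1.0/24"
POOL = ("192.168.1.90", "192.168.1.99")
DHCP_SCOPE = ("192.168.1.50", "192.168.1.150")   # assumed, not stated on the page
STATIC = ["192.168.1.7"]                          # server address from the thread

if __name__ == "__main__":
    print(check_rras_pool(LAN, POOL, DHCP_SCOPE, [], STATIC, vpn_clients=4))
    print(check_rras_pool(LAN, POOL, DHCP_SCOPE, [POOL], STATIC, vpn_clients=4))
```

The first call reports the overlap with the DHCP scope; the second, with the pool excluded on the DHCP server, returns an empty list.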

Fred D

ASKER

Sounds like a good plan.  I will give this a try tomorrow because I am now remote to the server.
Can this be done remotely without losing an RDP terminal session? Or actually I can access the server's desktop via LogMeInRescue remote control.
But I think it will probably reset the connection and I might lose the remote access.
 
Connections are likely to be reset, but it's possible that they come online again in a few seconds.
Anyway, it is better to make these configs locally.

Fred D

ASKER

I could not make the updates - got a cut on the cornea of my eye - better now.  Sorry for the delay.  Plan to try this again onsite tonight at 5 EST.
Agree with your statement.
Thanks!

Fred D

ASKER

I'm at the server and uninstalled the second NIC because RRAS still finds it if it is disabled.  I then configured RRAS manually but it still forces me to use the custom configuration.  I'm not certain but I select VPN Access and LAN Routing.
I finish the configuration and although it allows me to connect remotely via the VPN all of the local access to the files and sharing are no longer available??
Help!

Detail "are not available".

If you can't see shares browsing the network, test again using \\servername mode.

Try with IP address too:

assuming your server has IP address 192.168.0.1
do \\192.168.0.1
assuming that your DHCP static pool in RRAS is 192.168.0.50 to 192.168.0.60
do \\192.168.0.50

Naturally this test must be done on a remote client connected with VPN.
Check its IP address by using ipconfig in a command prompt.

For another test you can ping the .0.1 and .0.50 addresses.

Fred D

ASKER

After a few hours of frustration I found that DHCP must be done on the server instead of the firewall like I had it.  
After changing this it seems to allow me to connect the VPN remotely and ping the server but the IP address of the server is changed from 192.168.1.7 to 192.168.1.129 which is the range I specified in RRAS?  I think this is okay.
But another problem is that when I connect remotely to the VPN and map the drives, which now works, I can no longer browse the Internet or get Outlook email??  If I disconnect the VPN I can again access the Internet??  
How do I correct this?

You have to disable the "Use default gateway on remote network" option in the VPN CLIENT configuration, in the advanced properties.

In RRAS, during config, you can assign a pool of addresses regardless of the presence of DHCP.

Fred D

ASKER

Great!  I made the change in the VPN client and will test it later.  You think it would default this way.
Another problem - I found that RRAS uses additional user licenses on the WatchGuard firewall and now only supports 10 concurrent users so we are getting the upgrade to 25.
I actually did create the additional pool of IPs but when I tried to ping the server's name from the VPN client it would not reply and I didn't know the IP it assigned.  But it pinged the name after I recreated the DHCP on the server??
I removed the DHCP from the server today and will try this later too. What address should I get remotely when I ping the server name, the real address of 192.168.1.7 or an address in the pool of 192.168.1.90 - 192.168.1.99?  And what address would I get on a local client?
I think I just realized that all of my local mapping is done with \\servername\ instead of \\ipaddress\ and that is why the local shares will not work when RRAS changes the server to an address in the pool.  Is this right?
BTW I've increased the points because of the additional problems - seems fair.
Thanks.

In an RRAS VPN environment the IP address pool is assigned to RRAS.

The first address of this pool will be assigned to the RRAS server.

The second address will be assigned to the first VPN client.

For name and address resolution, try to see if the server correctly assigns a DNS address to the VPN client.

In ipconfig /all you should find that the first address of the pool is assigned to the PPP connection as DNS server.

In this way you can resolve the server's hostname automatically.

Once connected, try to ping the servername and check the answer.

Fred D

ASKER

After a great deal of trouble I believe I have found the reason why my RRAS has not been working correctly.
I did do what you mentioned and the PPP connection is assigned to the DNS and the server is actually the second address in the pool??  And I can finally map a drive to either the server's IP address or the server's name but the real problem was not the RRAS.
The problem was in the DNS Forwarders - I know, go figure!  
I right clicked on the server in the DNS management console and looked in the properties, then clicked on the Forwarders tab.  And to my surprise I found a strange IP of 192.168.1.254???  So I removed this and added the DNS1 and DNS1 from the ISP provider.
Now the Internet is much faster and the RRAS seems to be working fine.
So you did help on many levels and especially the problem of being able to browse at the remote PC, so I will accept the solution and award the points.
Thanks again for your help!

ASKER CERTIFIED SOLUTION
Point-In-Cyberspace

Fred D

ASKER

You were a big help even though we actually went off in another direction. Thanks!