Solved

RRAS VPN Setup on Windows Server 2003, behind a WatchGuard firewall

Posted on 2009-04-09
Last Modified: 2012-05-06
Hi all,

Could someone help me troubleshoot my problem with an RRAS VPN server setup?

Our network has two servers; both are Windows Server 2003 and are domain controllers. I have set up RRAS on one of the servers with a dedicated NIC for it. I have opened up the firewall, which is provided by a WatchGuard router. We only have one public IP. On the firewall I have opened up the PPTP port and assigned the host address as the IP address of the NIC I am using for RRAS. (I don't think this device, the WatchGuard, has explicit NAT available.)

When I try to test by creating a VPN connection from a computer at my home, it hangs at verifying user name and password for a bit, then gives the error message 'Error 691: Access was denied because the username and/or password was invalid on the domain.'

I have given the user account I am using to connect 'Allow' access in the AD properties for dial-in and remote access connections (something like that; I don't remember the name of the option/tab).

Am I missing something really obvious here? How do I troubleshoot this issue and hopefully resolve it?
Question by:ashjuv
8 Comments
 
LVL 3

Expert Comment

by:haldoxp
ID: 24111148
You must also allow the GRE protocol on your router.

http://support.microsoft.com/kb/241251
0
 
LVL 6

Expert Comment

by:mickeyfan
ID: 24111207
This really depends on which WatchGuard you are using. If you are using a Firebox and not the SOHO, you can set up a direct one-to-one NAT without a problem.

Which WatchGuard are you using?
0
 
LVL 4

Accepted Solution

by:
dj_relentless earned 250 total points
ID: 24111395
Try it with the full UPN, user@domain.local. If no go, enable security auditing on the VPN box, if not already, and see if you're getting failure events on the username and password.
0
 

Author Comment

by:ashjuv
ID: 24111409
This is the WatchGuard info:

version 6.4.1
build 15
boot rom 5.6
Watchguard SOHO 6TC
0

 

Author Comment

by:ashjuv
ID: 24111435
When I specify PPTP as the service, should it not automatically take care of both the TCP port and the protocol on the firewall?

I actually did try creating my own service and specifying the RRAS port as well as the protocol; it gave the same result.
0
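
An added example, not part of the thread or of any poster's reply: PPTP needs two separate flows through the firewall, a control connection on TCP 1723 and GRE (IP protocol 47) for the tunnelled PPP session in which the user name and password are checked. The Python below (function names and the sample reply are constructed for illustration; the message layout follows RFC 2637) exercises only the TCP 1723 half against your own server, so a good reply confirms the port forward and says nothing about GRE.

```python
import socket
import struct

PPTP_PORT = 1723           # TCP control channel only; the PPP session rides GRE (IP protocol 47)
MAGIC_COOKIE = 0x1A2B3C4D  # fixed constant in every PPTP control message (RFC 2637)
HEADER = struct.Struct("!HHIHH")  # length, PPTP message type, cookie, control type, reserved
REQUEST = struct.Struct("!HHIIHH64s64s")  # version, reserved, framing, bearer, channels, firmware, host, vendor
REPLY = struct.Struct("!HBBIIHH64s64s")   # version, result, error, framing, bearer, channels, firmware, host, vendor
MSG_LEN = HEADER.size + REPLY.size        # 156 bytes for both request and reply


def build_start_request(hostname=b"diag-client"):
    """Start-Control-Connection-Request (control type 1), protocol version 1.0."""
    body = REQUEST.pack(0x0100, 0, 1, 1, 0, 0, hostname, b"")
    return HEADER.pack(MSG_LEN, 1, MAGIC_COOKIE, 1, 0) + body


def parse_start_reply(data):
    """Validate and decode a Start-Control-Connection-Reply (control type 2)."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    _, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    version, result, error, _, _, _, _, host, vendor = REPLY.unpack_from(data, HEADER.size)
    text = lambda raw: raw.rstrip(b"\0").decode("ascii", "replace")
    return {"ok": result == 1, "result": result, "error": error,
            "version": version, "host": text(host), "vendor": text(vendor)}


def check_control_channel(host, timeout=5.0):
    """Probe your own VPN endpoint; proves the TCP 1723 forward, not GRE."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as sock:
        sock.sendall(build_start_request())
        data = b""
        while len(data) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_start_reply(data)


def constructed_reply():
    """Constructed sample reply (not captured traffic): result code 1 = success."""
    body = REPLY.pack(0x0100, 1, 0, 1, 1, 0, 0, b"vpn01", b"constructed-vendor")
    return HEADER.pack(MSG_LEN, 1, MAGIC_COOKIE, 2, 0) + body
```

If the control channel answers but the client then stalls at "verifying user name and password" and times out, GRE being dropped in the path is the usual suspect. Error 691, as reported in this thread, is returned only after the server has evaluated the credentials.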
 

Author Comment

by:ashjuv
ID: 24111501
Actually, I tried logging on using the full name user@domain.com and it worked.

Thanks so much.
0
 
LVL 6

Assisted Solution

by:mickeyfan
mickeyfan earned 250 total points
ID: 24111515
I would use the MUVPN software for mobile users with any WatchGuard hardware. The software is free and setting it up is pretty easy.

We have had issues with using MS VPN through the WatchGuard hardware. We have had zero problems since we switched over to the WatchGuard software. The software is more secure and does compression as well.

http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=1709&p_created=1226697977&p_sid=ggh4xWuj&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9Nyw3JnBfcHJvZHM9MjU3LDI1OCZwX2NhdHM9JnBfcHY9Mi4yNTgmcF9jdj0mcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1hbGxvdyBwcHRwIHR1bm5lbA**&p_li=&p_topview=1#soho

MUVPN client connects to a SOHO 6
Determine the software version your SOHO 6 runs

To see what version your SOHO 6 has, go to the main System Status page and look for "Firewall Version" above the picture of the SOHO:





If your SOHO 6 has software version 6.4 or later

Send the MUVPN installation file, the client configuration file, and the Shared Key to the MUVPN user

1. Where to find the client configuration file.

Every Mobile User VPN account you configure has a client configuration file called a "wgx file". You get the wgx file from the SOHO 6 Web management page, in the main VPN area:





Click on the hyperlink for a user's wgx file. Follow the prompts to save the file locally:



2. Copy these files to the user's computer:

   The MUVPN installation file, MUVPN.exe or MUVPNLite.exe
   The wgx file

3. Give the user the Shared Key.

The shared key is sensitive information. You should not send this to the user with email. Give the user the shared key by telling it to the user, or by some other method that does not allow an unauthorized person to get the shared key.

Install the MUVPN software

Note:  Do not install this software if there is another IPSec VPN program on the user's computer. Uninstall any other VPN software, including any previous version of WatchGuard's MUVPN software before installing this software.
Note:  You must have local administrative rights on the computer to install the software. You do not have to have administrative rights to use the program after it is installed.

Installation of the MUVPN software is exactly the same for a user connecting to a Firebox III or Firebox X. Follow the steps at "Install the MUVPN Program" listed in the previous section. Ignore any mention of certificates. The SOHO 6 can not use certificates for MUVPN connections.

The SOHO 6 also has a Remote Management feature that is very similar to an MUVPN client account. You get the wgx file for the Remote Management account from the SOHO 6 Administration page:




0
 

Author Comment

by:ashjuv
ID: 24111727
Thanks, mickey, the information would really be helpful if I run into VPN problems. So far with MS it looks good (still in test). When I start rolling out I will find out what the other issues are. In the meantime I will close the case and open a new one when the issues happen again. Thanks for all your help, guys, who responded to this message in a timely manner.
0
