VPN

Unable to establish a VPN connection. The server has Routing and Remote Access enabled and users have dial-in access. It looks like it is getting blocked on the firewall, which is the Linksys by Cisco; port forwarding is enabled. Not sure where to check, as I can telnet internally but am unable to telnet externally.
IT_TechnoAsked:

radrooCommented:
Ensure the VPN ports are enabled on the router.
1723
IT_TechnoAuthor Commented:
Already done that on the router; that was the first step.
RPPreacherCommented:
That is one long run-on sentence.

(1)  What is the VPN server?  Microsoft, Linux, other?
(2)  Are you able to connect to the VPN server inside the firewall?

IT_TechnoAuthor Commented:
It is a Microsoft Server 2003 with SP2; it also acts as a terminal server for users down in Cape Town and Durban.
Yes, we are able to connect to the server.
IT_TechnoAuthor Commented:
They are using a Cisco firewall. All ports have been opened, and it used to be able to VPN using their static IP address; it recently stopped working.
RPPreacherCommented:
If you are running a firewall in front of your RRAS server (i.e. between the internet and RRAS), then the following are the relevant ports which need to be opened on the firewall for VPN connectivity to be successful:

a) PPTP tunnel-based VPN uses TCP port number 1723 and IP protocol number 47 (GRE). Please note: 47 is the IP protocol number of GRE, not a port number inside a TCP or UDP header.

b) L2TP tunnel-based VPN uses IPsec: UDP port 500 (IKE) and 4500 (NAT-T), and IP protocol number 50 (ESP). Note: same comment as above, it is IP protocol 50 and not a port number inside TCP or UDP.

c) SSTP tunnel uses TCP port 443 (SSL).

On the RRAS server, if you are running Windows Firewall (which is not interface specific), then the following ports need to be opened:

a) VPN tunnel ports as given above. In addition, in this scenario where the firewall is running on the RRAS server, UDP port 1701 needs to be enabled for L2TP packets.

b) If you are running a DHCPv4 relay agent on RRAS, to have proper relay of DHCPv4 inform packets, UDP port numbers 67 and 68 need to be opened.

c) If you are running a DHCPv6 relay agent on RRAS, to have proper relay of DHCPv6 inform packets, UDP port number 547 needs to be opened.

d) If you are using the RQS-based quarantine service on RRAS, the default port is 7250 (not a standard port), which needs to be opened. If the port number is changed during runtime, the service would take care of opening the appropriate port on the firewall.

e) If you are using RADIUS server-based authentication, UDP port 1812 needs to be opened.

On the RRAS server, if you are running RRAS static inbound/outbound filters (which are interface specific), then the following ports need to be opened:

a) VPN tunnel ports as given above, for the internet-facing interface in both the inbound and outbound direction. In addition, in this scenario where static filters are running on the RRAS server, UDP port 1701 needs to be enabled for L2TP packets on the RRAS internet-facing interface in both the inbound and outbound direction.

b) If you are running a DHCPv4 relay agent on RRAS, to have proper relay of DHCPv4 inform packets, UDP port numbers 67 and 68 need to be opened on the RRAS internal interface and the LAN interface (towards the DHCPv4 server) in the inbound/outbound direction.

c) If you are running a DHCPv6 relay agent on RRAS, to have proper relay of DHCPv6 inform packets, UDP port number 547 needs to be opened on the RRAS internal interface and the LAN interface (towards the DHCPv6 server) in the inbound/outbound direction.

d) If you are using the RQS-based quarantine service on RRAS, the default port is 7250 (not a standard port), which needs to be opened on the RRAS internal interface in the inbound direction. If the port number is changed during runtime, the service would take care of opening the appropriate port on the firewall.

e) If you are using RADIUS server-based authentication, UDP port 1812 needs to be opened on the LAN interface (towards the RADIUS server) in the inbound/outbound direction.

f) If you are running IPv6 on top of the VPN tunnel, then you need to enable ICMPv6 (i.e. IPv6 next header type = 58) on the RRAS internal interface and the LAN interface in the inbound/outbound direction to ensure ICMPv6 packets are relayed correctly. ICMPv6 is required for neighbor discovery.

Note: To enable inbound/outbound ports on the RRAS internal interface, you need to change the filter settings inside the remote access policies (and not in the RRAS MMC snap-in).

Note: From a security perspective, you should allow only specific packets (i.e. deny the rest) coming in from the internet interface (i.e. allow only tunnel packets). On the RRAS internal interface, you can enable everything (i.e. all packets from/to the remote access clients over the VPN tunnel) or you can restrict (for example based upon client health state or user ID, etc.). This can be done by changing the filter settings inside the remote access policy. On the LAN adapter (towards the intranet), assuming a two-NIC scenario, you can allow all traffic or again be restrictive based upon your deployment needs.

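The answer above makes the point that PPTP needs both TCP 1723 and GRE (IP protocol 47) to pass the firewall, and the asker has only been able to test with telnet. The following is an added example, not code from the thread or from RRAS: it performs the PPTP Start-Control-Connection handshake from RFC 2637 so an operator can confirm that TCP 1723 actually reaches the RRAS server and that RRAS answers, which separates a missing port-forward from a blocked GRE data channel (GRE itself cannot be exercised from a plain TCP socket). Hostnames, the sample reply and the vendor strings are constructed for the example.

```python
import socket
import struct

# RFC 2637 PPTP control-connection framing (added example, not from the thread).
# This exercises only the TCP 1723 control channel; the GRE (IP protocol 47)
# data channel listed in the answer above cannot be tested from a plain TCP socket.
PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
HEADER = struct.Struct("!HHIHH")           # length, msg type, cookie, ctrl type, reserved0
BODY_RQ = struct.Struct("!HHIIHH64s64s")   # version, reserved1, framing, bearer, chans, fw, host, vendor
BODY_RP = struct.Struct("!HBBIIHH64s64s")  # version, result, error, framing, bearer, chans, fw, host, vendor

def build_sccrq(hostname=b"vpn-check", vendor=b"example"):
    # 156-byte SCCRQ: protocol version 1.0, async+sync framing, analog+digital bearer
    body = BODY_RQ.pack(0x0100, 0, 3, 3, 0, 0, hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return HEADER.pack(HEADER.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body

def parse_sccrp(data):
    # Validate the reply header, then return the fields an operator cares about.
    if len(data) < HEADER.size + BODY_RP.size:
        raise ValueError("short or truncated PPTP reply (%d bytes)" % len(data))
    _, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("expected SCCRP (2), got control message type %d" % ctrl_type)
    _ver, result, error, _f, _b, chans, _fw, host, vendor = BODY_RP.unpack_from(data, HEADER.size)
    return {"result_code": result, "error_code": error, "max_channels": chans,
            "hostname": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}

def check_pptp_control(host, port=PPTP_PORT, timeout=5.0):
    # Connection refused or a timeout here means TCP 1723 is not reaching RRAS at all;
    # result_code 1 means the control channel is up and only GRE remains to be verified.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < HEADER.size + BODY_RP.size:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)

# Constructed SCCRP (result code 1 = success) for offline testing of the parser.
SAMPLE_SCCRP = HEADER.pack(156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + BODY_RP.pack(
    0x0100, 1, 0, 3, 3, 16, 1, b"rras-srv".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))
```

Run `check_pptp_control("<public address of the Linksys>")` from outside the network: a successful reply with `result_code` 1 proves the 1723 forward works, so a client that still fails with error 800 points at the GRE rule rather than the port-forward.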
IT_TechnoAuthor Commented:
All ports that are required to be open are open, and the Windows Firewall on the server is disabled.
RPPreacherCommented:
Enable NAT-T on firewall (if your firewall supports it).

http://en.wikipedia.org/wiki/NAT_traversal for a description of the issue.
IT_TechnoAuthor Commented:
When we VPN we get error 800. I enabled NAT already.
RPPreacherCommented:
Punctuation, dude.  Your replies are just about impossible to understand.

Did you enable NAT or NAT-T?  They are two different things.
IT_TechnoAuthor Commented:
NAT-T is enabled; not sure if I have selected the correct option. Attached is a screenshot (firewall.jpg).
RPPreacherCommented:
Then it's a firewall issue. 100%. You either have your Linksys configured wrong, or your Windows Firewall, or both.

Check out this link
http://tiny.cc/kqvx3
IT_TechnoAuthor Commented:
I don't have a Windows Firewall. I agree that I have the Linksys configured wrong for VPN; that is why I need help with it.
IT_TechnoAuthor Commented:
It was not completely resolved.