nathra

Connect Win 7 VPN client to a SBS 2003 server

Okay, I have an SBS 2003 Server that has been set up for VPN connection for the last 4 years. Connecting with XP machines is a snap, but we recently got two new laptops with Win 7 and I cannot get them to connect to the VPN using the VPN client in Windows 7. It seems to get through to the Server, but then authentication fails with an 800 error.

louisreeves

I saw a couple of fixes in this BLOB

enabling the spi firewall. That is unchecking "Disable SPI Firewall" under wan setup. Go figure.

Then the other

I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection

These guys and gals had the discussion on it -
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/32c5e5b5-b2a2-43d3-b702-9cd0c8ef2c67

I also am aware of an issue with the joining of the domain. If the Windows 7 box is having trouble, you could try rejoining the domain manually. This has its own issues but it may resolve others.

I hope this helps.

L
Here is an excellent link to troubleshoot your VPN issue with Error 800

http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
Rob Williams
Are you using the SBS connection manager? If so, it will not work on Win 7 64 bit; you have to manually create the client on the connecting PC similar to:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm

Also there were two recent similar posts here where it was solved by editing the VPN client on the connecting PC and changing the VPN type from auto to PPTP. This surprised me but seemed to work.

One other thought, Win 7 and Vista will not connect using MSChap V1, where XP will. The server should automatically be set to allow both MSChap V1 and V2, but if anyone was 'tinkering'.
nathra

ASKER

Okay, so I have tried most of what has been suggested with no positive results. However, I decided to try to connect to a couple of other servers I have out with this laptop, docked, wireless. In both cases it connected without hesitation. So now I am completely befuddled! These other two servers are also SBS 2003 servers with two NICs and are set up pretty much the same way with the exception of the domain name and IP address, although the laptop was physically connected at one point to the domain of the original server (we'll call it Server A) and not part of the other two.

Also, I just connected to Server A with this computer through a VPN connection with no issues. This computer is an XP Pro SP3 System.

One more thing - RobWill, can you give me a heads up on checking the status of the MSChap so I can see if it is set to allow MSChap 2 as well as how to change it if not? Thanks,

Hope that all makes sense.

To check protocols the SBS will accept go to RRAS console | right click on server name and choose properties | security | Authentication methods
Default should be; EAP, MS Chap V2, MS Chap

Do you get an error # when the connection fails such as 800, 691, 721 ?
nathra

ASKER

Error 806. The VPN connection between your computer and the VPN server could not be completed.
806 on Vista and Win 7 machines often means blocked GRE.

Obviously it is not blocked at the server site because others can connect.
It can be blocked by the client site router or ISP, but I am guessing you have tried from more than one location.
Thus, if GRE is the issue I would suspect something installed on the laptops. Is there any security software installed? TrendMicro, Symantec with "Internet work protection", some AVG versions, McAfee Firewall, Microsoft OneCare, and a few others are all known to block GRE.

Just to double check, in most cases you cannot connect to the WAN IP of the server from the LAN side of the SBS. You need to test from off-site.
nathra

ASKER

Actually this is the first offsite location we have used this particular laptop. We got it on Friday and the owner took it out of town that evening. I barely had time to get it set up on the domain! That said, it could be an issue with the router at the location he is at, which I will check.

We also have Symantec Endpoint Protection loaded on the computer too.
nathra

ASKER

I just remembered. We have another computer connected remotely at this site but it is an XP Pro system and has no problem connecting.
nathra

ASKER

What about the fact that I can connect thru this laptop to one of my other client's SBS servers without a problem.
>>"What about the fact that I can connect thru this laptop to one of my other clients SBS servers without an problem."
Kind of shoots my security software theory down doesn't it :-)
For many years 99% of the time GRE errors 721 error. Since Vista and Win7 many, but nowhere near that high a percentage, of people that have reported 806 errors have reported the source of the problem was blocked GRE. If you are ambitious and want to see if GRE is the issue or not you can test that theory. From an earlier post of mine:

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
Sorry first line should read; For many years 99% of the time GRE issues returned 721 errors.
nathra

ASKER

If it was a GRE issue wouldn't the other system I have connecting to Server A's VPN have the same issue too? Like I said I am befuddled.
I agree, as stated earlier. I just provided the tools if you wanted to rule it out, if there was still any doubt. Those tools will check from client to server. Doubtful now though that is the issue.

It still sounds like an authentication protocol issue. Did you check the server?
The reason I say that is XP could be authenticating to the server with MS Chap. Win7 is trying to use MS Chap V2 which should be enabled on the server, but if not fails. They can connect to other servers because it is enabled there.
nathra

ASKER

Okay, so I figured one aspect out in that I had another system in the remote logon to the VPN. When I logged it off I was able to logon with the Windows 7 laptop. So it seems to be an issue with multiple VPN logons to my Server. Any suggestion?
May be the number of ports allocated. The default with SBS is 5, and server std is 128, but you can have up to 128. To set it go to: RRAS console | expand server name | ports | on the right you can see the number of active/inactive ports (# of connections)
If you right click on ports and choose properties | highlight PPTP and click configure | you can increase/decrease this under "Maximum ports"
It could also be a shortage of DHCP addresses. If you have used wizards and defaults that won't be a problem, but check that the DHCP scope has lots of room for LAN and VPN clients.
If you manually created the VPN and used a static address pool, make sure that is large enough for VPN clients. The latter is under: RRAS console | right click on server name - properties | IPv4 | static address pool (this would normally on an SBS be empty and unchecked, but if used make sure enough addresses are allocated)
ASKER CERTIFIED SOLUTION
Rob Williams
nathra

ASKER

Thanks for helping to troubleshoot this RobWill!