Solved

Can't get RRAS VPN to work

Posted on 2012-03-23
Last Modified: 2012-07-03
I'm trying to set up a new VPN server using RRAS and I cannot get a client to connect.

Here's the environment:  Server 2003, two nics,  one on LAN and one on Internet.

Here's what I observe:  Client tries to connect,  but receives error 800.  Tunnel unable to be created...

Here's what I've done so far to diagnose:

I've verified server is listening on port 1723,  RRAS server is active,  PPTP and L2TP ports are active in RRAS console.

I'm running Network Monitor and I can see the TCP packets from the client,  but the server does not respond.  I have observed other TCP traffic receive responses.

For security,  I've unchecked "Client for Microsoft Networks" and "File and Printer Sharing" on network adapter.  I did enable "Client for Microsoft Networks" to see if that made a difference and it did not.  

Any ideas would be helpful.

Ron
Question by:PasoRon
 

Expert Comment

by:pwindell
ID: 37767477
MS Networks and Sharing have nothing to do with it.

Use only PPTP until you get it working.  Add L2TP after you know it works.

Clients must be able to get an IP Config from either an RRAS Static Address Pool or via DHCP.  Even if you use DHCP the Client still gets it from RRAS because RRAS "pre-fetches" the address from DHCP in blocks of 5 (or is it 10?,..whatever) and then gives them to clients as they connect.  The only way to get other specs (beyond just the IP) from DHCP is to add the DHCP Relay Agent to RRAS,...it is considered a "protocol" and is added by choosing to add a New Protocol.
 

Author Comment

by:PasoRon
ID: 37787594
Thanks,

Actually the problem turned out to be that I had the LAN gateway configured on the LAN interface.  When I removed that, connections are made without any problems.

Only problem now is getting the DHCP Relay Agent to work correctly.  I think it's configured correctly,  but the gateway and subnet mask are not configured properly on the tunnel network interface.  Subnet mask is 255.255.255.255 and gateway is 0.0.0.0

As I said, DHCP relay is configured,  RRAS has taken 5 addresses from the DHCP server,  but the additional DHCP info isn't transferring.
 

Expert Comment

by:pwindell
ID: 37789223
Actually the problem turned out to be that I had the LAN gateway configured on the LAN interface.  When I removed that, connections are made without any problems.

The LAN Interface is supposed to have the LAN's Default Gateway.

but the gateway and subnet mask are not configured properly on the tunnel network interface.  Subnet mask is 255.255.255.255 and gateway is 0.0.0.0

Those are supposed to be that way.  They don't come from DHCP,...they come from RRAS.   VPN is a Dialup Technology,...therefore the V-Interface is a Dialup Interface.  Dialup Interfaces always become the Default Route for the Machine once they go active (0.0.0.0).  The Mask-255.255.255.255 and the Route-0.0.0.0 combined together tells the machine that anything destined for any address that does not exactly match the received IP# of the V-Interface gets passed on to the currently established VPN Connection,...which is what it is supposed to do.
 

Author Comment

by:PasoRon
ID: 37789304
I do appreciate your feedback,  I've been researching everything I can find.

Let me be specific on the NIC configurations.  There are two NICs on the machine,  

I'm hiding the first 2 octets for security.

VPN:    IP 000.000.9.179 Mask 255.255.255.248 Gateway 000.000.9.177
LAN     IP 192.168.1.7  Mask 255.255.255.0  Gateway 192.168.1.1

I could never get the connection when I had the Gateway on the LAN,  with it removed I can connect without issue consistently,  but with no outside connection.   Some of my remote clients have to use the LAN gateway outside for smtp authentication reasons.  Every time I've put the LAN gateway in place I could not connect.  I made this change because I had read that the response was probably being returned on the LAN gateway and IP mismatch may be causing the non connection.  

I'm looking for ideas,  Thanks
 

Expert Comment

by:pwindell
ID: 37789425
VPN:    IP 000.000.9.179 Mask 255.255.255.248 Gateway 000.000.9.177
LAN     IP 192.168.1.7  Mask 255.255.255.0  Gateway 192.168.1.1


I can't troubleshoot fake IP#s.

I could never get the connection when I had the Gateway on the LAN,  with it removed I can connect without issue consistently,  but with no outside connection.

Then we have to troubleshoot why it isn't working.  But it is not a reason to "do it wrong" because it seemed to kinda-sorta work when you "do it wrong".  It has to be done correctly,...and then figure out what is really happening with whatever subsequent problem that comes up.

To get back to "normal".....

1. Setup the LAN Nic the way it is supposed to be.
2. Delete the VPN DUN completely on the Client Machine.
3. Recreate the VPN DUN on the Client Machine.  Choose the correct connection Protocol (PPTP or L2TP).  Leave everything else on the Default.   Leave all the TCP IP stuff on Automatic.

I'm leaving for the day, but will be back Monday,...However Experts-Exchange is not my "job", so I can't say I will be sitting here staring at the PC screen all day,...Monday is going to be a bit busy around here,...but I'll try to watch for your Posts.

 

Author Comment

by:PasoRon
ID: 37793512
Well,  first, I'm not posting my actual IP address on an open forum.  I've put zeros for the first two octets.  That's the only change.  They are not pertinent to the problem.

I didn't just dream up removing the LAN Gateway,  That's the explicit configuration recommendation from Microsoft.  Their configuration Technote explicitly says to Not have a gateway on the LAN interface.

So here I am,  I can connect to the VPN without the LAN gateway,  but cannot access the internet though the gateway of my network.  I have verified that if I add the LAN gateway after connection to the server, I can access the internet without issue but cannot connect in that configuration.
 

Expert Comment

by:pwindell
ID: 37796017
I didn't just dream up removing the LAN Gateway,  That's the explicit configuration recommendation from Microsoft.  Their configuration Technote explicitly says to Not have a gateway on the LAN interface

I'd have to see that documented.  In all the years I've been doing this I have never heard of that.  I have VPNs "all over the place" and have never done that,...the local gateway is a requirement for my equipment.

Well, if anyone else wants to jump in, then jump in.  I'm not going to have a lot of time today to deal with it.
 

Author Comment

by:PasoRon
ID: 37796156
Here's the specific note:

Important
When you configure IPv4 for the intranet interface of the VPN server, do not configure the default gateway on the intranet connection. This will prevent default route conflicts with the default route pointing to the Internet.
http://technet.microsoft.com/en-us/library/dd469687(v=ws.10).aspx

I had also seen other references on other forums to remove the default gateway because, on login connection, the login response would go back to the client by the default gateway and the client would detect the IP mismatch and believe the server was being spoofed.

So I'm really confused on what to do!  If the default gateway is on the LAN connection the client cannot connect;  if I remove it, clients connect without issue.  While connected I can modify the server, adding the default gateway, and the client can then have access to the internet.

Help Anyone!
 

Author Comment

by:PasoRon
ID: 37796230
Update for everyone.  I appear to have it working for now.  Based upon my research that the login problem is caused by the response being sent on the default gateway rather than the original internet interface, I changed the preference order of the interfaces to set the VPN Internet interface as the preference.  The client connected and also has internet access.

I'm sure I've read that the LAN interface is supposed to be the preference,  but it seems to be working now.

The next step will be to see what happens when I add a Server to Server connection over another interface.

Thanks everyone for your input.
 

Accepted Solution

by:
pwindell earned 500 total points
ID: 37796999
That makes sense.  Although I never had to put it first,...I believed it was supposed to move to the top dynamically,....but we live in an imperfect world. In any case, I would consider this an acceptable way for it to work.

Server to Server?

Do you mean a Site-to-Site VPN (aka Router-to-Router VPN) as opposed to a Remote Access VPN that we were previously dealing with?   Apart from these both containing the letters "V"  "P"  "N",..these are entirely different technologies and operate by different principles.
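An added illustration, not part of the thread or of any poster's configuration: a small route-selection model in Python showing why two default gateways on the dual-homed RRAS server send the reply to the remote client's port 1723 SYN out the LAN interface, and how the TechNet layout (no intranet default gateway plus static routes for internal subnets) or the poster's interface-preference workaround changes the egress. The addresses (RFC 5737 documentation ranges), metrics, and the tie-break-by-table-order rule are assumptions, not the poster's real values.

```python
from ipaddress import ip_address, ip_network

# Routes: (destination, gateway or None for on-link, interface, metric).
# Constructed addresses from RFC 5737 documentation ranges, not the poster's real ones.
WAN_GW, LAN_GW = "203.0.113.177", "192.168.1.1"
ON_LINK = [("203.0.113.176/29", None, "Internet", 20), ("192.168.1.0/24", None, "LAN", 20)]

# (a) Both NICs carry a default gateway; LAN is listed first (assumed binding order).
BOTH_DEFAULTS = [("0.0.0.0/0", LAN_GW, "LAN", 20), ("0.0.0.0/0", WAN_GW, "Internet", 20)] + ON_LINK
# (b) TechNet layout: no default on the intranet NIC, static routes for internal subnets.
NO_LAN_DEFAULT = [("0.0.0.0/0", WAN_GW, "Internet", 20), ("10.0.0.0/8", LAN_GW, "LAN", 20)] + ON_LINK
# (c) The poster's workaround, modelled as a metric: Internet NIC preferred, LAN default kept.
WAN_PREFERRED = [("0.0.0.0/0", WAN_GW, "Internet", 10), ("0.0.0.0/0", LAN_GW, "LAN", 20)] + ON_LINK

def lookup(routes, dst):
    """Pick the egress for dst: longest prefix first, then lowest metric, then table order."""
    dst = ip_address(dst)
    best = None
    for order, (net, gw, iface, metric) in enumerate(routes):
        net = ip_network(net)
        if dst in net:
            key = (-net.prefixlen, metric, order)
            if best is None or key < best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])

def default_route_conflict(routes):
    """Audit check: return the 0.0.0.0/0 entries that tie on the best metric (2+ = conflict)."""
    defaults = [r for r in routes if ip_network(r[0]).prefixlen == 0]
    if len(defaults) < 2:
        return []
    lowest = min(r[3] for r in defaults)
    tied = [r for r in defaults if r[3] == lowest]
    return tied if len(tied) > 1 else []

REMOTE_CLIENT = "198.51.100.25"  # constructed public address of a PPTP client

if __name__ == "__main__":
    tables = [("both defaults", BOTH_DEFAULTS), ("no LAN default", NO_LAN_DEFAULT),
              ("WAN preferred", WAN_PREFERRED)]
    for name, table in tables:
        egress = lookup(table, REMOTE_CLIENT)
        conflict = bool(default_route_conflict(table))
        print(f"{name}: SYN-ACK to {REMOTE_CLIENT} leaves via {egress}; default-route conflict={conflict}")
```

In case (a) the reply to the Internet client leaves through the LAN gateway, which is the behaviour the poster saw as "no response"; cases (b) and (c) both send it back out the Internet NIC while still reaching internal subnets via the LAN.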