TeddyZ83 (ASKER)
VPN Connected with SBS 2011 but can't ping or access network resources

Hi,

I just installed a new SBS 2011 essentials server and configured routing and remote access. I have opened the appropriate ports on the firewall.  I have done this many times with Server 2003 and 2008 but for some reason with this new server I can connect remotely via VPN but can't ping the server or any network computer or printer.  I can't access any network resource.  If I do an IP config all, I am getting the correct IP, subnet, GW, and DNS.  Also, I can't access any websites from my remote PC once I establish the VPN connection.  Am I missing something?
Alan Hardisty

Did you enable VPN Access via the SBS console AND enable remote access for the relevant users via the SBS Console too?
TeddyZ83 (ASKER)
On SBS 2011, I only see "server manager" and "Dashboard."  I think "Dashboard" replaced the SBS 2008 console.  I would think VPN is activated seeing that I can successfully connect remotely and obtain an IP.  I have granted each user "allow access" to the network for dial in for each AD account.
This is SBS - you need to use the SBS console to enable VPN and VPN Access.  Manually setting things on SBS can open up a can of worms.

Start> All Programs> Windows SBS Console.

Enable VPN on the Network> Connectivity tab and then on the Users & Groups> Users Tab, select the relevant user you want to allow VPN Access for, double-click on them and on the Remote Access Tab, select User can access Virtual Private Network.
Windows SBS Console is not listed.  I don't think it's an option with SBS 2011 Essentials.  I have read that VPN is configured using "Routing and Remote Access."
I may have found something... Looking closer at the IPCONFIG /ALL, the subnet seems incorrect.  Will make some changes and update asap.  Thanks.
After doing some research, it seems like the subnet may be ok.  The internal IP of the network is 192.168.1.x with subnet 255.255.255.0.  The VPN IP config is getting a 192.168.1.x but the subnet of 255.255.255.255.  According to several forums, this is normal.  I also tried the article below.  I'm lost here, not sure what to look for next.

http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/03383f88-b124-4be8-b310-1d352e644aec/
ASKER CERTIFIED SOLUTION
Rob Williams
I followed your blog step by step, with NPS.  The server only has 1 NIC.  Same issues though.  I connect successfully to the VPN from a remote computer (tried from my office and home) but as soon as I connect, I lose internet connectivity and cannot ping any devices on the VPN LAN.  Once I disconnect from the VPN, my internet is back.  I have been successful many times with the same configuration on previous versions of SBS.

I thought it may be an IP conflict as stated in your blog, my IP scheme was the same as the VPN LAN.  I updated my router at my office and did a flush DNS.  I tried the VPN again and still no luck.  Weird thing is that I'm getting a valid IP, subnet, GW, and DNS from the VPN LAN when I do an ipconfig /all.
Maybe I am not following correctly but I get the impression there are two issues:

Cannot connect to other resources on the SBS LAN:
If so this is usually due to one of two issues.  1)  a software firewall (windows or 3rd party) on the device (PC) allows only local subnet/domain access and therefore requires the exception's/firewall's rule scope be edited to allow the remote subnet access.  2) there is a duplicate subnet between client and host.  All subnets must be different in the path between client and host.  If not you can in some circumstances connect to the VPN server, but you will never be able to connect to other devices.

Cannot access local resources while connected to the VPN.
Loss of local LAN access is normal and by default.  VPNs have one major security flaw which is a wide open tunnel allowing ALL traffic, viruses, hackers, etc. between a remote uncontrolled PC/local network, and a remote corporate network.  The VPN in an effort to protect the corporate network blocks access to any local resources, including Internet, so that "Johny in the next room" cannot gain access to the corporate network through your PC.  In order to retain local and VPN access you have to enable split-tunneling.  On a business class VPN such as Cisco, Juniper, Watchguard, etc. you have no control over this; it has to be enabled by the VPN appliance manager, but on a Windows VPN you can do so by unchecking “use remote default gateway”.   This is the correct way to do so, and has been the appropriate way to do so since NT4, but for some reason I have seen it not work on some Win 7 & 8 machines.  I am still trying to find out why.

To ‘uncheck remote default gateway’ on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network"
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network"

Next issue; "I updated my router at my office "
Do you mean you changed the LAN subnet?  Not recommended with a DC/DHCP server, etc. but if doing so re-run the SBS network wizards to clean up.
I disabled the firewall both on my PC at my office and also the firewall on the new server at remote VPN location just for testing and still no go.

I have unchecked "remote default gateway" and now I have internet when logged into the VPN (thanks).

What I meant when I said I updated my router was that I'm at my office at a remote location on a small network using a standard Netgear router (not the VPN network).  I changed from 192.168.1.1 to 192.168.0.1 subnet.  It didn't help regardless.  

Anyways, I did an IP config /all while connected to the VPN and pasted below.  Not sure if it helps.

----------------------------------------------------------------

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\pc>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter HSI:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HSI
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.2
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-19-B9-31-87-40
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::281f:c1e6:2747:698b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 31, 2013 9:39:40 AM
   Lease Expires . . . . . . . . . . : Friday, February 01, 2013 9:39:40 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234887609
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-73-49-7A-00-19-B9-31-87-40

   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{52E66391-FABF-4679-866C-04F7FE1EED13}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:8dc:198c:b8f6:6dc9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8dc:198c:b8f6:6dc9%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{CB1D894D-B0FB-4C9A-9E17-6510D58E0621}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\pc>
Can you post IPconfig /all from the server as well, and if possible while a VPN client is connected.
Thanks
Yes, but I will have to go there.  It's about 15 min away.  I was logged in through RDP from a logmein PC on their network.  After I disabled the firewall, I re-enabled it but restored the defaults and got kicked off RDP.  Now can't connect and VPN won't connect.  I'm going there now to physically sit in front of the server and will post the ipconfig /all of the server.  Thanks.
OK.  I am headed out for a couple of hours, but I will check back.
Here is the ipconfig /all from the server;

----------------------------------------------------------

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\HSIADMIN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER
   Primary Dns Suffix  . . . . . . . : HSI.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : HSI.local

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : D4-AE-52-C4-A3-D4
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{2D566554-E0F9-40BE-B8BD-E0974CDC0D0B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\HSIADMIN>
Also, I read this article; http://serverfault.com/questions/209139/sbs-2008-connected-via-vpn-but-cant-access-anything.  It looks like a similar issue that I'm having.
Those IP selections should work.  There are a couple of issue though, but should be unrelated to routing:
1) The SBS should point ONLY to itself for DNS.  Currently it points to 127.0.0.1 and the router.  The first is not wrong, but ideally should be 192.168.1.2, and remove the router.  With the router added local DNS will often fail and slow logons and file access will result
2) I would never use a local subnet of 192.168.0.x, 192.168.1.x, 192.168.2.x, 10.0.0.x, 10.x.x.x  These are far too common and mobile users will sooner or later run into conflicts with local LANs using defaults in places like hotels and Internet cafes.  In your case anyone visiting a site with a local subnet of 192.168.1.x will fail.
3) Presumably the SBS is the DHCP server? It should be.

The issue in the link you posted is again overlapping subnets.  I pointed out before that each site needs to use a different subnet (not subnet mask).  That is not actually accurate.  They need to use a different network ID so that no IP in the subnet overlaps with an IP.  The network ID is a function of the IP and the subnet mask.  Some examples:
192.168.1.1  /  255.255.255.0   subnet ID =  192.168.1.0  and encompasses  192.168.1.0  to  192.168.1.255
192.168.1.2  /  255.255.255.0   subnet ID =  192.168.1.0  and encompasses  192.168.1.0  to 192.168.1.255
192.168.2.1  /  255.255.255.0   subnet ID =  192.168.2.0  and encompasses  192.168.2.0  to  192.168.2.255
192.168.2.1  /  255.255.0.0   subnet ID =  192.168.0.0  and encompasses  192.168.2.0  to  192.168.255.255

VPN/PPP adapter  (they use a single IP in the local subnet)
192.168.1.24  /  255.255.255.255   subnet ID =  192.168.1.24  and encompasses  192.168.1.24 to 192.168.1.24

In the link you provided:
10.10.0.0  /  255.0.0.0        subnet ID =  10.0.0.0   and encompasses  10.0.0.0  to  10.255.255.255
10.1.1.0  /  255.255.255.0  subnet ID =   10.1.1.0  and encompasses  10.1.1.0  to  10.1.1.255
You can see one subnet is a subset of the other and thus overlap.
Network IDs must be different, and not overlap, for routing to take place between different network segments.

Suggestions:
I assume for testing you are pinging by IP, not FQDN?
Also when you configured the VPN did you enable LAN routing as in the instructions; see image:
http://lantechca.files.wordpress.com/2012/01/image19.png
Try running a tracert to another IP on the SBS network from a remote client such as:
Tracert  192.168.1.101
Maybe we can see where it is failing.
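The network ID and overlap rule Rob describes above, as an added worked example (this is not code from the thread or from Rob's blog): it derives each network ID from an IP and mask, lists the address range it covers, and flags any remote network that overlaps the VPN client's own LAN, which is the condition under which the client can reach the VPN server but nothing behind it. The sample addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress

def network_id(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network ID an interface belongs to, derived from its IP and dotted mask.
    strict=False lets a host address such as 192.168.1.2 stand in for 192.168.1.0/24."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def address_range(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """First and last address the network ID encompasses (a /32 covers one address)."""
    return str(net.network_address), str(net.broadcast_address)

def overlaps(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> bool:
    """True when the two address spaces share any address, e.g. one is a subset of the other."""
    return a.overlaps(b)

def vpn_path_conflicts(client_lan: tuple[str, str], remote_lans: list[tuple[str, str]]) -> list[str]:
    """Remote network IDs (as 'net/prefix' strings) that overlap the client's local LAN.
    Any hit means the client routes those destinations onto its own LAN, not into the tunnel."""
    local = network_id(*client_lan)
    return [str(network_id(ip, mask)) for ip, mask in remote_lans
            if overlaps(local, network_id(ip, mask))]

if __name__ == "__main__":
    # Constructed from the thread: SBS LAN, the RAS /32 handed to the VPN client,
    # and the two subnets from the serverfault question.
    for ip, mask in [("192.168.1.2", "255.255.255.0"), ("192.168.1.24", "255.255.255.255"),
                     ("10.10.0.0", "255.0.0.0"), ("10.1.1.0", "255.255.255.0")]:
        net = network_id(ip, mask)
        print(f"{ip} / {mask:15}  subnet ID = {net}  encompasses {address_range(net)}")
    sbs_lan = [("192.168.1.2", "255.255.255.0")]
    # Office router at 192.168.1.1 (original) vs 192.168.0.1 (after the change)
    print("office on 192.168.1.x conflicts:", vpn_path_conflicts(("192.168.1.1", "255.255.255.0"), sbs_lan))
    print("office on 192.168.0.x conflicts:", vpn_path_conflicts(("192.168.0.1", "255.255.255.0"), sbs_lan))
```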
Sorry for the delay... I went back and started from scratch again following your blog; http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/, and there was one step I did not do.  "Under the IPv4 tab select Static Address Pool, Add, and then enter a range of IP’s to be assigned to the VPN clients" had resolved my problem!  Thank you so much.  Very strange, I have set up VPN in the past without doing this and it had worked before.  Thanks again!
Great advice.  Thank you.
Thanks TeddyZ83.  There are some minor differences with 2011, and more with 2012.
Glad to hear you were able to resolve.
Cheers!
--Rob