Solved

VPN connection fails

Posted on 2014-09-06
Last Modified: 2014-09-19
Hi,
 
 I can't VPN into W2003 Server (running RRAS) on SBS2011 network. It used to work.
 When it failed to connect with Certificate related message, I discovered that SBS2011 self issued certificate has expired already on 5/31/2014. So I ran "Fix My Network" on SBS Console and it created a new certificate that expires 2019.
 I installed the newly issued certificate on both connecting PC and W2003 Server that is running RRAS and rebooted both computers, but I continue to see the error "The Certificate's CN name does not match the passed value". The connection attempt fails at the tail end.

Thanks.
0
Question by:sglee
9 Comments
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40308202
In http:Q_27504876.html and similar, the solution was checking the new certificate and using its full CN, including any trailing full stop.
0
 

Author Comment

by:sglee
ID: 40308208
I read the article,  but I still do not understand what the problem is and how to fix it.
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40308226
To view certificates:
http://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx
In details, examine the issuer and subject.
Is that your domain's root certificate authority (or was it different for the 2003 server when it was set up)?
A full set of cert requirements is at
http://technet.microsoft.com/en-gb/library/cc759575(v=ws.10).aspx#cert_req
If the root CA has changed, with the client on the domain LAN:
http://technet.microsoft.com/en-gb/library/cc757207(v=ws.10).aspx
How to update the certs on the client off the LAN over HTTP:
http://www.isaserver.org/img/upl/vpnkitbeta2/vpnclienteap.htm
0
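The checks suggested in the expert comments above (examine each certificate's subject, issuer and expiry, and compare its full CN, trailing full stop included, with the name the VPN client dials) can be scripted as below. This is an added example, not part of the original thread; `$DialedName`, its placeholder value and the choice of certificate store are assumptions.

```powershell
# Added example: list certificates in a store and compare each CN with the
# name entered in the VPN connection. $DialedName is a hypothetical
# placeholder; $StorePath defaults to the machine's Personal store (assumed).
param(
    [string]$DialedName = 'remote.example.com',
    [string]$StorePath  = 'Cert:\LocalMachine\My'
)

function Get-CertCn {
    param([string]$Subject)
    # Take the CN value verbatim from the subject string so that a trailing
    # full stop is preserved for the comparison below.
    if ($Subject -match '(?:^|,\s*)CN=([^,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-CnMatch {
    param([string]$Cn, [string]$Name)
    if ([string]::IsNullOrEmpty($Cn)) { return 'NoCN' }
    if ($Cn -ieq $Name) { return 'Match' }
    # Same name apart from a trailing full stop on one side only.
    if ($Cn.TrimEnd('.') -ieq $Name.TrimEnd('.')) { return 'TrailingDotDiffers' }
    return 'Mismatch'
}

$now = Get-Date
Get-ChildItem -Path $StorePath | ForEach-Object {
    $cn = Get-CertCn $_.Subject
    New-Object PSObject -Property @{
        CN         = $cn
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)        # e.g. the old SBS certificate
        SelfIssued = ($_.Subject -eq $_.Issuer)    # subject equals issuer
        NameCheck  = (Test-CnMatch $cn $DialedName)
        Thumbprint = $_.Thumbprint
    }
} | Format-List CN, Issuer, NotAfter, Expired, SelfIssued, NameCheck, Thumbprint
```

Run it on the VPN server against the store holding the server certificate, and on the client with `-StorePath Cert:\LocalMachine\Root` to confirm the issuing root is present and unexpired.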

Author Comment

by:sglee
ID: 40308890
(Image: VPN on SBSConsole)
I noticed that Virtual Private Network on SBS2011 Console/Connectivity. So I decided to activate that and changed port forwarding to the IP address of SBS2011 computer.
Now it works.

I thought you are not supposed to run RRAS on the domain controller. In fact I remember running into a big problem when trying to activate RRAS on Windows 2008 Domain Controller.  I had to call Microsoft Engineer to resolve/clean up the mess that I created. He told me not to activate RRAS on DCs.

Going back to yesterday, I tried another W2003 Server as VPN/RRAS, but to no avail. All the PCs that I manage on the network are already joined to the domain.
It has been working fine for years too.
The only thing that I can see different is that SBS Certificate has expired.

That said, is it ok to use SBS2011/DC as VPN server? If it is not a good idea, Microsoft would not have made it available on SBS Console ... but then I am not sure if it is such a good idea based on my experience in the past.
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40309344
It works.  SBS allows several things normally not recommended.
Sorting the expired certificate on the 2k3 machine remains painful to fix. Review the system and application logs for related errors, as (if that identifies the problem) with the given event ID we may be able to request a hotfix. Have root cert updates been applied to the 2k3 machine, and were there errors importing the cert?
0
 

Author Comment

by:sglee
ID: 40309833
@Joseph
"Have root cert updates been applied to the 2k3 machine and were there errors importing the cert?" --> Yes, I ran new certificate (generated by SBS2011 Console) on W2003 VPN Server, but the same problem.

What I will do is set up W2003 server (Virtual Machine in VMWare host)  on a separate network with PUBLIC IP and VPN into it directly.  I will post the result.
0
 

Accepted Solution

by:
sglee earned 0 total points
ID: 40315439
I have decided to use SBS2011 as VPN server; therefore I will not try to set up W2003 server as VPN server anymore.

Thanks for your help.
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40315646
Mark your own post as the solution, and keep the points.
0
 

Author Closing Comment

by:sglee
ID: 40332188
I discovered that I can turn SBS2011 server as a VPN server and it actually worked.
0

Question has a verified solution.
