Solved

VPN Client Windows - set priority / order of VPN connection type to try, when left on 'Automatic' (e.g. 1st L2TP, 2nd SSTP)

Posted on 2016-10-19
6
118 Views
Last Modified: 2016-10-25
I'm running RRAS on two servers inside my network, currently able to offer L2TP (via shared key), SSTP and PPTP connections. All three VPN types are working and accessible (as an aside, I'll be ditching PPTP shortly, owing to its lacking security).

I would like to know if there is an easy way to setup on the server side (most ideal) or client side a priority of which connection type to try first, when iniating a VPN connection from client to server. I'd like L2TP to be used as a priority, and if it doesn't work for some reason (like protocol 50 is being block outbound on the remote client side) it switches across to attempting SSTP connection as a secondary choice.

At present, when left on 'automatic' on the Windows VPN client settings, the client just connects up to the PPTP VPN by default (despite having the L2TP shared key in place), utlising the weakest of the VPN technologies we're offering.

Many thanks!
0
Comment
Question by:bluemercury
  • 3
  • 2
6 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 250 total points
ID: 41850210
when VPN Type is left "Automatic" then PPTP is tried first then L2TP and SSTP in that order.

FYI - I believe below link is something you like to read further.
https://blogs.technet.microsoft.com/rrasblog/2007/05/30/how-vpn-automatic-tunnel-type-works/

I would never recommend to leave VPN Type as Automatic as it basically cause a lengthy logon and you have no any control on protocols. use specific protocol instead.
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 41850368
I would rather set up two different connections on each client, each with one specific protocol, and instruct to use them in sequence.
You can't do anything on the server side, as the server cannot know of issues with the connection ;-).
0
 
LVL 1

Author Comment

by:bluemercury
ID: 41850606
Thanks, Bing - I guessed so much but was hopeful I was wrong.... :-( L2TP then SSTP if that fails is actually what I want, along with getting rid of the PPTP, so I might play around with that, and see how it performs (i.e. how quickly it gives up trying to make a PPTP connection and then tries L2TP). That said, from a security stand point, it probably makes sense to remove PPTP from the table altogether.

Qlemo - this is how we're configured at present. I wanted to try and create a seamless solution for my colleagues, as one user in particular is a menace, and an automated failover would have been great. Also we have two separate BB connections and therefore VPN routes into the firm, so it's going to mean creating 4 separate VPN connections on client systems. Not the end of the world as we're a small business. I find the interface for the VPN connections in Windows 10 is a bit of a mess as well, split between the old UI and the modern UI (and with glitches). Hopeful MS will improve soon.

Thanks a lot to you both for your input. I'll issue points shortly :-)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 68

Expert Comment

by:Qlemo
ID: 41850744
Some kind of automation is available by providing a PBK file with the generic connection info, and using it with rasphone (interactive) or rasdial (batch). The latter allows for checking the status and switch over to a different connection.
0
 
LVL 1

Author Comment

by:bluemercury
ID: 41858497
Hi Qlemo - thanks for that last comment. I did have a look into it, but it marginally went over my head, and I'm not sure it helps too much in this specific incidence (or it may be a admin heavy solution), but could be my ignorance too :-)

Bing - thanks for your original commend - I finally fully read that article, and interestingly I note the author states:

"Once the connection is successfully made with one kind of tunnel then this tunnel type is remembered and next time when the connection is attempted that tunnel is tried first. If it fails with this tunnel then again the other tunnel types are tried."
- From the perspective of your concern over a lengthy login, from this I'd assume this only happened first time or occasionally when the VPN topology remembered had been unavailable.

After consideration, I've decided to ditch the idea of the SSTP, as I find it just silently cuts out way too much (I've read that HTTPS is very critical of the quality of the connection) and L2TP is doing the job for us great. Thanks to both of you for your help, and I'll award points now. Cheers!
0
 
LVL 1

Author Closing Comment

by:bluemercury
ID: 41858501
Now have a clear perspective on how this works, many thanks :-)
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now