n00b question: can't access VPN externally


edge65

Technical User
Jan 22, 2010
US
Hi All,

This is a total n00b question, so I apologize if it's not sophisticated enough for this forum. That said, I'd really like an answer if anyone can give one!

I'm practicing my server/networking skills in preparation for setting up a new office of our company in a new facility. I have an old Dell tower, on which I have installed Windows Server 2003. I added a NIC card to it to facilitate a VPN connection, and I have set that up based on tutorials on the Internet. In-office, I can connect to the VPN, browse files, print, etc.

At this point, here's what's going on:

SETUP

Cable Internet -> Cable Modem -> 1) my server via CATV AND 2) the office network through a NetGear router


PROBLEM

I can access my made-up VPN from other computers in the office by typing in the 24.xxx.x.x IP address in the New Connection wizard. But I cannot access the VPN this way externally.

What I'm guessing is that I've done something wrong or overlooked something, but that mistake is being "masked" by the fact that the office computers I'm testing the connection on are actually physically connected, however circuitously, to the server I'm trying to connect to.

Any ideas on what I might be overlooking?

Thanks!

edge65
 
Could be a firewall issue but most likely a config problem. What Netgear router are you using and what kind of VPN solution are you needing?
 
Hi dberg--thanks for writing.

The router is a NetGear RangeMax. But remember that my "server" is connected directly to the cable modem, not through the Netgear router that serves the office. Could the router still be screwing up the config despite this?

I'm not sure I know enough about VPNs to answer your second question...The goal is just to be able to connect to the VPN to read/write files on a shared drive and perhaps print to a network printer. The issue is being able to gain access from a physically external location.

Let me know if you have any ideas, or if I need to get some config specs to help you analyze this further.

Thanks!
 
You haven't provided enough information to even take a good guess at this one. First, what you have provided. Please verify that this is correct.

1) You have a server that you have configured to accept incoming VPN connections. This server is obtaining a public IP address from your cable modem, 24.x.x.x.

2) The other computers on your work network connect through a router which is attached to the same cable modem.

At this point I have to guess a bit, so please check carefully.

3) The office router obtains a different public IP address from the cable modem, also 24.x.x.x but not the same as your server.

4) The other computers at work are assigned private IP addresses; the router does NAT to provide internet access through its single public IP.

5) Your test server is not attached to the office router that serves the other computers.

If this is all correct and you are able to connect from the other computers in the office, your VPN server configuration is probably OK.

Now the important facts that you have not provided:

1) What happens when you try to connect from another location? I know, it doesn't work. Something happens, what is it? Error messages? You should get a message that includes a 3-digit number.

2) What kind of internet connection do you have at the remote connection? Are you using a router? What brand/model/version? What version is the firmware?

3) Try to ping your server from the remote location. What happens? Again, "doesn't work" is not an answer. What is the specific response to the ping command?

4) Another good test is to telnet to the VPN port of the server. Open a command prompt and type
Code:
telnet 24.x.x.x 1723
and press enter (substituting the IP of your server, of course).

With the telnet command, a blank screen with a flashing cursor indicates a successful connection, otherwise you should get an error message.

Fill in the blanks and we'll try again.
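
The port test from step 4, as an added example that is not part of the original post: a small Python script that makes one TCP connection to the VPN port and reports the specific outcome instead of "doesn't work". The function name `probe_tcp` and the status labels are this example's own; the port number 1723 comes from the telnet command above.

```python
import errno
import socket
import sys

PPTP_PORT = 1723  # the VPN port used in the telnet test above


def probe_tcp(host, port=PPTP_PORT, timeout=5.0):
    """Attempt one TCP connection and return (status, detail).

    The status labels are this example's own naming, not Windows error codes.
    """
    try:
        # create_connection resolves the name and completes the TCP handshake
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "handshake completed (telnet would show a blank screen)"
    except socket.timeout:
        # No reply at all: packets are probably being dropped along the path
        return "filtered", "no reply before the timeout"
    except ConnectionRefusedError:
        # The host replied, but nothing is listening on that port
        return "closed", "connection refused by the host"
    except socket.gaierror as exc:
        return "bad-address", "name did not resolve: %s" % exc
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", "no route to the host from this network"
        return "error", str(exc)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python probe.py <server-ip>")
    status, detail = probe_tcp(sys.argv[1])
    print("%s:%d -> %s: %s" % (sys.argv[1], PPTP_PORT, status, detail))
```

Run it once from inside the office and once from the remote location; a different status between the two runs shows that the connection is being stopped somewhere between the remote site and the server rather than on the server itself.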
 
First, I will say that Windows VPN isn't always the easiest to set up and can be more trouble than it is worth. Take a look at this from MS.

Second, look at using a hardware solution. Netgear has a range of routers that are inexpensive, like the Netgear FVS318 or FVG318. I have used these and they work great.
 
Hi All,

After tinkering a bit, I was able to establish a VPN connection. (I think I had a perms problem that I had overlooked.)

To your questions, mhkwood, your assumptions are all correct as far as I can guess. Error had been 721, but now I've fixed it. After establishing an external VPN connection, I tried a ping and all 10 attempts timed out with "100% packet loss."

The shared folders show up in my network (on PC and Mac) but I can't access them. I'm guessing it's another perms problem that I need to tinker with. Any ideas? If not, I'll report back if I can't resolve it.

 
I would guess that you are indeed having permission problems at this point. Accessing computers by name across a VPN connection can be problematic regardless of your VPN solution. A DNS server, or alternatively a WINS server can clear some of those issues up. You might want to try accessing the shares using IP addresses just to eliminate name resolution issues.

Also, the message you receive when you try to access the share should give some insight. When the failure is reported, be sure to click on the "Details" button if one is present to make certain you are getting as much information as possible. Sometimes it is easier to diagnose these issues by using the "NET" commands from a command prompt. Of particular interest:

"NET VIEW \\192.168.x.x" to view the shared resources available on a remote computer. You can substitute the name for the IP address if name resolution is working.

"NET USE X: \\192.168.x.x\share_name" to map the specified share to drive X:. If the command is successful, change to the drive to verify permissions are good.

"NET HELP" will list other commands you can use.

The big advantage to using these commands is that error messages are reported a bit more clearly. If you can get the NET commands working, the other issues should resolve.

Good luck, post back if you need further assistance.
 
"In-office, I can connect to the VPN, browse files, print, etc."

Huh? That's definitely a problem, and should NOT happen!

Most of the time, when someone can connect to a VPN externally, yet cannot browse files internally, it is a NAT problem.

1. Make sure that the VPN pool is excluded from NAT rules---it is best to create the VPN pool in a different subnet than the remote LAN, but still exclude that from NAT.

2. NAT-T---this wraps (encapsulates) the IP header into a new IP/UDP header...this is a common problem with IPSec VPNs. The new UDP header can now be NATted, since NAT works with port numbers.

Your problem sounds like number 1.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 