
SBS 2003 failed VPN Setup\Connection

Status
Not open for further replies.

TimKidney (IS-IT--Management, GB)
Mar 3, 2009
Hi all

Hope you can help me out...

Have set up a VPN connection on an SBS 2003 using the Configure Remote Access wizard, accepting all defaults and naming the VPN connection vpn.<company website excluding www> (details of server name\domain etc to follow)

Have also used the Configure Firewall wizard to open the relevant ports on my D-Link DSL-2740B and even logged into the config page to check the VPN PassThru box and port forward the following ports to the server's IP address:

  External Port   Internal Port   Type
  47              47              TCP
  50              50              TCP
  500             500             TCP
  1723            1723            TCP
  1701            1701            UDP

Server is a SBS 2003 single server (DHCP, AD etc) single static NIC.

I've manually set up the connection on Vista and Windows 7 as well as run the .exe SBS creates for you, but it fails with Error 800 failed to connect, which seems to be a generic message which could mean a lot of things?

Really stuck now as have tried many things.

I'm not 100% sure the ISP IP address is a static one, could that be an issue?

How can I tell if the client connection is even reaching my router?

I've run a tracert from the client and it stops somewhere out in the web?

I've also spoken to 1 and 1 who host the site\email etc and they say we need to upgrade to a dedicated server package to allow VPN connections, which I'm sure is not right?

Internet is with BT Business

I'd be very grateful for any help\guidance.

Cheers, Tim
 
Can you telnet to your public IP on port 1723?

Network+ Inet+ MCP MCSA 2k3
 
It looks to me like you are trying to access the VPN server using a domain name that includes the domain name used by a third party to host your website and email. The VPN server is hosted at your location over a DSL connection. This will not work without changing DNS information for that domain name, which will probably require cooperation from your hosting provider that you are not likely to receive. If I have missed something here, please clarify. For now, use the public IP address of your router.

You need TCP port 1723 forwarded to your server. 47 and 50 are not port numbers in the realm of VPN connections, rather they are protocol numbers. Having these ports forwarded doesn't really hurt anything, just doesn't help. I would get rid of them just to eliminate some confusion. UDP 1701 and UDP 500 (you note TCP 500) are used for some connections, leave the 1701 and change 500 to UDP. Probably will not be used unless you change the default settings on your server, but can't hurt.

You do need protocol 47 (GRE) to get through. Most routers have an option for VPN pass-through or PPTP pass-through which will allow this to happen. Browsed the manual for your router but did not see the option. Either it is not supported, in which case you will either need to get a different router or configure your server as a DMZ server (not recommended), or it is enabled by default and you can't turn it off. The latter would not be a problem at all as GRE does nothing without the connection of port 1723. Also possible I missed it in the manual. This is NOT the cause of the 800 error, but you may want to research a bit before you go much farther.

You should be able to connect to the server even if your public IP address is dynamic. If it changes often, you will certainly want to use a dynamic DNS service. Your router does support this, so that should not be a problem. In this case you would use the name you configure with the service to access your server instead of the IP address.

In order to get tracert or ping to work, your router will need to respond to ICMP requests. Did not see a specific option in the manual for ICMP, but you should disable attack prevention in the firewall settings. Again, you will need to use the public IP address of your router or the dynamic DNS name for this to work.

Can you connect to the VPN server from the local network? Give it a try, using the server's local IP address, not the public IP of your router. This is much simpler than connecting over the internet and should eliminate issues with your router and internet connections. Once you confirm that you can connect locally move on to testing across the internet.

You can test the connection to your server on port 1723 using telnet. Open a command prompt and type

    telnet x.x.x.x 1723

replacing the x.x.x.x with the public IP of your router (the server's local IP if testing from your network) and press enter. There are three common responses, each of which has different implications.

1) You see a blank screen with a flashing cursor in the upper left corner within a couple of seconds. This actually means that you are connecting to the VPN server. The traffic is making it through the internet, your port forwarding is working, and the server is running. The next step would be to try the VPN connection again -- it should either work or give a different error message.

2) Within a few seconds, you receive the message "Unable to connect to host, on port 1723:Connect failed". The timing is important here. If the message comes within a few seconds, traffic on port 1723 is being rejected somewhere between your client and the server. Either the client ISP is blocking traffic, the server ISP is dropping traffic, your router is blocking traffic with its firewall, or your VPN server firewall is blocking traffic. In rare cases, a router with defective firmware will cause the problem.

3) After a brief delay (15-30 seconds) you receive the "Unable to connect to host, on port 1723:Connect failed" message. In this case, traffic on 1723 is being dropped instead of rejected. The drop could happen anywhere between the client and the server, including a configuration problem with the server.
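The three telnet outcomes above (fast connect, fast refusal, slow timeout) can be checked programmatically. This Python probe is an added example, not code from the thread: it performs the same TCP handshake as `telnet host 1723` and classifies the result by timing. The 5-second "fast reject" threshold, the default 20-second timeout and the loopback self-test listener are assumptions for illustration.

```python
import socket
import time

PPTP_PORT = 1723        # PPTP control channel (TCP); tunnel data rides on GRE, IP protocol 47, not a port
FAST_REJECT_SECONDS = 5  # a refusal faster than this counts as "actively rejected" (assumed threshold)


def classify(outcome, elapsed, timeout):
    """Map a raw connect outcome plus its timing to one of the three diagnoses from the answer above."""
    if outcome == "connected":
        return "accepted: 1723 reaches a listening server, so forwarding works; retry the VPN client"
    if outcome == "refused" and elapsed < FAST_REJECT_SECONDS:
        return "rejected: something on the path (ISP, router firewall, server firewall) refuses 1723"
    if outcome == "timeout" or elapsed >= timeout:
        return "dropped: packets on 1723 are silently discarded somewhere, possibly by the server itself"
    return "unknown: %s after %.1fs" % (outcome, elapsed)


def probe_tcp(host, port=PPTP_PORT, timeout=20.0):
    """Attempt one TCP handshake (what 'telnet host 1723' does) and return (outcome, seconds)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "connected"
    except socket.timeout:          # no SYN-ACK and no RST within the timeout: silently dropped
        outcome = "timeout"
    except ConnectionRefusedError:  # RST came back: actively rejected
        outcome = "refused"
    except OSError:                 # e.g. no route to host or DNS failure
        outcome = "error"
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def diagnose(host, port=PPTP_PORT, timeout=20.0):
    """Probe host:port and return the human-readable diagnosis."""
    outcome, elapsed = probe_tcp(host, port, timeout)
    return classify(outcome, elapsed, timeout)


def start_local_listener():
    """Bind a throwaway listener on loopback so the probe can be exercised offline (self-test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)
    return srv
```

Run `diagnose("<your router's public IP>")` from the client side; against a local listener it reports the accepted case, and against a closed port the rejected case.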
 
Wow! Firstly I am so grateful for your advice! You really have gone to great depths to help me out, which I really appreciate!

Secondly...it now works!! So thank you so much!

I succeeded at Step 1 with the Telnet (for which I'll also send out a thanks to the first reply, NetworkTek) as this proved the setup was fine and it was simply a DNS issue.

So I created a free account with DynDNS then configured it within the router and now have an active VPN connection to an address!!

I've learnt a great deal from this both technically and morally about forums, so I will for sure be helping all I can when I can after the help you have offered me.

Really grateful mhkwood.

Cheers

Tim Kidney
 