VPN client can ping cannot see domain 1

[dimmech]

Creating this vpn has given me a crash course in basic networking but by no means am I experienced. Please keep that in mind when responding.
I can connect and ping the server and other machines in the domain, but I do not have access to resources.

I used 2003 server wizards to create domain controller, dns and wins roles in that order.

client pc = xp
d-link I704p router
muvpn client software for firebox soho 6

server pc = 2003 server
firebox soho 6 router

The client software creates a secure connection with the router and I am assuming that I have a dns issue.

If while connected I try to join the domain I get an error something like:
might be
netbios name not registered with wins
dns srv record not registered in dns
delegation to child zone

 

[minxca]

What is the DNS server on the client? It should be your DC IP Address.

 

[dimmech]

That is correct the client employs the safenet virtual adapter interface which is almost identical to having a second physical adapter/nic.
Set to:
client requests ip 192.168.1.15
dns
192.168.1.2
wins
192.168.1.2

router vpn server reserves 192.168.1.15

Server static ip 192.168.1.2
default gateway is router 192.168.1.1
prefered dns 127.0.0.1
secondary dns whatever isp provides

I have a local account on the client that has admin rights on the domain.

 

[GlenJohnson]

prefered dns 127.0.0.1

Why did you set it up like this and not use the real ip address?

Click here to learn How to help with tsunami relief...

http://www.google.com/tsunami_relief.html

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.
Don't forget to shop @ theTek-Tips Store

 

[dimmech]

I had some help with setting up the network and I'm not sure why it was set up that way. In any event I made the correction and it was not the source of my issue.

My dlink router(client side)logs show blocked connection attempts for tcp ports 135,445,1076 and 6101. The times seem to correspond to my vpn connection attempts. This router however has vpn pass through radio button settings "allow vpn connections" pptp and ipsec which are enabled.

Am I barking up the wrong tree?

 

[dk87]

netbios name not registered with wins - This is most likely because you have tcp port 135 blocked.

 

[dimmech]

From everything I've read about this particular setup I should not have to open ports. As many times as we will need to make secure connections to remote computers with different setups I can already see where this is headed.

Thanks for the replies. At this time we have decided to abandon the watchguard router. We need a solution that will give us less trouble setting up vpn clients for the simple fact that we will have to do it often.

In my research on this problem I found that alot of people were running into the same types of issues with wg routers. I'm sure there are probably alot of people who swear by wg but flags go up when you visit the watchguard solutions forum on tek-tips and see that half of the help requests go unanswered and the other half is left unresolved.

Anyway, thats my take on it. I hear tell that sonicwall is what I want. zat true?

 

[ITPangaeaArchitect]

you are required to have certain ports open depending on what you are trying to accomplish. such as joining them to the domain, youd need port 88, 53, etc. open.

this is all covered in 179442

you only need to pay attention to the windows 2000 portion

135 will be very important, equally important is ports 1024-65535, these are the ports required for RPC communications. 135 is the endpoint mapper, and 1024-65535 are the dynamic ports that are used to respond to RPC calls. You can statically set them to use a particular response port, but you are way more likely to end up with RPC related errors.

as for wins...you don't need it if all clients and servers are Win2000 and up. So tshooting that is a waste.


One thing to keep in mind though is this...VPN tunnels usually have ALL ports opened within them, thereby making most port issues null and void. However there are certain VPNs that do not do this and you have to explicitly open ports...all depends there.

If you are only using vpn software, save yourself the headache of trying to use them as domain members. The VPN would have to be the very first thing initialized at startup, before all other services, with authentication taking place at the same time, then all other services owuld need to start afterwards in order to do all the needed functions of a domain member. It could work with hardware equipment doing the vpn though, such as a router at the users home office or what have you.

If you plan on using this method, prepare for disaster in your helpdesk callwise, as they will get multiple calls all stemming from the same problem...vpn client software should not be used for domain members.

Plus too, you ever have a problem, and call Microsoft...guess what the answer will be...."this is not supported, here are a couple workarounds you could try"

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there

 

[dimmech]

Thanks for the explanation, that clears up alot.

All clients establishing a connection WILL have to log on to the domain for the purposes intended. That being the case, are there any suggestions for a no frills firewall with minimal setup? I will also need a server side fw/router(preferably same manufacturer).

-dimmech

 

[ITPangaeaArchitect]

well depending on your knowledge, you can use a light weight cisco router. That is what we use. Essentially any router that will encompass a VPN tunnel should work. This way, your tunnel is always up, and a machine can get an IP from that router that makes it a part of your internal network, and can then logon to the domain. There are other considerations however once you get to that point, such as logon scripts and group policy settings.

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there

 

[EnglishBoy]

Hi,

The Safenet software creates an IPSEC tunnel to the Watchguard firewall (most firewalls use some sort of VPN client and they all have the same set-up issues as safenet so the make of firewall you buy is pretty irrelevant). The VPN tunnel will support any protocol that runs over TCP/IP. The safenet software uses an internal IP address which can be statically assigned (it is independent of the IP of your PC's connection i.e. it is a virtual IP). Usually your internal IP address would be on a different subnet to the internal range of the LAN you are connecting to. So if your internal range is 192.168.1.0 255.255.255.0 you could give your Client an internal IP of 192.168.2.1 255.255.255.255.

The safenet software can be set to automatically start. This means that when you boot the PC, and get to your log on screen the software has all ready connected the VPN so that you can log onto the domain. NetBios will not propagate across a VPN connection, so you need to make sure you have ticked Netbios over TCP/IP in the options for your Network connection. Also in the Network connection you need to add the IP's of your DNS and WINS server (leaving your ISP's as your secondary DNS so you can still browse when the VPN is not in use).

Safenet version 10 supports NAT transversal, I’m not sure the others versions will properly, XP SP2 also screws up most VPN client software. CISCO also produces similar software for PIX firewalls.

Oh and there are also issues with VPN's and the MTU of your connection, IPSEC packets do not like being fragmented, so if your connection has an MTU of under 1500, your VPN will establish but not pass traffic (unless you drop the MTU on your NIC card or router)

I think that if you want no hassle VPN for a Microsoft network then you need a Microsoft VPN server running PPTP and the windows built in VPN client.