
VPN doesn't work! HELP !!!!!!


Vero

Technical User
Feb 1, 2001
I set up a VPN server in W2K. I left the default access policy, and in a user's properties I allow access for dial-in connections. I tried to connect from home with a W98 box. The connection seems to be open, but I can't see the computer in my domain. In the log file I can see that the user wasn't accepted. Is there something wrong with the permissions? Any help is appreciated. Thank you.
 
Try going to Network Neighbourhood and do a search for computers for the machine name of the one you are trying to connect to. I had this same issue and that is how I get access to the machine I want to connect to.

Matthew Humphrey
 
I tried, but I can't find anything. Once I was able to enter the domain, I could see all other computers, and I was asked for the domain's name. Now I'm asked only for user ID and password. Any suggestions?
 
The VPN tells you that you are connected?

Which machine are you doing the search from?

Matthew
 
In the W98 box I can't see any error; I mean that both connections, to my provider and the VPN connection, seem to be up in the remote access window. I tried the search from the W98 box, but it doesn't work.
 
Try playing around with the PPP settings in the properties window, Networking Tab, Settings, make sure the type is correct and turn on and off the multi-link.


Matthew Humphrey
 
Do you have a computer account in the domain?

Are your credentials locally the same as they are on the domain?

Can you do anything (i.e. ping, telnet?) from the command prompt to inside boxes?

Start there and see where it goes. Trial and error.
 
I am having a similar issue...did you resolve this one?
 
I guess you could say I may be having a similar problem, although it sounds like y'all really know what you are doing and I have no idea. I want to connect to my company's network from home. I have a cable modem. I'd like to just be able to connect and browse the network for files, check my e-mail, etc. I have Windows 2000 Pro on my computer at home and am using the same credentials at home that I do at work. I know the IP address I need to connect to and the domain I need to log into at work and that is it. My IT department allows for VPN connections but will not support them or help set them up. Long story short, I don't know hardly anything about computers or networking but would like to be able to work from home once or twice a month. Is there an F.A.Q. or something out there that could help me figure out how to get this thing working? Any help is greatly appreciated. Thanks so much.
 
Can you ping your VPN server IP address?
Do you have users setup to use Dial In?
Do you have shares setup for the Folders and/or files?
Are you using Active Directory?
Are you using MS Explorer to browse the VPN server?

If you can answer these questions for me I may be able to give you more help.

 
I can ping the server. We do have users set-up that use both VPN connections and dial directly into the network, my IT department did do something to my NT account that they told me would enable me to login via VPN. The other people in my company that I know are connecting with a VPN are using Windows 98 and of course like me, don't know much about computers and don't remember what they did to their computer to get it set-up. I am using Windows 2000 anyway so it's different, I know that much. :) I don't know what Active Directory is. If I could even connect, I would use Windows Explorer to browse the network. Thank you so much for the help. I really appreciate it.
 
I've heard of a hosts file before. Should I copy the one I have on my computer at work, if there is one, and copy it to my computer here at home? That wouldn't cause me not to be able to connect would it?
 
I just looked at the following article:


I don't really understand much of it but I can tell you that my IT department upgraded all of our servers to Windows 2000 when it came out last year so I am sure that we do probably have Active Directory if that helps at all.
 
beegled,
Find out from your IT department what the shares are that you will be using. Also get the computer name.
You can then go to the Command Prompt window
(Start => Programs => Command Prompt). When you are there you can use the NET USE command to map the share.
An example: NET USE [a drive letter] \\computer name\share
"Computer name" is the name your IT people gave the server you are mapping to and of course "share" is the share name.
If all goes well you will get a message "Command completed"
Close the window by typing exit
You can then go to Windows Explorer and see the mapped drive, whatever drive letter you gave it. Example S:
If the permissions are set up right, you should be able to see what's in the shared folders.

 
I guess my problem is that I can't even connect. I go to start, settings, network and dial-up connections, and then click on the one I made and named it with my company name. It asks for a user name and password and I enter the same ones I use to log in at work which by the way, I have set-up my computer at home so that when I log into Windows, I use the same user name and password as I do at work. Anyway, after I enter my user name and password, I click the connect button. It acts like it is going to connect and says it is verifying my user name and password. Then it stops and comes up with a dialogue box that says my login credentials have failed remote network authentication. Enter a user name and password with access to the remote network domain. This time it has three text boxes, one for my user name, one for my password and the last one for my logon domain which my IT department says would be the same logon domain I use at work so I enter that. I click ok and it just comes back with the same dialogue box and I do it again and then it disconnects because of failure. The instructions that I got off our intranet while I was at work for setting up a vpn connection at home were of course written for Windows 98 so they don't help much but I will type them in now from the print I made of them:




Before installing VPN there are a few prerequisites that need to be taken care of prior to VPN networking.

You must have already installed Dial Up Networking correctly.

You must already have an account with a local Internet Service Provider (ISP) and are able to connect with them.

A network administrator must have been made aware that you will be using VPN so they can make an adjustment to your network account. If you need this done send a request to the help desk. (** I did this and they told me they set it up **)

1. Install Virtual Private Networking
Go to Start | Settings | Control Panel | Add Remove Programs
Click on the Windows Setup tab
Double click on communications
Put a check mark in the Virtual Private Networking option

2. Double click on My Computer then double click on Dial Up Networking

3. Double click on Make New Connection and fill in the fields to match the following picture. You can use any name but you must make sure that Microsoft VPN Adapter is selected as the device then click next. (** There is a picture of the Make New Connection dialogue box following this step **)

4. Fill in the next screen to look like the following picture, making sure you use ***.**.**.*** as the IP Address. Click Next then Finish to complete setup. (** I put stars in where it gives the IP address to type because I did not know if it is okay to post the IP address to the web. There is a picture following this step of what it would look like **)

5. You will now see a connection icon with the same name you gave it in step 3.

6. Right click on the VPN connection icon and select properties. Go to the Server Type tab and make sure there is a check mark in all the options except NetBeui and IPX/SPX Compatible.

7. Make a connection to your local Internet Service Provider.

8. Once you're connected to your ISP you can test whether your ISP is set up for VPN by going to the Start button, clicking on Programs and clicking on MS-DOS prompt. Once you're at the DOS prompt type Ping ***.**.**.*** and the result should look similar to the following:

C:\WINDOWS>ping ***.**.**.*** with 32 bytes of data:

Reply from ***.**.**.***: bytes=32 time=1ms TTL=127
Reply from ***.**.**.***: bytes=32 time=1ms TTL=127
Reply from ***.**.**.***: bytes=32 time=1ms TTL=127
Reply from ***.**.**.***: bytes=32 time=1ms TTL=127

(** I have done this and I do get the same results they speak of except of course where it says C:\WINDOWS for them, it says C:\WINNT for me since I am using 2000 **)

9. Double click the VPN connection icon in the Dial Up Networking area of My Computer to make the virtual connection. You will be prompted to enter your User Name and Password which should be the same ones you use at corporate. Once you've done this you should have the same capabilities as you would at corporate.

10. You will notice the lower right corner of the screen should look like the picture below, telling you that you are connected to your ISP as well as the VPN.

(** There is a picture following this step of the system tray with the two icons **)

11. In order to disconnect it is recommended that you disconnect from the VPN connection first then disconnect from your ISP.




That's the complete instructions that they give and like I said really aren't much use to me since of course with Windows 2000 everything looks different, has a whole lot more options and there is anything actually called VPN or Virtual Private Networking that I can find.
 
The configuration of a PPTP-based VPN is pretty straightforward;
using L2TP over IPSec will be more difficult to employ because you will need a CA for it.

This is a step-by-step guide to set up a PPTP-based VPN using MS-CHAP v2:

Setting up the server
You will need a multihomed server. Use Windows 2000 Server or Advanced Server with 2 network cards
If you want the remote users to connect to the VPN through the internet, one of the NIC’s on the server will need a public registered internet address.
The internal NIC that connects our VPN server to the private network (or to an additional Firewall if your server is in a DMZ) has a statically configured IP address, that is excluded from your DHCP address pool.
If you want your users to connect using a direct RAS connection (analog modem, ISDN), you will need only 1 NIC, but you will need sufficient phone lines & RAS equipment.
Remark
My advice is not to connect to a VPN server that uses NAT…
Do not specify a gateway address on any of the interface cards

Go to the Routing & Remote Access snap-in in MMC
Right-click on the servername and choose ‘Configure and Enable Routing & Remote Access’
A wizard will be launched, but we are not going to use it, so choose ‘Manually Configured Server’ + finish to start the server with default settings.
Again, right click on the server name and select Properties
In the ‘general’ tab, make sure the ‘Remote Access Server’ checkbox is enabled.
In the ‘security’ tab, you can set the authentication methods.
If you have a RADIUS server, you can set the parameters to enable authentication against the RADIUS server.
If not, you will have to use Windows authentication (against the Active Directory)
Click ‘authentication methods’ and choose only Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and click OK
This will enable the Internet connection server to become capable of handling remote access and VPN.
In the ‘IP’ tab, enable IP routing.
You can also specify how you want to provide your users with an IP address.
Maybe it’s not a bad idea to assign a static address pool on the RAS server. This way you can put your server in a DMZ and handle DHCP requests independently of the LAN. Also, you can define rules on your firewall to only allow the IP address you’ve assigned…
The adapter that has to be used to assign DHCP, DNS, WINS, … parameters has to be the LAN interface !! Do not specify the internet interface !!!
In the ‘PPP’ tab, enable all settings
In the ‘Event logging’ tab, enable PPP logging, and log max. amount of information (Could be helpful when you want to troubleshoot the connection)
Click OK to save these settings

Now double-click on the server name and right-click on ‘Ports’
Choose ‘properties’
Select the WAN miniport (PPTP) adapter and choose ‘properties’
Enable ‘Remote Access connections (inbound only)’, disable Demand-Dial routing
Set the maximum ports to the number of concurrent users you want to be connected (e.g. 25)
If the port is a Modem Card, you can set a phonenumber for the card specified.
For network interfaces, do not specify a phone number
Click OK, 25 WAN Miniport (PPTP) ports will be generated. The device type is VPN
Select WAN Miniport (L2TP) and set the number of ports to 0 and/or deselect both of the checkboxes in front of the ‘Remote Access connections (inbound only)’ and ‘Demand-dial routing connections (inbound and outbound)’ options.


Go to the ‘Remote Access Policies’ item, open it, select the default rule ‘Allow access if dial-in permission is enabled’, right click on it and choose ‘properties’
Grant remote access permissions on the conditions you want to be matched :
Phone number called by user
Phone number from which call originated
Friendly name for the RADIUS client (IAS only)
IP address of RADIUS client (IAS only)
Manufacturer or RADIUS proxy or NAS (IAS only)
Day-and-time restrictions
Protocol to be used
String identifying the NAS originated the request (IAS only)
IP address of the NAS originating the request
Type of physical port used by the NAS originating the request
Type of service the user has requested
Tunneling protocols to be used
Windows groups that user belongs to

Before experimenting with these restrictions, set day-and-time restriction to allow access All days at all times, and specify ‘Grant remote access permission’ if a user matches this condition.
After specifying the rule(s), click ‘Edit profile’
Dial-in constraints : make sure you don’t restrict any dial-in media (unless you know what you are doing…)
IP tab : choose ‘Server settings define policy’
Here, you can also specify an IP packet filter (inbound and outbound) -> some sort of built-in firewall
Multilink tab : Default to server settings
Authentication tab : only select ‘Microsoft Encrypted Authentication version 2 (MS-CHAP v2)’
Encryption tab : only enable ‘Strong’ and ‘Strongest’

At this point, your server is configured to accept VPN connections over PPTP, using MS-CHAP v2
If you change something to the server configuration, make sure you restart the RRAS service
(Right click on the server name, All tasks, Restart)

Configuring client accounts
Configuring the server is not enough to allow clients to connect to the network over a tunnel.
We’ve configured the server to allow accounts to connect if they have dial-in permissions.
All we have to do is to create users in Active Directory, set a strong password, and enable remote access
Open the ‘Active Directory Users and Computers’ from the Administrative Tools folder in the start menu.

Configuring client software
Windows 2000 professional / Windows 2000 server
Add a network connection to connect to the VPN :
Open the ‘Network and Dial-up Connections’ folder from either ‘Control Panel’ or from ‘Settings’ on the Start menu
Open the option for ‘Make new connection’
Click next at the welcome message
Choose ‘Connect to a private network through the internet’ when you want to connect through the internet
If you want to dial into the VPN server using a modem, use the option ‘Dial-up to private network’
* Connect to a private network through the internet :
If you need an additional connection through the internet, you can enable the connection to dial into the internet first, and log onto the VPN server afterwards.
If you have a non-dial-up connection to the internet (xDSL, Cable, Leased Line, …), don’t choose the initial connection.
Specify the IP address of the VPN server you want to connect to (use the public internet IP address of the VPN server !!).
Choose between using this connection for ‘all users’ or just for yourself. + next
Do not enable internet sharing for this connection + next
Assign a name to this connection and click Finish
The Connection will be started. Click ‘Properties’
On the options tab, enable ‘Display progress while connecting’, ‘Prompt for name and password, certificate, etc’, ‘Include Windows logon domain’
In the security tab, set the security options to ‘Typical’
Validate my identity as follows : ‘Require secured password’
Enable ‘Require data encryption’
In the networking tab, Type of VPN server : automatic (or PPTP)
Click OK
Now you can specify the login, password and domain to try to log onto the VPN server.
When you are connected and authenticated, you will get a new IP address, a new gateway address will make sure you can access resources inside the LAN
If the VPN server is in a DMZ, the firewall can apply additional rules on the IP address (destination & target…)

For Win9x clients, you will need the latest DUN software, to support VPN,
or you can create a VPN client package on your Win2K server using Connection Manager Administration Kit

Good Luck

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

Did this post help ? Click below to let me know ;-)
 
peterve,

Was this answer supposed to be for me or for Vero?

David
 
Beegled,

actually, it gives all of you an overview on how to set up a PPTP vpn server (a step-by-step guide that works :) )
so you can see my answer as an addition to your post...

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

Did this post help ? Click below to let me know ;-)
 