
VPN through NAT


CaptNeo

I have a network that is connected to the Internet via Frame Relay. I set up the router with DHCP and NAT. My Win2k server has a static IP, DHCP, DNS, AD and I configured it as a VPN server. I set up one computer as VPN client and dial-up connections to the Internet.

I can dial up to the Internet with no problems, and the VPN server at my office is running, but when I try to connect to it, the authentication fails. I know I put in the right ID and password as well as the domain but I couldn't get past it.

I looked at the event viewer on the server and I found the numerous attempts that I made, which failed authentication because of an unknown username or a bad password.

Can anyone help me on this?

 
Had a similar one on a W2K PPTP VPN. What solved it for me was, on the client, making sure it is set to PPTP and NOT auto (connection properties > networking > type of VPN).

dunno if it will work for you..

Good luck.
 
I tried that and still get the same error.
 
Your credentials have failed remote network authentication. Enter a user name and password with access to the remote network domain.

I'm using the administrator account and my account but still I get this same error.

Any ideas?
 
Did you try the username: ADDOMAIN\Administrator and the admin password?
 
Yes, tried that too and it fails.

Do I need to restart the server after configuring the VPN? Because it didn't ask for a reboot so I didn't. Does that help? I can't reboot the server right now because it's in use.
 
First question I have: is the VPN server's IP being NAT'd? If so, that may be the problem. VPNs are point to point and don't react well to being NAT'd. I would do 1 of 2 things: 1 - put your VPN server out on the Internet and attempt VPNing; it should work without a hitch. This would confirm that it is a NAT traversal problem. Or 2 - look into using your Cisco router to act as your VPN server.
Good luck and cheers.
 
The IP is being NAT'd alright so I'll try to assign it with an outside IP and see if it works.
 
That didn't work either. My Cisco router doesn't have the VPN capability.
 
To give your router VPN capability, you would have to load the correct IOS. Did you get the same error msg when you attempted to establish the tunnel?
 
If you have NAT running in front of the vpn server, use ESP or NAT traversal.
 
think we're going way off line here with esp & nat traversal.. think the point is getting this w2k pptp vpn to work! ..

What is firewalling the win 2k server? ISA perhaps? If so.. has it correct filters for *protocol* 47



 
This all looks horribly familiar. I think the answer might be very simple.

My users have two types of VPN:

1. A server behind a firewall router. The firewall is configured to pass VPN protocol to/from the server. The server has RAS pointed at the firewall. The VPN users have dial-in access enabled on their accounts. The users connect the VPN with their server login info. I suspect this is discarded and the actual server login is done using the username and password with which the user logged on to their local PC.

2. A LAN domain behind a VPN firewall router. The VPN firewall mediates VPN access to the LAN. The server knows nothing. The VPN users connect the VPN with a username and password configured on the VPN firewall. Once connected they access LAN resources using their local Windows login.

Some of CaptNeo's problems suggest he is successfully connecting the VPN (the server is logging errors, it couldn't do that if the router was blocking VPN, could it?) but the server is rejecting his login. I suggest CaptNeo looks at his local Windows login and sets it the same as his LAN/Server login (he probably can't specify a domain and so doesn't get domain access - e.g. might not be able to browse the LAN - but can access resources specified by name).

Life on a VPN is sweet if you use a laptop which you also use when in the office because it already has the right credentials and cached IP info.
 
Do you have both GRE (protocol 47) and TCP port 1723 open to allow VPN into the W2K server?

I have not seen this question answered yet.

It would help a lot if you could post the config of your firewall--if you have one, what model and OS it is, etc etc.
 
I've finally figured out the problem. My Win2k server only allows PAP, SPAP authentication.

So my question now is, how do I allow other authentication methods to work? I'd like to use either MS-CHAP or EAP.
 
Ummm...no. CHAP and MS-CHAP are supported natively in Windows 2000. All you have to do is enable it in the Remote Access Policy.

What is the VPN client here? Windows 2000, Windows 98, Windows XP???
 
I tried enabling them one at a time and it didn't work. The VPN client is Windows XP and 2000.
 
You should enable MS-CHAP v2 on the server.

In XP, it's easy. Do a properties of the VPN connection --> Security --> Advanced (custom settings) --> Settings

Allow the protocol MS-CHAP v2. Hit OK, reconnect. If it doesn't connect, you've got other issues you need to solve. PPTP VPN under an all Microsoft environment is one of the easiest things to do. If it isn't working, you've got a greater problem somewhere else.
 