
Win 2K VPN Config/Connectivity

MelvinSE (MIS)
Nov 25, 2003
I've got a few issues, so I'll just rattle them all off in hopes for some help.

Running a Win 2K Server as a domain MEMBER of an NT4 domain. Active Directory is NOT running. The 2K Server has ONE NIC. Our firewall is configured to allow PPTP packets (GRE AND PPTP) packets through to the Win 2K machine. The 2K box is running RAS and it is configured (I think) properly according to all the white papers I've read. On the NT4 PDC, I give the user account dial-in privileges. When I try to connect from the internet, I get an "Error 721" message. From what I've read, this is probably caused by the server not being able to assign the client an IP address. I did set up a static address pool. I can ping the public IP address from the internet. The VPN Client connection finds the server and asks for a user name and password. Once those are entered, I get the error after about 20 seconds. I know this is a relatively common problem, but I haven't found any sites with an actual solution. Maybe I'm not configured correctly considering my situation with one NIC, no Active Directory and an NT 4 network. My IP address pool is a group of addresses on my company's LOCAL subnet. Is that wrong? Should I make the VPN address pool its own subnet? I don't even know if that's the problem. This configuration is a first for me, so any help is appreciated.
 
Just reading through your post it sounds like you will need to install a second NIC with an internal IP then config NAT between the two NICs. I don't think your w2k server knows what to do with the traffic coming to the external IP.
 
I'm not sure if I needed to install a second NIC or not, but I have seen writeups on configuring a VPN with just one. The external IP is handled by the firewall/router, which translates the external address to the hidden internal address of the VPN server and forwards the packet. The VPN NIC isn't getting packets directly from the outside. I don't know. Maybe I'm missing something, but I think that setup should work.
 
Most firewalls will allow you to install and config VPN. We have a Cisco PIX with VPN server installed, I use it for admin access. Just an idea!
 
Go into the Routing and Remote Access console and access the properties for the server. Under the IP tab, select static address pool and give it an IP range. When clients connect to the server they should get one of those IP addresses.

The problem with your configuration is that with only one NIC, you will only be able to access resources on the VPN server itself and not the rest of the LAN.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
I have set a static IP address pool, so I'm not sure that's it. However, I have read that the "721" error could be caused by the router not forwarding GRE packets properly. However, in the router log, it says it saw and accepted the GRE protocol packets and forwarded them to the proper address. I did notice, though, that the allowed GRE packets came through with a destination of the PUBLIC IP address. The router caught them when they hit the router and forwarded them to the VPN server's public address. The router is running NAT, so I'm thinking that maybe the packets don't get translated properly to the INTERNAL address of the VPN server and remain unforwarded. Is this a correct assumption?
 
Is the VPN server exposed to the Internet or does it sit in the DMZ?

I'm assuming your VPN client is the one that can be configured through the Windows Network connection. If the client is already part of the domain, ensure that you disable the Log on to domain option. If the client is not part of the domain then the option must be checked.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
The server sits on the internal network, behind the router, which uses NAT. I thought about installing RAS on the multi-homed server connected to the router, but that's an old NT4 machine that I don't want to use for that purpose.

I've only tried to connect using a WinXP Pro client, and tried with and without the Log On To Domain option. I got the same 721 error. I read that there were bug issues between XP Pro and 2000 Server over RAS, but I installed the 2000 Service Pack just as suggested by Microsoft. For that reason, I'm going to attempt to connect using a Win98SE client today.
 
Try this on the XP Client:

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
Locate the following subkey, where <000x> is the network adapter for the WAN Miniport (PPTP) driver:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>

On the Edit menu, point to New, and then click DWORD Value.
Type ValidateAddress, and then press ENTER.

Note: By default, the Data value is 0 (Off).
Quit Registry Editor.
Restart your computer.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
The problem is with the NAT. Initially the client is sending a request to the public IP address of the server but the server is responding using a different IP address. When the client verifies the return address it will not match hence giving you an Error 721 Remote PPP peer is not responding.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
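The registry procedure above and the NAT explanation that follows it, scripted as an added example that is not from the thread or from Microsoft: it finds the WAN Miniport (PPTP) subkey by its DriverDesc instead of guessing the <000x> number, then creates the ValidateAddress DWORD there. Assumptions: an elevated PowerShell session on the XP client, the DriverDesc string 'WAN Miniport (PPTP)', and the value 0 that the post labels Off.

```powershell
# Added example, not code from the thread. Network adapter class key quoted in the post.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Get-PptpMiniportKey {
    # Walk the numbered subkeys (0000, 0001, ...) and return the first one whose
    # DriverDesc identifies the PPTP miniport. Some subkeys (e.g. Properties) deny
    # read access even to administrators, so those reads are silently skipped.
    Get-ChildItem -Path $classKey -ErrorAction Stop |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DriverDesc -eq 'WAN Miniport (PPTP)'
        } |
        Select-Object -First 1
}

function Set-PptpValidateAddress {
    # $Value = 0 is assumed to be the "Off" setting the post describes.
    param([uint32]$Value = 0)

    $key = Get-PptpMiniportKey
    if (-not $key) {
        throw 'WAN Miniport (PPTP) subkey not found under the network adapter class key.'
    }

    # Record the current setting before touching it so the change can be reviewed and reverted.
    $before = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ValidateAddress
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host ("{0}: ValidateAddress before = {1}" -f $key.PSChildName, $shown)

    # -Force overwrites the value if it already exists; New-ItemProperty creates it otherwise.
    New-ItemProperty -Path $key.PSPath -Name 'ValidateAddress' -PropertyType DWord -Value $Value -Force | Out-Null

    # Return the value as read back from the registry; a reboot is still required for it to take effect.
    (Get-ItemProperty -Path $key.PSPath).ValidateAddress
}

Set-PptpValidateAddress -Value 0
```

ValidateAddress is a client-side check that the PPP reply comes from the address that was dialed; turning it off works around the NAT address mismatch rather than fixing it, so keep a record of the change and revert it once the server side is corrected.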
 
I've looked into setting up an L2TP/IPSec VPN, but from what I've been reading, Windows 2000 Server doesn't support the necessary L2TP/IPSEC NAT-T that I would need since my firewall is running NAT. But, there is an update for L2TP/IPSec NAT-T from Microsoft, but it lists only "Windows 2000" as the target operating system and mentions nothing of installing to the Server version.

Do you guys know if setting up an L2TP/IPSec VPN behind NAT is possible on Windows 2000 Server?
 
Install the update. While I have not done this myself, others have said this will fix the server NAT-T issue.

Alex
 