
Windows 2003 VPN

Status
Not open for further replies.

VieiraR

MIS
Jul 3, 2003
66
US
Hi,

I set up a Windows Server 2003 box as a VPN server. I followed MS TechNet instructions. However, when I test it the tunnel is established for a few seconds, then drops and tries again. I am assuming the authentication is failing. This is the setup:
Box with 2 NIC(A & B)

NIC A is set with static Class C private IP Intranet and is joined to domain. Only left out Default gateway per instructions.

NIC B is set with static Class C private IP Internet.
Firewall has a public IP NATed to NIC B's IP, and the default gateway is the firewall's IP.

The RRAS Wizard was used, and I assume IP forwarding is turned on then. We are using PPTP, not L2TP, and used both CMAK and a manually added network connection. I can see the tunnel being created but then it drops after a few seconds. Any idea as to the issue? Any help would be great.


Rich
 
First, I wouldn't even think about CMAK until you have a stable connection established with a manual connectoid. Too hard to change the options, and there are some you don't see in CMAK unless you dig real deep.

"the tunnel is established for a few seconds"
Brings the second . . . how do you know the tunnel is established? On the client side, properties for the connection, general tab, make sure the 'show icon in taskbar' is marked, at least while you are testing. Do you get the icon, or does it work for a bit then stop before the icon comes along? Any error messages?

Check your event logs on the server side. Anything going on there?

From what you are describing, I would bet that the tunnel is not established. I probably shouldn't guess without seeing your responses, but just the feeling I get.

Don't see what you are using for a firewall, but sounds to me like it isn't passing GRE. GRE is a protocol used by pptp, also known as protocol 47. Check to make sure your firewall is set to let it through, sometimes the option is labeled 'pptp passthrough'.
 
mhkwood, thanks for the quick response. We are using a Netscreen 25, and I can see the incoming IP address going through the firewall and then the packet being sent out. I can't see any info, hence the tunnel, then nothing after that; the tunnel closes. Yes, I have IP protocol 47 and TCP port 1723 open. The security event log is showing attempts but nothing else. We are using a domain, not an AD, and I was wondering if authenticating with the domain was causing problems. If you need any more info let me know. I hope I gave you what you are looking for. Again, thanks for the quick response.

Rich
 
What are you seeing on the client end . . . Do you get the icon in the taskbar, or does it stop before that point? Any error messages? Does everything seem to happen fairly quickly, or does it wait at some stage for several seconds before moving on?
 
On the client end we use a dial-up, and we get that icon, then it says connecting to 64.*.*.*, then states verifying username and password. Then we get an error 721, remote not responding.
 
If you are using DHCP on the server side to get VPN addresses, try assigning a static pool.

Failing that, I would go back to GRE not getting back to the client. Not familiar with the Netscreen at all, so I don't know what else to check there. Possible that it isn't on your end, as well. Many dialups block GRE on their networks.

You might want to try with a different ISP to rule that out. You could also enable logging, I would start on the client side. I can point you to directions depending upon the version of Windows. If you do turn it on, make sure you turn it off when you are done as it eats disk space fast.

Another option would be to install a network analyzer on the client to see if the GRE is getting there.
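Turning mhkwood's "network analyzer on the client" suggestion into a quick triage script. This is an added example, not code from the thread: it parses a constructed, one-packet-per-line summary (the line format is invented for this example, as are the client and server addresses) captured on the client side and reports whether the PPTP control channel (TCP 1723) and the GRE data channel (IP protocol 47) were seen in each direction, which is exactly the question the thread is circling around.

```python
"""Triage a PPTP connection attempt from a simplified packet summary.

Added example, not from the thread. Input lines look like
  10.0.0.5:49152 > 203.0.113.10:1723 tcp
  203.0.113.10 > 10.0.0.5 gre
(a format made up for this example). Addresses are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT = "10.0.0.5"        # constructed client address
SERVER = "203.0.113.10"    # constructed VPN server address (documentation range)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "gre"
    sport: Optional[int]   # None for GRE
    dport: Optional[int]   # None for GRE


LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<proto>tcp|gre)$"
)


def parse_capture(text: str) -> List[Packet]:
    """Parse the constructed summary format, one packet per line."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        g = m.groupdict()
        packets.append(Packet(g["src"], g["dst"], g["proto"],
                              int(g["sport"]) if g["sport"] else None,
                              int(g["dport"]) if g["dport"] else None))
    return packets


def analyze(packets: List[Packet], client: str, server: str) -> Dict[str, bool]:
    """Record which of the four PPTP legs (control/GRE, each direction) appeared."""
    seen = {"ctl_out": False, "ctl_in": False, "gre_out": False, "gre_in": False}
    for p in packets:
        if p.proto == "tcp" and p.src == client and p.dst == server and p.dport == 1723:
            seen["ctl_out"] = True
        elif p.proto == "tcp" and p.src == server and p.dst == client and p.sport == 1723:
            seen["ctl_in"] = True
        elif p.proto == "gre" and p.src == client and p.dst == server:
            seen["gre_out"] = True
        elif p.proto == "gre" and p.src == server and p.dst == client:
            seen["gre_in"] = True
    return seen


DIAGNOSIS = {
    "no-control-out": "client never sent TCP 1723: check the connectoid's server address",
    "no-control-reply": "TCP 1723 not answered: server unreachable or 1723 not forwarded",
    "no-gre-out": "client sends no GRE: local firewall or ISP dropping protocol 47 outbound",
    "no-gre-return": "GRE never comes back: firewall/NAT lacking PPTP passthrough, or the ISP, "
                     "is dropping protocol 47 towards the client (typically shows as error 721)",
    "ok": "both channels seen both ways: look at credentials, dial-in permission, address pool",
}


def diagnose(seen: Dict[str, bool]) -> str:
    """Return the first failing leg in protocol order, or 'ok'."""
    if not seen["ctl_out"]:
        return "no-control-out"
    if not seen["ctl_in"]:
        return "no-control-reply"
    if not seen["gre_out"]:
        return "no-gre-out"
    if not seen["gre_in"]:
        return "no-gre-return"
    return "ok"


# Constructed sample captures.
HEALTHY_CAPTURE = """
10.0.0.5:49152 > 203.0.113.10:1723 tcp
203.0.113.10:1723 > 10.0.0.5:49152 tcp
10.0.0.5 > 203.0.113.10 gre
203.0.113.10 > 10.0.0.5 gre
"""

GRE_RETURN_BLOCKED = """
10.0.0.5:49152 > 203.0.113.10:1723 tcp
203.0.113.10:1723 > 10.0.0.5:49152 tcp
10.0.0.5 > 203.0.113.10 gre
10.0.0.5 > 203.0.113.10 gre
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_CAPTURE), ("gre blocked", GRE_RETURN_BLOCKED)):
        code = diagnose(analyze(parse_capture(text), CLIENT, SERVER))
        print(f"{name}: {code}: {DIAGNOSIS[code]}")
```

The point of ordering the checks by protocol phase is that the control channel succeeding while GRE never returns is the signature of the "verifying username and password ... error 721" symptom in this thread: authentication is carried over the GRE-encapsulated PPP session, so a firewall that passes TCP 1723 but not protocol 47 looks like an authentication failure from the client's chair.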
 
Ok, I formatted and reloaded Windows Server 2003. This VPN is behind the firewall. I set up my external card with private address 192.168.*.*, a subnet of 255.255.255.0 and default gateway 192.168.*.*, which is the firewall. The internal card has a different private address and no default gateway and is connected to the domain. I ran the RRAS Wizard for Remote Access and VPN and specified which card is which. When I click finish it asks me about not being authorized for a Remote Server in the AD. We are not running an AD and I am signed in as the Domain Admin. Also I get a message about DHCP relay messages, but I am not using DHCP for the remote users; I am using static addresses. I made sure TCP port 1723 and IP Protocol 47 (GRE) are available. I set up my ports and logged all error messages. I still am getting an error 721, server not responding. What am I forgetting or doing wrong?


Rich
 
I assume that you set Dial-up access to Accept; even with the domain admin you have to set it.
 
breader,

I may sound stupid but... where and how?
 
Users and Computers
Properties of User
Dial-in
Allow
 
If both of your cards have addresses on the same network, that could be causing your problem. Based upon your subnet of 255.255.255.0 and partial network address of 192.168, if the third number is the same they are on the same network. This is one of those things that could cause GRE to go goofy on the server side.

Two ways to deal with that. I would remove the second card. The references that you see to a second card with a Windows VPN are really related to ISA, not the VPN. You haven't mentioned ISA (unless I missed it), so I'm fairly sure you can get away without the second card.

The other option would be to change the network address of the second card. I'm sure that will work, provided your Netscreen can deal with two networks on the same box; I would assume it can. You can stay with the 192.168.xxx, change the third number and stay with the 255.255.255.0 mask. Your VPN should still use numbers from the original LAN address so the automatic route that is added on the client side works.

The issue that breader mentioned could be a problem, but not at this point. That would not throw a 721. Check it out, but don't dwell on it yet.

Last thing, you mentioned that you are using static addresses for the clients. Do you mean that the client is configured to request a specific address? That is another one of those areas that can cause problems; I would let the server assign addresses until you get going. That will generally cause a long (up to 2 minutes or so) delay before giving an error, so I don't think that's your problem. But sometimes things like that act odd depending upon the combination of client/server/connections/temperature of the air/etc, so I wouldn't rule it out.
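The subnet arithmetic in mhkwood's post, as an added example (not code from the thread): given the two NIC addresses, the mask, and the static VPN pool, it reports whether both cards land on the same network, whether the internal card was given a default gateway, and whether the pool stays inside the LAN so the client's automatic route covers it. The addresses used are constructed placeholders in place of the thread's 192.168.*.* values, and the function and finding names are this example's own.

```python
"""Sanity-check an RRAS two-NIC layout against the points raised in the thread.

Added example, not from the thread. All addresses below are constructed.
"""
import ipaddress
from typing import List, Optional


def check_rras_layout(internal_ip: str, external_ip: str, mask: str,
                      pool_start: str, pool_end: str,
                      internal_gateway: Optional[str] = None) -> List[str]:
    """Return a list of finding codes; an empty list means nothing obvious is wrong."""
    findings = []
    internal = ipaddress.ip_interface(f"{internal_ip}/{mask}")
    external = ipaddress.ip_interface(f"{external_ip}/{mask}")

    # Two cards on one subnet: the case mhkwood says can make GRE "go goofy".
    if internal.network == external.network:
        findings.append("nics-same-subnet")

    # The TechNet setup the poster followed leaves the internal card without a gateway.
    if internal_gateway is not None:
        findings.append("internal-nic-has-gateway")

    # The static pool should come from the LAN so the client's auto-added route works.
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        findings.append("pool-reversed")
    elif not (start in internal.network and end in internal.network):
        findings.append("pool-outside-lan")
    elif start <= internal.ip <= end:
        findings.append("pool-contains-server-ip")
    return findings


def suggest_external_ip(internal_ip: str, external_ip: str, mask: str) -> str:
    """mhkwood's second option: keep 192.168.x, change the third octet until the
    external card no longer shares a network with the internal one."""
    internal_net = ipaddress.ip_interface(f"{internal_ip}/{mask}").network
    octets = external_ip.split(".")
    current = int(octets[2])
    for step in range(1, 256):
        candidate_octets = octets[:]
        candidate_octets[2] = str((current + step) % 256)
        candidate = ".".join(candidate_octets)
        if ipaddress.ip_interface(f"{candidate}/{mask}").network != internal_net:
            return candidate
    raise ValueError("no third-octet change separates the two networks under this mask")


if __name__ == "__main__":
    # Constructed layout resembling the one in the thread: both cards on 192.168.1.0/24.
    layout = dict(internal_ip="192.168.1.10", external_ip="192.168.1.20",
                  mask="255.255.255.0", pool_start="192.168.1.200", pool_end="192.168.1.220")
    print("findings:", check_rras_layout(**layout))
    print("try external card at:", suggest_external_ip(layout["internal_ip"],
                                                       layout["external_ip"], layout["mask"]))
```

Run against the thread-like layout it reports `nics-same-subnet` and proposes moving the external card to the next /24; after that change, the pool check still passes because the pool was taken from the internal (LAN) side, which is the constraint the post ends on.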
 
Ok,
Now I have a different question. Behind the firewall are the VPN and the intranet. The other servers we have are Windows 2000 running as a file server and Windows NT 4.0 as the DHCP and PDC. Do we need to make one of these an IAS? Will NT be able to handle it? Also, could the file server work as an IAS/RADIUS?

Rich
 