VPN will not work


  • VPN will not work

    I am losing the little hair I have left.

    I have a server at my main job that works fine. I also have another client with nearly the same setup, but vpn connection will not find the server. Here is what I have done.

    SBS2003 sp1 (I am installing updates)

    Just replaced the router. Had a linksys with known problems allowing vpn.

    New Linksys router with vpn(wrv200 I think).

    Gone thru connect to the internet wizard several times.
    Gone thru the Routing and Remote access wizard several times.

    Have the correct FQDN in the server.

    Tried a couple of different settings on the router.
    1. It has its own page for vpn settings, allowing ipsec, pptp, and L2TP passthrough (all enabled)

    2. Added forwarding of ports: 1723, 3389, 443, 444, 500, 50, 4125, 80 to the correct NIC on the server

    3. Port triggering of 500 and 133.

    4. Added a tunnel on the router that would accept connections from any IP.

    5. Connecting from an xp machine and vista machine.

    I have pinged the server from out of the LAN successfully.
    RDP and RWW work fine.

    I have tried to duplicate the settings from my other router that works fine.

    Every time I try to connect I get the 800 error, could not connect to server. For some reason it will not resolve the server for vpn. I have also tried using the IP address and get the same error.

    I have enabled and disabled the port forwarding in many different configurations.

    I have compared the routing and remote access settings between the 2 servers and believe they are identical.

    I hope that covers it all. Does someone know why RWW works when vpn can't even locate the server? That fact is really driving me nuts. I would greatly appreciate any help out there.

    Thanks,
    Tony

  • #2
    Re: VPN will not work

    To try and isolate if this is a server or router issue, try creating a VPN from an internal workstation to the internal IP address of the server. If the VPN establishes then you know it's a router issue, if not it's on the server.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: VPN will not work

      For PPTP you also need to forward GRE and for IPSEC the router needs to support NAT-T.
      Usually such router devices have VPN passthrough...
      Isn't that easier to use/find?
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: VPN will not work

        Thanks for the input. I have tried connecting an internal machine via vpn with no luck. I have been thinking it is a server issue.

        On the router vpn settings, the general setup page has pptp, ipsec, and l2tp passthrough enabled. This page does not have any options for where to forward these services, so I manually entered it into the port forwarding page. Then I wondered if I was causing more problems by having the same settings in more than one area and disabled my manual entries.

        Which port does the gre service run through? I have seen it mentioned before, but not much in the way of specific settings for it.

        Thanks,
        Tony



        • #5
          Re: VPN will not work

          I've set up a RRAS Server as the VPN endpoint behind a LinkSys RV082 and it was really weird to get going. First, GRE is not something that has a port number. It's its own Transport Layer protocol. Check out the Wikipedia article. It's IP Protocol 47 whereas TCP is IP protocol 6. Check this link out for all the protocol numbers.

          Anyway, how I eventually got my RV082 to work is a mystery to me. I had set everything up with forwarding and ports and it still wouldn't work. There's no explicit way of forwarding GRE to an internal IP address for that model. Strangely, it just started working for no reason. I had installed Wireshark on the server to watch for traffic that was caused by incoming connection attempts and it suddenly worked. I'd suggest rebooting your router, but other than that, low end LinkSys products tend to be a bit oversimplified and make IT pros' jobs harder than they need to be.

          I'm not saying that your issue is with the LinkSys... it could be elsewhere. But it also wouldn't surprise me if it turned out to be a quirk in the LinkSys.
          Wesley David
          LinkedIn | Careers 2.0
          -------------------------------
          Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
          Vendor Neutral Certifications: CWNA
          Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
          Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



          • #6
            Re: VPN will not work

            UPDATE!!!

            I was just able to connect vpn from an internal pc. I was using the incorrect IP address before, I think.

            Shouldn't the external IP be the one I target for the port forwarding? I am not using the server as a gateway or firewall between the client machines and the internet.

            So perhaps there is a setting on the external NIC that is blocking vpn???

            Tony



            • #7
              Re: VPN will not work

              Yes, for an external VPN you should forward from the router to the external IP. The test I suggested was purely to make sure that the server was configured correctly as a VPN endpoint.

              Most Linksys routers will suffice with VPN passthrough enabled and port 1723 (for PPTP) forwarded to the server. I have a WAG300N which was setup this way, now using ISA with the router in bridge mode (modem only) so it passes all traffic to ISA.

              GRE may well be the issue, one thing to check is that your firmware is up to date as I had an older Linksys that needed an update for VPN passthrough to work properly. As nonapeptide says there's no explicit way to forward GRE traffic.
              Cruachan's Blog


              • #8
                Re: VPN will not work

                Originally posted by edanono
                I was just able to connect vpn from an internal pc. I was using the incorrect IP address before, I think.
                That shows that it's probably not the server that's the problem in this situation. That's good... we're narrowing down the possibilities.


                Originally posted by edanono
                Shouldn't the external IP be the one I target for the port forwarding?
                Based on your grammar, I'm not entirely sure what you mean. Let's say your external IP is 1.1.1.1 and your server's internal IP is 192.168.0.2. In your LinkSys, all you have to do is go to the port forwarding feature screen and say "[Port] -> 192.168.0.2" and that's it. So forward all the ports that you want (I think you mentioned 1723, 3389, 443, 444, 500, 50, 4125, 80) and make sure they're forwarding to 192.168.0.2. When someone goes to 1.1.1.1 using any one of those ports, their traffic will be forwarded to the server.

                The sticky wicket is how / if GRE will be forwarded to the server since there's no explicit option in the LinkSys to set. I've done some reading about your model just now and it looks like people have had success with PPTP VPNs behind it. Maybe the firmware is smart enough to know that if you forward TCP port 1723 to a server then it should also do GRE?



                Originally posted by edanono
                So perhaps there is a setting on the external NIC that is blocking vpn???
                If by external NIC you mean the LinkSys firewall... it's possible as long as you're sure that ports are being forwarded in the proper way.


                EDIT: cross-posted with cruachan

                Originally posted by cruachan
                Yes, for an external VPN you should forward from the router to the external IP. (Emphasis mine --Nonapeptide)
                Perchance did you mean "Internal" IP?
                Last edited by Nonapeptide; 26th January 2009, 21:24.
                Wesley David


                • #9
                  Re: VPN will not work

                  Originally posted by Nonapeptide
                  Perchance did you mean "Internal" IP?
                  No, I did mean external but I should have clarified that this assumes that it uses a dual NIC setup in SBS with one "external" connected to the router and one "internal" connected to the private network with RRAS routing between them. So I probably should have written External NIC, rather than External IP.

                  If it's single homed it's irrelevant, only has one NIC.
                  Cruachan's Blog


                  • #10
                    Re: VPN will not work

                    Thanks for the help all.

                    The external NIC I am talking about is the NIC on the server that is used to access the internet. The one that RWW is forwarded to and any other traffic coming from outside the network.

                    Considering that: if I can vpn the other NIC from inside the network, but NOT the NIC designated for external traffic, I can assume there is a problem with the settings on that card, right?

                    Say, ###.###.#.104 is the IP address all clients are directed to for internal DNS.

                    ###.###.#119 is the IP address all external requests are ported to from the router.

                    I have 1723, 80, 500 and others being directed to the "119" address.

                    Thanks,
                    Tony
                    Last edited by edanono; 26th January 2009, 22:11.



                    • #11
                      Re: VPN will not work

                      Originally posted by edanono
                      The external NIC I am talking about is the NIC on the server that is used to access the internet. The one that RWW is forwarded to and any other traffic coming from outside the network.
                      Ah ha! Somehow I missed that we were talking about a dual NIC server.



                      Originally posted by edanono
                      Considering that: if I can vpn the other NIC from inside the network, but NOT the NIC designated for external traffic, I can assume there is a problem with the settings on that card, right?
                      My first suspicion would be a misconfiguration in RRAS for that interface. For my tastes, RRAS can be a bit picky about things like that. The NIC itself is rather passive about the whole thing. It just takes whatever is handed to it. What about your Windows firewall settings (or any software firewall on the server for that matter)? Is that set to block any needful traffic on that interface?
                      Wesley David


                      • #12
                        Re: VPN will not work

                        Update...

                        I believe the problem is on the router. I was able to vpn on the LAN successfully.

                        So, is there anyone out there who has this router, or a similar one that could point me in the right direction of the proper configuration for it?

                        As stated before, I have forwarded ports: 1723, 80, 443, 444, 3389, 500, 50 to the IP address of the server. Also have enabled ipsec, pptp, and l2tp passthrough, and configured a tunnel on it.

                        And I still am getting the error 800.

                        Thanks again for all your help so far.
                        Tony



                        • #13
                          Re: VPN will not work

                          Originally posted by edanono
                          I believe the problem is on the router. I was able to vpn on the LAN successfully.
                          If my understanding of your situation is finally correct, the ability to VPN into the server from the LAN just means that the LAN facing card is correctly configured. However, the WAN facing card still has the possibility of misconfigured RRAS and Windows Firewall settings. I don't know if we can check that card off the list of possible culprits just yet.


                          Originally posted by edanono
                          So, is there anyone out there who has this router, or a similar one that could point me in the right direction of the proper configuration for it.
                          For my LinkSys specific issues, I usually go to LinkSysInfo.org. There are lots of people on those forums that are quite knowledgeable about the specifics of dealing with LinkSys products. You might be recommended to install a different firmware like Tomato.

                          BTW, does your LinkSys router have an embedded VPN server in it? The RV series has an embedded PPTP and IPSec VPN server. If so, make sure to turn it off.
                          Wesley David


                          • #14
                            Re: VPN will not work

                            This might bite with the passthrough so I would make sure that I remove 1723 and 500.
                            Btw, what are you using ports 444 and 50 for?

                            I don't say it will solve it but it's better to remove it.
                            Marcel


                            • #15
                              Re: VPN will not work

                              Been gone for awhile, but I have updates.

                              Installed a dlink DIR-330

                              Now I get a 721 error, the server did not respond. So the router is passing through the vpn traffic, now the server is not accepting connections. Comparing a working server to this one, I can see that in the RRAS mmc under the ports, I am missing the L2TP connections.

                              I have added 5 ports in the properties window and restarted the service and restarted the server. Any ideas why that would be or why I would be getting the 721 error? I have the following ports forwarded to the server:

                              RWW 443-444
                              pptp 1723
                              rdp 4125
                              term 3389
                              ipsec 500
                              gre 47
                              vpn 50
                              http 80

                              This may seem like overkill, but this is what is working on the other network. I have also tried adding 1701, but it did nothing.

                              I have seen plenty of people talking about 721 error leading to GRE not being passed through the router. Is there any way to test for that?

                              Thanks again,
                              Tony
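
One way to test for that, as an added example that is not part of the thread: capture traffic on the server's router-facing NIC during a connection attempt (post #5 mentions Wireshark for this) and check whether IP protocol 47 packets actually arrive after the TCP 1723 control connection. The function names, result labels and the client address 203.0.113.10 are constructed for illustration; the input is assumed to be raw IPv4 packets with the link-layer header already removed.

```python
import socket
import struct

PROTO_TCP, PROTO_GRE = 6, 47   # IP protocol numbers; GRE has no port to forward
PPTP_TCP_PORT = 1723           # PPTP control channel
PPTP_GRE_TYPE = 0x880B         # protocol type in PPTP's enhanced GRE header (RFC 2637)

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet 'control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    payload = packet[ihl:]
    if ihl < 20 or len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if packet[9] == PROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "control"                   # first/second are the TCP ports
    if packet[9] == PROTO_GRE and (first & 0x7) == 1 and second == PPTP_GRE_TYPE:
        return "gre"                       # GRE version 1 carrying PPP
    return "other"

def diagnose(packets, server_ip: str) -> str:
    """Summarise a capture taken on the VPN server's router-facing NIC."""
    server = socket.inet_aton(server_ip)
    seen = set()
    for pkt in packets:
        kind = classify(pkt)
        if kind != "other":
            direction = "in" if pkt[16:20] == server else "out"
            seen.add((kind, direction))
    if ("control", "in") not in seen:
        return "tcp-1723-not-arriving"     # forwarding or firewall problem
    if ("gre", "in") not in seen:
        return "gre-not-arriving"          # router is not passing protocol 47
    if ("gre", "out") not in seen:
        return "server-not-sending-gre"
    return "gre-both-ways"

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left 0) for the constructed samples."""
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return head + socket.inet_aton(src) + socket.inet_aton(dst) + payload

# Constructed sample packets; 192.168.0.2 is the example server address from post #8.
CLIENT, SERVER = "203.0.113.10", "192.168.0.2"
SYN = ipv4(CLIENT, SERVER, PROTO_TCP, struct.pack("!HH", 50000, 1723) + bytes(16))
SYNACK = ipv4(SERVER, CLIENT, PROTO_TCP, struct.pack("!HH", 1723, 50000) + bytes(16))
GRE_OUT = ipv4(SERVER, CLIENT, PROTO_GRE, struct.pack("!HHHH", 0x3001, 0x880B, 4, 1) + bytes(8))
GRE_IN = ipv4(CLIENT, SERVER, PROTO_GRE, struct.pack("!HHHH", 0x3001, 0x880B, 4, 2) + bytes(8))

if __name__ == "__main__":
    print(diagnose([SYN, SYNACK, GRE_OUT], SERVER))          # gre-not-arriving
    print(diagnose([SYN, SYNACK, GRE_OUT, GRE_IN], SERVER))  # gre-both-ways
```

A result of gre-not-arriving while the control connection is present points at the router or an upstream device rather than RRAS, since the server never receives the tunnel packets.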
