none
DHCP Issues with VPN Connections on Server 2012 and 2012 R2

    Question

  • I am trying to configure a dirt-simple VPN setup:

    Router (DHCP host, 192.168.1.1)

        Server (VPN host, 192.168.1.151)

            VPN clients (should get 192.168.1.X)

        Other devices connected to Router (192.168.1.Y-N)

    I want the Router to provide IP addresses via DHCP.  I can connect clients to the VPN using static addresses, but I am unable to configure the DHCP to work for some reason.  Previously I used "Server 2012 R2" and it gave me no trouble with this exact topology.  What can I try?

    I'm using the RRAS VPN role only.  DHCP Relay Agent is configured with the 192.168.1.1 server address.  I've tried with all permutations of Internal and Ethernet interfaces installed and configured for the agent.



    • Edited by neuben Sunday, September 15, 2013 12:21 AM
    Saturday, September 07, 2013 5:25 AM

All replies

  • Hi neuben,

    Firstly, please let us know whether the DHCP host is a physical router or a Windows Server with DHCP role installed.

    Meanwhile, regarding how to assign IP address to VPN clients, please refer to this article.

    Configure the Way RRAS Assigns IP Addresses to VPN Clients

    http://technet.microsoft.com/en-us/library/dd469667.aspx

    Hope this helps.


    Best Regards
    Jeremy Wu

    Tuesday, September 10, 2013 4:37 PM
    Moderator
  • Hi Jeremy, 

    The DHCP host is a simple consumer gigabit router.  (Asus rt56u)

    I have tried both options that the linked article highlights -  and the static IP option does permit clients to connect to the VPN host; however this is not the required setup.  When the VPN host is configured to use DHCP I get a 720 error.

    I have tried with and without the Routing role installed.  I don't think it should be necessary to use DHCP Relay Agent since the VPN host is in the same subnet as the DHCP host (and because Server 2012 r2 worked with this in configuration out of the box). 

    Wednesday, September 11, 2013 12:13 AM
  • I reinstalled Windows Server 2012 today and VPN access still does not work for me using DHCP.  If I define a static block of addresses, it works - however this is NOT a correct configuration.  How can I configure Server 2012 to allow connecting clients to get addresses from the network router's DHCP service?

    Setup:

    1. Install Windows Server 2012
    2. Install Remote Access role with "Direct Access and VPN (RAS)" feature only
    3. Run "Getting Started" wizard and deploy VPN only
    4. "Configure and Enable Routing and Remote Access"
      Custom Configuration
        VPN Access checked
    5. Configure NPS

    After this, I can only connect with a static IP block defined.  I am testing with the local computer, a LAN computer and a remote computer; using PPTP and L2TP/IPSec.  Connections work fine only with a static block.

    I was randomly able to connect and get DHCP addresses from my router once earlier today, and I thought I had it set up correctly finally.  I rebooted the server to make sure it was durable, and I could no longer connect without a static block.

    The router is a standard consumer 192.168.1.x gigabit router.  It has options for all manners of VPN passthrough; however when I am attempting a connection to 127.0.0.1, it behaves the same way as a connection that goes through the router (won't connect with a DHCP IP address, will connect with a static block IP address).

    While a connection is being attempted, there is a brief period of time, about 3 seconds, where if I refresh the "Remote Access Clients" list in RRAS I see the user that is attempting to connect.  There is no network address listed, but the user is there until the DHCP request fails and the connection is terminated.

    I'm pulling my hair out here, can someone please take some ownership here and help me work through this?  I can't believe nobody else has ever had this problem!

    RAS Event log message:

    RoutingDomainID- {00000000-0000-0000-0000-000000000000}: CoId={NA}: The user {unimportant} connected to port VPN0-127 has been disconnected because no network protocols were successfully negotiated.

    Sunday, September 15, 2013 12:40 AM
  • What is wrong with using a static address pool? Your remotes have to get their network config from a pool of addresses on the server anyway. They cannot get it directly from DHCP.

     The only difference if you use the DHCP option is that the server leases a batch of addresses from DHCP to use as a pool.

    The reason it has to work this way is that the client lease has to be only for the duration of the connection, not for the lease time of the DHCP server.


    Bill

    Sunday, September 15, 2013 2:37 AM
  • Using the static address pool means that I cannot directly connect by friendly name, for one example.  \\Server\Share has to be ip\share which becomes a hassle when I need to connect to someone who is connected via VPN.

    "Your remotes have to get their network config from a pool of addresses on the server anyway. They cannot get it directly from DHCP."

    That is simply not accurate.  I am not sure why, but it did work briefly.  I could inspect my router's connected client log and could see remote machines connected as though by a gigabit wire to a LAN port.  I rebooted and it now no longer works.

    "The reason it has to work this way is that the client lease has to be only for the duration of the connection, not for the lease time of the DHCP server."

    In general, the lease only needs to be as long as the client session, but it is not the case that it must be limited to the session.  This is a small VPN and I will not be scaling it out past the addressing capability of a single commodity hardware router.  The better integration with the LAN is a sufficient payoff to clutter my router's DHCP pool slightly.

    I am trying to debug the connection with Wireshark currently.

    Sunday, September 15, 2013 3:16 AM