Cannot Connect to Server 2008 Through Custom VPN Connection

Question
My goal is to establish several VPN connections to my server with the goal of using Microsoft Terminal Services Client (mstsc) to allow users to access their own accounts on the server. The client computers are running Windows 7 and Windows XP. I've had this working before, but it no longer is working. As far as I'm aware nothing was changed. I need this connection up ASAP and I'm stumped as to what could be hampering it. I'm very new to Server 2008; my networking knowledge and skills are intermediate. I've been able to do this with Server 2000, but I am stumbling my way through the Role system on Server 2008.
My server is running Windows Server Standard 2008 with Service Pack 2 installed. It has a static IP address of 192.168.1.254 on my network. I'm having to use a custom VPN setup because my server only has one NIC.
My router is a Linksys WRT400N with the IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. The internet side is using an address of 192.168.0.4 with a subnet mask of 255.255.255.0.
The above router is attached to an Actiontec DSL Modem using an internal address of 192.168.0.1 with a subnet mask of 255.255.255.0.
I'm using dyndns.com as my ddns server and am able to ping the server's site just fine. All users should have permissions to connect and establish a remote desktop view. I've uninstalled and reinstalled NPS and RRAS several times now trying different settings to try to get this to work again.
Monday, May 16, 2011 12:07 PM
All replies
Hi Aeden,
Thanks for posting here.
You should first enable and configure the VPN service on this single-NIC Windows Server 2008 host by running the RRAS wizard, as discussed in the articles below:
VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC
How to configure VPN Server with single NIC on Windows Server
After that you should add routing entries for communication between the two IP segments on the Linksys WRT400N, the Actiontec DSL Modem and the VPN server:
Internet--------Actiontec DSL Modem(192.168.0.1)--------(192.168.0.4)Linksys WRT400N(192.168.1.1)-------- (192.168.1.254)VPN Server
On Actiontec DSL Modem:
192.168.1.0 255.255.255.0 192.168.0.4
On VPN Server:
192.168.0.0 255.255.255.0 192.168.1.1
Meanwhile, you should also configure port forwarding on the Actiontec DSL Modem to forward all incoming VPN connections to host 192.168.1.254.
Which ports to unblock for VPN traffic to pass-through?
For more information please refer to the articles below:
Enable RRAS as a VPN Server and a NAT Router
http://technet.microsoft.com/en-us/library/dd458971(WS.10).aspx
Remote access/VPN server role: Configuring a remote access/VPN server
http://technet.microsoft.com/en-us/library/cc736357(WS.10).aspx
How to use the Windows Server 2003 Routing and Remote Access Service or ISA Server 2006 or ISA Server 2004 with a DSL router for Internet access
http://support.microsoft.com/kb/837453
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Tuesday, May 17, 2011 6:46 AM
I've followed your instructions but I'm still unable to establish a VPN connection. I'm thinking I might have an issue with the security properties of the VPN connection. I've included the majority of the settings for the devices below.
ActionTec DSL Modem
WAN IP Address
Obtain an IP Address through PPPoA (Dynamic)
PPP Auto Connect
Encapsulation = VC-MUX
Lan IP Address
Device IP Address = 192.168.0.1 (Static)
Device LAN Netmask = 255.255.255.0
DHCP Server = On
Beginning IP Address = 192.168.0.2
Ending IP Address = 192.168.0.254
SubnetMask = 255.255.255.0
Lease Time = 86400
Domain Name = domain_not_set.invalid
DNS = Dynamic
Services Blocking (None)
Website Blocking (None)
Remote Management = Off
Application Level Gateway (ALG) and Port Forwarding
192.168.0.4
Other
TCP 22 22 22
TCP 540 540 540
IPSEC
UDP 500 500 500
ESP * * *
PPTP
TCP 1723 1723 1723
GRE * * *
VPN
UDP 4500 4500 4500
UDP 1701 1701 1701
TCP 443 443 443
DMZ Hosting = Off
Firewall Security Level = Off
Dynamic Routing = Off
NAT = On
Static Routing
192.168.1.0 255.255.255.0 192.168.0.4
UPnP = Off
WRT400N Simultaneous Dual-Band Wireless-N Router
Internet Setup
Internet Connection Type = Static IP
Internet IP Address = 192.168.0.4
Subnet Mask = 255.255.255.0
Default Gateway = 192.168.0.1
DNS 1 = 192.168.0.1
DNS 2 = 208.254.148.69
DNS 3 = 208.254.148.100
Network Setup
Router IP Address = 192.168.1.1
Subnet Mask = 255.255.255.0
DHCP Server = Enabled
Start IP Address = 192.168.1.100
Maximum Number of Users = 50
IP Address Range = 192.168.1.100 to 149
Client Lease Time = 1440
DNS 1 = 64.51.191.57
DNS 2 = 216.175.203.59
DNS 3 = 192.168.0.1
WINS = 0.0.0.0
DDNS Service = Disabled
MAC Address Clone = Disabled
Advanced Routing
NAT = Enabled
Dynamic Routing (RIP) = Disabled
Static Routing
Destination Subnet Mask Gateway Hop Interface
192.168.1.0 255.255.255.0 192.168.1.1 1 LAN & Wireless
192.168.0.0 255.255.255.0 192.168.0.4 1 Internet (WAN)
239.0.0.0 255.0.0.0 * 1 LAN & Wireless
127.0.0.0 255.0.0.0 192.168.1.1 1 LAN & Wireless
default 0.0.0.0 192.168.0.1 1 Internet (WAN)
Security
Firewall = Disabled
Internet Filter
Filter IDENT (Port 113)
Web Filter (None)
VPN Passthrough
IPSec Passthrough = Enabled
PPTP Passthrough = Enabled
L2TP Passthrough = Enabled
Access Restrictions
Internet Access Policy (Nothing Blocked)
Applications & Gaming
Single Port Forwarding
Ext Port Int Port Protocol To IP Address
53 53 Both 192.168.1.254
25 25 TCP 192.168.1.211
22 22 TCP 192.168.1.211
540 540 TCP 192.168.1.211
3389 3389 Both 192.168.1.211
3390 3390 TCP 192.168.1.254
1723 1723 TCP 192.168.1.254
443 443 TCP 192.168.1.254
1701 1701 UDP 192.168.1.254
8085 8085 Both 192.168.1.254
500 500 UDP 192.168.1.254
Port Range Forwarding
Start End Protocol IP Address
22 22 TCP 192.168.1.211
540 540 TCP 192.168.1.211
8080 8080 Both 192.168.1.211
3389 3389 Both 192.168.1.211
4500 4500 UDP 192.168.1.254
Port Range Triggering (None)
DMZ = Enabled
Source IP Address = Any IP Address
Destination IP Address = 192.168.1.211
QoS
Wireless WMM Support = Enabled
Wireless No Acknowledgement = Disabled
Internet Access Priority = Disabled
VPN Server (Server 2008, Not Using Domains)
NIC
IP Address = 192.168.1.254
Subnet Mask = 255.255.255.0
Default Gateway = 192.168.1.1
Preferred DNS Server = 192.168.1.1
Alternate DNS Server = 192.168.0.1
Firewall = Disabled
Network Policy and Access Services
Events: 1 Warning
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
System Services: All Running
Display Name Service Name Status Startup Type Monitor
Remote Access Connection Manager RasMan Running Manual Yes
Routing and Remote Access RemoteAccess Running Auto Yes
Role Services: 3 Installed
Role Service Status
Network Policy Server Not Installed
Routing and Remote Access Services Installed
Remote Access Service Installed
Routing Installed
Health Registration Authority Not Installed
Host Credential Authorization Protocol Not Installed
Routing and Remote Access Properties
General
IPv4 Router = Enabled
LAN and demand-dial routing
IPv6 Router = Disabled
IPv4 Remote Access Server = Enabled
IPv6 Remote Access Server = Disabled
Security
Authentication Provider: Windows Authentication
Authentication Methods:
Extensible Authentication Protocol (EAP) = Enabled
Protected EAP (PEAP)
Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) = Enabled
Encrypted Authentication (CHAP) = Enabled
Unencrypted Password (PAP) = Enabled
Unauthenticated Access = Disabled
Accounting Provider: Windows Accounting
Allow Custom IPSec Policy for L2TP Connection = Disabled
IPv4
Enable IPv4 Forwarding = Enabled
IPv4 Address Assignment = Static Address Pool
From To Number IP Address Mask
192.168.1.50 192.168.1.99 50 192.168.1.0 255.255.255.128
Enable Broadcast Name Resolution = Enabled
IPv6
Enable IPv6 Forwarding = Enabled
Enable Default Route Advertisement = Enabled
IPv6 Prefix Assignment (None)
PPP
Multilink Connections = Enabled
Dynamic Bandwidth Control Using BAP or BACP = Enabled
Link Control Protocol (LCP) Extensions = Enabled
Software Compression = Enabled
Logging
Log Errors and Warnings
Log Additional Routing and Remote Access Information (used for debugging) = Disabled
Network Interfaces
Interface Type Status State
Loopback Loopback Enabled Connected
Local Area Connection Dedicated Enabled Connected
Internal Internal Enabled Connected
Ports Properties
Name Used By Type Number of Ports
WAN Miniport (PPPOE) Routing PPPoE 1
WAN Miniport (PPTP) RAS/Routing PPTP 128
WAN Miniport (L2TP) RAS/Routing L2TP 128
WAN Miniport (SSTP) RAS SSTP 128
IPv4
Static Routes
Destination Network Mask Gateway Interface Metric View
192.168.0.0 255.255.255.0 192.168.1.1 Local Area Connection 256 Both
VPN Connection Properties (On Client PC, Running Win 7 Ultimate x64, Not Using Domain, On a Private Class C Network 192.168.66.0)
General
Host Name or IP Address
(omitted for security reasons)
First Connect = Disabled
Options
Display Progress While Connecting = Enabled
Prompt for Name and Password, Certificate, Etc. = Enabled
Include Windows Logon Domain = Enabled
Redial Attempts = 3
Time Between Redial Attempts = 1 Minute
Idle Time Before Hanging Up = Never
Redial if Line is Dropped = Enabled
PPP Settings:
Enable LCP Extensions = Enabled
Enable Software Compression = Disabled
Negotiate Multi-Link for Single-Link Connections = Disabled
Security
Type of VPN = Automatic
Advanced Settings
L2TP
Use Certificate for Authentication
Verify the Name and Usage Attributes of the Server's Certificate = Enabled
IKEv2
Mobility = Enabled
Network Outage Time = 30 Minutes
Data Encryption = Require Encryption (Disconnect if Server Declines)
Authentication
Allow These Protocols
EAP-MSCHAPv2 will be used for IKEv2 VPN type
Unencrypted Password (PAP) = Enabled
Challenge Handshake Authentication Protocol (CHAP) = Enabled
Microsoft CHAP Version 2 (MS-CHAP v2) = Enabled
Automatically use my Windows Logon Name and Password = Disabled
Networking
Internet Protocol Version 6 (TCP/IPv6) = Enabled
Properties
Obtain an IPv6 Address Automatically
Obtain DNS Server Address Automatically
Advanced
IP Settings
Use Default Gateway on Remote Network = Enabled
Automatic Metric = Enabled
DNS (Empty or All Options Disabled)
Internet Protocol Version 4 (TCP/IPv4) = Enabled
Properties
Obtain an IPv4 Address Automatically
Obtain DNS Server Address Automatically
Advanced
IP Settings
Use Default Gateway on Remote Network = Enabled
Automatic Metric = Enabled
DNS (Empty or All Options Disabled)
WINS
Enable NetBIOS over TCP/IP
File and Printer Sharing for Microsoft Networks = Enabled
Client for Microsoft Networks = Enabled
Sharing
Allow Other Network Users to Connect Through This Computer's Internet Connection = Disabled
Wednesday, May 18, 2011 1:16 AM
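The chained port forwards are the part of Tiger Li's advice that the two device configurations above have to satisfy together. The following added example (my own, not from the thread or either vendor) transcribes only the VPN-relevant forwarding entries and DMZ settings from the posted Actiontec and WRT400N configurations and traces where each inbound PPTP, L2TP/IPsec and SSTP flow ends up after both NAT hops; the routers' PPTP/IPsec passthrough helpers are deliberately not modelled, so a miss here means "verify on the device", not "definitely broken".

```python
# Two-hop NAT reachability check for the topology in the thread:
# Internet -> Actiontec (192.168.0.1) -> WRT400N WAN 192.168.0.4 -> LAN hosts.
# Flow key: (protocol, port); port None means a portless IP protocol (GRE/ESP).

# Actiontec "Port Forwarding" entries relevant to VPN (all point at the WRT400N).
MODEM_FORWARDS = {
    ("tcp", 1723): "192.168.0.4", ("gre", None): "192.168.0.4",
    ("udp", 500): "192.168.0.4",  ("udp", 4500): "192.168.0.4",
    ("udp", 1701): "192.168.0.4", ("esp", None): "192.168.0.4",
    ("tcp", 443): "192.168.0.4",
}
MODEM_DMZ = None                      # DMZ Hosting = Off

# WRT400N single-port + port-range forwarding entries aimed at the VPN server.
ROUTER_FORWARDS = {
    ("tcp", 1723): "192.168.1.254", ("tcp", 443): "192.168.1.254",
    ("udp", 500): "192.168.1.254",  ("udp", 4500): "192.168.1.254",
    ("udp", 1701): "192.168.1.254",
}
ROUTER_DMZ = "192.168.1.211"          # DMZ = Enabled, destination 192.168.1.211
ROUTER_WAN = "192.168.0.4"
VPN_SERVER = "192.168.1.254"

# Inbound flows each RRAS VPN type needs to reach the server.
VPN_FLOWS = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPsec": [("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)],
    "SSTP": [("tcp", 443)],
}

def next_hop(forwards, dmz, flow):
    """One NAT device: an explicit forward wins, else the DMZ host, else None (dropped)."""
    return forwards.get(flow, dmz)

def trace(flow):
    """Follow one inbound flow through the modem, then the router; return hosts reached."""
    path = [next_hop(MODEM_FORWARDS, MODEM_DMZ, flow)]
    if path[-1] == ROUTER_WAN:        # only traffic handed to the WRT400N gets a second hop
        path.append(next_hop(ROUTER_FORWARDS, ROUTER_DMZ, flow))
    return path

def check_vpn_type(name):
    """Return {flow: final host} for the flows of a VPN type that miss the VPN server."""
    return {f"{proto}/{port or '-'}": trace((proto, port))[-1]
            for proto, port in VPN_FLOWS[name]
            if trace((proto, port))[-1] != VPN_SERVER}

if __name__ == "__main__":
    for vpn in VPN_FLOWS:
        bad = check_vpn_type(vpn)
        print(f"{vpn:11s} {'OK' if not bad else 'misrouted: ' + str(bad)}")
```

With the tables as posted, the portless GRE and ESP flows have no explicit entry on the WRT400N and fall through to its DMZ host 192.168.1.211 rather than the VPN server, which is the first thing to confirm on the router before changing anything on RRAS.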