Cannot Connect to Server 2008 Through Custom VPN Connection

  • Question

  • My goal is to establish several VPN connections to my server with the goal of using Microsoft Terminal Services Client (mstsc) to allow users to access their own accounts on the server.  The client computers are running Windows 7 and Windows XP.  I've had this working before, but it no longer is working.  As far as I'm aware nothing was changed.  I need this connection up ASAP and I'm stumped as to what could be hampering it.  I'm very new to Server 2008; my networking knowledge and skills are intermediate.  I've been able to do this with Server 2000, but I am stumbling my way through the Role system on Server 2008.

    My server is running Windows Server Standard 2008 with Service Pack 2 installed.  It has a static IP address of 192.168.1.254 on my network.  I'm having to use a custom VPN setup because my server only has one NIC.

    My router is a Linksys WRT400N with the IP address of 192.168.1.1 with a subnet mask of 255.255.255.0.  The internet side is using an address of 192.168.0.4 with a subnet mask of 255.255.255.0.

    The above router is attached to an Actiontec DSL Modem using an internal address of 192.168.0.1 with a subnet mask of 255.255.255.0.

    I'm using dyndns.com as my ddns server and am able to ping the server's site just fine.  All users should have permissions to connect and establish a remote desktop view.  I've uninstalled and reinstalled NPS and RRAS several times now trying different settings to try to get this to work again.



    Monday, May 16, 2011 12:07 PM

All replies

  • Hi Aeden,

    Thanks for posting here.

    You should first enable and configure the VPN service on this single-NIC Windows Server 2008 host by running the RRAS wizard as discussed in the articles below:

    VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC

    http://blogs.technet.com/b/rrasblog/archive/2006/09/20/vpn-server-deployment-ip-addressing-routing-nat-single-vs-two-nic.aspx

    How to configure VPN Server with single NIC on Windows Server

    http://blogs.technet.com/b/rrasblog/archive/2006/06/19/how-to-configure-vpn-server-with-single-nic-on-windows-server.aspx

    After that you should add routing entries for communication between the two IP segments on the Linksys WRT400N, the Actiontec DSL Modem and the VPN server:

    Internet--------Actiontec DSL Modem(192.168.0.1)--------(192.168.0.4)Linksys WRT400N(192.168.1.1)-------- (192.168.1.254)VPN Server

    On Actiontec DSL Modem:

    192.168.1.0 255.255.255.0 192.168.0.4

    On VPN Server:

    192.168.0.0 255.255.255.0 192.168.1.1

    Meanwhile, you should also configure port forwarding on the Actiontec DSL Modem to forward all incoming VPN connections to host 192.168.1.254.

    Which ports to unblock for VPN traffic to pass-through?

    http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx

    For more information please refer to the articles below:

    Enable RRAS as a VPN Server and a NAT Router

    http://technet.microsoft.com/en-us/library/dd458971(WS.10).aspx

    Remote access/VPN server role: Configuring a remote access/VPN server

    http://technet.microsoft.com/en-us/library/cc736357(WS.10).aspx

    How to use the Windows Server 2003 Routing and Remote Access Service or ISA Server 2006 or ISA Server 2004 with a DSL router for Internet access

    http://support.microsoft.com/kb/837453

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, May 17, 2011 6:46 AM
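As an added illustration of the static routes the reply above prescribes (this is not code from the thread, from Microsoft or from either router vendor), the following Python script does longest-prefix-match lookups over the three hops using the addresses posted in the thread, and traces where a packet for the VPN server ends up with and without the 192.168.1.0/24 route on the Actiontec. The hop names, the `INTERNET` sentinel for the modem's default route, and the per-hop tables are assumptions reconstructed from the reply.

```python
"""Hop-by-hop route lookup for the double-NAT topology discussed above.
Hypothetical simulator written for this thread; the addresses and the two
static routes are the ones posted, everything else is an assumption."""
import ipaddress

# Interfaces each hop owns, as posted: modem LAN, WRT400N WAN/LAN, server NIC.
INTERFACES = {
    "modem": {"192.168.0.1"},
    "wrt400n": {"192.168.0.4", "192.168.1.1"},
    "server": {"192.168.1.254"},
}


def owner(ip):
    """Return the hop that owns an interface address, or None."""
    for name, addrs in INTERFACES.items():
        if ip in addrs:
            return name
    return None


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries.
    next_hop None means the destination subnet is directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def build_tables(modem_static_route):
    """Route tables per hop. modem_static_route toggles the entry the reply
    tells the poster to add on the Actiontec (192.168.1.0/24 via 192.168.0.4)."""
    modem = [("192.168.0.0/24", None), ("0.0.0.0/0", "INTERNET")]
    if modem_static_route:
        modem.insert(0, ("192.168.1.0/24", "192.168.0.4"))
    wrt400n = [("192.168.1.0/24", None), ("192.168.0.0/24", None),
               ("0.0.0.0/0", "192.168.0.1")]
    # The server route from the reply plus its posted default gateway.
    server = [("192.168.1.0/24", None), ("192.168.0.0/24", "192.168.1.1"),
              ("0.0.0.0/0", "192.168.1.1")]
    return {"modem": modem, "wrt400n": wrt400n, "server": server}


def trace(tables, start, dst, max_hops=8):
    """List the hops a packet from `start` to `dst` visits. The list ends with
    'delivered' (dst on a connected subnet), 'INTERNET' (fell through to the
    modem's default route, so a private dst is lost) or 'no route'."""
    path = [start]
    node = start
    for _ in range(max_hops):
        match = lookup(tables[node], dst)
        if match is None:
            path.append("no route")
            return path
        _net, next_hop = match
        if next_hop is None:
            path.append("delivered")
            return path
        if next_hop == "INTERNET":
            path.append("INTERNET")
            return path
        node = owner(next_hop)
        if node is None:
            path.append("unknown next hop " + next_hop)
            return path
        path.append(node)
    path.append("loop?")
    return path


if __name__ == "__main__":
    for with_route in (True, False):
        t = build_tables(with_route)
        print("modem route present:", with_route)
        print("  modem  -> 192.168.1.254:", trace(t, "modem", "192.168.1.254"))
        print("  server -> 192.168.0.1  :", trace(t, "server", "192.168.0.1"))
```

Without the modem's static route, anything the modem must send to a 192.168.1.x address (for example traffic for the VPN server) follows its default route toward the Internet instead of toward the WRT400N, which is the failure mode the reply's route entry prevents.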
  • I've followed your instructions but I'm still unable to establish a VPN connection.  I'm thinking I might have an issue with the security properties of the VPN connection.  I've included the majority of the settings for the devices below.

    ActionTec DSL Modem
        WAN IP Address
            Obtain an IP Address through PPPoA (Dynamic)
            PPP Auto Connect
            Encapsulation = VC-MUX
        Lan IP Address
            Device IP Address = 192.168.0.1 (Static)
            Device LAN Netmask = 255.255.255.0
        DHCP Server = On
            Beginning IP Address = 192.168.0.2
            Ending IP Address = 192.168.0.254
            SubnetMask = 255.255.255.0
            Lease Time = 86400
            Domain Name = domain_not_set.invalid
            DNS = Dynamic
        Services Blocking (None)
        Website Blocking (None)
        Remote Management = Off
        Application Level Gateway (ALG) and Port Forwarding
            192.168.0.4
                Other
                    TCP    22    22    22
                    TCP    540    540    540
                IPSEC
                    UDP    500    500    500
                    ESP    *    *    *
                PPTP
                    TCP    1723    1723    1723
                    GRE    *    *    *
                VPN
                    UDP    4500    4500    4500
                    UDP    1701    1701    1701
                    TCP    443    443    443
        DMZ Hosting = Off
        Firewall Security Level = Off
        Dynamic Routing = Off
        NAT = On
        Static Routing
            192.168.1.0    255.255.255.0    192.168.0.4
        UPnP = Off

    WRT400N Simultaneous Dual-Band Wireless-N Router
        Internet Setup
            Internet Connection Type = Static IP
            Internet IP Address = 192.168.0.4
            Subnet Mask = 255.255.255.0
            Default Gateway = 192.168.0.1
            DNS 1 = 192.168.0.1
            DNS 2 = 208.254.148.69
            DNS 3 = 208.254.148.100
        Network Setup
            Router IP Address = 192.168.1.1
            Subnet Mask = 255.255.255.0
            DHCP Server = Enabled
            Start IP Address = 192.168.1.100
            Maximum Number of Users = 50
            IP Address Range = 192.168.1.100 to 149
            Client Lease Time = 1440
            DNS 1 = 64.51.191.57
            DNS 2 = 216.175.203.59
            DNS 3 = 192.168.0.1
            WINS = 0.0.0.0
        DDNS Service = Disabled
        MAC Address Clone = Disabled
        Advanced Routing
            NAT = Enabled
            Dynamic Routing (RIP) = Disabled
            Static Routing
                Destination    Subnet Mask    Gateway        Hop    Interface
                192.168.1.0    255.255.255.0    192.168.1.1    1    LAN & Wireless
                192.168.0.0    255.255.255.0    192.168.0.4    1    Internet (WAN)
                239.0.0.0    255.0.0.0    *        1    LAN & Wireless
                127.0.0.0    255.0.0.0    192.168.1.1    1    LAN & Wireless
                default        0.0.0.0        192.168.0.1    1    Internet (WAN)
        Security
            Firewall = Disabled
            Internet Filter
            Filter IDENT (Port 113)
            Web Filter (None)
            VPN Passthrough
                IPSec Passthrough = Enabled
                PPTP Passthrough = Enabled
                L2TP Passthrough = Enabled
        Access Restrictions
            Internet Access Policy (Nothing Blocked)
            Applications & Gaming
            Single Port Forwarding
                Ext Port    Int Port    Protocol    To IP Address
                53    53    Both    192.168.1.254
                25    25    TCP    192.168.1.211
                22    22    TCP    192.168.1.211
                540    540    TCP    192.168.1.211
                3389    3389    Both    192.168.1.211
                3390    3390    TCP    192.168.1.254
                1723    1723    TCP    192.168.1.254
                443    443    TCP    192.168.1.254
                1701    1701    UDP    192.168.1.254
                8085    8085    Both    192.168.1.254
                500    500    UDP    192.168.1.254
            Port Range Forwarding
                Start    End    Protocol    IP Address
                22    22    TCP    192.168.1.211
                540    540    TCP    192.168.1.211
                8080    8080    Both    192.168.1.211
                3389    3389    Both    192.168.1.211
                4500    4500    UDP    192.168.1.254
            Port Range Triggering (None)
            DMZ = Enabled
                Source IP Address = Any IP Address
                Destination IP Address = 192.168.1.211
            QoS
                Wireless WMM Support = Enabled
                Wireless No Acknowledgement = Disabled
                Internet Access Priority = Disabled

    VPN Server (Server 2008, Not Using Domains)
        NIC
            IP Address = 192.168.1.254
            Subnet Mask = 255.255.255.0
            Default Gateway = 192.168.1.1
            Preferred DNS Server = 192.168.1.1
            Alternate DNS Server = 192.168.0.1
            Firewall = Disabled
        Network Policy and Access Services
            Events: 1 Warning
                A certificate could not be found. Connections that use the L2TP protocol over IPsec require the
                installation of a machine certificate, also known as a computer certificate.  No L2TP calls will be
                accepted.
            System Services: All Running
                Display Name            Service Name    Status    Startup Type    Monitor
                Remote Access Connection Manager    RasMan        Running    Manual        Yes
                Routing and Remote Access        RemoteAccess    Running    Auto        Yes
            Role Services: 3 Installed
                Role Service                Status
                Network Policy Server            Not Installed
                Routing and Remote Access Services        Installed
                    Remote Access Service        Installed
                    Routing                Installed
                Health Registration Authority            Not Installed
                Host Credential Authorization Protocol        Not Installed
        Routing and Remote Access Properties
            General
                IPv4 Router = Enabled
                    LAN and demand-dial routing
                IPv6 Router = Disabled
                IPv4 Remote Access Server = Enabled
                IPv6 Remote Access Server = Disabled
            Security
                Authentication Provider: Windows Authentication
                    Authentication Methods:
                        Extensible Authentication Protocol (EAP) = Enabled
                            Protected EAP (PEAP)
                        Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) = Enabled
                        Encrypted Authentication (CHAP) = Enabled
                        Unencrypted Password (PAP) = Enabled
                        Unauthenticated Access = Disabled
                    Accounting Provider: Windows Accounting
                    Allow Custom IPSec Policy for L2TP Connection = Disabled
            IPv4
                Enable IPv4 Forwarding = Enabled
                IPv4 Address Assignment = Static Address Pool
                    From        To        Number    IP Address    Mask
                    192.168.1.50    192.168.1.99    50    192.168.1.0    255.255.255.128
                Enable Broadcast Name Resolution = Enabled
            IPv6
                Enable IPv6 Forwarding = Enabled
                Enable Default Route Advertisement = Enabled
                IPv6 Prefix Assignment (None)
            PPP
                Multilink Connections = Enabled
                    Dynamic Bandwidth Control Using BAP or BACP = Enabled
                Link Control Protocol (LCP) Extensions = Enabled
                Software Compression = Enabled
            Logging
                Log Errors and Warnings
                Log Additional Routing and Remote Access Information (used for debugging) = Disabled
        Network Interfaces
            Interface            Type        Status        State
            Loopback            Loopback        Enabled        Connected
            Local Area Connection    Dedicated    Enabled        Connected
            Internal            Internal        Enabled        Connected
        Ports Properties
            Name            Used By        Type    Number of Ports
            WAN Miniport (PPPOE)    Routing        PPPoE    1
            WAN Miniport (PPTP)    RAS/Routing    PPTP    128
            WAN Miniport (L2TP)    RAS/Routing    L2TP    128
            WAN Miniport (SSTP)    RAS        SSTP    128
        IPv4
            Static Routes
                Destination    Network Mask    Gateway        Interface            Metric    View
                192.168.0.0    255.255.255.0    192.168.1.1    Local Area Connection    256    Both

    VPN Connection Properties (On Client PC, Running Win 7 Ultimate x64, Not Using Domain, On a Private Class C Network 192.168.66.0)
        General
            Host Name or IP Address
                (omitted for security reasons)
            First Connect = Disabled
        Options
            Display Progress While Connecting = Enabled
            Prompt for Name and Password, Certificate, Etc. = Enabled
            Include Windows Logon Domain = Enabled
            Redial Attempts = 3
            Time Between Redial Attempts = 1 Minute
            Idle Time Before Hanging Up = Never
            Redial if Line is Dropped = Enabled
            PPP Settings:
                Enable LCP Extensions = Enabled
                Enable Software Compression = Disabled
                Negotiate Multi-Link for Single-Link Connections = Disabled
        Security
            Type of VPN = Automatic
            Advanced Settings
                L2TP
                    Use Certificate for Authentication
                    Verify the Name and Usage Attributes of the Server's Certificate = Enabled
                IKEv2
                    Mobility = Enabled
                    Network Outage Time = 30 Minutes
            Data Encryption = Require Encryption (Disconnect if Server Declines)
            Authentication
                Allow These Protocols
                    EAP-MSCHAPv2 will be used for IKEv2 VPN type
                    Unencrypted Password (PAP) = Enabled
                    Challenge Handshake Authentication Protocol (CHAP) = Enabled
                    Microsoft CHAP Version 2 (MS-CHAP v2) = Enabled
                        Automatically use my Windows Logon Name and Password = Disabled
        Networking
            Internet Protocol Version 6 (TCP/IPv6) = Enabled
                Properties
                    Obtain an IPv6 Address Automatically
                    Obtain DNS Server Address Automatically
                    Advanced
                        IP Settings
                            Use Default Gateway on Remote Network = Enabled
                            Automatic Metric = Enabled
                        DNS (Empty or All Options Disabled)
            Internet Protocol Version 4 (TCP/IPv4) = Enabled
                Properties
                    Obtain an IPv4 Address Automatically
                    Obtain DNS Server Address Automatically
                    Advanced
                        IP Settings
                            Use Default Gateway on Remote Network = Enabled
                            Automatic Metric = Enabled
                        DNS (Empty or All Options Disabled)
                        WINS
                            Enable NetBIOS over TCP/IP
            File and Printer Sharing for Microsoft Networks = Enabled
            Client for Microsoft Networks = Enabled
        Sharing
            Allow Other Network Users to Connect Through This Computer's Internet Connection = Disabled

    Wednesday, May 18, 2011 1:16 AM
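As an added check on the configuration dump above (not code from the thread or from either vendor), this Python script transcribes the two port-forwarding tables, the Actiontec's "DMZ Hosting = Off", the WRT400N's DMZ host 192.168.1.211 and its VPN passthrough toggles, then traces each inbound flow a Windows VPN type needs through both NAT hops to see whether it lands on 192.168.1.254. The per-type flow lists (PPTP: TCP 1723 plus GRE; L2TP/IPsec and IKEv2 behind NAT: UDP 500 and UDP 4500; SSTP: TCP 443) are standard protocol facts, and the handling of GRE/ESP on the WRT400N is an assumption: those protocols have no port, so no static rule can match them and the script reports them as ambiguous rather than guessing what the passthrough feature or the DMZ host would do with them. Port reachability is only one precondition; the event log warning in the dump already says L2TP calls will not be accepted without a machine certificate.

```python
"""Trace inbound VPN flows through the two NAT hops posted above.
Hypothetical checker written for this thread; the tables are transcribed
from the post, the interpretation of DMZ/passthrough is an assumption."""

VPN_SERVER = "192.168.1.254"
WRT400N_WAN = "192.168.0.4"
DMZ_HOST = "192.168.1.211"

# Actiontec ALG/port forwarding: (proto, port) -> inside host.
# ESP and GRE are IP protocols without ports, hence port None.
ACTIONTEC_FORWARDS = {
    ("TCP", 22): WRT400N_WAN, ("TCP", 540): WRT400N_WAN,
    ("UDP", 500): WRT400N_WAN, ("ESP", None): WRT400N_WAN,
    ("TCP", 1723): WRT400N_WAN, ("GRE", None): WRT400N_WAN,
    ("UDP", 4500): WRT400N_WAN, ("UDP", 1701): WRT400N_WAN,
    ("TCP", 443): WRT400N_WAN,
}
ACTIONTEC_DMZ = None  # "DMZ Hosting = Off": unmatched inbound is dropped

# WRT400N single-port and range rules merged: (proto, first, last, target).
WRT400N_FORWARDS = [
    ("Both", 53, 53, VPN_SERVER), ("TCP", 25, 25, DMZ_HOST),
    ("TCP", 22, 22, DMZ_HOST), ("TCP", 540, 540, DMZ_HOST),
    ("Both", 3389, 3389, DMZ_HOST), ("TCP", 3390, 3390, VPN_SERVER),
    ("TCP", 1723, 1723, VPN_SERVER), ("TCP", 443, 443, VPN_SERVER),
    ("UDP", 1701, 1701, VPN_SERVER), ("Both", 8085, 8085, VPN_SERVER),
    ("UDP", 500, 500, VPN_SERVER), ("Both", 8080, 8080, DMZ_HOST),
    ("UDP", 4500, 4500, VPN_SERVER),
]
WRT400N_DMZ = DMZ_HOST  # "DMZ = Enabled": unmatched TCP/UDP goes here
WRT400N_PASSTHROUGH = {"GRE": "PPTP Passthrough", "ESP": "IPSec Passthrough"}


def actiontec_hop(proto, port):
    """Inside host the modem forwards to, or its DMZ host, or None (dropped)."""
    key = (proto, port if proto in ("TCP", "UDP") else None)
    return ACTIONTEC_FORWARDS.get(key, ACTIONTEC_DMZ)


def wrt400n_hop(proto, port):
    """LAN host the WRT400N hands the flow to. First matching rule wins."""
    if proto in ("TCP", "UDP"):
        for rule_proto, first, last, target in WRT400N_FORWARDS:
            if rule_proto in (proto, "Both") and first <= port <= last:
                return target
        return WRT400N_DMZ
    # GRE/ESP have no port, so only the passthrough toggle or the DMZ host
    # could claim them; the dump does not say which, so flag it.
    return "ambiguous: %s enabled, DMZ host %s" % (
        WRT400N_PASSTHROUGH.get(proto, "no passthrough"), WRT400N_DMZ)


def trace_inbound(proto, port=None):
    """Hops an Internet-originated flow takes; last element is where it ends."""
    hop = actiontec_hop(proto, port)
    if hop is None:
        return ["dropped at Actiontec (no forward, DMZ off)"]
    path = [hop]
    if hop == WRT400N_WAN:
        path.append(wrt400n_hop(proto, port))
    return path


# Flows each tunnel type needs to reach the server from the Internet.
VPN_FLOWS = {
    "PPTP": [("TCP", 1723), ("GRE", None)],
    "L2TP/IPsec": [("UDP", 500), ("UDP", 4500)],
    "IKEv2": [("UDP", 500), ("UDP", 4500)],
    "SSTP": [("TCP", 443)],
}


def reaches_server(vpn_type):
    """True only if every flow the type needs ends on the VPN server."""
    return all(trace_inbound(p, port)[-1] == VPN_SERVER
               for p, port in VPN_FLOWS[vpn_type])


def report():
    """Map each tunnel type to the final hop of each of its flows."""
    return {name: {f: trace_inbound(*f)[-1] for f in flows}
            for name, flows in VPN_FLOWS.items()}


if __name__ == "__main__":
    for name, flows in report().items():
        print(name, "ok" if reaches_server(name) else "CHECK", flows)
```

Run as a script it prints one line per tunnel type; the useful output is the flow whose final hop is not the VPN server, which tells you which device's table to look at. Note that RDP (TCP 3389) has no Actiontec rule at all, so with this configuration it is only reachable through the tunnel, which matches the poster's intent.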