Cannot Connect to Server 2008 Through Custom VPN Connection

  • Question

  • My goal is to establish several VPN connections to my server with the goal of using Microsoft Terminal Services Client (mstsc) to allow users to access their own accounts on the server.  The client computers are running Windows 7 and Windows XP.  I've had this working before, but it no longer is working.  As far as I'm aware nothing was changed.  I need this connection up ASAP and I'm stumped as to what could be hampering it.  I'm very new to Server 2008; my networking knowledge and skills are intermediate.  I've been able to do this with Server 2000, but I am stumbling my way through the Role system on Server 2008.

    My server is running Windows Server Standard 2008 with Service Pack 2 installed.  It has a static IP address of on my network.  I'm having to use a custom VPN setup because my server only has one NIC.

    My router is a Linksys WRT400N with the IP address of with a subnet mask of  The internet side is using an address of with a subnet mask of

    The above router is attached to an Actiontec DSL Modem using an internal address of with a subnet mask of

    I'm using dyndns.com as my ddns server and am able to ping the server's site just fine.  All users should have permissions to connect and establish a remote desktop view.  I've uninstalled and reinstalled NPS and RRAS several times now trying different settings to try to get this to work again.

    Monday, May 16, 2011 12:07 PM

All replies

  • Hi Aeden,


    Thanks for posting here.


    You should first enable and configure the VPN service on this single-NIC Windows Server 2008 host by running the RRAS wizard, as discussed in the articles below:


    VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC



    How to configure VPN Server with single NIC on Windows Server



    After that, you should add routing entries for communication between the two IP segments on the Linksys WRT400N, the Actiontec DSL Modem and the VPN server:


    Internet--------Actiontec DSL Modem( WRT400N( ( Server


    On Actiontec DSL Modem:



    On VPN Server:




    Meanwhile, you should also configure port forwarding on the Actiontec DSL Modem to forward all incoming VPN connections to host


    Which ports to unblock for VPN traffic to pass-through?





    For more information please refer to the articles below:


    Enable RRAS as a VPN Server and a NAT Router



    Remote access/VPN server role: Configuring a remote access/VPN server



    How to use the Windows Server 2003 Routing and Remote Access Service or ISA Server 2006 or ISA Server 2004 with a DSL router for Internet access





    Tiger Li

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, May 17, 2011 6:46 AM
  • I've followed your instructions but I'm still unable to establish a VPN connection.  I'm thinking I might have an issue with the security properties of the VPN connection.  I've included the majority of the settings for the devices below.

    ActionTec DSL Modem
        WAN IP Address
            Obtain an IP Address through PPPoA (Dynamic)
            PPP Auto Connect
            Encapsulation = VC-MUX
        Lan IP Address
            Device IP Address = (Static)
            Device LAN Netmask =
        DHCP Server = On
            Beginning IP Address =
            Ending IP Address =
            SubnetMask =
            Lease Time = 86400
            Domain Name = domain_not_set.invalid
            DNS = Dynamic
        Services Blocking (None)
        Website Blocking (None)
        Remote Management = Off
        Application Level Gateway (ALG) and Port Forwarding
                    TCP    22    22    22
                    TCP    540    540    540
                    UDP    500    500    500
                    ESP    *    *    *
                    TCP    1723    1723    1723
                    GRE    *    *    *
                    UDP    4500    4500    4500
                    UDP    1701    1701    1701
                    TCP    443    443    443
        DMZ Hosting = Off
        Firewall Security Level = Off
        Dynamic Routing = Off
        NAT = On
        Static Routing
        UPnP = Off

    WRT400N Simultaneous Dual-Band Wireless-N Router
        Internet Setup
            Internet Connection Type = Static IP
            Internet IP Address =
            Subnet Mask =
            Default Gateway =
            DNS 1 =
            DNS 2 =
            DNS 3 =
        Network Setup
            Router IP Address =
            Subnet Mask =
            DHCP Server = Enabled
            Start IP Address =
            Maximum Number of Users = 50
            IP Address Range = to 149
            Client Lease Time = 1440
            DNS 1 =
            DNS 2 =
            DNS 3 =
            WINS =
        DDNS Service = Disabled
        MAC Address Clone = Disabled
        Advanced Routing
            NAT = Enabled
            Dynamic Routing (RIP) = Disabled
            Static Routing
                Destination    Subnet Mask    Gateway        Hop    Interface
          1    LAN & Wireless
          1    Internet (WAN)
          *        1    LAN & Wireless
          1    LAN & Wireless
                default    1    Internet (WAN)
            Firewall = Disabled
            Internet Filter
            Filter IDENT (Port 113)
            Web Filter (None)
            VPN Passthrough
                IPSec Passthrough = Enabled
                PPTP Passthrough = Enabled
                L2TP Passthrough = Enabled
        Access Restrictions
            Internet Access Policy (Nothing Blocked)
            Applications & Gaming
            Single Port Forwarding
                Ext Port    Int Port    Protocol    To IP Address
                53    53    Both
                25    25    TCP
                22    22    TCP
                540    540    TCP
                3389    3389    Both
                3390    3390    TCP
                1723    1723    TCP
                443    443    TCP
                1701    1701    UDP
                8085    8085    Both
                500    500    UDP
            Port Range Forwarding
                Start    End    Protocol    IP Address
                22    22    TCP
                540    540    TCP
                8080    8080    Both
                3389    3389    Both
                4500    4500    UDP
            Port Range Triggering (None)
            DMZ = Enabled
                Source IP Address = Any IP Address
                Destination IP Address =
                Wireless WMM Support = Enabled
                Wireless No Acknowledgement = Disabled
                Internet Access Priority = Disabled

    VPN Server (Server 2008, Not Using Domains)
            IP Address =
            Subnet Mask =
            Default Gateway =
            Preferred DNS Server =
            Alternate DNS Server =
            Firewall = Disabled
        Network Policy and Access Services
            Events: 1 Warning
                A certificate could not be found. Connections that use the L2TP protocol over IPsec require the
                installation of a machine certificate, also known as a computer certificate.  No L2TP calls will be
            System Services: All Running
                Display Name            Service Name    Status    Startup Type    Monitor
                Remote Access Connection Manager    RasMan        Running    Manual        Yes
                Routing and Remote Access        RemoteAccess    Running    Auto        Yes
            Role Services: 3 Installed
                Role Service                Status
                Network Policy Server            Not Installed
                Routing and Remote Access Services        Installed
                    Remote Access Service        Installed
                    Routing                Installed
                Health Registration Authority            Not Installed
                Host Credential Authorization Protocol        Not Installed
        Routing and Remote Access Properties
                IPv4 Router = Enabled
                    LAN and demand-dial routing
                IPv6 Router = Disabled
                IPv4 Remote Access Server = Enabled
                IPv6 Remote Access Server = Disabled
                Authentication Provider: Windows Authentication
                    Authentication Methods:
                        Extensible Authentication Protocol (EAP) = Enabled
                            Protected EAP (PEAP)
                        Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) = Enabled
                        Encrypted Authentication (CHAP) = Enabled
                        Unencrypted Password (PAP) = Enabled
                        Unauthenticated Access = Disabled
                    Accounting Provider: Windows Accounting
                    Allow Custom IPSec Policy for L2TP Connection = Disabled
                Enable IPv4 Forwarding = Enabled
                IPv4 Address Assignment = Static Address Pool
                    From        To        Number    IP Address    Mask
                Enable Broadcast Name Resolution = Enabled
                Enable IPv6 Forwarding = Enabled
                Enable Default Route Advertisement = Enabled
                IPv6 Prefix Assignment (None)
                Multilink Connections = Enabled
                    Dynamic Bandwidth Control Using BAP or BACP = Enabled
                Link Control Protocol (LCP) Extensions = Enabled
                Software Compression = Enabled
                Log Errors and Warnings
                Log Additional Routing and Remote Access Information (used for debugging) = Disabled
        Network Interfaces
            Interface            Type        Status        State
            Loopback            Loopback        Enabled        Connected
            Local Area Connection    Dedicated    Enabled        Connected
            Internal            Internal        Enabled        Connected
        Ports Properties
            Name            Used By        Type    Number of Ports
            WAN Miniport (PPPOE)    Routing        PPPoE    1
            WAN Miniport (PPTP)    RAS/Routing    PPTP    128
            WAN Miniport (L2TP)    RAS/Routing    L2TP    128
            WAN Miniport (SSTP)    RAS        SSTP    128
            Static Routes
                Destination    Network Mask    Gateway        Interface            Metric    View
          Local Area Connection    256    Both

    VPN Connection Properties (On Client PC, Running Win 7 Ultimate x64, Not Using Domain, On a Private Class C Network)
            Host Name or IP Address
                (omitted for security reasons)
            First Connect = Disabled
            Display Progress While Connecting = Enabled
            Prompt for Name and Password, Certificate, Etc. = Enabled
            Include Windows Logon Domain = Enabled
            Redial Attempts = 3
            Time Between Redial Attempts = 1 Minute
            Idle Time Before Hanging Up = Never
            Redial if Line is Dropped = Enabled
            PPP Settings:
                Enable LCP Extensions = Enabled
                Enable Software Compression = Disabled
                Negotiate Multi-Link for Single-Link Connections = Disabled
            Type of VPN = Automatic
            Advanced Settings
                    Use Certificate for Authentication
                    Verify the Name and Usage Attributes of the Server's Certificate = Enabled
                    Mobility = Enabled
                    Network Outage Time = 30 Minutes
            Data Encryption = Require Encryption (Disconnect if Server Declines)
                Allow These Protocols
                    EAP-MSCHAPv2 will be used for IKEv2 VPN type
                    Unencrypted Password (PAP) = Enabled
                    Challenge Handshake Authentication Protocol (CHAP) = Enabled
                    Microsoft CHAP Version 2 (MS-CHAP v2) = Enabled
                        Automatically use my Windows Logon Name and Password = Disabled
            Internet Protocol Version 6 (TCP/IPv6) = Enabled
                    Obtain an IPv6 Address Automatically
                    Obtain DNS Server Address Automatically
                        IP Settings
                            Use Default Gateway on Remote Network = Enabled
                            Automatic Metric = Enabled
                        DNS (Empty or All Options Disabled)
            Internet Protocol Version 4 (TCP/IPv4) = Enabled
                    Obtain an IPv4 Address Automatically
                    Obtain DNS Server Address Automatically
                        IP Settings
                            Use Default Gateway on Remote Network = Enabled
                            Automatic Metric = Enabled
                        DNS (Empty or All Options Disabled)
                            Enable NetBIOS over TCP/IP
            File and Printer Sharing for Microsoft Networks = Enabled
            Client for Microsoft Networks = Enabled
            Allow Other Network Users to Connect Through This Computer's Internet Connection = Disabled

    Wednesday, May 18, 2011 1:16 AM
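
Added example, not part of the thread and not written by either poster: a Python check that parses a forwarding table in the PROTO / START / END layout of the modem listing above and reports, per VPN type, which required forwards are missing. The port requirements are the standard ones for PPTP, L2TP/IPsec and SSTP; the function names and the second table are constructed for illustration.

```python
# Added example (not from the thread): check a port-forwarding table for
# the forwards each VPN type needs. Function names are hypothetical.

# Standard requirements; None marks a port-less IP protocol (GRE=47, ESP=50).
REQUIRED = {
    "PPTP": [("TCP", 1723), ("GRE", None)],
    "L2TP/IPsec": [("UDP", 500), ("UDP", 4500), ("UDP", 1701), ("ESP", None)],
    "SSTP": [("TCP", 443)],
}

def parse_rules(text):
    """Parse 'PROTO START END ...' rows; '*' means any port or port-less."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        if f[1] == "*":
            rules.append((f[0].upper(), None, None))
        elif f[1].isdigit() and f[2].isdigit():
            rules.append((f[0].upper(), int(f[1]), int(f[2])))
    return rules

def is_covered(proto, port, rules):
    """True if some rule forwards this protocol (and port, if it has one)."""
    for r_proto, lo, hi in rules:
        same = r_proto == proto or (r_proto == "BOTH" and proto in ("TCP", "UDP"))
        if same and (port is None or lo is None or lo <= port <= hi):
            return True
    return False

def audit(text):
    """Return {vpn_type: [missing forwards]}; an empty list means complete."""
    rules = parse_rules(text)
    return {vpn: [p if port is None else f"{p}/{port}"
                  for p, port in needs if not is_covered(p, port, rules)]
            for vpn, needs in REQUIRED.items()}

# Rows copied from the modem's forwarding table in the post above.
MODEM_TABLE = """TCP 22 22 22\nTCP 540 540 540\nUDP 500 500 500\nESP * * *
TCP 1723 1723 1723\nGRE * * *\nUDP 4500 4500 4500\nUDP 1701 1701 1701
TCP 443 443 443"""

# Constructed variant with the GRE and UDP 4500 rows removed.
PARTIAL_TABLE = """TCP 1723 1723 1723\nUDP 500 500 500\nESP * * *
UDP 1701 1701 1701\nTCP 443 443 443"""

if __name__ == "__main__":
    for name, table in (("modem", MODEM_TABLE), ("partial", PARTIAL_TABLE)):
        print(name, audit(table))
```

An empty list only shows that the forward exists at that hop; with two NAT devices in series, as in this thread, each device's table needs the same check.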