Connection lost with VPN enabled

  • Question

  • I have a server with two NICs, one public internet and one domain intranet. I'm trying to configure this server as a NAT and VPN "edge" device. I am able to configure it as NAT-only, and everything works perfectly. All computers on the private network have internet access through it, and I'm able to ping it from outside computers.

    When I change my NAT service to a "NAT and VPN" service (using RRAS -> "configure and enable routing and remote access"), I lose the ability to ping that server from outside and when I try to connect to the VPN I get an error "". It's like by configuring it as a VPN server it has blocked any kind of incoming connection, including those that it's designed for (VPN connections).

    If I disable the Windows Firewall entirely, it starts working again. I've checked, and the Ping rule is allowed (the file/printer share echo one), and HTTPS/443 is as well (my VPN is a SSTP), so I don't understand why that would make a difference. Any thoughts on why this might be happening?


    • Edited by Jordan4501 Saturday, February 15, 2014 6:15 AM
    Saturday, February 15, 2014 6:15 AM

Answers

  • Hi,

    Since you already have a NAT router, you don't need another NAT on the VPN server.

    VPN clients cannot access the internet because you use the remote gateway. Right click VPN connection>Properties>Advanced>Uncheck Use default gateway on remote network.

    You cannot use the DHCP Relay Agent component on a computer that is running the DHCP service, the network address translation (NAT) routing protocol component with automatic addressing enabled, or Internet Connection Sharing (ICS).

    And DHCP relay agent is not a prerequisite for VPN clients.

    For your information:

    You Cannot Connect to the Internet After You Connect to a VPN Server

    http://support.microsoft.com/kb/317025

    Hope this helps.

    • Marked as answer by Daniel JiSun Monday, February 24, 2014 3:07 PM
    Tuesday, February 18, 2014 5:53 AM
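The "Use default gateway on remote network" change from the accepted answer, done from PowerShell on a Windows 8.1 / Server 2012 R2 client and then verified against the routing table. This is an added example, not part of the thread; the connection name "Office" and the intranet prefix 192.168.10.0/24 are placeholders for this illustration.

```powershell
# Added example (not from the thread): switch an existing VPN connection to
# split tunneling and confirm the client keeps its own default route.
# Assumptions: connection named "Office", intranet 192.168.10.0/24 (placeholders).
$conn     = 'Office'
$intranet = '192.168.10.0/24'

# Unchecking "Use default gateway on remote network" in the GUI is the same
# as SplitTunneling = $true for the rasphone entry.
Set-VpnConnection -Name $conn -SplitTunneling $true
Get-VpnConnection -Name $conn |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling

# With split tunneling only the routes the client is told about go through
# the tunnel, so tell it about the intranet (Windows 8.1 / 2012 R2 or later).
Add-VpnConnectionRoute -ConnectionName $conn -DestinationPrefix $intranet

rasdial $conn    # connect; prompts for credentials unless they are saved

# The default route must still sit on the physical NIC, not on the VPN adapter
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NextHop, RouteMetric

# ...and only the intranet prefix (plus the tunnel's own address) should point
# at the VPN interface, whose alias is the connection name.
Get-NetRoute -InterfaceAlias $conn -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric

# Connectivity: internet directly, intranet through the tunnel
Test-NetConnection -ComputerName www.bing.com -Port 443 |
    Select-Object RemoteAddress, InterfaceAlias, TcpTestSucceeded
Test-NetConnection -ComputerName 192.168.10.1 -Port 445 |
    Select-Object RemoteAddress, InterfaceAlias, TcpTestSucceeded
```

If the intranet is reachable through the tunnel while `Test-NetConnection` to the internet host still reports the physical NIC as `InterfaceAlias`, the client is split-tunneled and no NAT on the VPN server is involved for internet traffic, which is the point the answer makes.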

All replies

  • If you configure VPN, then you should check the connection from external client that is connected via VPN.

    Let us imagine the VPN is something like a tunnel between server and client. I do not think it is desirable to see into the tunnel from outside, except from your client and via the VPN tunnel. So I do not expect pinging is desirable from any host on the Internet except this one (or those enabled and connected).

    Regards

    Milos

    Saturday, February 15, 2014 10:39 AM
  • Part of the problem is that I cannot connect to the VPN, it gives me an error saying that it couldn't connect to the server. It's like the server disappeared off the internet:

    Error 0x8007274C: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    I wasn't saying that I couldn't ping computers inside the network (I agree that would be a bad idea), but I cannot even ping the outside of the tunnel.


    • Edited by Jordan4501 Saturday, February 15, 2014 10:56 PM
    Saturday, February 15, 2014 2:46 PM
  • Hi,

    The only reason I could think of is that some rules are created automatically when you configure NAT and VPN.

    I recommend you disable RRAS and compare the difference of your firewall rules.

    Monday, February 17, 2014 7:28 AM
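One way to do the comparison this reply suggests: snapshot the effective inbound firewall rules with RRAS disabled, run the "NAT and VPN" wizard, snapshot again and diff, then check whether TCP 443 (SSTP) and ICMPv4 echo are really allowed on the profile the public NIC is in. A common reason for the symptom in the question is that the public NIC lands in the Public profile while the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule that was checked is only enabled for Domain/Private. This is an added example, not from the thread; it needs Windows Server 2012 or later (the NetSecurity module) and an elevated prompt, and the NIC alias "Public" and the folder C:\Temp are placeholders. On Server 2008 R2 the equivalent listing is `netsh advfirewall firewall show rule name=all dir=in`.

```powershell
# Added example (not from the thread): diff inbound firewall rules before and
# after configuring RRAS, and test the rules that SSTP and ping depend on.
# Assumptions: public NIC alias "Public", snapshots in C:\Temp (placeholders).
$PublicNic = 'Public'
$SnapDir   = 'C:\Temp'

function Get-InboundRuleSnapshot {
    # ActiveStore = what is enforced right now, including GPO-delivered rules
    Get-NetFirewallRule -Direction Inbound -PolicyStore ActiveStore | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            Enabled   = [string]$_.Enabled
            Action    = [string]$_.Action
            Profile   = [string]$_.Profile      # Any / Domain / Private / Public
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            IcmpType  = ($port.IcmpType -join ',')
        }
    }
}

function Save-Snapshot([string]$Label) {
    New-Item -ItemType Directory -Force -Path $SnapDir | Out-Null
    $path = Join-Path $SnapDir "fw-inbound-$Label.xml"
    Get-InboundRuleSnapshot | Export-Clixml -Path $path
    $path
}

function Compare-Snapshots([string]$Before, [string]$After) {
    $b = Import-Clixml $Before
    $a = Import-Clixml $After
    # '=>' rows exist (or changed) only after the RRAS wizard, '<=' only before
    Compare-Object $b $a -Property Name, Enabled, Action, Profile, Protocol, LocalPort, IcmpType |
        Sort-Object Name | Format-Table -AutoSize
}

function Test-VpnInboundAllowed {
    # Which profile does the public NIC actually sit in?
    $category = (Get-NetConnectionProfile -InterfaceAlias $PublicNic).NetworkCategory
    $wanted   = if ("$category" -eq 'DomainAuthenticated') { 'Domain' } else { "$category" }

    $rules = Get-InboundRuleSnapshot | Where-Object {
        $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and
        ($_.Profile -eq 'Any' -or $_.Profile -match $wanted)
    }
    [pscustomobject]@{
        PublicNicProfile = $wanted
        # SSTP listens on TCP 443; any enabled Allow rule for it on this profile
        SstpTcp443 = @($rules | Where-Object {
            $_.Protocol -eq 'TCP' -and (($_.LocalPort -split ',') -contains '443') }).Display
        # ICMPv4 type 8 = echo request; IcmpType is "Any" or "8:*"-style
        IcmpEchoIn = @($rules | Where-Object {
            $_.Protocol -eq 'ICMPv4' -and ($_.IcmpType -eq 'Any' -or $_.IcmpType -match '^8(:|$)') }).Display
    }
}

# Usage:
# $before = Save-Snapshot before        # with RRAS disabled
# ...run "Configure and Enable Routing and Remote Access" (NAT and VPN)...
# $after  = Save-Snapshot after
# Compare-Snapshots $before $after
# Test-VpnInboundAllowed                # empty SstpTcp443 or IcmpEchoIn = blocked
```

An empty `SstpTcp443` or `IcmpEchoIn` list for the profile the public NIC is in reproduces exactly the "server disappeared" symptom, and the `Compare-Snapshots` output shows whether the wizard added, removed or disabled a rule to cause it.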
  • Hello,

    I've been putting together a new domain network, and just about have it set except for one final issue. I have a Remote Access server that I have configured for SSTP VPN. It has two NICs, one public/internet facing and the other private/intranet facing. On the network I also have a DNS/DHCP/ADDS server and a NAT router server that has a different public internet connection and acts as the network's default gateway.

    The issue I'm having is with configuring the VPN server's network adapter settings. I have two scenarios:

    - configure private adapter with static IP address and manually entering the subnet/DNS (and leaving the gateway blank, since it also has a gateway on the public adapter). If I do this, then it won't let me configure a DHCP Relay Agent in RRAS, and although I can connect to the VPN on a client, the client doesn't have internet access through the VPN.

    - configure private adapter as "obtain an IP address automatically". If I do this, then the DHCP Relay Agent configures itself properly, but for some reason when I try to connect to the VPN from the client I get an "Error 0x8007274C: A connection attempt failed because the connected party did not properly respond after a period of time..."

    I tested a work-around where I set the VPN server's private adapter to static IP, connected the client to the VPN, then changed the server's private adapter to "Obtain automatically", let it re-identify, and it worked fine (I had internet access on the client after that). Obviously, that's not a usable solution though. Any ideas why neither of these configurations work properly, or perhaps suggestions of a different configuration that might?

    • Merged by Daniel JiSun Tuesday, February 18, 2014 3:06 AM duplicate
    Monday, February 17, 2014 8:37 AM