VPN problem

  1. #1
    Registered User
    Join Date
    Feb 2001
    Location
    Lebanon, PA 17024
    Posts
    35

    VPN problem

    I have a problem. We got our DSL service back a couple of months ago and the router has NAT activated. Everything was working great, Exchange-no problems etc, so I decided to install a VPN.... piece of cake..right? Everything gets installed and from the office, I can connect using the server name and IP address. When I get home, no go. Can't connect. It connects to the router and then just sits at the verifying user name and password and then gives the following error: no response from the server. If I try connecting using the router WAN address or server name from an ISP (which resolves to the router WAN address) I can't connect but if I use the server IP addy, I connect. I called our DSL provider to ensure that port 1723 on the router was open and protocol 47 was enabled...they were. I've scoured the MS knowledgebase and tried everything (we only have one adapter so I tried the dupe IP address and LMHOSTS entry).

    Server is NT SBS 4.5, protocol is TCP/IP. PPTP is installed. Clients are Win9x, ME, NT and Win2K. Also, I checked the event log and there were no RAS errors and at the office I tried to connect using the router IP while checking RAS admin and no connection was ever listed as taking place... the VPN port just waited for a connection.

    What am I missing?? Or is NAT throwing everything off??

    Thanks for any advice...

    J

  2. #2
    Registered User
    Join Date
    Dec 2000
    Location
    Sherman Oaks, Ca USA
    Posts
    666

    I connect to my server from home and I have a NAT firewall w/ no problems.
    Have you made sure that in the VPN connection properties Log on to network is clicked on? Also make sure you're using the right protocols.
    Also, you can try setting the advanced properties to include the Domain at the login screen.
    When cometh the day we lowly ones
    Through quiet reflection and great dedication
    Master the art of karate
    Lo, we shall rise up
    And then we'll make the bugger's eyes water

  3. #3
    Registered User
    Join Date
    Feb 2001
    Location
    Lebanon, PA 17024
    Posts
    35

    Hi Budster64,
    Where exactly do you find the Log On to Network? Is that on the client or the PPTP server? I've tried the domain box also. Nothing works except for not going through the DSL router IP address. What firewall are you using? When you ping your server by name from home, do you get the router WAN IP or the Server IP? Our server is configured with an address in the private range (192.168.x.x) but due to our MX and DNS records being out there, every ISP will resolve our server's name to the router's WAN IP....

    Thanks,

    J

  4. #4
    Registered User
    Join Date
    Dec 2000
    Location
    Sherman Oaks, Ca USA
    Posts
    666

    After re-reading your first post I am a little confused as to what problem you're having. Are you saying that you're trying to VPN into a server from home using the router WAN address? If that's the case that's the problem right there. You should be using the server IP to access the RAS. You would be right about checking for port 1723 and GRE protocol 47 and making sure the provider's got those enabled; as long as they do you should be able to VPN to the server.
    But if you're trying to use the router IP to connect to the server that won't help.
    I gather you have the RAS installed properly at the server end, so let's talk about the connection from the client machines.
    To ensure that you can connect to an NT server with VPN you have to do the following...first off I would have the 9X machines use Client for MS Networks instead of Windows log on. Next make sure VPN is installed and you have it as a choice when making a new DUN connection (but I gather you've done that already). You must use the IP of the NT server to connect through VPN. The TCP/IP bindings for VPN are to the NIC card's IP, the server IP.
    Once you have your VPN DUN connection created, in 98 you can find Dial-up Networking in My Computer and right-click on the VPN icon then go to properties and click on the server types tab. That's where you'll find Log on to network, make sure that is enabled. You can also disable any protocols you don't need underneath that, like IPX/SPX and NetBEUI. This will speed up the time VPN takes to make a connection to the server.
    In 2000 it's even easier since the wizard will walk you through the VPN connection process. Just make sure you use the NT server IP. There may be something I'm missing, but it's getting late and I'm kinda sleepy ;)

    I'll check tomorrow and see if I actually made any sense here :D

    Let me know if I missed something.

  5. #5
    Registered User Higg's Avatar
    Join Date
    Jul 1999
    Posts
    295

    Hi, let me quote some of your statements and ask some questions about them (as I'm unsure whether I understood right):

    Originally posted by gsd4me:
    "... from the office, I can connect using the server name and IP address."
    - Do you have a DNS in the office?
    - If yes: Does your DNS entry in the network properties point to that?

    "When I get home, no go. Can't connect. It connects to the router and then just sits at the verifying user name and password and then gives the following error: no response from the server."
    - Are you trying to connect to the server via modem/ISDN?
    - If yes: Did you change something in the VPN connection properties? If that answer is no... How will you ever connect to a private IP via Internet - that doesn't work... (as you have installed the VPN in the private IP range of your office)

    "If I try connecting using the router WAN address or server name from an ISP (which resolves to the router WAN address) I can't connect but if I use the server IP addy, I connect. I called our DSL provider to ensure that port 1723 on the router was open and protocol 47 was enabled...they were."
    - Is port 1723 not only open but pointing to the server's IP address? If not, it'll never work...
    - Do you have access to the router? If yes, may you configure it? If yes: better do it...

    Originally posted by gsd4me:
    "... When you ping your server by name from home, do you get the router WAN IP or the Server IP? Our server is configured with an address in the private range (192.168.x.x) but due to our mx and DNS records being out there, every ISP will resolve our server's name to the router's WAN IP...."
    - If you want to ping into a NATed network you'll have to have ICMP open as well as redirecting the internal IP to an external one... nobody will do that (even if the router may be capable of doing it) - so things are ok, it just doesn't work!
    - Internet DNS records MUST point to the router's WAN address!!! That is the ONLY address that is allowed to be part of the internet! So I'm a little bit confused and I think you'll probably have some misconfiguration in your VPN settings - mainly the ones you use from home... (+ settings on the router like I told before)...
    ... better recheck and rethink your settings ... if you're connecting via Internet your VPN somehow has to point to the router's WAN address and somehow that router must be able to forward the appropriate VPN packets to the server's IP (by translating port 1723 to the server's IP + port 1723)

    Well you'll have to have time to find it out... good luck!
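
Added example, not part of any post in this thread: a small Python check of the TCP 1723 leg discussed above. It sends the PPTP Start-Control-Connection-Request defined in RFC 2637 and parses the reply, so you can tell whether the address you dial actually forwards port 1723 to a PPTP server. The function names, the `probe` hostname string and the `192.0.2.10` address are placeholders chosen for this example.

```python
import socket
import struct

MAGIC = 0x1A2B3C4D           # PPTP magic cookie (RFC 2637)
SCCRQ, SCCRP = 1, 2          # Start-Control-Connection-Request / -Reply
HDR = ">HHIHH"               # length, message type, magic, control type, reserved0
BODY_RQ = ">HHIIHH64s64s"    # version, reserved1, framing, bearer, channels, firmware, host, vendor
BODY_RP = ">HBBIIHH64s64s"   # version, result, error, framing, bearer, channels, firmware, host, vendor
MSG_LEN = 156                # both messages are fixed-size


def build_sccrq(hostname=b"probe"):
    """Build the first message a PPTP client sends on TCP 1723."""
    body = struct.pack(BODY_RQ, 0x0100, 0, 1, 1, 0, 0, hostname, b"")
    return struct.pack(HDR, MSG_LEN, 1, MAGIC, SCCRQ, 0) + body


def parse_sccrp(data):
    """Validate a reply and return its result code and the server's names."""
    if len(data) < MSG_LEN:
        raise ValueError("reply shorter than %d bytes" % MSG_LEN)
    _, mtype, magic, ctype, _ = struct.unpack(HDR, data[:12])
    if magic != MAGIC or mtype != 1 or ctype != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    f = struct.unpack(BODY_RP, data[12:MSG_LEN])
    text = lambda b: b.split(b"\0", 1)[0].decode("latin-1")
    return {"result": f[1], "error": f[2], "host": text(f[7]), "vendor": text(f[8])}


def probe(address, port=1723, timeout=5.0):
    """Return a one-line verdict on the TCP 1723 leg toward `address`."""
    try:
        with socket.create_connection((address, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            data = b""
            while len(data) < MSG_LEN:
                chunk = s.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        reply = parse_sccrp(data)
    except (OSError, ValueError) as exc:
        return "control channel FAILED: %s" % exc
    ok = "accepted" if reply["result"] == 1 else "refused (result %d)" % reply["result"]
    return "control channel %s by %r" % (ok, reply["host"])


if __name__ == "__main__":
    print(probe("192.0.2.10"))   # placeholder address: use the router's WAN IP
```

An accepted reply only proves that TCP 1723 is forwarded to the server. The PPP login that follows travels in GRE (IP protocol 47), which the NAT router and any proxy filter in front of the server have to pass separately.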

  6. #6
    Registered User Higg's Avatar
    Join Date
    Jul 1999
    Posts
    295

    Originally posted by Budster64:
    "Just make sure you use the NT server IP."
    I didn't want to overload my posting so here's my question:
    How will the VPN connect to the NT server when the IP range is private? Isn't that only for servers where you directly dial in or that have official IPs? I wonder how you'd be able to route...

  7. #7
    Registered User
    Join Date
    Dec 2000
    Location
    Sherman Oaks, Ca USA
    Posts
    666

    Originally posted by h166:
    "I didn't want to overload my posting so here's my question:
    How will the VPN connect to the NT server when the IP range is private? Isn't that only for servers where you directly dial in or that have official IPs? I wonder how you'd be able to route..."
    You'd have to use the external IP for the server, not the IP assigned to the server when setting up DHCP. In our case that would be the static IP assigned to us by our ISP. Which would be yet another question. Does the server have a static IP assigned by their ISP?

    Also, I believe the ISP only needs to have port 1723 and protocol 47 enabled simply because VPN uses these to connect. The port or protocol does not have to be configured at the ISP and directed to any particular server IP. Again, if you're trying to connect using your router's IP you will not be able to connect...look at it this way, let's say my server IP is 214.67.48.6 (WAN not LAN)....my router IP will usually be 214.67.48.1 and if you're trying to VPN using the router IP you will NEVER connect since the VPN server uses the NT server's IP, hence the 214.67.48.6.
    But I think you may be right about most of the configuration changes being made on the client machines.

  8. #8
    Registered User
    Join Date
    Feb 2001
    Location
    Lebanon, PA 17024
    Posts
    35

    Thanks everyone who helped. I love this place because I always learn something new that's usually not in a certification book. Turns out that there was a protocol filter that wasn't set right in MS Proxy Server (it was half assed configured by the company's previous tech due to the SBS only having 1 NIC), so I modified the proxy filters and now I can connect. Proxy Server is another product I am learning on the fly so I never thought of checking all of its filters because I was told it was disabled.

    Thanks again for everyone's help. Have a great weekend.

    J.
