VPN Headache

  1. #1
    Registered User
    Join Date
    Apr 2006
    Posts
    13

    VPN Headache

    Hi

    I am having problems with 1 client; VPN connections just won't work. I keep getting

    error 778 It was not possible to verify the identity of the server.

    The server is Windows 2003 Small Business Edition. I have installed Routing and Remote Access and have opened up the ports for it on the firewall. I have also checked the router and it supports VPN passthrough; I can telnet to the 1723 port and it connects fine.
    I also installed Certificate Services on the server hoping that will fix it, but still no good.

    The server was set up using 2 network cards and two IP addresses on the same network, which I didn't like, so I have teamed the network cards and now DNS is working correctly.

    I don't know who set up this server, as I have just taken on this client recently; they got rid of their old IT guys because they kept causing problems (I can see why). Any ideas are greatly appreciated. I am not one that gives up, so I better get back to trying to crack this problem.

    Thanks
    George
    MCSE +security

  2. #2
    Registered User
    Join Date
    Apr 2006
    Posts
    13
    Just a quick question: if I am on the internal network and try connecting via a VPN connection to the server (same network as the server), will it work? It was giving the same error when trying to connect externally.

    I just can't get to my other sites at the moment to test this.

  3. #3
    Registered User
    Join Date
    Apr 2006
    Posts
    13
    OK, here is an update.

    I disabled MS-CHAP v2 and the damn thing let me connect, so part of the problem is solved. Now I just need to work out how to fix MS-CHAP v2 so that I can use that; it is what I would prefer as it is more secure.

  4. #4
    Registered User Fubarian's Avatar
    Join Date
    Dec 2000
    Location
    Columbus, Ohio
    Posts
    1,117
    I think you need to allow IPsec pass-through... you're running p2tp, correct? Otherwise I'm not sure why you'd need a certificate (CHAP requires it if I remember correctly).

    Also consider TS unless VPN is ABSOLUTELY necessary.
    Last edited by Fubarian; April 5th, 2006 at 09:11 AM.

  5. #5
    Registered User
    Join Date
    Apr 2006
    Posts
    13
    I am running PPTP. I have a feeling the server must have been renamed or something after it was built for it not to be authenticating the server. MS-CHAP does encryption without authenticating the client and the server; MS-CHAP v2 does, and is why it requires the certificate, but I still can't work out how to get it working.

    Also, your "consider TS" comment: I don't understand what you mean there. I always suggest to my clients to use a VPN and RDP to either a TS server or, in this case, they don't want to purchase another server to run as a TS server, so they VPN in and then RDP to their workstations. VPN + TS much more secure.

    Still a mystery why I get the error with MS-CHAP v2, but I am not one that gives up.

  6. #6
    Registered User Fubarian's Avatar
    Join Date
    Dec 2000
    Location
    Columbus, Ohio
    Posts
    1,117
    Have you turned off EAP right (client)? or verify server identity? (NIC/Security/Adv/Use EAP/verify) Even better, do you have another vpn server somewhere you can test it against?

    Quote Originally Posted by DaRipper
    I always suggest to my clients to use a VPN and RDP to either a TS server or, in this case, they don't want to purchase another server to run as a TS server, so they VPN in and then RDP to their workstations. VPN + TS much more secure.

    Explain this to me. RDP connections -should- be set to 128b (server set min), then a person uses his/her domain user/pass - right? Running that on top of a VPN doesn't do much good -- just more overhead.

    And also, ms chap does do authentication ...only 1 way though using super strong (terrible) 40bit encryption, GOOOOO LanMan!

  7. #7
    Registered User
    Join Date
    Apr 2006
    Posts
    13
    The error has nothing to do with the client PC; it is the server that is having the problem, as I have tried to connect to it from multiple PCs and multiple locations.
    VPN is used so that port 3389 is not open (I know I can change the port that RDP listens on, but it needs more management and makes it harder for the users).

    and for
    "And also, ms chap does do authentication ...only 1 way though using super strong (terrible) 40bit encryption, GOOOOO LanMan!"

    That is why I want to use MS-CHAP v2, if you read my first post, but I receive the error when I choose it in Routing and Remote Access on the Windows 2003 server.

    Users need to RDP to their own workstations that are behind the firewall/router, and that is why they VPN to the server and then they can RDP to wherever they please.

  8. #8
    Registered User
    Join Date
    Jan 2001
    Location
    small dank IT hovel
    Posts
    203
    You can't connect via ms chap V2 externally from your network and internally?

  9. #9
    Registered User Fubarian's Avatar
    Join Date
    Dec 2000
    Location
    Columbus, Ohio
    Posts
    1,117
    Have you applied any patches/updates to it recently that would've affected RRAS?

    Stupid question, have you tried deleting and re-adding the machine? It might royally f' up your config on that box but ...::shrug:: if it's already broke...

    Quote Originally Posted by DaRipper
    That is why I want to use MS-CHAP v2, if you read my first post, but I receive the error when I choose it in Routing and Remote Access on the Windows 2003 server.
    I don't blame you, but you did say it doesn't authenticate -- it does, it just sucks by today's ..."standards" :P

    Users need to RDP to their own workstations that are behind the firewall/router, and that is why they VPN to the server and then they can RDP to wherever they please.
    That would make more sense.
