Where's My VPN?
-
On a humorous note, inserting "Dude," at the beginning of the title would be hilarious.
Seriously, though, how do the clients connect? That should give you a starting place to look.
-
@alexntg said:
On a humorous note, inserting "Dude," at the beginning of the title would be hilarious.
Seriously, though, how do the clients connect? That should give you a starting place to look.
"Dude"...being solo IT guy for everything means something's go untouched for years. LOL.
@scottalanmiller said:
So maybe it is not a Windows VPN in use. Might be a third party product. Check out the process table to see what is running.
Well, that's why I thought it may be the firewall but if OpenVPN is not on, then it is somewhere else.
If this helps, it is the broadcast address of our T1 internet service. It's address is after the WAN gateway and before the subnet mask.
-
How do the clients connect?
-
Garak, didn't I send you a link with information from TechNet on this topic elsewhere?
-
@alexntg said:
How do the clients connect?
Though the broadcast address and using their domain ID and password.
-
@garak0410 said:
@alexntg said:
How do the clients connect?
Though the broadcast address and using their domain ID and password.
Let's see if i can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?
-
@Bill-Kindle said:
Garak, didn't I send you a link with information from TechNet on this topic elsewhere?
Yes...the link will help but find it kind of puzzling that it wasn't configured on the original server at all (SBS 2003)
@alexntg said:
@garak0410 said:
@alexntg said:
How do the clients connect?
Though the broadcast address and using their domain ID and password.
Let's see if i can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?
Sorry...Windows VPN client...they configure it with the broadcast IP address of our internet service. Security is set to Automatic type of VPN and data encryption is optional. Windows 8x users have to also select ALLOW THESE PROTOCOLS.. Sign in with domain ID and password and they are in.
-
Also, when on a VPN connection, when you do IPCONFIG /ALL, it shows the OLD server IP as primary DNS, so it has to be there. But if I go into ROUTING AND REMOTE ACCESS on the old server, and go into properties, it says THE SERVER HAS NOT BEEN SET UP FOR ROUTING. Perhaps I am just in the wrong properties?
-
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
-
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
-
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
-
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
-
@alexntg said:
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
On the DC or allow my "services/file" server to handle it?
-
@garak0410 said:
@alexntg said:
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
On the DC or allow my "services/file" server to handle it?
Personal preference? There's pros and cons to both.
-
@alexntg said:
@garak0410 said:
@alexntg said:
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
On the DC or allow my "services/file" server to handle it?
Personal preference? There's pros and cons to both.
Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?
-
@garak0410 said:
@alexntg said:
@garak0410 said:
@alexntg said:
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
On the DC or allow my "services/file" server to handle it?
Personal preference? There's pros and cons to both.
Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?
I've never worked with SBS before.
-
@alexntg said:
@garak0410 said:
@alexntg said:
@garak0410 said:
@alexntg said:
@garak0410 said:
@garak0410 said:
@alexntg said:
You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.
Checking...
Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):
Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP
Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP
It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.
You'll want to configure remote access on the new server first.
On the DC or allow my "services/file" server to handle it?
Personal preference? There's pros and cons to both.
Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?
I've never worked with SBS before.
Thanks for tips...as I said, not having ROUTING AND REMOTE ACCESS set up on the original was causing me to just sit here and shake my head...as I multitask with other things...
-
Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password.. Can't seem to find the solution yet but love OTJ training... Still searching...
-
@garak0410 said:
Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password.. Can't seem to find the solution yet but love OTJ training... Still searching...
Still trying to solve this problem. Do I need to set up NPS to configure NAP? As I've referred to Ad nauseam, the old server didn't have anything special set up.
-
More in depth details on the connection problem:
Error 812: THE CONNECTION WAS PREVENTED BECAUSE OF A POLICY CONFIGURED ON YOUR RAS/VPN SERVER. SPECIFICALLY, THE AUTHENTICATION METHOD USED BY THE SERVER TO VERIFY YOUR USERNAME AND PASSWORD MAY NOT MATCH THE AUTHENICATION METOHD CONFIGURED IN YOUR CONNECTION PROFILE.
In the properties under ROUTING AND REMOTE ACCESS for my server, under security tab, I have EAP and MS-CHAP V2 selected. on the client, it's security tab is set to Automatic VPN and Allow these protocols with MS-CHAP V2 selected.