Where's My VPN?

Bill Kindle

Garak, didn't I send you a link with information from TechNet on this topic elsewhere?

garak0410

@alexntg said:

How do the clients connect?

Though the broadcast address and using their domain ID and password.

alexntg

@garak0410 said:

@alexntg said:

How do the clients connect?

Though the broadcast address and using their domain ID and password.

Let's see if i can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?

garak0410

@Bill-Kindle said:

Garak, didn't I send you a link with information from TechNet on this topic elsewhere?

Yes...the link will help but find it kind of puzzling that it wasn't configured on the original server at all (SBS 2003)

@alexntg said:

@garak0410 said:

@alexntg said:

How do the clients connect?

Though the broadcast address and using their domain ID and password.

Let's see if i can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?

Sorry...Windows VPN client...they configure it with the broadcast IP address of our internet service. Security is set to Automatic type of VPN and data encryption is optional. Windows 8x users have to also select ALLOW THESE PROTOCOLS.. Sign in with domain ID and password and they are in.

garak0410

@garak0410

Also, when on a VPN connection, when you do IPCONFIG /ALL, it shows the OLD server IP as primary DNS, so it has to be there. But if I go into ROUTING AND REMOTE ACCESS on the old server, and go into properties, it says THE SERVER HAS NOT BEEN SET UP FOR ROUTING. Perhaps I am just in the wrong properties?

alexntg

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

garak0410

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

garak0410

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

alexntg

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

garak0410

@alexntg said:

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

On the DC or allow my "services/file" server to handle it?

alexntg

@garak0410 said:

@alexntg said:

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

On the DC or allow my "services/file" server to handle it?

Personal preference? There's pros and cons to both.

garak0410

@alexntg said:

@garak0410 said:

@alexntg said:

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

On the DC or allow my "services/file" server to handle it?

Personal preference? There's pros and cons to both.

Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

alexntg

@garak0410 said:

@alexntg said:

@garak0410 said:

@alexntg said:

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

On the DC or allow my "services/file" server to handle it?

Personal preference? There's pros and cons to both.

Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

I've never worked with SBS before.

garak0410

@alexntg said:

@garak0410 said:

@alexntg said:

@garak0410 said:

@alexntg said:

@garak0410 said:

@garak0410 said:

@alexntg said:

You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

Checking...

Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

You'll want to configure remote access on the new server first.

On the DC or allow my "services/file" server to handle it?

Personal preference? There's pros and cons to both.

Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

I've never worked with SBS before.

Thanks for tips...as I said, not having ROUTING AND REMOTE ACCESS set up on the original was causing me to just sit here and shake my head...as I multitask with other things...

garak0410

@garak0410

Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password.. Can't seem to find the solution yet but love OTJ training... Still searching...

garak0410

@garak0410 said:

@garak0410

Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password.. Can't seem to find the solution yet but love OTJ training... Still searching...

Still trying to solve this problem. Do I need to set up NPS to configure NAP? As I've referred to Ad nauseam, the old server didn't have anything special set up.

garak0410

More in depth details on the connection problem:

Error 812: THE CONNECTION WAS PREVENTED BECAUSE OF A POLICY CONFIGURED ON YOUR RAS/VPN SERVER. SPECIFICALLY, THE AUTHENTICATION METHOD USED BY THE SERVER TO VERIFY YOUR USERNAME AND PASSWORD MAY NOT MATCH THE AUTHENICATION METOHD CONFIGURED IN YOUR CONNECTION PROFILE.

In the properties under ROUTING AND REMOTE ACCESS for my server, under security tab, I have EAP and MS-CHAP V2 selected. on the client, it's security tab is set to Automatic VPN and Allow these protocols with MS-CHAP V2 selected.

JaredBusch

@garak0410 I have never used Windows RAS before so cannot help ya there. Are you sure there was no 3rd party application running as a service on the old server?

garak0410

@JaredBusch said:

@garak0410 I have never used Windows RAS before so cannot help ya there. Are you sure there was no 3rd party application running as a service on the old server?

Agreed and checked...nothing...after all the suggestions above, I only found the tunneling information in the firewall that pointed to this server.

garak0410

@garak0410

Going to remove and reinstall the Remote Access role. Just waiting for people to get out of here...come on people...it is well after 5 on a Friday!