Re: Mysterious VPN Errors
From: Bill Grant (not.available_at_online)
Date: 03/12/04
- Next message: Marc: "vpn 721 error"
- Previous message: Richard Rickard: "Cisco VPN and ESP packets"
- In reply to: Boris Nikolaevich: "Re: Mysterious VPN Errors"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 12 Mar 2004 12:06:40 +1000
If you want to use the "login using a dialup connection", you will need
to use the Windows server as the VPN endpoint.
If you can connect successfully from a local client, the server config
is correct. So the reason you cannot connect remotely over the Internet has
to be related to the firewall/router. Everything else remains the same.
There are two things involved. First, you must forward PPTP (tcp port
1723) from the firewall to the VPN server. This enables the VPN connection
to be made to the server rather than the firewall itself. The client
initially connects to the firewall's public IP, but the port forwarding
extends that to the VPN server. So the VPN tunnel is established between the
remote client and the VPN server.
Second, PPTP only sets up and maintains the tunnel. The actual VPN data
is encrypted then encapsulated in an IP packet with a GRE header. GRE
(Generic Routing Encapsulation protocol) is IP protocol 47. If your firewall
blocks GRE in either direction, the connection will fail, because no data is
being transferred. This usually shows up as error 721.
"Boris Nikolaevich" <boris@nikolaevich.mailshell.com> wrote in message
news:ekIKZFzBEHA.2804@tk2msftngp13.phx.gbl...
> Thank you! While this doesn't explain why at times I *am* able to connect
> externally, I can see that I actually should *not* be able to... the setup
> you describe is what I will push for at the office, since I really don't
> want to play network admin anyway.
>
> Does this mean that the process of connecting to the VPN and authenticating
> to the domain will now be a two-part process? How will it affect the Windows
> startup option to "log in using dial-up networking"?
>
> Thanks again for your help!
> --Boris
>
> "Phillip Windell" <@.> wrote in message
> news:OI4HbAuBEHA.580@TK2MSFTNGP11.phx.gbl...
> > If your Firewall is performing NAT for the system and all your servers &
> > workstations are behind it, then the firewall must be the VPN Server and not
> > your Windows Machine that is behind it. Your Windows Server may do the job
> > fine for internal users because they can directly contact it, but from the
> > outside users cannot do this and can only connect directly to the Firewall,
> > hence the Firewall must be the "VPN Server" for them.
> >
> > This also means that you could also use the firewall as the VPN Server for
> > internal users as well since there would be no real point in having two VPN
> > Servers. If you wanted the Windows Server to be the VPN Server then you
> > would have to throw out the firewall and the Windows Server would replace it
> > and become the firewall.
> >
> > It comes down to this,...whatever you want to use for the VPN Server must be
> > *directly* accessible to all users that need to use it.
> >
> > We have a similar setup here and we use the Firewall box as the VPN Server.
> > We connect about 20 other sites full time 24-7. Our LAN Router is the
> > Default Gateway of *all* the machines, and then the Router uses the Firewall
> > box as its Default Gateway. This allows all the users to connect to the
> > remote LANs across the VPN without even being aware that it exists.
> >
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> > "Boris Nikolaevich" <boris@nikolaevich.mailshell.com> wrote in message
> > news:OHqQ6VmBEHA.3284@TK2MSFTNGP09.phx.gbl...
> > > Hi all,
> > >
> > > I'm having a real headache of a time with VPN on Windows Server 2003. I
> > > don't even know where to begin troubleshooting, but I'll give as much
> > > relevant information as I can and hopefully you'll know what questions to
> > > ask me so that I can add any additional information you need. Thanks for
> > > taking the time to read and help!
> > >
> > > The VPN Server (ZARYA) is Windows 2003.
> > > The Domain Controller (VOSKHOD) is Windows 2003.
> > > There is a workstation (SPUTNIK1) running Windows XP Professional.
> > > The remote client (SPUTNIK2) is notebook Windows XP Professional.
> > > All are members of the domain SOYUZ.
> > >
> > > I added "VPN Server" as one of the server roles through the Manage Your
> > > Server wizard on ZARYA.
> > >
> > > I tested the VPN connection internally from SPUTNIK1 and had no problem
> > > connecting, authenticating, and having the computer registered on the
> > > network.
> > >
> > > When I try to connect remotely with SPUTNIK2 (usually from home) I get one
> > > of the following situations:
> > > a) The connection is made successfully and authentication completes
> > > normally
> > > b) The connection is made, but times out with the progress indicating
> > > "Verifying username and password..."
> > > c) The connection is made, and after several minutes at "Verifying username
> > > and password..." I get a message that my credentials couldn't be verified.
> > > After re-entering my username and password, connection and authentication
> > > complete normally.
> > > d) The connection is not made, with an error that the VPN server could not
> > > be contacted.
> > >
> > > Unfortunately, situation "a" happens infrequently and inconsistently. On
> > > the server side, situations "b" and "c" produce one of the following entries
> > > in the System log:
> > >
> > > ==============
> > > Event Type: Warning
> > > Event Source: RemoteAccess
> > > Event Category: None
> > > Event ID: 20049
> > > Date: 3/9/2004
> > > Time: 8:53:30 PM
> > > User: N/A
> > > Computer: ZARYA
> > > Description:
> > > The user connected to port VPN1-1 has been disconnected because the
> > > authentication process did not complete within the required amount of time.
> > > ==============
> > > Event Type: Warning
> > > Event Source: RemoteAccess
> > > Event Category: None
> > > Event ID: 20189
> > > Date: 3/9/2004
> > > Time: 8:53:58 PM
> > > User: N/A
> > > Computer: ZARYA
> > > Description:
> > > The user SOYUZ\boris connected from 555.555.555.555 but failed an
> > > authentication attempt due to the following reason: Authentication was not
> > > successful because an unknown user name or incorrect password was used.
> > > ==============
> > >
> > > Note that in every situation, I am entering the same (correct) username and
> > > password.
> > >
> > > One of the things I came across in trying to figure this out was the
> > > suggestion that error 20049 is often caused by firewall settings--i.e.
> > > ports required for VPN are blocked by my firewall. While I've been pretty
> > > aggressive about restricting unnecessary ports, I'm fairly certain that
> > > everything that needs to be open is open on my end, and my ISP (since
> > > I'm connecting from home) swears that they're not blocking anything.
> > > [Maybe, just as a favor, someone could verify the ports that I need to have
> > > open on my office firewall, in case that's part of the problem.]
> > >
> > > I've put a lot of effort into figuring this out, and I'm getting pretty
> > > frustrated about the whole affair. Part of the problem is that I'm not a
> > > network admin of any sort--I'm a developer, a programmer, an MCSD, a DBA...
> > > you get the idea. This network is supposed to be my development and testing
> > > environment. But administering the network is not just taking my time, it's
> > > over my head!
> > >
> > > Thanks for any assistance you can give.
> > >
> > > --Boris Nikolaevich
> > >
> > >
> >
> >
>
>
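The two halves of a PPTP session that Bill Grant's reply describes (the TCP 1723 control connection that gets port-forwarded, and the GRE-encapsulated data that is IP protocol 47 rather than a port), shown as an added example that is not part of the thread or of any Microsoft code. It builds the client's first control message and a server reply per the RFC 2637 layout, wraps a PPP frame in PPTP's GRE header, and then runs both packets through a small model of a NAT box to show why forwarding only tcp/1723 produces the "connected but no data" symptom the reply associates with error 721. Host names, addresses, call IDs and the server reply are constructed for the example.

```python
import socket
import struct

PPTP_PORT = 1723         # TCP control connection: this is what gets port-forwarded
IPPROTO_GRE = 47         # PPTP data: IP protocol 47, not a TCP or UDP port
PPTP_MAGIC = 0x1A2B3C4D  # RFC 2637 magic cookie
SCCRQ, SCCRP = 1, 2      # Start-Control-Connection-Request / -Reply
GRE_PROTO_PPP = 0x880B   # protocol type PPTP puts in its GRE header

def build_sccrq(hostname=b"sputnik2", vendor=b"example"):
    """First message a PPTP client sends on TCP 1723 (RFC 2637 section 2.1)."""
    return struct.pack("!HHIHHHHIIHH64s64s", 156, 1, PPTP_MAGIC, SCCRQ, 0,
                       0x0100, 0,  # protocol version 1.0, reserved
                       3, 3,       # framing async+sync, bearer analog+digital
                       1, 0,       # one channel, firmware revision 0
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def build_sccrp(result=1, error=0, hostname=b"zarya"):
    """Server reply, constructed here so the example runs without a server."""
    return struct.pack("!HHIHHHBBIIHH64s64s", 156, 1, PPTP_MAGIC, SCCRP, 0,
                       0x0100, result, error, 3, 3, 1, 0,
                       hostname.ljust(64, b"\0"), b"example".ljust(64, b"\0"))

def parse_sccrp(data):
    """Decode an SCCRP; result code 1 means the control channel came up."""
    if len(data) < 156:
        raise ValueError("short SCCRP")
    f = struct.unpack("!HHIHHHBBIIHH64s64s", data[:156])
    if f[2] != PPTP_MAGIC or f[1] != 1 or f[3] != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {"result": f[6], "error": f[7],
            "hostname": f[12].rstrip(b"\0").decode("ascii", "replace")}

def build_gre_ppp(payload, call_id, seq):
    """Enhanced GRE header PPTP wraps each PPP frame in (RFC 2637 section 4)."""
    flags = 0x3001  # K (key present) and S (sequence present) set, version 1
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

def parse_gre_ppp(frame):
    flags, proto, length, call_id, seq = struct.unpack("!HHHHI", frame[:12])
    if not flags & 0x2000 or proto != GRE_PROTO_PPP:  # needs key bit and PPP type
        raise ValueError("not a PPTP GRE frame")
    return {"call_id": call_id, "seq": seq, "payload": frame[12:12 + length]}

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left zero; only the protocol field matters here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp_segment(sport, dport, payload):
    """Minimal TCP header: ports, zero seq/ack, data offset 5, PSH+ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload

def classify(packet):
    """Which firewall rule an IPv4 packet needs: 'pptp-control', 'pptp-data' or None."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_GRE:
        return "pptp-data"
    if proto == socket.IPPROTO_TCP:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        return "pptp-control" if dport == PPTP_PORT else None
    return None

def firewall_passes(packet, forwarded_tcp_ports=(PPTP_PORT,), allowed_ip_protocols=()):
    """Model of a NAT box: forwards the listed TCP ports, passes the listed IP protocols."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in allowed_ip_protocols:
        return True
    if proto == socket.IPPROTO_TCP:
        return struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] in forwarded_tcp_ports
    return False

def session_outcome(control_pkt, data_pkt, **rules):
    """Map the firewall result onto the symptoms from the thread: no control
    connection = server not contacted, control but no GRE = error 721."""
    if not firewall_passes(control_pkt, **rules):
        return "server could not be contacted"
    if not firewall_passes(data_pkt, **rules):
        return "error 721 (GRE blocked)"
    return "connected"

if __name__ == "__main__":
    client, server = "203.0.113.10", "192.0.2.5"  # made-up documentation addresses
    control = ipv4(socket.IPPROTO_TCP, client, server,
                   tcp_segment(40000, PPTP_PORT, build_sccrq()))
    data = ipv4(IPPROTO_GRE, client, server,
                build_gre_ppp(b"\xff\x03\xc0\x21", call_id=1, seq=1))  # start of a PPP LCP frame
    print(classify(control), classify(data))
    print("tcp/1723 only :", session_outcome(control, data))
    print("tcp/1723 + GRE:", session_outcome(control, data, allowed_ip_protocols=(IPPROTO_GRE,)))
    print(parse_sccrp(build_sccrp()))
```

Run as a script it prints the classification of both packets, the "error 721" outcome with only the port forward in place, "connected" once protocol 47 is also allowed, and the decoded constructed server reply. The same classify() logic is what you would apply to a capture on the firewall's outside interface when a client reports that it reaches the server but hangs at "Verifying username and password": control segments present and GRE absent points at the firewall, exactly as the reply above argues.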