Re: VPN not working when i connect through SBS 2003 server running ISA 2004



I've tried playing around with the security settings to no avail. The
problem PCs (we have tested several within the network behind ISA) will VPN
(through ISA) to another network where there is a Draytek router as the PPTP
VPN endpoint.

The references to CHAP are presumably because it is the RASCHAP log! I have
looked in the other logs but I thought this one might be particularly
relevant as it was noticeably different between the two connections. I too
am starting to wonder if it is an authentication problem - yet "vpning" from
XP PCs elsewhere with the same credentials and no fiddling with settings
works OK.





"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u4RvDm2AHHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
Is there any way you can try two connections from the same client PC? It
would be interesting to verify if the client PC that fails to connect to
the remote SBS through ISA can then connect when bypassing ISA or not.

I'm not familiar with that log enough to make sense out of it, but it
appears that the remote SBS is not responding to the authentication
request. That would be consistent with the 619 error
http://www.chicagotech.net/vpnerrors.htm. I wonder if you could have an
issue with settings, which is why I'd like to see if the same PC can
connect directly but not through ISA. But, it seems like the default
settings on an XP desktop would work. I'm just thinking security settings
because of all the references to CHAP.



"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:OQk4wL2AHHA.4428@xxxxxxxxxxxxxxxxxxxxxxx
No - they are on different subnets - I was looking at the log files in the
tracing directory on the remote server and noticed that there seems to be
communication but that RASCHAP.log for instance shows quite different
entries




==================
RASCHAP.LOG on remote SBS VPN server

when connecting from problem PC on local network through ISA- VPN gives
error 619


[4280] 11-08 16:30:23:336: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:30:23:336: ChapBegin done.
[4280] 11-08 16:30:23:336: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:30:23:336: CS_Initial...
[4280] 11-08 16:30:23:336: MakeChallengeMessage...
01 00 00 1E 10 05 0E 2D D3 64 EF 97 E4 4B 9D F7 |.......-.d...K..|
21 C3 D5 0D 7D 53 42 53 53 45 52 56 45 52 00 00 |!...}SBSSERVER..|
[4280] 11-08 16:30:23:398: ChapEnd


when connecting from PC connected outside ISA direct to router - VPN
works

[4280] 11-08 16:36:48:552: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:36:48:552: ChapBegin done.
[4280] 11-08 16:36:48:552: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:552: CS_Initial...
[4280] 11-08 16:36:48:552: MakeChallengeMessage...
01 00 00 1E 10 BA DB 17 70 EB 95 CB 3A AB E3 BA |........p...:...|
B6 C9 15 D6 A5 53 42 53 53 45 52 56 45 52 00 00 |.....SBSSERVER..|
[4280] 11-08 16:36:48:614: ChapMakeMessage,RBuf=00FD1ECA
[4280] 11-08 16:36:48:614: CS_ChallengeSent...
[4280] 11-08 16:36:48:630: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:630: Result=0,Tries=2
[4280] 11-08 16:36:48:630: CS_Done...
03 00 00 2E 53 3D 37 45 33 30 36 39 33 35 41 35 |....S=7E306935A5|
41 42 38 30 44 37 42 34 36 34 44 30 42 41 39 32 |AB80D7B464D0BA92|
31 42 39 31 35 33 38 46 45 43 43 33 32 44 00 00 |1B91538FECC32D..|


====================


"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:euxxR31AHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Are both SBS networks using 192.168.16.x addressing? If so, changing
one of them to a different subnet should resolve this.

And thanks to SBS MVP Steven Teiger for this info.


"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:evBfCuyAHHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
Right

All this relates to PPTP VPNs and the XP PC is using the SecureNAT
client, which I believe is the appropriate client for VPN usage.

I can VPN to the desired network (call it network 1) from another
machine (XP) that is connected directly to the router ie bypassing ISA
2004.

I can also VPN to another (not the desired) network (call it network
2 - a test network) through ISA where the VPN endpoint is a Draytek
router. This would seem to confirm that there is no problem with
communication on 1723 and with GRE.

Telnetting to port 1723 on network 1 seems to elicit a connection.
HOWEVER PPTP Ping does NOT confirm a GRE connection as the test data is
not passed.

So - I cannot VPN through ISA to the desired network 1 where the
endpoint is another SBS 2003 server (behind its own ISA 2004 firewall).
I can however VPN to this network 1 from another external PC and
indeed by bypassing ISA as mentioned above.

The errors I get are 619 except when testing from the server itself
which results in a 628 error.

I am assuming that the PPTP Ping failure is key to this but cannot
understand why GRE would be a problem if I can make a PPTP connection
to the other test network. You might conclude from this that there is a
problem with GRE at the remote end but as I can connect to it when
bypassing ISA at this end so that does not seem logical either.

Does anyone have any ideas ?

(There is an active outbound rule for PPTP in ISA)













