Re: VPN not working when i connect through SBS 2003 server running ISA 2004
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Nov 2006 19:17:51 -0500
A frustrating problem for sure. Anything helpful in the ISA logs at either
end, or the Security logs? I wonder if this is because you're authenticated
to your ISA as yourdomain\you, and you're trying to connect to
theirdomain\you. Absent that IP issue, it seems like authentication is the
only thing left, but I'm having a tough time coming up with something
specific to look at or change.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:%23WPWxI3AHHA.3540@xxxxxxxxxxxxxxxxxxxxxxx
I've tried playing around with the security settings to no avail. The
problem PCs (we have tested several within the network behind ISA) will
VPN (through ISA) to another network where there is a Draytek router as
the PPTP VPN endpoint.
The references to CHAP are presumably because it is the RASCHAP log! I
have looked in the other logs but I thought this one might be particularly
relevant as it was noticeably different between the two connections. I too
am starting to wonder if it is an authentication problem - yet "vpning"
from XP PCs elsewhere with the same credentials and no fiddling with
settings works OK.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:u4RvDm2AHHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
Is there any way you can try two connections from the same client PC? It
would be interesting to verify if the client PC that fails to connect to
the remote SBS through ISA can then connect when bypassing ISA or not.
I'm not familiar with that log enough to make sense out of it, but it
appears that the remote SBS is not responding to the authentication
request. That would be consistent with the 619 error
http://www.chicagotech.net/vpnerrors.htm. I wonder if you could have an
issue with settings, which is why I'd like to see if the same PC can
connect directly but not through ISA. But, it seems like the default
settings on an XP desktop would work. I'm just thinking security
settings because of all the references to CHAP.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:OQk4wL2AHHA.4428@xxxxxxxxxxxxxxxxxxxxxxx
No - they are on different subnets - I was looking at the log files in
the tracing directory on the remote server and notice that there seems
to be communication but that RASCHAP.log for instance shows quite
different entries
==================
RASCHAP.LOG on remote SBS VPN server
when connecting from problem PC on local network through ISA - VPN gives
error 619
[4280] 11-08 16:30:23:336: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:30:23:336: ChapBegin done.
[4280] 11-08 16:30:23:336: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:30:23:336: CS_Initial...
[4280] 11-08 16:30:23:336: MakeChallengeMessage...
01 00 00 1E 10 05 0E 2D D3 64 EF 97 E4 4B 9D F7 |.......-.d...K..|
21 C3 D5 0D 7D 53 42 53 53 45 52 56 45 52 00 00 |!...}SBSSERVER..|
[4280] 11-08 16:30:23:398: ChapEnd
when connecting from PC connected outside ISA direct to router - VPN
works
[4280] 11-08 16:36:48:552: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:36:48:552: ChapBegin done.
[4280] 11-08 16:36:48:552: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:552: CS_Initial...
[4280] 11-08 16:36:48:552: MakeChallengeMessage...
01 00 00 1E 10 BA DB 17 70 EB 95 CB 3A AB E3 BA |........p...:...|
B6 C9 15 D6 A5 53 42 53 53 45 52 56 45 52 00 00 |.....SBSSERVER..|
[4280] 11-08 16:36:48:614: ChapMakeMessage,RBuf=00FD1ECA
[4280] 11-08 16:36:48:614: CS_ChallengeSent...
[4280] 11-08 16:36:48:630: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:630: Result=0,Tries=2
[4280] 11-08 16:36:48:630: CS_Done...
03 00 00 2E 53 3D 37 45 33 30 36 39 33 35 41 35 |....S=7E306935A5|
41 42 38 30 44 37 42 34 36 34 44 30 42 41 39 32 |AB80D7B464D0BA92|
31 42 39 31 35 33 38 46 45 43 43 33 32 44 00 00 |1B91538FECC32D..|
====================
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:euxxR31AHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Are both SBS networks using 192.168.16.x addressing? If so, changing
one of them to a different subnet should resolve this.
And thanks to SBS MVP Steven Teiger for this info.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:evBfCuyAHHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
Right
All this relates to PPTP VPNs and the XP PC is using the SecureNAT
client, which I believe is the appropriate client for VPN usage.
I can VPN to the desired network (call it network 1) from another
machine (XP) that is connected directly to the router ie bypassing ISA
2004.
I can also VPN to another (not the desired) network (call it network
2 - a test network) through ISA where the VPN endpoint is a Draytek
router. This would seem to confirm that there is no problem with
communication on 1723 and with GRE.
Telnetting to port 1723 on network 1 seems to elicit a connection.
HOWEVER PPTP Ping does NOT confirm a GRE connection as the test data
is not passed.
So - I cannot VPN through ISA to the desired network 1 where the
endpoint is another SBS 2003 server (behind its own ISA 2004
firewall). I can however VPN to this network 1 from another external
PC and indeed by bypassing ISA as mentioned above.
The errors I get are 619 except when testing from the server itself
which results in a 628 error.
I am assuming that the PPTP Ping failure is key to this but cannot
understand why GRE would be a problem if I can make a PPTP connection
to the other test network. You might conclude from this that there is
a problem with GRE at the remote end but as I can connect to it when
bypassing ISA at this end so that does not seem logical either.
Does anyone have any ideas ?
(There is an active outbound rule for PPTP in ISA)
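Added example, not part of the original thread: a Python decoder for the hex dumps in the two RASCHAP.LOG excerpts quoted above, using standard CHAP framing (RFC 1994: Code, Identifier, Length, then Value-Size/Value/Name or a message). The function names `chap_packets` and `verdict` are hypothetical; the sample lines are copied from the thread.

```python
import re
CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})\|")

def chap_packets(log_text):
    """Rebuild CHAP packets (RFC 1994 framing) from RASCHAP.LOG hex-dump rows."""
    packets, buf = [], bytearray()
    for line in log_text.splitlines() + [""]:   # "" flushes a trailing dump
        row = HEX_ROW.match(line.strip())
        if row:
            buf += bytes.fromhex(row.group(1))
            continue
        if len(buf) >= 4:
            length = int.from_bytes(buf[2:4], "big")
            body = bytes(buf[4:length])         # Length field trims dump padding
            pkt = {"code": CODES.get(buf[0], "Unknown"), "id": buf[1]}
            if buf[0] in (1, 2) and body:       # Value-Size, Value, Name
                pkt["value"] = body[1:1 + body[0]].hex()
                pkt["name"] = body[1 + body[0]:].decode("ascii", "replace")
            else:                               # Success/Failure carry a message
                pkt["message"] = body.decode("ascii", "replace")
            packets.append(pkt)
        buf = bytearray()
    return packets

def verdict(log_text):
    """Report how far the server-side CHAP exchange got."""
    codes = [p["code"] for p in chap_packets(log_text)]
    for final, text in (("Success", "authenticated"), ("Failure", "rejected")):
        if final in codes:
            return text
    return "challenge sent, no reply logged" if "Challenge" in codes else "no CHAP packets"

# Excerpts copied from the two RASCHAP.LOG captures quoted in the thread.
VIA_ISA = """\
[4280] 11-08 16:30:23:336: MakeChallengeMessage...
01 00 00 1E 10 05 0E 2D D3 64 EF 97 E4 4B 9D F7 |.......-.d...K..|
21 C3 D5 0D 7D 53 42 53 53 45 52 56 45 52 00 00 |!...}SBSSERVER..|
[4280] 11-08 16:30:23:398: ChapEnd
"""
DIRECT = """\
[4280] 11-08 16:36:48:552: MakeChallengeMessage...
01 00 00 1E 10 BA DB 17 70 EB 95 CB 3A AB E3 BA |........p...:...|
B6 C9 15 D6 A5 53 42 53 53 45 52 56 45 52 00 00 |.....SBSSERVER..|
[4280] 11-08 16:36:48:630: CS_Done...
03 00 00 2E 53 3D 37 45 33 30 36 39 33 35 41 35 |....S=7E306935A5|
41 42 38 30 44 37 42 34 36 34 44 30 42 41 39 32 |AB80D7B464D0BA92|
31 42 39 31 35 33 38 46 45 43 43 33 32 44 00 00 |1B91538FECC32D..|
"""
```

Run over both excerpts, `verdict(VIA_ISA)` stops at the server's Challenge for `SBSSERVER`, while `verdict(DIRECT)` reaches a Success packet carrying an `S=` message.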