Re: VPN with SBS 2003 (not R2) and DSL.
- From: DrewYK <drew_cushnir@xxxxxxxxxxx>
- Date: 25 May 2007 14:59:51 -0700
The wizard failed. The log file states:
5/25/2007 4:35 PM
D:\Program Files\Microsoft Windows Small Business Server\Networking\RRASWiz\wizrras.dll, version 5.2.2651.0
Calling CRRASCommit::CommitEx
Calling CRRASCommit::ValidatePropertyBag
pdispPPPBag->QueryInterface returned OK
PropertyBag 1149438
Reading property value for enabling Remote Access returned OK
bRemoteAccess = 1
Reading property value for VPN returned OK
bVPN = 1
Reading property value for RAS returned OK
bRAS = 0
Calling CRRASCommit::ValidateVPNProperties
Reading VPN Server Name returned OK
VPN Server Name is [xxx.xxx.xxx.xxx]
Calling CRRASCommit::ValidateDHCPProperties
DHCP server is installed on the box
CRRASCommit::ValidateDHCPProperties returned OK
CRRASCommit::ValidateVPNProperties returned OK
CRRASCommit::ValidatePropertyBag returned OK
pdispPPPBag->QueryInterface returned OK
Pointer to the property bag 1149438
Calling CRRASCommit::CommitRRAS
Arguments:
PropertyBag 1149438
bRAS 0
bVPN 1
Getting the GUID of the private NIC returned OK
Private NIC Guid is {A266A6BD-E54B-491E-AE49-60C369BF434A}
Checking whether RRAS is already running returned OK
RRAS is not running
Installing RRAS returned OK
Dhcp server is installed and running on this box
Enabling DHCP client addressing returned OK
Configuring ports returned OK
Identifying the private NIC for RAS returned OK
Setting the default authentication methods returned OK
Disabling NETBIOS for RAS returned OK
Changing RRAS startup type to automatic returned OK
Configuring Remote Access Policy returned OK
Starting RRAS service returned OK
Saving RRAS method returned OK
Method is 2
Where 1 = RAS, 2 = VPN 3 = both
Saving Dhcp Server IP returned OK
CRRASCommit::CommitRRAS returned OK
Calling CRRASCommit::CommitCMAK
Arguments:
PropertyBag 1149438
bRAS 0
bVPN 1
Template file name is sbsvpn
Reading VPN Server name returned OK
Reading VPN Server name is [xxx.xxx.xxx.xxx]
Created temp directory CMPB.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80004005
*** ERROR: Cannot delete temp directory CMPB.tmp
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80004005
*** CRRASCommit::CommitEx returned ERROR 80004005
The IP address (which I removed here) was the address supplied by the
service provider. To be honest I did not know if that was the one I
should use or not, but the wizard wanted the domain name registered
with the service provider. We do not have a registered domain name,
just the IP address.
On May 25, 4:21 pm, Joe <j...@xxxxxxxxxxxxxx> wrote:
DrewYK wrote:
The Issue:
I am completely green regarding setting up a VPN and I am OBVIOUSLY
missing some step. I tried to follow the two methods that I have
seen most often. There are various articles on how to set up VPN; the
two I followed are:
1) http://support.microsoft.com/kb/323441/
and
2) http://www.windowsdevcenter.com/pub/a/windows/2004/03/09/vpn_connecti...
Not so much missing a step, but going down entirely the wrong path.
To begin with, both of these methods seem to apply to Windows Server
2003. Small Business Server 2003 is *not* Windows Server 2003, though
it is built upon it. SBS is an implementation of a customised server
intended for a particular market, and many Server 2003 configurations
are hard-coded into it. In particular, all aspects of networking are
configured differently.
Results of using method one with Broadcom not in team mode*:
It seems that shortly after enabling "Routing and Remote Access" users
could no longer access shares on servers. The network cards were
generating "limited or no connectivity" and the machines were renewing
their IP addresses to Private addresses. Disable "Routing and Remote
Access", reboot affected machines and it all reverses.
Results of using method two with Broadcom in team mode*:
No impact on Intranet, I can connect to VPN from home, but I cannot
access any IntraNet resources.
Results of using method two with Broadcom not in team mode*:
No Internet at all. For instance, the only web pages that can be
displayed are the ones built into the DSL "Modem."
* The Broadcom BCM5704C has two RJ45 ports and is treated as two
identical network cards. They can each have their own IP addresses or
they can be teamed, making both of them visible to the network with
only one IP address. The team with method two has given me the best
results so far, but still no success.
Obviously method two with Broadcom in team mode looks the most
attractive. But no success is not going to work.
I am going through all of this because we have hired someone who is
going to need to be able to work from home at least two days a week.
He was hired with the understanding that he would be provided VPN
access to files and resources. I was only just told, after he was
hired, of course. All I have to do is make it work. No big deal,
right? ;-)
----------------------------------------------------------------------------------------
The Hardware:
A NetGear Switch - unmanaged: JGS516
A NetGear Switch - managed: FS700TS
A Server - Homegrown: Tyan S2880 Thunderbird K8S Motherboard
w/ a Broadcom BCM5704C dual-channel Gb Ethernet controller,
w/ two RJ45s set up as a Team (they show up as one IP address
in the 10.0.0.x range).
A DSL "Modem": Westell Wirespeed 2100.
----------------------------------------------------------------------------------------
The Configuration:
Network:
Range: 10.0.0.1-255
Subnet: 255.255.255.0
Gateway: 10.0.0.11
Server:
Name: Sol
Domain: MilkyWay
IP - Team: 10.0.0.16
IP - No Team: 10.0.0.16 and 10.0.0.17
DSL:
Name: Mercury
IP: 10.0.0.11
Intranet PC:
Name: Earth
IP: 10.0.0.150
Machine on VPN:
Name: Pluto
IP: 10.0.0.3
Sol is connected to both switches.
Mercury is connected to JGS516.
Earth is connected to FS700TS.
First: it seems doubtful that SBS will work properly with two NICs
with IP addresses in the same network. It wasn't designed to. "Team"
mode seems to be essential. With luck, you won't have to disable the
board and install a standard NIC.
Second: it is inadvisable to use the 10.0.0.0 network for the LAN
of a machine expected to be used for VPN. The traditional netmask
for 10.0.0.0 is 255.0.0.0 and I have seen this hard-coded, even
when a different netmask is attempted. As a result, there is only
one possible 10. network, and it is in reasonably common use. The
SBS LAN network must be different from a network used by a VPN
client, and 10. is sometimes used by default by DSL routers. You
may get away with it, but at the moment you are having problems,
and this may be contributing. I'd recommend a 192.168.x.0 network,
with x between about 50 and 200. This will have little chance of
conflicting with anyone's defaults.
Finally and most important: SBS2003 has 'wizards' which configure
networking and VPN, and ignoring them is likely to generate conflicts.
Manual settings may well be overruled. VPN will be set up correctly
if the Connect to Internet and Remote Access wizards are run,
assuming nothing significant has been changed from the SBS installation
defaults. Tell the SBS it has one NIC. Two NICs in an SBS will
cause it to behave as a firewall, to expect to find the LAN machines
connected to the 'internal' NIC, and to find its default gateway
connected to the 'external' one. This is quite definitely what you
don't want here.
Now, the most obvious problem is that Pluto has an IP address in the
same network as the SBS LAN, so VPN will not work. It must use a
different network address. A VPN connection is effectively part of
a router, and a router will only route between different networks.
Make sure that the LAN workstations and the VPN connection of the
remote machine have TCP/IP properties set to get both IP address and
DNS information automatically. When the ipconfig command is run on
SBS and workstations, only the SBS LAN IP address should appear as
DNS server. Any other DNS server appearing here will cause trouble.
(Your ISP's DNS servers can be entered in the CEICW wizard, when they
will be used as forwarders. Or you can leave the entry blank, and
SBS will use the root servers.) When the VPN is open, the same should
be true of the PPP entry for the ipconfig output of the client. The
PPP IP address *will* be in the SBS LAN network, this is correct. The
client's NIC must not be.
Have a go at all this and tell us what happens. It probably won't all
come right in one go, but we'll be closer.
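
The addressing rules in Joe's reply (client NIC on a different network from the SBS LAN, 10.x networks colliding when the 255.0.0.0 mask is applied, PPP address inside the SBS LAN) can be checked before a connection is attempted. This is an added example, not part of the thread: the function names are hypothetical, Pluto's netmask is assumed, and the 10.1.1.5 and 192.168.x addresses are constructed.

```python
import ipaddress

def classful_network(addr):
    """Network a unicast IPv4 address falls in under its traditional class A/B/C netmask."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def check_vpn_addressing(sbs_lan, client_nic, client_ppp=None):
    """Return a list of findings; an empty list means no addressing conflict."""
    lan = ipaddress.ip_network(sbs_lan, strict=False)
    nic = ipaddress.ip_interface(client_nic)
    findings = []
    if nic.network.overlaps(lan):
        findings.append("client NIC is in the SBS LAN network")
    elif classful_network(nic.ip).overlaps(classful_network(lan.network_address)):
        # Distinct only while both ends honour the configured netmask.
        findings.append("networks collide under the classful netmask")
    if client_ppp is not None and ipaddress.ip_address(client_ppp) not in lan:
        findings.append("PPP address is not in the SBS LAN network")
    return findings

if __name__ == "__main__":
    cases = [
        # (SBS LAN, client NIC, client PPP address or None)
        # Thread's values; Pluto's netmask is an assumption.
        ("10.0.0.0/255.255.255.0", "10.0.0.3/255.255.255.0", None),
        # Constructed: a home router that also hands out 10.x addresses.
        ("10.0.0.0/24", "10.1.1.5/24", None),
        # Constructed: LAN renumbered into 192.168.x.0 with x between 50 and 200.
        ("192.168.120.0/24", "192.168.1.20/24", "192.168.120.51"),
    ]
    for lan, nic, ppp in cases:
        print(lan, nic, ppp, "->", check_vpn_addressing(lan, nic, ppp) or "OK")
```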