topic Re: VPN setup. Weird results in Windows Server 2003

VPN setup. Weird results

Steven E. Protter — Tue, 29 Jun 2004 10:42:06 GMT

I set up Windows 2003 Server for VPN Access. I got the general setup to work via a support.microsoft.com document that set go into remote access, turn it off, turn it back on and use the wizard to configure VPN.

I did this and all of the sudden the VPN works great. Inside my local network. VPN works wonderfully using the default setting for Windows 2000 Pro or Windows XP Pro.

I have tried forwarding the Linux firewall and got no results.

So I put the VPN Nic on the public Internet and ran the same configuration wizard. Again, I can only connect on my internal network.

I am a real newbie and am thoroughly confused.

I have remove active directory because this machine is not my primary domain controller.

Its obvious I should have paid some more attention during installation, but I noticed this:

The VPN setup has lines for Protocol 47, ports 500, 4500 and 1701 and 1723.

The checkbox says accept only traffic on these ports and none other. My support.microsoft.com document says this.

I have a few questions:

1) Are there changes to the VPN client I can make to get this beastie to accept connections.
2) Are there other server componenents besides DCHP(which works) that need to be configured. Perhaps I need the firewall with NAT.
3) Does anyone know what firewall ports need to be forwarded to make the VPN work sitting behind a firewall.
4) Has anyone seen this kind of behavior?
5) Is there maybe a special VPN client to connect to Windows Server 2003?

Complications: I will be out of the country the next two weeks. I am not sure I can connect to the box via Terminal services but I will try. I'm afraid I might mess up the box anyway.

I can try anything on the client side.

I might need a book. I'm heading to the store at lunch time.

Rules: Client solutions are acceptable for any platform. Server suggestions are welcome but they need to be Windows 2003 Server only. Getting this working on Windows 2000 Server was trivial.

Lots of point opportunities, but I'm not going to be generous for solutions that don't apply to this situation.

I am busily searching support.microsoft.com

SEP

Re: VPN setup. Weird results

Steven E. Protter — Tue, 29 Jun 2004 13:56:21 GMT

Additional Question.

I already activated Windows 2003 Server. Can I start over with a cold install?

SEP

Re: VPN setup. Weird results

Ganesh Babu — Tue, 29 Jun 2004 14:55:15 GMT

i think u might have seen this page..

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpnexamp.mspx

Ganesh

Re: VPN setup. Weird results

Ganesh Babu — Tue, 29 Jun 2004 14:56:59 GMT

and this one too..

http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx#XSLTfullModule125121120120

Ganesh

Re: VPN setup. Weird results

Rune J. Winje — Wed, 30 Jun 2004 03:28:14 GMT

Port-number description for most ports is found in the \WINDOWS\system32\drivers\etc\services file.

1) More probably on the VPN server side and/or firewall.
2) http://www.isaserver.org/img/upl/vpnkitbeta2/nat-t-packetfilters.htm
3) 500 is essential for VPN connections. Also some firewalls (especially the personal kind) may not support more than one connection via VPN. Look for "multi-VPN" capability of the firewall. Also see point 2.
4) Haven't tried it yet... :)
5) Activate Remote Desktop, and allow it in your firewall (port 3389)

Cheers,
Rune

Re: VPN setup. Weird results

Thomas Bianco — Wed, 30 Jun 2004 07:09:37 GMT

1) Freeswan is known to connect to Windows AD VPN servers, check out http://www.freeswan.org
2) Not that Iâ m aware of, and NAT is known to break some implementations of IPSEC
3) In general, you need port 500 (UDP), IP protocols 50 and 51. Some firewalls only accept IP Protocols 6 and 17 (TCP and UDP), so check this.
5) Windows is the only client Microsoft accepts for obvious reasons.

I have to disagree strongly with rune, though DO NOT ALLOW REMOTE DESKTOP THROUGH YOUR FIREWALl, this is essentally giving hackers a conso

Re: VPN setup. Weird results

Rune J. Winje — Thu, 01 Jul 2004 01:55:33 GMT

Re: Thomas's comment on my 5)

Yes - totally agree - my brain must've been "out to lunch". Use VPN first to the internal network then Remote Desktop to the server. Additionally allow only access to a limited account (meaning use RunAs when necessary).

Cheers,
Rune

Re: VPN setup. Weird results

Steven E. Protter — Thu, 01 Jul 2004 08:15:20 GMT

No way, no how is remote desktop going to be allowed to work through the firewall.

It is quite wierd honestly that it works just fine on the internal network and not at all on the firewall.

The meaning of this is obvious. The wizard that comes with Windows 2003 doesn't complete the setup.

I will try adding protocol 50 and 51 when I get home.

For a few reasons I'd like to totally redo the OS on the Windows 2003 server. Will I be able to activate the product again?

SEP

Re: VPN setup. Weird results

Steven E. Protter — Thu, 01 Jul 2004 08:19:34 GMT

Two good links Ganesh Babu,

Similar to what I printed, but I believe once I put all of this together and go through the document methodically I will have my answer.

What about the Routing and firewall configuration?

Also, I'd like to check the server logs after connection attempts.

Can someone give me the location and viewing instructions for the logging for the following components:

Firewall
VPN/Remote Access
Routing

SEP

Re: VPN setup. Weird results

Bruno Ganino — Thu, 01 Jul 2004 12:10:47 GMT

Hi, SEP
Founded this
http://www.tacteam.net/isaserverorg/vpnkit/configisavpn.htm
and
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx

Regards
Bruno

Re: VPN setup. Weird results

Steven E. Protter — Tue, 27 Jul 2004 10:07:00 GMT

I may have those packets forwarding.

I've created a local certificate but when I try and connect through the firewall I get a message saying there is no valid certificate.

I found this doc:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323342

Seems trivial to request a certificate for a machine sitting on the lan.

How do I deliver this certificate to a workstation sitting 100 miles away if the server isn't on the public Internet. This is a VPN after all.

SEP

Re: VPN setup. Weird results

Steven E. Protter — Wed, 28 Jul 2004 09:32:36 GMT

I am now quite satisfied that my Linux boxes are properly forwarding packets.

This article, applying to 2000 Server scares me.

http://support.microsoft.com/default.aspx?scid=kb;en-us;247231

The fix suggested here does not work.

This scares me more because the router in this case is a Linux box.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329858

I'm going to file a case on support.microsoft.com and perhaps open a incident with Microsoft

After a google search and some other ideas.

Help please, this is getting ridiculous.

SEP

Re: VPN setup. Weird results

Steven E. Protter — Wed, 28 Jul 2004 09:45:11 GMT

http://support.microsoft.com/default.aspx?scid=kb;en-us;829074

I seem to have this symptom.

SEP

Re: VPN setup. Weird results

Steven E. Protter — Fri, 30 Jul 2004 13:23:24 GMT

Microsoft has admitted that there is a defect in the Windows 2003 Server product that prevents it from working behind certain firewalls. A similar defect was found and eventually corrected in the Server 2000 product.

In the case of certain Linksys routers, Microsoft recommends a firmware update. Obviously this is not possible in a Linux ES 3.0 environment. I have done a direct connect to the Internet and locked down the server. It now works the way its supposed to work.

I will continue to test firewall passthrough and as soon as it works report back. There may be a hotfix to the software that works, but Microsoft isn't talking about that right now. I'll report these findings back as well.

Regards,

SEP