HPE Community
Windows Server 2003
1823759 Members
4306 Online
109664 Solutions
New Discussion юеВ

VPN setup. Weird results

 
Steven E. Protter
Exalted Contributor

тАО06-29-2004 03:42 AM

тАО06-29-2004 03:42 AM

VPN setup. Weird results

I set up Windows 2003 Server for VPN Access. I got the general setup to work via a support.microsoft.com document that set go into remote access, turn it off, turn it back on and use the wizard to configure VPN.

I did this and all of the sudden the VPN works great. Inside my local network. VPN works wonderfully using the default setting for Windows 2000 Pro or Windows XP Pro.

I have tried forwarding the Linux firewall and got no results.

So I put the VPN Nic on the public Internet and ran the same configuration wizard. Again, I can only connect on my internal network.

I am a real newbie and am thoroughly confused.

I have remove active directory because this machine is not my primary domain controller.

Its obvious I should have paid some more attention during installation, but I noticed this:

The VPN setup has lines for Protocol 47, ports 500, 4500 and 1701 and 1723.

The checkbox says accept only traffic on these ports and none other. My support.microsoft.com document says this.

I have a few questions:

1) Are there changes to the VPN client I can make to get this beastie to accept connections.
2) Are there other server componenents besides DCHP(which works) that need to be configured. Perhaps I need the firewall with NAT.
3) Does anyone know what firewall ports need to be forwarded to make the VPN work sitting behind a firewall.
4) Has anyone seen this kind of behavior?
5) Is there maybe a special VPN client to connect to Windows Server 2003?

Complications: I will be out of the country the next two weeks. I am not sure I can connect to the box via Terminal services but I will try. I'm afraid I might mess up the box anyway.

I can try anything on the client side.


I might need a book. I'm heading to the store at lunch time.

Rules: Client solutions are acceptable for any platform. Server suggestions are welcome but they need to be Windows 2003 Server only. Getting this working on Windows 2000 Server was trivial.

Lots of point opportunities, but I'm not going to be generous for solutions that don't apply to this situation.

I am busily searching support.microsoft.com

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
13 REPLIES 13
Steven E. Protter
Exalted Contributor

тАО06-29-2004 06:56 AM

тАО06-29-2004 06:56 AM

Re: VPN setup. Weird results

Additional Question.

I already activated Windows 2003 Server. Can I start over with a cold install?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Ganesh Babu
Honored Contributor

тАО06-29-2004 07:55 AM

тАО06-29-2004 07:55 AM

Re: VPN setup. Weird results

i think u might have seen this page..

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpnexamp.mspx

Ganesh
0 Kudos
Ganesh Babu
Honored Contributor

тАО06-29-2004 07:56 AM

тАО06-29-2004 07:56 AM

Re: VPN setup. Weird results

and this one too..

http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx#XSLTfullModule125121120120

Ganesh
0 Kudos
Rune J. Winje
Honored Contributor

тАО06-29-2004 08:28 PM

тАО06-29-2004 08:28 PM

Re: VPN setup. Weird results

Port-number description for most ports is found in the \WINDOWS\system32\drivers\etc\services file.

1) More probably on the VPN server side and/or firewall.
2) http://www.isaserver.org/img/upl/vpnkitbeta2/nat-t-packetfilters.htm
3) 500 is essential for VPN connections. Also some firewalls (especially the personal kind) may not support more than one connection via VPN. Look for "multi-VPN" capability of the firewall. Also see point 2.
4) Haven't tried it yet... :)
5) Activate Remote Desktop, and allow it in your firewall (port 3389)



Cheers,
Rune
0 Kudos
Thomas Bianco
Honored Contributor

тАО06-30-2004 12:09 AM

тАО06-30-2004 12:09 AM

Re: VPN setup. Weird results

1) Freeswan is known to connect to Windows AD VPN servers, check out http://www.freeswan.org
2) Not that I├в m aware of, and NAT is known to break some implementations of IPSEC
3) In general, you need port 500 (UDP), IP protocols 50 and 51. Some firewalls only accept IP Protocols 6 and 17 (TCP and UDP), so check this.
5) Windows is the only client Microsoft accepts for obvious reasons.

I have to disagree strongly with rune, though DO NOT ALLOW REMOTE DESKTOP THROUGH YOUR FIREWALl, this is essentally giving hackers a conso
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
0 Kudos
Rune J. Winje
Honored Contributor

тАО06-30-2004 06:55 PM

тАО06-30-2004 06:55 PM

Re: VPN setup. Weird results

Re: Thomas's comment on my 5)

Yes - totally agree - my brain must've been "out to lunch". Use VPN first to the internal network then Remote Desktop to the server. Additionally allow only access to a limited account (meaning use RunAs when necessary).


Cheers,
Rune
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-01-2004 01:15 AM

тАО07-01-2004 01:15 AM

Re: VPN setup. Weird results

No way, no how is remote desktop going to be allowed to work through the firewall.

It is quite wierd honestly that it works just fine on the internal network and not at all on the firewall.

The meaning of this is obvious. The wizard that comes with Windows 2003 doesn't complete the setup.

I will try adding protocol 50 and 51 when I get home.

For a few reasons I'd like to totally redo the OS on the Windows 2003 server. Will I be able to activate the product again?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-01-2004 01:19 AM

тАО07-01-2004 01:19 AM

Re: VPN setup. Weird results

Two good links Ganesh Babu,

Similar to what I printed, but I believe once I put all of this together and go through the document methodically I will have my answer.

What about the Routing and firewall configuration?

Also, I'd like to check the server logs after connection attempts.

Can someone give me the location and viewing instructions for the logging for the following components:

Firewall
VPN/Remote Access
Routing

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Bruno Ganino
Honored Contributor

тАО07-01-2004 05:10 AM

тАО07-01-2004 05:10 AM

Re: VPN setup. Weird results

Hi, SEP
Founded this
http://www.tacteam.net/isaserverorg/vpnkit/configisavpn.htm
and
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx

Regards
Bruno
Torino (Turin) +2H
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-27-2004 03:07 AM

тАО07-27-2004 03:07 AM

Re: VPN setup. Weird results

I may have those packets forwarding.

I've created a local certificate but when I try and connect through the firewall I get a message saying there is no valid certificate.

I found this doc:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323342

Seems trivial to request a certificate for a machine sitting on the lan.

How do I deliver this certificate to a workstation sitting 100 miles away if the server isn't on the public Internet. This is a VPN after all.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-28-2004 02:32 AM

тАО07-28-2004 02:32 AM

Re: VPN setup. Weird results

I am now quite satisfied that my Linux boxes are properly forwarding packets.

This article, applying to 2000 Server scares me.

http://support.microsoft.com/default.aspx?scid=kb;en-us;247231

The fix suggested here does not work.

This scares me more because the router in this case is a Linux box.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329858

I'm going to file a case on support.microsoft.com and perhaps open a incident with Microsoft

After a google search and some other ideas.

Help please, this is getting ridiculous.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-28-2004 02:45 AM

тАО07-28-2004 02:45 AM

Re: VPN setup. Weird results

http://support.microsoft.com/default.aspx?scid=kb;en-us;829074

I seem to have this symptom.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Steven E. Protter
Exalted Contributor

тАО07-30-2004 06:23 AM

тАО07-30-2004 06:23 AM

Re: VPN setup. Weird results

Microsoft has admitted that there is a defect in the Windows 2003 Server product that prevents it from working behind certain firewalls. A similar defect was found and eventually corrected in the Server 2000 product.

In the case of certain Linksys routers, Microsoft recommends a firmware update. Obviously this is not possible in a Linux ES 3.0 environment. I have done a direct connect to the Internet and locked down the server. It now works the way its supposed to work.

I will continue to test firewall passthrough and as soon as it works report back. There may be a hotfix to the software that works, but Microsoft isn't talking about that right now. I'll report these findings back as well.

Regards,

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.