    Where's My VPN?

      garak0410 @garak0410

      @garak0410

      Also, when on a VPN connection, when you do IPCONFIG /ALL, it shows the OLD server IP as primary DNS, so it has to be there. But if I go into ROUTING AND REMOTE ACCESS on the old server, and go into properties, it says THE SERVER HAS NOT BEEN SET UP FOR ROUTING. Perhaps I am just in the wrong properties?

        alexntg

        You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

          garak0410 @alexntg

          @alexntg said:

          You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

          Checking...

            garak0410 @garak0410

            @garak0410 said:

            @alexntg said:

            You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

            Checking...

            Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

            Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

            Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

            It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

              alexntg @garak0410

              @garak0410 said:

              @garak0410 said:

              @alexntg said:

              You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

              Checking...

              Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

              Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

              Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

              It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

              You'll want to configure remote access on the new server first.

                garak0410 @alexntg

                @alexntg said:

                @garak0410 said:

                @garak0410 said:

                @alexntg said:

                You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                Checking...

                Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                You'll want to configure remote access on the new server first.

                On the DC or allow my "services/file" server to handle it?

                  alexntg @garak0410

                  @garak0410 said:

                  @alexntg said:

                  @garak0410 said:

                  @garak0410 said:

                  @alexntg said:

                  You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                  Checking...

                  Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                  Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                  Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                  It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                  You'll want to configure remote access on the new server first.

                  On the DC or allow my "services/file" server to handle it?

                  Personal preference? There's pros and cons to both.

                    garak0410 @alexntg

                    @alexntg said:

                    @garak0410 said:

                    @alexntg said:

                    @garak0410 said:

                    @garak0410 said:

                    @alexntg said:

                    You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                    Checking...

                    Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                    Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                    Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                    It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                    You'll want to configure remote access on the new server first.

                    On the DC or allow my "services/file" server to handle it?

                    Personal preference? There's pros and cons to both.

                    Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                      alexntg @garak0410

                      @garak0410 said:

                      @alexntg said:

                      @garak0410 said:

                      @alexntg said:

                      @garak0410 said:

                      @garak0410 said:

                      @alexntg said:

                      You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                      Checking...

                      Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                      Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                      Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                      It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                      You'll want to configure remote access on the new server first.

                      On the DC or allow my "services/file" server to handle it?

                      Personal preference? There's pros and cons to both.

                      Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                      I've never worked with SBS before.

                        garak0410 @alexntg

                        @alexntg said:

                        @garak0410 said:

                        @alexntg said:

                        @garak0410 said:

                        @alexntg said:

                        @garak0410 said:

                        @garak0410 said:

                        @alexntg said:

                        You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                        Checking...

                        Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                        Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                        Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                        It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                        You'll want to configure remote access on the new server first.

                        On the DC or allow my "services/file" server to handle it?

                        Personal preference? There's pros and cons to both.

                        Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                        I've never worked with SBS before.

                        Thanks for tips...as I said, not having ROUTING AND REMOTE ACCESS set up on the original was causing me to just sit here and shake my head...as I multitask with other things... 🙂

                          garak0410 @garak0410

                          @garak0410

                          Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password. Can't seem to find the solution yet but love OTJ training... 🙂 Still searching...

                            garak0410 @garak0410

                            @garak0410 said:

                            @garak0410

                            Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password. Can't seem to find the solution yet but love OTJ training... 🙂 Still searching...

                            Still trying to solve this problem. Do I need to set up NPS to configure NAP? As I've referred to ad nauseam, the old server didn't have anything special set up.

                              garak0410 @garak0410

                              More in-depth details on the connection problem:

                              Error 812: THE CONNECTION WAS PREVENTED BECAUSE OF A POLICY CONFIGURED ON YOUR RAS/VPN SERVER. SPECIFICALLY, THE AUTHENTICATION METHOD USED BY THE SERVER TO VERIFY YOUR USERNAME AND PASSWORD MAY NOT MATCH THE AUTHENTICATION METHOD CONFIGURED IN YOUR CONNECTION PROFILE.

                              In the properties under ROUTING AND REMOTE ACCESS for my server, under the security tab, I have EAP and MS-CHAP V2 selected. On the client, its security tab is set to Automatic VPN and Allow these protocols with MS-CHAP V2 selected.

                                JaredBusch @garak0410

                                @garak0410 I have never used Windows RAS before so cannot help ya there. Are you sure there was no 3rd party application running as a service on the old server?

                                  garak0410 @JaredBusch

                                  @JaredBusch said:

                                  @garak0410 I have never used Windows RAS before so cannot help ya there. Are you sure there was no 3rd party application running as a service on the old server?

                                  Agreed and checked...nothing...after all the suggestions above, I only found the tunneling information in the firewall that pointed to this server.

                                    garak0410 @garak0410

                                    @garak0410

                                    Going to remove and reinstall the Remote Access role. Just waiting for people to get out of here...come on people...it is well after 5 on a Friday! 🙂

                                      scottalanmiller @garak0410

                                      @garak0410 said:

                                      @garak0410

                                      Going to remove and reinstall the Remote Access role. Just waiting for people to get out of here...come on people...it is well after 5 on a Friday! 🙂

                                      Can't work remotely?

                                        garak0410 @scottalanmiller

                                        @scottalanmiller said:

                                        @garak0410 said:

                                        @garak0410

                                        Going to remove and reinstall the Remote Access role. Just waiting for people to get out of here...come on people...it is well after 5 on a Friday! 🙂

                                        Can't work remotely?

                                        Well, Scott...I fixed that issue we discussed with the IP address of the old server needed for pre-migration created projects...adding it as a secondary IP to the new file server works like a charm. Now if I can get this dang VPN working, I can officially shut down that old, blasted server.

                                          scottalanmiller

                                          Have you used telnet to verify that the server is responding on that port as expected?

                                            garak0410 @scottalanmiller

                                            @scottalanmiller

                                            Yes it responds...now, one thing I didn't know about is that there is a DIAL-IN tab for the users...it is not in the remote admin tools but I have to do it directly from the DC...I go into a remote user, go to the Dial-In tab and allow permission...bam...got in but then couldn't name resolve anything while on VPN and my network connection on my client went to limited...

                                            So firing up the old server for now to just retain VPN and figure it out next week...

                                            G 1 Reply Last reply Reply Quote 0
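
The two checks this thread ended on (the VPN port answering, and the per-user Dial-In permission that cleared Error 812), as an added PowerShell example that is not part of the original posts. The server name `vpn01.example.local` is a placeholder, and the script assumes the ActiveDirectory RSAT module is installed; `msNPAllowDialin` is the AD attribute behind the Dial-In tab's Network Access Permission setting.

```powershell
# Added example, not from the thread. Run from a machine with the
# ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

$VpnServer = 'vpn01.example.local'   # placeholder: the new RRAS server
$PptpPort  = 1723                    # PPTP control channel, as in the firewall rule above

# 1. Equivalent of the telnet test: does the server answer on TCP/1723?
#    PPTP data is carried over GRE (IP protocol 47), which a TCP probe
#    cannot confirm, so a success here only proves the control channel.
$probe = Test-NetConnection -ComputerName $VpnServer -Port $PptpPort `
                            -WarningAction SilentlyContinue
[pscustomobject]@{
    Server    = $VpnServer
    Port      = $PptpPort
    Reachable = $probe.TcpTestSucceeded
}

# 2. Dial-In tab state for every enabled account.
#    msNPAllowDialin: $true  = Allow access
#                     $false = Deny access
#                     unset  = Control access through NPS Network Policy
function Get-DialInState {
    param($Value)
    if ($null -eq $Value) { 'NPS policy decides' }
    elseif ($Value)       { 'Allow' }
    else                  { 'Deny' }
}

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties msNPAllowDialin |
    Select-Object SamAccountName,
                  @{ Name = 'DialIn'
                     Expression = { Get-DialInState $_.msNPAllowDialin } }

# Summary first, then the accounts with an explicit Allow, which are the
# ones able to connect regardless of group-based network policy.
$report | Group-Object DialIn | Select-Object Name, Count
$report | Where-Object DialIn -eq 'Allow' |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Reviewing the explicit Allow list after a migration keeps remote access limited to the accounts that actually need it.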