Frustrating VPN Problem

  • Thread starter: CTSI.2Robs

CTSI.2Robs

I have a Windows 2003 Server acting as the AD, Exchange Server, FTP
server, web server, and, recently, the VPN server. It's sitting in my
office behind a Linksys router, with the appropriate PPTP ports open
and the VPN settings configured.

When I first set this up yesterday, I could connect to the VPN from
home with my Windows XP Home computer just fine. I was able to browse
the internet, access network resources, and connect to my Exchange
Server with MS Outlook. My partner, on his Mac, could connect, and get
an IP address, but he couldn't get internet or connect Entourage to the
Exchange server. (When I originally tried to set this up some 6 months
ago, the exact same thing happened; I could connect properly but he
couldn't.)

Today, I connected directly to the network while in the office (not
using the VPN), and again everything was still fine. But now, I've
come home and connected to the VPN and it's not working correctly.
Like my partner's Mac, my computer gets an IP address but cannot get on
the internet and cannot connect to the exchange server. The only thing
I can think of is that I did reboot the server while in the office
after installing the latest critical update from MS.

Something I've noticed is that when I run IPconfig /all while connected
to the VPN, the numbers look different than before. I didn't make note
of what they were when the VPN was working, but now my computer gets
the proper IP address from the limited range I've assigned it, but now
the default gateway is the same IP as my connection is assigned, and
the DNS ip is the same as the VPN server (i.e. 192.168.1.64 and
192.168.1.5, respectively). I can't say for sure, but I believe
yesterday when it was working that my gateway IP was the Linksys router
and the DNS was the info from my cable modem. Again, I'm not sure
because I didn't pay attention to it when it was working.

If it helps to know, I don't have the server doing DHCP info; that's
all coming from the router. Again, it worked yesterday so I don't
think that's the problem, but I'll listen to any advice from those who
actually know. Thanks in advance:

Rob Miles
 
There are many issues in this post.

1. It is not recommended to enable RRAS on a DC. Check the link below. However, if you configure it correctly, it should work.

2. The PPTP IP and PPTP default gateway are the same. This is normal if you have an XP client.

3. To troubleshoot this issue, can you ping the server IP? If yes, can you ping it by name? It could be a name resolution issue.

Name resolution on VPN Connection issues on DC, ISA, DNS and WINS server as VPN server How to assign DNS and WINS on VPN client manually Name resolution Issue in a VPN client ...
www.chicagotech.net/nameresolutionpnvpn.htm


Computer browser over VPN Computer browsing over VPN involves routers, multiple segments and multihomed servers. It is generally recommended that you implement WINS for name ...
www.howtonetworking.com/VPN/browsingovervpn0.htm

tcp/ip settings for vpn
Why my XP VPN client's IP is the same as default gateway IP Unable to contact a
DHCP server - Event ID 20169. Why does my VPN server or client PPP adapter ...
www.chicagotech.net/vpntcpipsettings.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Hi Robert L. Thanks for your response. My answers (and additional
questions) will go in the order of your list, so here goes.

1) I understand that my setup right now isn't optimal, but I only
(currently) have one server, so I'm kind of stuck. In fact, the server
I'm using is pretty underpowered, with only 512M Ram, which could have
as much to do with my problems as anything else. I might just be
asking that poor PIII to do too much.
I have an XP pro machine that I could use to handle the VPN, but that
can (from what I read) only handle one connection, and I need at least
two (one for my partner and one for me.) I will be bringing in another
computer to install Win2003 Server on soon, though, so maybe that will
help. It'll have more power and RAM, so maybe my issues will
completely disappear. Until then, though, I'll continue with some
other areas to see if there is something else that needs to be
addressed.

2) Okay, no further questions here. If they are supposed to be the
same, then I'm good to go. I just thought they were different when it
was working the first day, but I didn't pay that much attention.

3) I cannot currently ping the server's IP when the VPN is connected,
but when it worked previously (the first day, before rebooting the
server) I could ping both the IP and the server's name without any
problem.

And that's the really frustrating thing. I wouldn't mind so much if it
just didn't work at all; it did work the first day and part of the
second, up until I rebooted the server. Since that point, without
making any other configuration changes, it doesn't work. I'm
considering deleting the VPN settings on the server, rebooting it, and
setting it all up again to see if that will make a difference.

Getting back to number 1 above, you say that the VPN server should not
be a DC. Does that mean that when I install W2k3 on the new box, I
should configure it to be a stand-alone on my network, but not a DC on
it? What is the issue with the VPN server being a DC that it's
recommended against? Am I beating my head against a wall because of my
configuration, and should just concentrate on getting the new machine
setup and then working on the VPN part?

Also, could my Linksys router be the problem? It's not a true VPN
router, but it enables PPTP and IPSec passthroughs, and is supposed to
work. It's a WRT54G, but I haven't yet found any direct confirmation
that it will allow multiple tunnels, or multiple connections per tunnel
(not really clear on that part of VPN, actually.)

Thanks for your help, Robert. Any additional info you can give me will
be greatly appreciated.

Rob Miles
 
1. Correct. XP is peer-to-peer VPN.

2. We don't recommend installing RRAS on a DC. But that doesn't mean that it won't work. It is not a power or RAM issue. It is a connectivity issue or a name resolution issue. As said, if you have the correct configuration, it should work.

3. If you can establish the VPN but can't ping, this may not be a router issue.

4. If you can't establish the VPN and get an error code, that could be a router issue. Post the error code.

5. Posting the result of both server and client ipconfig /all here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
First, I apologize for the double post of my response. The Google
server said there was a problem the first time I tried to post it, so I
attempted to post it again, and here we are. Anyway...

IP Config /all for client (while connected):
C:\Documents and Settings\Rob Miles>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Vaio-Rob-home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-0E-35-D4-88-3F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.108
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 151.199.0.39
199.45.32.43
Lease Obtained. . . . . . . . . . : Tuesday, January 10, 2006 12:58:40 PM
Lease Expires . . . . . . . . . . : Wednesday, January 11, 2006 12:58:40 PM

Ethernet adapter Local Area Connection: [I'M NOT USING THIS CONNECTION AT ALL]

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-01-4A-19-CD-9F

PPP adapter Custom Tech:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.61
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.1.61
DNS Servers . . . . . . . . . . . : 192.168.1.5

ipconfig /all from VPN server:
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ctsi-server
Primary Dns Suffix . . . . . . . : ctsi-2robs.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : ctsi-2robs.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-30-BD-06-56-AE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.5

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.60
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

I don't know enough to determine if anything is wrong there or not. I
can establish the VPN, but cannot ping, and I don't have an error code
to post.

On a whim I did delete the VPN settings on the server, rebooted, and
reestablished the VPN settings to see if it would work again, but no
luck there either. I know something is wrong, but no idea what.

Thanks again, Bob.

Rob Miles
 
Not going to work, dude. Your LAN address is in the 192.168.1.xxx subnet,
the same as the VPN server. When you try to ping something on the other end
of the VPN, your computer thinks it's on your end because both the VPN
server and your computer have IP addresses in the 192.168.1.x range.

The only way to fix this is to change the IP addressing on either your end
or the VPN server end so they are in different networks.

I didn't see your original message, but if you're trying to connect to a
company VPN server, that's really the one that should be changed, as hard as
that is going to be. Otherwise almost everyone with a home router is going
to have the same problem.

Ray

 
Oh, for the love of... It's that freaking easy? You've got to be
kidding me. Sure enough, it works now. Thanks, Ray, I really
appreciate the info. I just called my partner and asked him to change
his home addressing also to verify that it works for his Mac now, but
I've got a pretty good feeling about it.

It's just the two of us, so it's really pretty simple for us to change
our respective home IP addressing schemes. The real problem is that
we'll be going to clients, and we have no way to control, or often even
know, what addressing scheme they have running until we get there. The
best I can figure is we'll need to use a private address scheme that's
so far out of the norm that most people won't have it; something really
off the wall.

But hey, at least at home I can connect now, and that's a real plus!

Thanks again, Ray.
 
Thanks for the note. Yes, this is a really, really big problem for companies
that did their network installations many years ago and took all of the
defaults. Their world was fine as long as the outside world was out of the
picture. :-)

Take care,

Ray
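
Added example (not part of any post in this thread): a Python check for the overlap Ray diagnosed, run over a trimmed copy of the client ipconfig output posted above, plus the pre-check Rob describes for picking an office range that client sites are unlikely to use. The function names, the ASSUMED_COMMON_LANS list and the candidate range 172.27.94.0/24 are illustrative assumptions.

```python
import ipaddress
import re

# Trimmed from the client "ipconfig /all" output posted in the thread.
CLIENT_IPCONFIG = """\
Ethernet adapter Wireless Network Connection 2:

IP Address. . . . . . . . . . . . : 192.168.1.108
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Custom Tech:

IP Address. . . . . . . . . . . . : 192.168.1.61
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.1.61
DNS Servers . . . . . . . . . . . : 192.168.1.5
"""

# Assumption: an illustrative list of LANs a client site might use, not a survey.
ASSUMED_COMMON_LANS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                       "10.0.0.0/24", "10.0.1.0/24"]

HEADER = re.compile(r"^(\w+) adapter (.+):\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?)[ .]*:\s*(\S*)\s*$")


def parse_adapters(text):
    """Split ipconfig output into one dict per adapter (kind, name, fields)."""
    adapters = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            adapters.append({"kind": header.group(1), "name": header.group(2)})
            continue
        field = FIELD.match(line)
        if field and adapters and field.group(2):
            adapters[-1][field.group(1)] = field.group(2)
    return adapters


def find_conflicts(adapters, office_lan):
    """Local (non-PPP) networks that overlap the LAN behind the VPN server.

    Addresses in such a network are treated as on-link, so packets for the
    office server leave through the local adapter instead of the tunnel.
    """
    office = ipaddress.ip_network(office_lan)
    conflicts = []
    for adapter in adapters:
        if adapter["kind"] == "PPP" or "IP Address" not in adapter:
            continue
        local = ipaddress.ip_network(
            f"{adapter['IP Address']}/{adapter['Subnet Mask']}", strict=False)
        if local.overlaps(office):
            conflicts.append((adapter["name"], str(local)))
    return conflicts


def renumbering_check(candidate, site_lans=ASSUMED_COMMON_LANS):
    """Return the site LANs a candidate office range would still collide with."""
    net = ipaddress.ip_network(candidate)
    if not net.is_private:
        raise ValueError(f"{candidate} is not a private (RFC 1918) range")
    return [s for s in site_lans if net.overlaps(ipaddress.ip_network(s))]


if __name__ == "__main__":
    parsed = parse_adapters(CLIENT_IPCONFIG)
    print(find_conflicts(parsed, "192.168.1.0/24"))   # office LAN per server output
    print(renumbering_check("172.27.94.0/24"))        # constructed candidate range
```

The office LAN passed to find_conflicts comes from the server output in the thread (192.168.1.5 with mask 255.255.255.0).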
 