VPN setup not working

Oyeve

Lifer
Oct 18, 1999
22,020
868
126
Hi. I installed a Windows 2003 VPN server. I put it in front of my firewall. I have 2 locations, HQ and a remote office, that are connecting to my Active Directory network via the firewall's VPN; that's why I put the 2003 VPN server in front of the FWs. I added 1 of my public IPs on the server and I can ping it from the outside (Internet), but I cannot get a computer that is on the Internet to connect via PPTP VPN. What am I missing?

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Define "in front of your firewall": is the server directly on the Internet? If so, 2003 is just asking to be "pwned." Did you use RRAS or is this some other 3rd-party server?

Oyeve

Lifer
> Define "in front of your firewall": is the server directly on the Internet? If so, 2003 is just asking to be "pwned." Did you use RRAS or is this some other 3rd-party server?

Yes, directly on, and yes, it's RRAS.

imagoon

Diamond Member
> Yes, directly on, and yes, it's RRAS.

Well, a) get that thing off being directly on the Internet.
b) What is the error code the VPN client is returning? PPTP is pretty straightforward through a firewall; you removed that by sticking it right on the net.

Is your routing correct on the 2003 box? With a public IP address the default gateway would need to be on the Internet adapter with the next hop being the ISP's router.

imagoon

Diamond Member
Since you are doing a site-to-site VPN, you will need to set up RRAS from a static mapped external IP in the firewall, port forwarding 1723 and protocol 43 to the RRAS server.

You will need to create a user in AD and assign it a static IP in AD under dial-in properties. Typically the remote VPN will be set to dial, maintain and reconnect. Once you verify that this specialized user is able to connect (it must be allowed in AD and in RRAS; typically an AD group is assigned for this purpose).

You will need to apply routes to the dial-in user on the RRAS server. Then in your router core you will need to assign routes that have a gateway of your RRAS server. On the remote end, you will need to define a route for the internal networks to be pushed over the VPN tunnel.

example:

Home office : 10.1.0.1/24
Remote office: 192.168.1.0/24
RRAS IP : 10.1.0.4/24
Remote firewall ip : 192.168.1.1

Remote username: "remoteoffice1", static IP assigned: 10.1.0.5
"static route for remoteoffice1" 192.168.1.0/24 10.1.0.5 (this gets inserted into the RRAS static route list)

Route to insert into the home office route list (static / BGP / RIP2, pick your poison):
192.168.1.0/24 10.1.0.4

Remotely:
192.168.1.0/24 gateway 192.168.1.1

Route in the firewall: 10.0.0.0/8 10.1.0.5 [some firewalls here will have a 'fake route' of 10.0.0.0/8 <VPN Tunnel>]

This is just an example; your real environment is likely very different.

In the PPTP side of the firewall:

username DOMAIN\remoteoffice1
password <some really long and difficult password>

Your 2003 VPN server being right on the Internet is going to cause all sorts of connectivity issues including misregistered DNS names, improper IP management etc. This is ignoring the fact that it will likely be "omgwtfowned" in less than a month and provide a) free access to your internal network or b) "Free VPN" to the rest of the world. or c) a botnet master.
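The route list in the post above is easy to get wrong in one direction only, which then shows up as "the tunnel comes up but nothing answers." The following is an added example (not from this thread or from RRAS itself) that encodes the post's sample routes as plain tables and walks a packet through them with longest-prefix matching, so each hop can be checked before anything is typed into RRAS, the core router or the SonicWall. The device names (`hq-core`, `rras`, `remote-fw`), the on-link "direct" entries and the assumption that 10.1.0.5 is the remote firewall's tunnel address are mine; the prefixes and next hops are the post's. When building the matching firewall forward, verify it against the vendor documentation: the PPTP control channel is TCP port 1723 and the data channel is GRE, which is IP protocol number 47.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination prefix, next hop). "direct" means the prefix is on-link.
Route = Tuple[ipaddress.IPv4Network, str]


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nexthop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


# Route tables built from the post's example. The prefixes and next hops are the
# post's sample values; the "direct" entry for each device's own LAN is assumed.
TABLES: Dict[str, List[Route]] = {
    "hq-core":   [(net("10.1.0.0/24"), "direct"), (net("192.168.1.0/24"), "10.1.0.4")],
    "rras":      [(net("10.1.0.0/24"), "direct"), (net("192.168.1.0/24"), "10.1.0.5")],
    "remote-fw": [(net("192.168.1.0/24"), "direct"), (net("10.0.0.0/8"), "10.1.0.5")],
}

# Which device answers on a given next hop, seen from the forwarding device.
# Assumed topology: 10.1.0.5 is the dial-in address of the remote firewall, so from
# RRAS it leads into the PPTP tunnel and from the remote firewall it leads back to RRAS.
PEER: Dict[Tuple[str, str], str] = {
    ("hq-core", "10.1.0.4"): "rras",
    ("rras", "10.1.0.5"): "remote-fw",
    ("remote-fw", "10.1.0.5"): "rras",
}


def trace(start: str, dst: str, tables: Dict[str, List[Route]] = TABLES,
          max_hops: int = 8) -> List[str]:
    """Return the devices a packet for dst visits, starting at device `start`.
    The list ends with 'delivered', 'no-route', 'unknown' or 'loop' for diagnosis."""
    path = [start]
    device = start
    for _ in range(max_hops):
        nexthop = lookup(tables[device], dst)
        if nexthop is None:
            return path + ["no-route"]
        if nexthop == "direct":
            return path + ["delivered"]
        device = PEER.get((device, nexthop), "unknown")
        path.append(device)
        if device not in tables:
            return path
    return path + ["loop"]


def without_route(tables: Dict[str, List[Route]], device: str, prefix: str):
    """Copy of tables with one route removed, to show what a forgotten route looks like."""
    t = copy.deepcopy(tables)
    t[device] = [r for r in t[device] if r[0] != net(prefix)]
    return t


if __name__ == "__main__":
    print(trace("hq-core", "192.168.1.50"))   # HQ -> remote office LAN
    print(trace("remote-fw", "10.1.0.20"))    # remote office -> HQ LAN
    # Forgetting the per-user static route on RRAS breaks the HQ -> remote direction only.
    print(trace("hq-core", "192.168.1.50", without_route(TABLES, "rras", "192.168.1.0/24")))
```

Running it shows the HQ-to-remote path going core router, RRAS, remote firewall, delivered, and the return path going remote firewall, RRAS, delivered; dropping the RRAS static route turns the first trace into a "no-route" at RRAS while the return path still works, which is exactly the asymmetric failure that makes one side of a site-to-site link appear dead.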

Oyeve

Lifer
> Since you are doing a site-to-site VPN, you will need to set up RRAS from a static mapped external IP in the firewall, port forwarding 1723 and protocol 43 to the RRAS server.
>
> You will need to create a user in AD and assign it a static IP in AD under dial-in properties. Typically the remote VPN will be set to dial, maintain and reconnect. Once you verify that this specialized user is able to connect (it must be allowed in AD and in RRAS; typically an AD group is assigned for this purpose).
>
> You will need to apply routes to the dial-in user on the RRAS server. Then in your router core you will need to assign routes that have a gateway of your RRAS server. On the remote end, you will need to define a route for the internal networks to be pushed over the VPN tunnel.
>
> example:
>
> Home office : 10.1.0.1/24
> Remote office: 192.168.1.0/24
> RRAS IP : 10.1.0.4/24
> Remote firewall ip : 192.168.1.1
>
> Remote username: "remoteoffice1", static IP assigned: 10.1.0.5
> "static route for remoteoffice1" 192.168.1.0/24 10.1.0.5 (this gets inserted into the RRAS static route list)
>
> Route to insert into the home office route list (static / BGP / RIP2, pick your poison):
> 192.168.1.0/24 10.1.0.4
>
> Remotely:
> 192.168.1.0/24 gateway 192.168.1.1
>
> Route in the firewall: 10.0.0.0/8 10.1.0.5 [some firewalls here will have a 'fake route' of 10.0.0.0/8 <VPN Tunnel>]
>
> This is just an example; your real environment is likely very different.
>
> In the PPTP side of the firewall:
>
> username DOMAIN\remoteoffice1
> password <some really long and difficult password>
>
> Your 2003 VPN server being right on the Internet is going to cause all sorts of connectivity issues including misregistered DNS names, improper IP management etc. This is ignoring the fact that it will likely be "omgwtfowned" in less than a month and provide a) free access to your internal network or b) "Free VPN" to the rest of the world. or c) a botnet master.

Ok, I took it off the direct internet connection and it is now behind the firewall.

I am not doing a site-to-site. I already have that working. I just want to build a cheap 2003 VPN server that I can access from outside. I don't want to muck around with my firewalls as they are really old SonicWalls. I need the VPN server to be able to be seen from the outside; that's why I put it in front of the firewall.

imagoon

Diamond Member
> Ok, I took it off the direct internet connection and it is now behind the firewall.
>
> I am not doing a site-to-site. I already have that working. I just want to build a cheap 2003 VPN server that I can access from outside. I don't want to muck around with my firewalls as they are really old SonicWalls. I need the VPN server to be able to be seen from the outside; that's why I put it in front of the firewall.

In that case you will just need to create a couple of forwards in the firewall: 1723 (UDP only, I think, from memory) and protocol 43 (GRE). I know you don't want to muck around in there, but you have to create the forward.

Once you do that, you need to create a rule that says something to the effect of "User is a member of group <your AD group>: accept connection." Add your test user to that group. You can do the initial testing from the XP / 7 VPN client using the inside IP, then fix the firewall at the end. The client should generate an error code if it fails for some reason; this will help a bunch in diagnosing. I also recommend that you enable logging on RRAS. It normally puts the log in c:\windows\system32\logs\<something> <- memory error here.