A strange thing happened about six months ago ...
My VPN Server
stopped working, and it was after doing a set of security updates for my firewall / proxy server, on which the Routing and Remote Access service was also installed.
After troubleshooting the problem for a long time (off and on for a couple of months) I came to the conclusion that Microsoft had changed something in the service packs; which one, I don't know.
Here are some of the troubleshooting steps I took to determine that a firewall / proxy service (software) will not coexist peacefully with the new and improved Routing and Remote Access service for Windows Server 2003.
While traveling last summer I wanted to connect to my home network to check my mail and get some stats on my web sites. When I tried to connect to the network I would get an "Error 678", "The remote computer did not respond." So to get my email and stats I used an open network, something I really dislike doing since my PayPal account was stolen in 2007 at Dallas-Fort Worth airport while coming home from a trip to the UK. (I resolved that by contacting PayPal and getting a new account; I lost 14 USD to the thief and learned that "WiFi hot spots" are hot for thieves.)
My first step was to remove the RRA (Routing and Remote Access) service from my firewall / proxy server, check the registry to see if there were any remnants of the service left, then reinstall it, configure it, and test it.
Still getting Error 678.
I decided to put the image I had made of the operating system partition (when I did a hardware upgrade for the server) back on the drive and see what would happen. When I tried to connect, it connected, but...
That is the rub, the "but...": I couldn't get outside of my network when using the VPN tunnel. That is, it connects and authenticates my user ID and password, but when I try to ping a computer inside the network the ping times out, and when I use the proxy settings in my browser the target web page never loads.
When I could get the VPN Server to work, the proxy service would quit; there is an incompatibility between RRA and the proxy software. Upgrading the proxy software (WinGate by Qbik.com) made no difference, and activating its built-in VPN software cost over 50 USD, which I didn't want to pay because, well, Routing and Remote Access is free with the Server OS...
For over six months I tried different things that forum posters said they had tried and that worked. Maybe those things worked for them, but they didn't work for me.
When I checked Microsoft TechNet, no one said they were using the same server for both their RRA/VPN and firewall / proxy services.
TechNet has a couple of white papers on setting up Routing and Remote Access and the VPN client. What I noticed in the two I downloaded was that the RRA server sat behind a firewall (on the router) but outside the internal network, much like a DMZ server, though not open to the public the way a DMZ server is.
With an extra computer (an ASUS netbook) I decided to see if the Routing and Remote Access service would do what I wanted:
a secure connection from anywhere I traveled to get my email and check the stats on my web sites, with the ability to check the servers I leave running while I am gone.
Setting up the hardware and Server Operating System ...
The little netbook gave me a few problems when I loaded the Server OS on it: at first the video drivers wouldn't load, then the desktop went corrupt, then the wireless drivers wouldn't load (wrong version of the OS; they were for XP or Windows 2000), and so on. It took three attempts at loading the OS before the netbook was ready for trying to make the RRA service work.
One of the things I found in the white paper was that the "example" company had three intranets (internal networks) that needed to connect to the "campus", the home office intranet, using the internet for access.
To do this the corporate network and the three satellite networks would each use a separate VPN server running the Routing and Remote Access service, connected to each other over the VPN. The setup is basically the same for all the RRA servers, with the exception of the inbound/outbound connection for each intranet, which is the ISP-provided IP address of the local router.
Once the VPN server operating system is installed, all current security service packs are applied, and the server is locked down, bring the VPN server into your domain. Do this before installing the Routing and Remote Access service: you need domain security, group policies, and rights on the server in place before installing RRA on the VPN server.
If you install the service before adding the server to the domain, some of the rights in the Routing and Remote Access policies have to be set manually. See the help for the RRA service if you have problems with the installation.
Before the service pack that changed the static route option (I may research which one sometime in the future), you didn't have to have Static Routes configured under the IP Routing section. This is why my Routing and Remote Access VPN stopped working: now you have to configure a static route for both the WAN connection and the LAN connection. Such as:
Static Routes under the IP Routing section
[screenshot not available]

LAN Static Route
[screenshot not available]

WAN Static Route
[screenshot not available]

Note: The IP addresses in those screenshots are fictitious, by the way.
The first three tries to get the connection to work failed because the IP range I was using was "outside the scope of the base IP address." Uh, yeah.
Note that on the LAN image the last octet (last number) of the IP address is 0 (zero). I was trying to get the route to my Domain Controller and was using its last octet as the number for the route; what I needed to realize is that this route is for all of my LAN, not just my Domain Controller. My DOH! moment.
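As an added example (not part of the original post), here is the arithmetic behind the "last octet 0" fix and the "outside the scope" error, in Python: it zeroes the host bits of a LAN address to get the network the static route must point at, checks that the VPN client address pool falls inside that route (my reading of the "outside the scope" message), and formats the equivalent `netsh routing ip add persistentroute` lines for the LAN route and the WAN default route. The addresses and interface names are made up, and the netsh syntax is the Windows Server 2003 form as I remember it; check it against `netsh routing ip add persistentroute /?` on your own server before pasting anything.

```python
import ipaddress
from typing import List, Optional

# Constructed addresses for this example only (the post's own were fictitious too).
LAN_HOST = "192.168.10.7"            # a host on the LAN, e.g. the domain controller
LAN_MASK = "255.255.255.0"
WAN_GATEWAY = "203.0.113.1"          # ISP-provided gateway on the local router (TEST-NET-3)
LAN_IFACE = "Local Area Connection"  # assumed RRAS interface names
WAN_IFACE = "WAN Connection"


def network_for(host_ip: str, mask: str) -> ipaddress.IPv4Network:
    """The LAN route must name the network the host sits on, not the host itself.
    strict=False zeroes the host bits: 192.168.10.7/255.255.255.0 -> 192.168.10.0/24."""
    return ipaddress.IPv4Network(f"{host_ip}/{mask}", strict=False)


def is_network_address(ip: str, mask: str) -> bool:
    """True only when the host bits are already zero (the 'last octet 0' the post arrived at)."""
    return ipaddress.IPv4Address(ip) == network_for(ip, mask).network_address


def pool_in_scope(network: ipaddress.IPv4Network, first: str, last: str) -> bool:
    """A static address pool handed to VPN clients must lie inside the LAN route;
    otherwise clients get addresses that no route covers."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return lo <= hi and lo in network and hi in network


def persistent_route(dest: str, mask: str, iface: str,
                     nhop: Optional[str] = None, metric: int = 1) -> str:
    """Format one 'netsh routing ip add persistentroute' line (Server 2003 syntax, assumed)."""
    line = f'netsh routing ip add persistentroute dest={dest} mask={mask} name="{iface}"'
    if nhop:
        line += f" nhop={nhop}"
    return line + f" metric={metric}"


def build_routes() -> List[str]:
    """The two static routes the post says RRAS now needs: LAN and WAN."""
    lan = network_for(LAN_HOST, LAN_MASK)
    return [
        # LAN: the whole internal network, directly attached via the LAN interface
        persistent_route(str(lan.network_address), str(lan.netmask), LAN_IFACE),
        # WAN: default route (0.0.0.0/0) out through the ISP gateway
        persistent_route("0.0.0.0", "0.0.0.0", WAN_IFACE, nhop=WAN_GATEWAY),
    ]


if __name__ == "__main__":
    lan = network_for(LAN_HOST, LAN_MASK)
    print(f"{LAN_HOST} is a network address: {is_network_address(LAN_HOST, LAN_MASK)}")
    print(f"LAN route network: {lan}")
    print("pool 192.168.10.200-220 in scope:",
          pool_in_scope(lan, "192.168.10.200", "192.168.10.220"))
    print("pool 192.168.11.200-220 in scope:",
          pool_in_scope(lan, "192.168.11.200", "192.168.11.220"))
    for cmd in build_routes():
        print(cmd)
```

The first print line is the DOH! moment in code: a route with `dest=192.168.10.7` is not a network address, so the check returns False, and the route the LAN actually needs is `192.168.10.0 mask 255.255.255.0`. The second pool check shows the other failure mode, a client pool on a different subnet than the LAN route.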
Now, it has been over fifteen years since I did any network design, setting up a network with a subnet mask to fit. It took me a few tries to figure out the real number I needed to use to get to the intranet and be able to use the proxy server to reach the web securely.
Instead of having one computer provide access from the network to the internet and access to the intranet from the internet, I now have two servers: one for the firewall / proxy to access the internet from my business network, and another for access to my business network from the internet while traveling.
This is not an optimal configuration because I have to use two computers instead of one, but the VPN server and WinGate will not work properly on one server; if one is working the way it was designed, the other program (or service) will not work at all.
Now you ask, why use a VPN server and the Routing and Remote Access service to connect?
You have to understand how a VPN works. Basically it is a connection inside a connection: you connect to the internet through a router, wired or wireless, and then you connect to the RRA service with the VPN client. The VPN is an encrypted connection, so call it a tunnel inside a tunnel. Read here for configuring one.
The first tunnel is your ordinary connection to the internet; the second tunnel is encrypted and connects to the RRA service, so anyone else on the hotspot sees only encrypted tunnel traffic, not what you are doing inside it.
You can have different levels of encryption, from none to 40, 56, or 128 bit. Use the 128-bit setting and configure the server to refuse the weaker ones: 40- and 56-bit keys are short enough to be brute-forced, and a thief who captures your session on a WiFi hot spot can attack the recording offline at leisure, so staying connected only for a short time is not a protection. If both the server and your client support it, an L2TP/IPsec connection is stronger than a PPTP one, and strong account passwords matter as much as the tunnel encryption, since the VPN logon is what actually admits someone to your network.
And now my VPN works again. 