
Windows Server 2008 & VPN

  • 03-09-2008 12:28am
    #1
    Registered Users Posts: 527 ✭✭✭


    Hi all,

    I have Windows Server 2008 loaded on to a machine at home and was trying to get it setup to allow VPN connections remotely.

    Info:

    1x Wireless router (with VPN port forwarding pointing to the server's IP)
    1x Home PC (running Vista 64bit SP1)
    2x Laptop (both running Vista 64bit SP1)

    I have been able to connect through the VPN on the home PC and one laptop (not on the home network) but I keep getting limited connectivity on both VPN connections (1 internal network and 1 external network).

    The other laptop cannot establish any connection to the VPN at all :confused:


    1. Does anyone know what I could do to fix the limited connectivity problem?
    2. Any ideas about the laptop that cannot establish any VPN connection at all?


    Any help would really be appreciated.

    Thanks in advance


Comments

  • Registered Users Posts: 5,517 ✭✭✭axer


    You need to look at the IP addressing used by those that cannot connect. If they are on the 192.168.2.x subnet and they try to VPN to a machine also on the 192.168.2.x subnet then there will be an IP address conflict so make sure the subnet of the computer trying to connect is on a different subnet to the VPN server.


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    router ip = 192.168.1.1 (VPN: L2TP and PPTP forwarded to server ip)
    machine1 = 192.168.1.2
    laptop1 = 192.168.1.3
    server = 192.168.1.4

    dhcp server is enabled on the router and is set in a range from 192.168.1.2 -> 192.168.1.254


    I have Server 2008 installed and have created a few users with remote access privileges. I have also created the 'Routing and Remote Access' role, I have not specified/created a Network Policy Service (NPS).

    :confused:


  • Registered Users Posts: 5,517 ✭✭✭axer


    Sean^DCT4 wrote: »
    router ip = 192.168.1.1 (VPN: L2TP and PPTP forwarded to server ip)
    machine1 = 192.168.1.2
    laptop1 = 192.168.1.3
    server = 192.168.1.4

    dhcp server is enabled on the router and is set in a range from 192.168.1.2 -> 192.168.1.254


    I have Server 2008 installed and have created a few users with remote access privileges. I have also created the 'Routing and Remote Access' role, I have not specified/created a Network Policy Service (NPS).

    :confused:

    You won't be able to VPN via your own network since you will be in the same subnet in both connections, thus your computer will not know which interface to send packets out.

    What is your LAN IP address when trying to connect from a different network?

    I suggest you change the IP addressing scheme of your LAN to the 192.168.11.x (or some different subnet that is likely not to be used) e.g.
    router ip = 192.168.11.1
    machine1 = 192.168.11.2
    laptop1 = 192.168.11.3
    server (static) = 192.168.11.254

    dhcp range 192.168.11.2 -> 192.168.11.253

    That way you are less likely to have IP address problems when VPN'ing from different networks.


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    here's the details from ipconfig (connected from an external network)
    PPP adapter VPN Home External:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VPN Home External
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Wireless LAN adapter Wireless Network Connection:
    
       Description . . . . . . . . . . . : Atheros AR5006EX Wireless Network Adapt
    
       Physical Address. . . . . . . . . : 00-1B-9E-DD-F2-8A
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::c085:d319:c85c:6aa8%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.76(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 03 September 2008 23:38:58
       Lease Expires . . . . . . . . . . : 04 September 2008 23:38:58
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Enabled
    


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    axer wrote: »
    I suggest you change the IP addressing scheme of your LAN to the 192.168.11.x (or some different subnet that is likely not to be used) e.g.
    router ip = 192.168.11.1
    machine1 = 192.168.11.2
    laptop1 = 192.168.11.3
    server (static) = 192.168.11.254

    dhcp range 192.168.11.2 -> 192.168.11.253

    That way you are less likely to have IP address problems when VPN'ing from different networks.

    It's really ironic you mentioned that as I tried that exact thing. The exact same IPs as you mentioned.. DHCP server from 192.168.11.2 to....11.254

    Unfortunately I lost all internet connectivity when I made the change. I rebooted the router a few times and the machines but still no internet with those IP's.

    I'm a bit tired so I'll give this a go tomorrow evening. Could have made a mistake with the router setup..

    I'll post the ipconfig output with the new IP address range then too.


    Thanks for the help.


  • Registered Users Posts: 5,517 ✭✭✭axer


    Sean^DCT4 wrote: »
    It's really ironic you mentioned that as I tried that exact thing. The exact same IPs as you mentioned.. DHCP server from 192.168.11.2 to....11.254

    Unfortunately I lost all internet connectivity when I made the change. I rebooted the router a few times and the machines but still no internet with those IP's.

    I'm a bit tired so I'll give this a go tomorrow evening. Could have made a mistake with the router setup..

    I'll post the ipconfig output with the new IP address range then too.


    Thanks for the help.

    I'd say it was a problem with your router setup. Make sure you change the DHCP server IP range first, then the router IP address, then reboot the router. Then do an ipconfig /renew.

    You can see that the wireless connection is on the same subnet as the network you are trying to VPN into. This will cause problems since your computer will not know whether to send traffic destined for the 192.168.1.x network to the local external network or through the VPN.

    Change the IP addresses then try again.
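
The overlap axer describes can be checked mechanically. The following is an added example, not part of the original thread: it parses `ipconfig /all` text and reports any non-tunnel adapter whose subnet overlaps the LAN behind the VPN server. The function names and the `remote_lan` argument are assumptions for illustration; the sample text is constructed from the output posted above.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ipconfig output posted in the thread.
SAMPLE_IPCONFIG = """\
PPP adapter VPN Home External:

   IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.76(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(IPv4 Address|Subnet Mask)[ .]*:\s*([\d.]+)")


def parse_adapters(text):
    """Return {adapter name: IPv4Network} for adapters with an address and mask."""
    adapters, name, fields = {}, None, {}
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            name, fields = header.group(1), {}
            continue
        field = FIELD_RE.match(line)
        if field and name:
            fields[field.group(1)] = field.group(2)
            if len(fields) == 2:
                # strict=False turns host address + mask into its network.
                adapters[name] = ipaddress.ip_network(
                    f"{fields['IPv4 Address']}/{fields['Subnet Mask']}",
                    strict=False)
    return adapters


def overlapping_adapters(text, remote_lan):
    """Names of non-tunnel adapters whose subnet overlaps the remote LAN.

    remote_lan (hypothetical parameter) is the LAN behind the VPN server,
    e.g. "192.168.1.0/24". PPP adapters are skipped: they are the tunnel.
    """
    remote = ipaddress.ip_network(remote_lan)
    return [name for name, net in parse_adapters(text).items()
            if not name.startswith("PPP adapter") and net.overlaps(remote)]
```

With the thread's original addressing, `overlapping_adapters(SAMPLE_IPCONFIG, "192.168.1.0/24")` flags the wireless adapter; with the suggested `192.168.11.0/24` server LAN it returns an empty list.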


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    I won't have a chance to test this until later this evening but so far I have changed my router settings to:

    IP: 192.168.11.1
    DHCP : 192.168.11.2 <-> 192.168.11.254
    Primary DNS: 192.168.11.1

    Should I change my Server's IP address to a fixed one on a different subnet i.e. 10.0.0.1 ?
    I suppose that would not make any difference as I have changed the router's IP?

    Will it cause a problem if the VPN IP of the connecting machine has the same IP as that of the server's IP?

    I suppose what I'm asking is, what should the IP of connecting clients through the VPN be?


    Thanks for the help.


  • Registered Users Posts: 5,517 ✭✭✭axer


    Sean^DCT4 wrote: »
    Should I change my Server's IP address to a fixed one on a different subnet i.e. 10.0.0.1 ?

    I presume this server is plugged into the router you just gave the IP addresses for. If that is true then it needs to be on the same subnet as the router, i.e. 192.168.11.x, so give it maybe 192.168.11.2 and change the DHCP to start giving IP addresses starting from 192.168.11.3 instead of starting at 192.168.11.2.

    Sean^DCT4 wrote: »
    I suppose that would not make any difference as I have changed the router's IP?

    Will it cause a problem if the VPN IP of the connecting machine has the same IP as that of the server's IP?

    I suppose what I'm asking is, what should the IP of connecting clients through the VPN be?

    The IP subnet of the connecting clients should be different to that of the server's subnet, e.g. you have the server set up on the 192.168.11.x subnet, which means it should work fine as long as the machines that are VPN'ing are not on the same subnet on their local network. So, e.g., if the machines are connecting in to your network from a different location, they could be using the subnet 192.168.1.x and it would work fine, or 192.168.2.x, 192.168.3.x etc.


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    Thanks Axer, that cleared up a few things for me :)

    I was able to VPN into the server from my laptop at home and view the server's file shares etc. (through the router and VPN).


    However, I did notice that on my router setup page it had assigned a new IP to the server (192.168.11.3) even though I had set its LAN connection to use a static IP address of (192.168.11.69).

    Windows Server shows the IP as 192.168.11.69 in both the Server Manager and ipconfig. But, the router picks it up as 192.168.11.3

    As a result of all this, the port-forwarding is messed up.. It is set to go to 192.168.11.69 but sees this machine as 192.168.11.3


    Will I try a different router maybe? Or is there a way to stop the server receiving an IP from the router?



    PS:
    Forgot to mention the router's settings:

    IP: 192.168.11.1
    Subnet Mask: 255.255.255.0
    Server IP: 192.168.11.69 (static)
    DHCP: 192.168.11.5 <-> 192.168.11.50
    Primary DNS (Router): 192.168.11.1


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    Why not use Windows 2008 in RRAS role? This way you should be able to pretty much eliminate the router except for its router role and allow Windows to take care of protecting interfaces and remote access etc.


  • Registered Users Posts: 527 ✭✭✭Sean^DCT4


    azzeretti wrote: »
    Why not use Windows 2008 in RRAS role? This way you should be able to pretty much eliminate the router except for its router role and allow Windows to take care of protecting interfaces and remote access etc.

    Thanks for the reply azzeretti.

    To be honest, I am open to any suggestion to get this working.
    I had a look at this tutorial: http://www.windowsecurity.com/articles/configuring-windows-server-2008-remote-access-ssl-vpn-server-part2.html

    Most of it seems ok with the exception of "Creating an IIS Certificate.."

    Could I use something like Opendns to have a public DNS entry running on the server?
    The reasoning for it would be if the router IP changes then any VPN client wouldn't need to change any connection settings as they would be connecting to something like http://SeanDCT4WindowsServer.opendns.org ?

    I hope that makes sense :confused:

