VPN Problem

eggy

Fledgling Freddie
Joined
Feb 3, 2004
Messages
5,283
This isn't DAOC related, but I thought as many of you will be bored at work you might want to read this over and give your opinion.

At work we run the following configuration:

Dual Xeon Windows SBS 2003 Server
2 NICs (internal/external)
2mb ADSL via Router into external NIC

The problem I'm having is to do with VPN from outside of the office. I set up the VPN to allow our "mobile users" full access to the network from outside of the physical boundaries of the building. For this example, I'll be using my account (full administrative rights).

From home, I can log onto my main PC (not on the work domain), connect via a VPN connection to the server, and everything works perfectly 100%. No problems - it's just as though I'm sitting on the network.

This works from other PCs that aren't on the domain as well.

However...

If I try and log on from my work laptop (which by default tries to log onto the local network domain), the VPN connection gets stuck on "verifying username and password"...and that's it.

*I have full administrative rights
*The laptop runs through the same router as my main PC, the correct ports must therefore be open?
*I can happily connect via this laptop to http://serverIP/remote with no problems whatsoever, and use the webmail/server control interface included with SBS.
*The problem is the same even with laptop firewalls turned off.

Is there a group policy setting I'm missing to allow domain computers to access the network via VPN?

Any help would be much appreciated!!
 

anioal

Fledgling Freddie
Joined
Feb 3, 2004
Messages
932
hmm... givf more details (what vpn solution u use, what type of authentication)

anyway, do u use the logins like?
user: domain\user
pass: password

1. if i remember right, there are some tabs in active directory user's properties that control user rights to connect through vpn, if not, u may need to create a group in active directory containing the users that are allowed to connect through vpn
2. how do u allocate ip addresses for vpn clients?
3. can u ping the servers on your network by FQDN when u are using the vpn?
4. as a workaround, did u try to login on your laptop using a local account, not a domain account, and then try to connect to vpn?
 

eggy

Fledgling Freddie
Joined
Feb 3, 2004
Messages
5,283
anioal said:
hmm... givf more details (what vpn solution u use, what type of authentication)

All I know is it's out-of-the-box Windows SBS 2003 VPN! If you want specific info you'll have to elaborate! (I'm new to VPN).

anioal said:
anyway, do u use the logins like?
user: domain\user
pass: password

Yep, exactly right.

anioal said:
1. if i remember right, there are some tabs in active directory user's properties that control user rights to connect through vpn, if not, u may need to create a group in active directory containing the users that are allowed to connect through vpn

I'll check it out, but as far as I am aware everyone in the office has rights to VPN (works on my account from home PC).

anioal said:
2. how do u allocate ip addresses for vpn clients?

They are assigned automatically as far as I know.

anioal said:
3. can u ping the servers on your network by FQDN when u are using the vpn?

Yes, I can ping servers on the network. When I'm running VPN through my personal computer, I can do everything as though I am on the network seamlessly.

anioal said:
4. as a workaround, did u try to login on your laptop using a local account, not a domain account, and then try to connect to vpn?

Yep, didn't work either :s
 

scorge

Fledgling Freddie
Joined
Sep 13, 2004
Messages
2,721
ok eggy, will try and help you out :)

does the server have two NICs in it, one for internal and one for external ip addresses?

Are you routing through a firewall before you hit the 2003 machine?


I take it you are not using site to site vpn, but a VPN client that connects to the VPN gateway?

are you using PPTP or L2TP?

what authentication mechanism are you using?

Password Authentication Protocol (PAP)
Challenge-Handshake Authentication Protocol (CHAP)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP version 2 (MS-CHAP v2)
Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
Extensible Authentication Protocol-Transport Level Protocol (EAP-TLS)


if you haven't done so already I need you to enable connection logging.

A log (Isakmp.log) is created in the
C:\Program Files\Microsoft IPSec VPN folder.

When you create a connection, also enable logging for the PPP processing in L2TP. To do so:

Right-click the Dialup Networking folder, and then click Properties.
Click the Networking tab, and then click to select the Record a log file for this connection check box.

The PPP log file is C:\Windows\Ppplog.txt. It is located in the C:\Program Files\Microsoft IPSec VPN folder.

this should be done on the client machine.

on the server:

On the Logging tab in the properties of a VPN server in the Routing and Remote Access snap-in, there are four levels of logging. Select Log all events, and then try the connection again. After the connection fails, check the system event log for events logged during the connection process. After you are done viewing remote access events, select the Log errors and warnings option on the Logging tab to conserve system resources.


on the windows 2003 server, if you haven't done so already, set up a VPN group

Access by Group Membership
If you manage remote access on a group basis, follow these steps:
1. Create a group with members who are permitted to create VPN connections.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies.
4. Right-click anywhere in the right pane, point to New, and then click Remote Access Policy.
5. Click Next, type the policy name, and then click Next.
6. Click VPN for Virtual Private Access access method, or click Dial-up for dial-up access, and then click Next.
7. Click Add, type the name of the group that you created in step 1, and then click Next.
8. Follow the on-screen instructions to complete the wizard.

if you are using windows xp clients make sure they all have SP2, as this service pack has some fixes for PPTP

need more info before I can give more advice

:m00:
 

eggy

Fledgling Freddie
Joined
Feb 3, 2004
Messages
5,283
Cheers for the replies.

I've added the company-named user group to the remote access group policy, so they should all have access.

I'll check later if it's working after changes suggested. If not, I'll get back to you!
 

Gazon

Fledgling Freddie
Joined
Aug 4, 2004
Messages
655
Dunno if this helps you but this was a problem I had when setting up VPN:

The remote site didn't get access to the network because they both had the same IP range (192.168.1.xxx)
I had to change the range to 192.168.2.xxx for the remote site.
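The address clash Gazon describes is a routing problem on the client, not an authentication one: when the home LAN and the office LAN use the same prefix, the client's own on-link route for that prefix is at least as specific as anything the tunnel offers, so packets for office hosts never enter the VPN. The following Python script is an added example, not code from this thread or from SBS; it models a VPN client's routing table with longest-prefix matching and shows that renumbering one side (as Gazon did) makes the office range route into the tunnel. All addresses and the interface names are constructed for the example.

```python
import ipaddress


def ranges_conflict(client_lan, office_lan):
    """True when the client's own LAN and the office LAN share any addresses."""
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(office_lan, strict=False)
    return a.overlaps(b)


def client_routes(client_lan, office_lan):
    """Constructed routing table of a VPN client (hypothetical interface names):
    its own on-link LAN, the office LAN learned over the tunnel, and a default
    route via the home router. The on-link route is listed first because a
    host ranks it ahead of a tunnel route of equal prefix length."""
    return [
        (client_lan, "local-lan"),
        (office_lan, "vpn"),
        ("0.0.0.0/0", "local-gateway"),
    ]


def route_lookup(routes, target):
    """Longest-prefix match over (cidr, interface) pairs.
    Ties go to the earliest matching entry, mirroring the host preferring
    its directly connected route. Returns the interface name or None."""
    t = ipaddress.ip_address(target)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if t in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed scenario matching the post: both sites on 192.168.1.0/24.
    server = "192.168.1.10"
    print("conflict:", ranges_conflict("192.168.1.0/24", "192.168.1.0/24"))
    print("server reached via:",
          route_lookup(client_routes("192.168.1.0/24", "192.168.1.0/24"), server))
    # After renumbering the remote site to 192.168.2.0/24, the office host
    # no longer matches the client's on-link route and goes through the tunnel.
    print("after renumbering:",
          route_lookup(client_routes("192.168.1.0/24", "192.168.2.0/24"), "192.168.2.10"))
```

Run it as-is to see the clash and the effect of the renumbering; the same check is a quick first step before blaming credentials or policy whenever a VPN client can authenticate but cannot reach office hosts.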
 
