Networking Forums

Microsoft VPN setup - what am I doing wrong?

 
 
Jon Doe
Guest
Posts: n/a

 
      07-28-2005, 04:45 AM

I'm trying to set up VPN on a Windows 2003, but I just can't seem to get it
to work. I followed the Microsoft instructions on installing a multi-homed
standard VPN (or maybe I've missed something). On the internal card, I set up
the IP address, internal DNS and WINS, but with no gateway. On the external
(internet) card, I set up the external IP address, mask, and the external
gateway that's on our PIX firewall (this is the address showing up as our
internet gateway everyone uses to get out).

I set up a custom IP pool, and then added our internal DHCP server address
under the DHCP relay portion of RRAS. It doesn't work right now, so can
someone please tell me what I'm doing wrong. Do I need to do something with
static routes in RRAS (if so can someone tell me how I can configure that?).

Thanks much in advance!


 
 
 
 
 
Miha Pihler [MVP]
Guest
Posts: n/a

 
      07-28-2005, 08:24 AM
Hi,

How does this problem reflect? Can you connect to VPN server? What error do
you get if you can't connect?

Are you trying to connect (for testing) to VPN server on internal network or
from external network (Internet)? What protocols do you use (PPTP, L2TP,
IPSec)? Are there any rules on PIX firewall that might filter requests to
VPN Server from Internet?

--
Mike
Microsoft MVP - Windows Security

 
Jon Doe
Guest
Posts: n/a

 
      07-28-2005, 12:31 PM
I'm trying to connect from home to it, so from the outside...it just says it
can't connect. I'm using PPTP and I haven't done anything on the firewall
yet.

 
Miha Pihler [MVP]
Guest
Posts: n/a

 
      07-28-2005, 03:58 PM
Hi,

If you are connecting from home and need to connect to server behind your
firewall (PIX) then you will need to open a few things on this firewall to
allow PPTP traffic to pass through to your VPN server.

For PPTP you will need to open:
- TCP 1723
- GRE protocol (IP protocol 47)

After you open these things on your firewall try to connect...

--
Mike
Microsoft MVP - Windows Security

Reply With Quote
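Added example, not part of any poster's reply: a Python check of the PPTP control channel to run from outside the firewall once TCP 1723 and GRE are opened as described in the post above. It sends the Start-Control-Connection-Request from RFC 2637 and validates the reply; the function names and the constructed sample reply are assumptions of this example. It only exercises TCP 1723, so if it reports success while real clients still fail, check that GRE (IP protocol 47) is passed as well.

```python
import socket
import struct

PPTP_PORT = 1723               # TCP control channel
MAGIC_COOKIE = 0x1A2B3C4D      # constant in every PPTP control message
SCCRQ, SCCRP = 1, 2            # Start-Control-Connection-Request / -Reply
# length, message type, cookie, control type, reserved, version, result code,
# error code, framing caps, bearer caps, max channels, firmware, host, vendor
MSG = struct.Struct("!HHIHHHBBIIHH64s64s")      # 156 bytes


def build_sccrq(host_name=b"probe"):
    """First message a PPTP client sends once TCP 1723 is connected."""
    return MSG.pack(MSG.size, 1, MAGIC_COOKIE, SCCRQ, 0, 0x0100, 0, 0,
                    3, 3, 0, 0, host_name, b"")


def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < MSG.size:
        raise ValueError("short reply: %d bytes" % len(data))
    (_len, msg_type, cookie, ctrl, _r0, version, result, error,
     _fr, _br, _ch, _fw, host, vendor) = MSG.unpack(data[:MSG.size])
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {"version": version, "result": result, "error": error,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe(host, timeout=5.0):
    """Return (status, detail) for the TCP 1723 control channel only."""
    try:
        sock = socket.create_connection((host, PPTP_PORT), timeout=timeout)
    except OSError as exc:                 # filtered or closed at the firewall
        return "tcp-1723-unreachable", str(exc)
    with sock:
        try:
            sock.sendall(build_sccrq())
            data = b""
            while len(data) < MSG.size:
                chunk = sock.recv(MSG.size - len(data))
                if not chunk:
                    break
                data += chunk
            reply = parse_sccrp(data)
        except (OSError, ValueError) as exc:
            return "no-pptp-reply", str(exc)
    if reply["result"] != 1:               # 1 = channel established
        return "pptp-refused", "result code %d" % reply["result"]
    return "control-channel-ok", reply["host"]


# Constructed sample reply (example values, not captured from a real server).
SAMPLE_SCCRP = MSG.pack(MSG.size, 1, MAGIC_COOKIE, SCCRP, 0, 0x0100, 1, 0,
                        1, 1, 0, 0, b"vpn-server", b"example-vendor")

if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_SCCRP))
```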
 
Phillip Windell
Guest
Posts: n/a

 
      07-28-2005, 05:08 PM
"Jon Doe" <(E-Mail Removed)> wrote in message
news:0pydnWXUH-V2_3XfRVn-(E-Mail Removed)...
> I set up a custom IP pool, and then added our internal DHCP server address
> under the DHCP relay portion of RRAS. It doesn't work right now, so can


You use the Static IP Pool *or* the DHCP Agent. You don't use both,...it is
a choice between the two methods.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
 
Clint Denham
Guest
Posts: n/a

 
      08-01-2005, 02:07 PM
> You use the Static IP Pool *or* the DHCP Agent. You don't use both,...it is
> a choice between the two methods.
>
> --


No it isn't - how are VPN Clients supposed to receive DNS Suffix and other
DHCP Options that aren't issued through IPCP? You can absolutely configure a
static pool and then configure the DHCP Relay Agent simultaneously for VPN
Clients.

Even if VPN Clients are statically assigned, the client OS still sends out
DHCP Inform packets to request additional information.
 
 
Phillip Windell
Guest
Posts: n/a

 
      08-01-2005, 09:15 PM

"Clint Denham" <(E-Mail Removed)> wrote in message
news89FB698-3AB8-4C7C-8783-(E-Mail Removed)...
> > You use the Static IP Pool *or* the DHCP Agent. You don't use both,...it is
> > a choice between the two methods.
>
> No it isn't - how are VPN Clients supposed to receive DNS Suffix and other
> DHCP Options that aren't issued through IPCP? You can absolutely configure a
> static pool and then configure the DHCP Relay Agent simultaneously for VPN
> Clients.


The DHCP Relay Agent doesn't use the Static Pool,...it gets the address
directly from the DHCP Server's Scope itself, along with all the other DHCP
Options. You use the Static Address Pool when there is no DHCP Server to
draw from. If you setup both then they are fighting against each other.
The excerpt below is taken from:

Microsoft Windows Server 2003 Remote Access/VPN Server Role
http://www.microsoft.com/technet/pro...94b01f615.mspx

The "stars" for emphasis are mine.
-------------------------------------------------
Determine whether remote clients will receive IP addresses from a Dynamic
Host Configuration Protocol (DHCP) server on your private network *OR* from
the remote access/VPN server that you are configuring.
If you have a DHCP server on your private network, the remote access/VPN
server can lease 10 addresses at a time from the DHCP server and assign
those addresses to remote clients. If you *Do Not* have a DHCP server on
your private network, the remote access/VPN server can automatically
generate and assign IP addresses to remote clients. If you want the remote
access/VPN server to assign IP addresses from a range that you specify, you
must determine what that range should be.
----------------------------------------------


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Clint Denham
Guest
Posts: n/a

 
      08-02-2005, 04:25 PM
<The DHCP Relay Agent doesn't use the Static Pool,...it gets the address
directly from the DHCP Server's Scope itself, along with all the other DHCP
Options. You use the Static Address Pool when there is no DHCP Server to
draw from. >

The RELAY doesn't "GET" addresses - it RELAYS DHCP messages only - in this
case, it RELAYS DHCP Inform messages from VPN Clients to the DHCP Server. The
clients send the DHCP Inform packets requesting additional parameters which
the RELAY sends to the DHCP Server.

<If you setup both then they are fighting against each other.>

Hogwash - if they are both setup, then clients get duplicate DNS and WINS
Server addresses at worst. Are you saying you consider the ability to receive
a DNS Suffix an un-necessary detail? You didn't answer that question from
earlier either. If you have a static pool configured, how are VPN Clients
supposed to get additional scope options from the DHCP Server? WPAD? Static
Routes? DNS Suffix? These are all things that the DHCP Server can provide to
VPN Clients provided the Relay Agent is configured. These are all attributes
that a Static Pool configuration cannot provide.

> The excerpt below is taken from:
>
> Microsoft Windows Server 2003 Remote Access/VPN Server Role
> http://www.microsoft.com/technet/pro...94b01f615.mspx
>
> The "stars" for emphasis are mine.
> -------------------------------------------------
> Determine whether remote clients will receive IP addresses from a Dynamic
> Host Configuration Protocol (DHCP) server on your private network *OR* from
> the remote access/VPN server that you are configuring.
> If you have a DHCP server on your private network, the remote access/VPN
> server can lease 10 addresses at a time from the DHCP server and assign
> those addresses to remote clients. If you *Do Not* have a DHCP server on
> your private network, the remote access/VPN server can automatically
> generate and assign IP addresses to remote clients. If you want the remote
> access/VPN server to assign IP addresses from a range that you specify, you
> must determine what that range should be.
> ----------------------------------------------


Yes, I've seen all of that before, but you're missing the most important
fact of IP Address assignment - IPCP can only assign an IP Address, DNS
Server and WINS Server - other key bits of information that can be passed on
from the DHCP Server require the DHCP Relay.
 
 
Phillip Windell
Guest
Posts: n/a

 
      08-03-2005, 03:53 PM
"Clint Denham" <(E-Mail Removed)> wrote in message
news:F8A309E4-A7E4-4C76-888C-(E-Mail Removed)...

> Yes, I've seen all of that before, but you're missing the most important
> fact of IP Address assignment - IPCP can only assign an IP Address, DNS
> Server and WINS Server - other key bits of information that can be passed on
> from the DHCP Server require the DHCP Relay.


That is what I have been trying to tell you. Either you don't know what I
was trying to say or something,....

My original point is that you do not need a Static Pool of Address on the
RRAS Box for the clients to get the address from,...you use the DHCP Server
instead and the RRAS Service gets them from the DHCP Server in groups of 10,
and it will do *that much* without the DHCP Agent:

<from the article>
------------
If you have a DHCP server on your private network, the remote access/VPN
server can lease 10 addresses at a time from the DHCP server and assign
those addresses to remote clients
------------

But you do not get any Scope Options given to the Client unless the DHCP
Agent in RRAS is used,...that is how you get the rest of the scope options
to the Client. The DHCP Agent in RRAS shares some similarities but is *not*
the same thing as enabling DHCP Relay in some other brand of regular Router.

[....as proof...emphasis mine with ***]
Enabling DHCP Relay for DMZ Segments
http://www.isaserver.org/tutorials/2...prelaydmz.html
Date - Jun 21, 2005 Author - Thomas Shinder Section - Tutorials ::
Configuration - General
In an earlier article I discussed how you can configure the DHCP Relay Agent
on the ISA firewall to deliver DHCP options to VPN clients. The VPN client
situation is somewhat unique, in that the RRAS server obtains IP addresses
on behalf of the VPN clients (**from DHCP without the agent**), and then
when the VPN clients connect to the ISA firewall's VPN server component, the
RRAS service provides the VPN clients with an IP address. The RRAS service
*never sends* the VPN client DHCP options. That is why you need a DHCP Relay
Agent on the ISA firewall. The DHCP Relay Agent forwards the DHCP messages
to a DHCP server on the corporate network.

And back to the *original* point,.....you don't create a static pool of
addresses on the RRAS box,...that is only done when there is no DHCP Server
to use.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Clint Denham
Guest
Posts: n/a

 
      08-03-2005, 09:48 PM
> That is what I have been trying to tell you. Either you don't know what I was
> trying to say or something,....
>
> My original point is that you do not need a Static Pool of Address on the
> RRAS Box for the clients to get the address from,...you use the DHCP Server
> instead and the RRAS Service gets them from the DHCP Server in groups of 10,
> and it will do *that much* without the DHCP Agent


No - your original point was - and I quote - "You use the Static IP Pool *or*
the DHCP Agent. You don't use both,...it is a choice between the two
methods.".

This is patently false and you have provided no information proving that it
is a choice between the 2 methods, nor have you - yet again - answered my
question on how clients who receive their IP through a static pool can
receive additional DHCP options without having the DHCP Relay Agent
configured. You have provided nothing proving that you cannot use both - only
step by step procedures for novices to follow on how to configure ISA for VPN
connectivity. I have used both simultaneously and when I worked in the ISA
support team in PSS configured many large customers with this exact
configuration and it worked with no issues whatsoever.

Furthermore, how do you, in ISA 2004 Enterprise Edition, assign VPN clients
DNS Suffix, WPAD, etc...? In Enterprise Edition, you cannot configure a
multi-node array to use DHCP to assign addresses - you must use a static
pool. So with this in mind, you are saying that in a multi-node ISA 2004 EE
array, it is not recommended to configure the DHCP Relay?

That, in effect, the ISA developers have crippled VPN Clients from resolving
internal resources with ISA 2004 EE since you don't configure the DHCP Relay
as you have stated?

With the configuration I have mentioned, DHCP Relay and Static Pool
assignment are possible, deployable, and supported by PSS.

Reply With Quote
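Added example, not part of any poster's reply: a Python sketch of the DHCPINFORM exchange the thread argues about, showing which settings reach a VPN client only through the relay (DNS suffix, WPAD, static routes) because IPCP has no field for them. The option numbers chosen (15, 249 with 121 as fallback, 252), the function names and the constructed DHCPACK are assumptions of this example, not values taken from the thread.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
INFORM, ACK = 8, 5                      # option 53 message types
# Options matching what the thread names; IPCP has no field for any of them.
DOMAIN_NAME, CLASSLESS_ROUTES, MS_ROUTES, WPAD = 15, 121, 249, 252

def build_inform(client_ip, mac, xid, wanted=(DOMAIN_NAME, MS_ROUTES, WPAD)):
    """DHCPINFORM: ciaddr holds the address the client was already given."""
    bootp = struct.pack("!BBBBIHH4s12x16s192x", 1, 1, 6, 0, xid, 0, 0,
                        ipaddress.IPv4Address(client_ip).packed, mac)
    return bootp + DHCP_MAGIC + bytes([53, 1, INFORM, 55, len(wanted), *wanted, 255])

def parse_options(packet):
    """Return {code: value}, skipping pad (0) and stopping at end (255)."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        opts[code] = opts.get(code, b"") + packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_routes(raw):
    """Decode classless static routes (RFC 3442 layout) to (network, gateway)."""
    routes, i = [], 0
    while i < len(raw):
        width = raw[i]
        n = (width + 7) // 8                  # significant destination octets
        if width > 32 or i + 5 + n > len(raw):
            raise ValueError("malformed route option")
        dest = raw[i + 1:i + 1 + n] + bytes(4 - n)
        gateway = raw[i + 1 + n:i + 5 + n]
        routes.append((str(ipaddress.IPv4Network((dest, width))),
                       str(ipaddress.IPv4Address(gateway))))
        i += 5 + n
    return routes

def summarize_ack(packet):
    """What a VPN client learns from the relayed DHCPACK."""
    opts = parse_options(packet)
    if opts.get(53) != bytes([ACK]):
        raise ValueError("not a DHCPACK")
    raw_routes = opts.get(MS_ROUTES) or opts.get(CLASSLESS_ROUTES, b"")
    return {"dns_suffix": opts.get(DOMAIN_NAME, b"").decode("ascii"),
            "wpad": opts.get(WPAD, b"").decode("ascii"),
            "routes": decode_routes(raw_routes)}

def _opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed DHCPACK (example values, not a capture).
SAMPLE_ACK = (bytes([2, 1, 6, 0]) + bytes(232) + DHCP_MAGIC
              + _opt(53, bytes([ACK])) + _opt(DOMAIN_NAME, b"corp.example")
              + _opt(MS_ROUTES, bytes([24, 10, 1, 2, 192, 168, 1, 1]))
              + _opt(WPAD, b"http://wpad.corp.example/wpad.dat") + b"\xff")
```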
 
 
 