Networking Forums

RRAS Branch to Corp problem

 
 
Robert R Kircher, Jr.

 
      07-13-2007, 09:14 PM
Trying to set up a branch office connection to a corp office using RRAS
only.

Network setup: both networks are connected to the internet with a SOHO
type FW router. PPTP is set up to pass through the routers to the RRAS
servers on both sides. I've followed the instructions provided by RRAS to
set up the connection but when the DOD interface of the branch office tries
to connect it fails and the error message on the corp office side says no
protocol was negotiated. Event ID 20050.

To test VPN actually works between the networks, I've created a regular VPN
client connection on the branch server and it will connect to the Corp
server no problem.

Branch server is a 2k3 R2 server, Corp server is a 2K server with SP4.

Any help would be greatly appreciated. I need to get this working ASAP.

--

Rob
"A disturbing new study finds that studies are disturbing"




 
 
 
 
 
Phillip Windell

 
      07-13-2007, 09:43 PM
Get rid of the SOHO Router,...RRAS *is* your router,...it goes in place of
the SOHO box. The Cable/DSL Modem plugs directly into the external facing
nic of the RRAS box (like it did the SOHO box). If the RRAS box is not
compatible with the ISP's method of line technology, then you have to enable
VPN Passthrough on both the SOHO boxes and follow the manufacturer's
instruction for dealing with that on those boxes.

RRAS requires two connections for a Site-to-Site VPN. Each RRAS box "calls"
the other so there is one connection going each direction. Search for
documentation specifically for a Site-to-Site (Router-to-Router) VPN
connection using RRAS. A Remote Access VPN, which can also be done with
RRAS, is not the same thing and will not work.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Robert R Kircher, Jr.

 
      07-13-2007, 10:02 PM
Unfortunately the SOHO router needs to stay in place. As I said, Remote
Access VPN works just fine in both directions but site-to-site doesn't.

I've used the docs provided in the RRAS help to set up the site-to-site but
again I receive the following error message on the corp server:
"The user connected to port VPN3-127 has been disconnected because no
protocols were successfully negotiated."

So my thought was the connection would work if it could figure out what
causes this error.

--

Rob
"A disturbing new study finds that studies are disturbing"
 
Bill Grant

 
      07-14-2007, 03:46 AM
I have to agree with Philip on this. It is unlikely to work with SOHO
routers outside the RRAS routers at both ends. SOHO "routers" are simple NAT
devices just one step up from ICS. (I am surprised that you didn't get
Philip's usual blast about this. Perhaps he is mellowing, or just getting
tired of saying it over and over). The documentation from Microsoft assumes
that the RRAS router is directly connected to the Internet.

The site-to-site (or router-to-router) VPN connection is nothing like a
client-server VPN connection. The point to point connection is established
between the RRAS routers and each router has a subnet route to the "other"
site linked to the connection. The demand-dial interfaces on the routers are the
endpoints of the tunnel. The link then acts as a simple (and slow) IP
router for site to site traffic through the tunnel. A client-server type
connection is just a dialup connection using the Internet instead of a phone
line and modem.

PS. Welcome back, Philip. We missed you!
 
Phillip Windell

 
      07-15-2007, 04:37 AM
"Robert R Kircher, Jr." <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> So my thought was the connection would work if it could figure out what
> causes this error.


You're getting the error because you aren't following what I said in the last
post.
I didn't say you had to get rid of the SOHO box,..I said you should. I
indicated the way to go about it if you keep them.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Phillip Windell

 
      07-15-2007, 04:44 AM
"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> devices just one step up from ICS. (I am surprised that you didn't get
> Philip's usual blast about this. Perhaps he is mellowing, or just getting
> tired of saying it over and over).


It's the "over and over" thing. And I might be getting a bit old and lazy.

> PS. Welcome back, Philip. We missed you!


Thanks very much Bill!
I went on vacation for a week and a half which caused a lot of work to pile
up,..so I'm just now getting caught up.

I'm also not an MVP any more unless I get re-nominated, and that was a bit
discouraging, and probably caused me to slow down in the groups a bit,..I
guess I needed a break after that. It makes it hard to want to devote as
much to the task.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Bill Grant

 
      07-16-2007, 07:11 AM

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Robert R Kircher, Jr." <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> So my thought was the connection would work if it could figure out what
>> causes this error.

>
> You're getting the error because you aren't following what I said in the
> last post.
> I didn't say you had to get rid of the SOHO box,..I said you should. I
> indicated the way to go about it if you keep them.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>


Robert,

The real problem is with your network topology. Site to site VPN
connections should be made between the edge routers of each site. If the
RRAS routers are not at the edge and are not the default gateway for each
site, the routing will not work even if you solve the problem of setting up
the site to site link (which requires making sure that the NAT devices
correctly forward the traffic and do not block protocols which PPTP needs).
Instead of going to the RRAS router, VPN traffic for the "other" site will
arrive at the default router unencrypted and unencapsulated.

In other words, even if you solve the problem of setting up a router to
router VPN tunnel between your RRAS routers, the VPN traffic will not use it
unless you add extra routing on your LAN to get the inter-site traffic to
the RRAS router rather than the gateway router.
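
Added example (not part of the original posts): a small next-hop simulation of the topology point made in the last reply, showing where inter-site traffic exits when the RRAS server is not the default gateway, and how a static route on the hosts or on the gateway router changes that. All addresses and device names are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the branch site (assumptions, not from the thread).
CORP_LAN = "192.168.1.0/24"
SOHO = "192.168.2.1"    # NAT router, the LAN's default gateway
RRAS = "192.168.2.10"   # RRAS server sitting inside the LAN
TUNNEL, INTERNET = "demand-dial tunnel", "internet (cleartext)"
CORP_SERVER = "192.168.1.20"  # constructed destination at the other site

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from device `start` until the packet leaves the site."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        path.append(hop)
        if hop in (TUNNEL, INTERNET):
            return path
        node = hop
    raise RuntimeError("routing loop")

def site(host_extra=(), soho_extra=()):
    """Routing tables for a LAN host, the SOHO router and the RRAS server."""
    return {
        "host": [("0.0.0.0/0", SOHO), *host_extra],
        SOHO:   [("0.0.0.0/0", INTERNET), *soho_extra],
        RRAS:   [("0.0.0.0/0", SOHO), (CORP_LAN, TUNNEL)],
    }

def scenarios():
    """Exit path for corp-bound traffic under three LAN routing setups."""
    to_rras = [(CORP_LAN, RRAS)]
    return {
        "default gateway only": trace(site(), "host", CORP_SERVER),
        "static route on host": trace(site(host_extra=to_rras), "host", CORP_SERVER),
        "static route on SOHO": trace(site(soho_extra=to_rras), "host", CORP_SERVER),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:22} {' -> '.join(path)}")
```

Only the first scenario sends corp-bound packets out of the SOHO router without ever reaching the tunnel; on-link delivery inside the LAN is not modelled.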


 