VPN setup Troubleshooting

How can I troubleshoot my VPN setup. I have followed 2 book setting up RRAS
on server 2003 for VPN on the client side. There are no books that help
setting up the router. I have the router setup with the static ip my isp gave
me. I wasn't able to ping my static ip from remote location but I am able to
know after turning off the firewall on the router (i think that was it)
So I can ping the router. I have forward 1743 and 47 to my servers local ip
address: 10.1.10.5 (external nic on server)
router: 10.1.10.2
internal nic: 192.168.10.5
Internal handles DHCP and DNS.
How can I troubleshoot how far I am going from a remote location. I want to
see if I am atleast getting past the router.

How do you forward 47? And which port? Normally, you don't need to do that or just enable it. You may use PPTPclnt and PPTPsrv to test GRE and PPTP. Or this link may help,

VPN troubleshooting toolsVPN Troubleshooting Tools. 1. PPTPclnt and PPTPsrv to test GRE and PPTP. 2. IPCONFIG to troubleshooting connection and name resolution issues ...
http://www.chicagotech.net/vpnissues/vpntools.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Cali Tech" <(E-Mail Removed)> wrote in message news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
How can I troubleshoot my VPN setup. I have followed 2 book setting up RRAS
on server 2003 for VPN on the client side. There are no books that help
setting up the router. I have the router setup with the static ip my isp gave
me. I wasn't able to ping my static ip from remote location but I am able to
know after turning off the firewall on the router (i think that was it)
So I can ping the router. I have forward 1743 and 47 to my servers local ip
address: 10.1.10.5 (external nic on server)
router: 10.1.10.2
internal nic: 192.168.10.5
Internal handles DHCP and DNS.
How can I troubleshoot how far I am going from a remote location. I want to
see if I am atleast getting past the router.

"Cali Tech" <(E-Mail Removed)> wrote in message
news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
> How can I troubleshoot my VPN setup. I have followed 2 book setting up
> RRAS
> on server 2003 for VPN on the client side. There are no books that help
> setting up the router. I have the router setup with the static ip my isp
> gave
> me. I wasn't able to ping my static ip from remote location but I am able
> to
> know after turning off the firewall on the router (i think that was it)
> So I can ping the router. I have forward 1743 and 47 to my servers local
> ip
> address: 10.1.10.5 (external nic on server)
> router: 10.1.10.2
> internal nic: 192.168.10.5
> Internal handles DHCP and DNS.
> How can I troubleshoot how far I am going from a remote location. I want
> to
> see if I am atleast getting past the router.
>

Have you checked that your server is set up correctly for VPN? Can you
make a VPN connection to the server from a LAN machine using the server's
internal IP? There is no point in trying it from the Internet if it isn't
configured properly.

If this works you should be able to connect from a remote location if
you can ping your router's public IP. If you are using PPTP you forward PPTP
(tcp port 1723) to10.1.10.5 .

The other problem which can arise is if the router blocks GRE. GRE
(Generic Routing Encapsulation) is IP protocol 47. It is not a port and it
cannot be forwarded. What you need to ensure is that your router does not
block traffic with a GRE header. If it does, PPTP VPN will never work
because the encrypted VPN data has a GRE header. If this is your problem you
will get a 721 error.

It worked internally, but i get error 800: unable to establish the vpn
connection from a remote location. Is there any thing I have to do on the
remote location router?
What are the settings I should have on the server end router? Just forwared
port 1723 on the server router pointing to the server?



"Bill Grant" wrote:

>
> "Cali Tech" <(E-Mail Removed)> wrote in message
> news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
> > How can I troubleshoot my VPN setup. I have followed 2 book setting up
> > RRAS
> > on server 2003 for VPN on the client side. There are no books that help
> > setting up the router. I have the router setup with the static ip my isp
> > gave
> > me. I wasn't able to ping my static ip from remote location but I am able
> > to
> > know after turning off the firewall on the router (i think that was it)
> > So I can ping the router. I have forward 1743 and 47 to my servers local
> > ip
> > address: 10.1.10.5 (external nic on server)
> > router: 10.1.10.2
> > internal nic: 192.168.10.5
> > Internal handles DHCP and DNS.
> > How can I troubleshoot how far I am going from a remote location. I want
> > to
> > see if I am atleast getting past the router.
> >
>
> Have you checked that your server is set up correctly for VPN? Can you
> make a VPN connection to the server from a LAN machine using the server's
> internal IP? There is no point in trying it from the Internet if it isn't
> configured properly.
>
> If this works you should be able to connect from a remote location if
> you can ping your router's public IP. If you are using PPTP you forward PPTP
> (tcp port 1723) to10.1.10.5 .
>
> The other problem which can arise is if the router blocks GRE. GRE
> (Generic Routing Encapsulation) is IP protocol 47. It is not a port and it
> cannot be forwarded. What you need to ensure is that your router does not
> block traffic with a GRE header. If it does, PPTP VPN will never work
> because the encrypted VPN data has a GRE header. If this is your problem you
> will get a 721 error.
>
>
>
>

I get this error on the server side. So I know there is a connection taking
place just no DHCP address.
Where should I look?

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20169
Date: 7/9/2007
Time: 9:54:33 PM
User: N/A
Computer: SERVER
Description:
Unable to contact a DHCP server. The Automatic Private IP Address
169.254.36.90 will be assigned to dial-in clients. Clients may be unable to
access resources on the network.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"Bill Grant" wrote:

>
> "Cali Tech" <(E-Mail Removed)> wrote in message
> news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
> > How can I troubleshoot my VPN setup. I have followed 2 book setting up
> > RRAS
> > on server 2003 for VPN on the client side. There are no books that help
> > setting up the router. I have the router setup with the static ip my isp
> > gave
> > me. I wasn't able to ping my static ip from remote location but I am able
> > to
> > know after turning off the firewall on the router (i think that was it)
> > So I can ping the router. I have forward 1743 and 47 to my servers local
> > ip
> > address: 10.1.10.5 (external nic on server)
> > router: 10.1.10.2
> > internal nic: 192.168.10.5
> > Internal handles DHCP and DNS.
> > How can I troubleshoot how far I am going from a remote location. I want
> > to
> > see if I am atleast getting past the router.
> >
>
> Have you checked that your server is set up correctly for VPN? Can you
> make a VPN connection to the server from a LAN machine using the server's
> internal IP? There is no point in trying it from the Internet if it isn't
> configured properly.
>
> If this works you should be able to connect from a remote location if
> you can ping your router's public IP. If you are using PPTP you forward PPTP
> (tcp port 1723) to10.1.10.5 .
>
> The other problem which can arise is if the router blocks GRE. GRE
> (Generic Routing Encapsulation) is IP protocol 47. It is not a port and it
> cannot be forwarded. What you need to ensure is that your router does not
> block traffic with a GRE header. If it does, PPTP VPN will never work
> because the encrypted VPN data has a GRE header. If this is your problem you
> will get a 721 error.
>
>
>
>

That means that your server cannot contact your DHCP server to get a
pool of addresses to allocate to clients (and to itself for the internal
interface).

You can always use a static pool of addresses for your remotes. Either
allocate a pool of addresses from the subnet that your LAN uses (and reserve
them in your DHCP scope) or give them their own IP subnet.

"Cali Tech" <(E-Mail Removed)> wrote in message
news:C5F5910F-1DED-4641-8664-(E-Mail Removed)...
>I get this error on the server side. So I know there is a connection taking
> place just no DHCP address.
> Where should I look?
>
> Event Type: Warning
> Event Source: RemoteAccess
> Event Category: None
> Event ID: 20169
> Date: 7/9/2007
> Time: 9:54:33 PM
> User: N/A
> Computer: SERVER
> Description:
> Unable to contact a DHCP server. The Automatic Private IP Address
> 169.254.36.90 will be assigned to dial-in clients. Clients may be unable
> to
> access resources on the network.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> "Bill Grant" wrote:
>
>>
>> "Cali Tech" <(E-Mail Removed)> wrote in message
>> news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
>> > How can I troubleshoot my VPN setup. I have followed 2 book setting up
>> > RRAS
>> > on server 2003 for VPN on the client side. There are no books that help
>> > setting up the router. I have the router setup with the static ip my
>> > isp
>> > gave
>> > me. I wasn't able to ping my static ip from remote location but I am
>> > able
>> > to
>> > know after turning off the firewall on the router (i think that was it)
>> > So I can ping the router. I have forward 1743 and 47 to my servers
>> > local
>> > ip
>> > address: 10.1.10.5 (external nic on server)
>> > router: 10.1.10.2
>> > internal nic: 192.168.10.5
>> > Internal handles DHCP and DNS.
>> > How can I troubleshoot how far I am going from a remote location. I
>> > want
>> > to
>> > see if I am atleast getting past the router.
>> >
>>
>> Have you checked that your server is set up correctly for VPN? Can you
>> make a VPN connection to the server from a LAN machine using the server's
>> internal IP? There is no point in trying it from the Internet if it
>> isn't
>> configured properly.
>>
>> If this works you should be able to connect from a remote location if
>> you can ping your router's public IP. If you are using PPTP you forward
>> PPTP
>> (tcp port 1723) to10.1.10.5 .
>>
>> The other problem which can arise is if the router blocks GRE. GRE
>> (Generic Routing Encapsulation) is IP protocol 47. It is not a port and
>> it
>> cannot be forwarded. What you need to ensure is that your router does not
>> block traffic with a GRE header. If it does, PPTP VPN will never work
>> because the encrypted VPN data has a GRE header. If this is your problem
>> you
>> will get a 721 error.
>>
>>
>>
>>

Ok I right clicked the RRAS server and went to properties. Under IP I added a
static pool 192.168.10.20 - 192.168.10.40 and it created a mask of
255.255.255.192
I still can't connect.


"Bill Grant" wrote:

> That means that your server cannot contact your DHCP server to get a
> pool of addresses to allocate to clients (and to itself for the internal
> interface).
>
> You can always use a static pool of addresses for your remotes. Either
> allocate a pool of addresses from the subnet that your LAN uses (and reserve
> them in your DHCP scope) or give them their own IP subnet.
>
> "Cali Tech" <(E-Mail Removed)> wrote in message
> news:C5F5910F-1DED-4641-8664-(E-Mail Removed)...
> >I get this error on the server side. So I know there is a connection taking
> > place just no DHCP address.
> > Where should I look?
> >
> > Event Type: Warning
> > Event Source: RemoteAccess
> > Event Category: None
> > Event ID: 20169
> > Date: 7/9/2007
> > Time: 9:54:33 PM
> > User: N/A
> > Computer: SERVER
> > Description:
> > Unable to contact a DHCP server. The Automatic Private IP Address
> > 169.254.36.90 will be assigned to dial-in clients. Clients may be unable
> > to
> > access resources on the network.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> >
> > "Bill Grant" wrote:
> >
> >>
> >> "Cali Tech" <(E-Mail Removed)> wrote in message
> >> news:94392273-5CA4-4783-B5DF-(E-Mail Removed)...
> >> > How can I troubleshoot my VPN setup. I have followed 2 book setting up
> >> > RRAS
> >> > on server 2003 for VPN on the client side. There are no books that help
> >> > setting up the router. I have the router setup with the static ip my
> >> > isp
> >> > gave
> >> > me. I wasn't able to ping my static ip from remote location but I am
> >> > able
> >> > to
> >> > know after turning off the firewall on the router (i think that was it)
> >> > So I can ping the router. I have forward 1743 and 47 to my servers
> >> > local
> >> > ip
> >> > address: 10.1.10.5 (external nic on server)
> >> > router: 10.1.10.2
> >> > internal nic: 192.168.10.5
> >> > Internal handles DHCP and DNS.
> >> > How can I troubleshoot how far I am going from a remote location. I
> >> > want
> >> > to
> >> > see if I am atleast getting past the router.
> >> >
> >>
> >> Have you checked that your server is set up correctly for VPN? Can you
> >> make a VPN connection to the server from a LAN machine using the server's
> >> internal IP? There is no point in trying it from the Internet if it
> >> isn't
> >> configured properly.
> >>
> >> If this works you should be able to connect from a remote location if
> >> you can ping your router's public IP. If you are using PPTP you forward
> >> PPTP
> >> (tcp port 1723) to10.1.10.5 .
> >>
> >> The other problem which can arise is if the router blocks GRE. GRE
> >> (Generic Routing Encapsulation) is IP protocol 47. It is not a port and
> >> it
> >> cannot be forwarded. What you need to ensure is that your router does not
> >> block traffic with a GRE header. If it does, PPTP VPN will never work
> >> because the encrypted VPN data has a GRE header. If this is your problem
> >> you
> >> will get a 721 error.
> >>
> >>
> >>
> >>
>
>
>