Help configuring VPN - using Win2k3, ISA2000, DG834W
Hi All,
I thought it best to create a new thread for this, so I could get some input from any VPN gurus out there...
To recap very briefly...
I had an old domain controller that was running AD and ISA2000 - I set up a new DC and demoted the previous DC. It is still a member of the domain though, and it has ISA 2000 still installed on it (I'm not sure how that affects the network - i.e. does it still operate as the ISA Server the way it used to when it was still the DC). Anyway, now on the new DC I want to set up a VPN.
I have run RRAS on the server and when I try to VPN from the local network, it works fine. When I try to VPN from external - I get an "Error 800: Unable to establish the VPN connection. The VPN server may be un-reachable, or security parameters may not be configured properly for this connection."
I don't know where exactly the problem is - so here's a quick rundown of what I have done:
- On the Netgear DW834G router, I forwarded the VPN-PPTP protocol (which apparently is also supposed to allow protocol GRE - but not sure) to the VPN Server.
- I set it up to use static IP addresses instead of DHCP - so I don't think the issue is a DHCP issue (and when I connected to the VPN internally, I checked to ensure it was given an IP address from the range that I had selected - and this was okay).
Do I have to do anything on the ISA box (that I mentioned earlier)? If so, what do I have to do - and how do I do it? Also, sprkymrk once suggested that NAT-T might be enabled on the router and this could cause problems - but I didn't find such a setting on the router (or perhaps I didn't look in the right area?).
What else am I missing? I was sitting there for a couple of hours last night fiddling with it and didn't really get anywhere... any tips would be great!
Thanks!
Comments
sprkymrk Member Posts: 4,884
Is the ISA firewall sitting in between the Netgear and RRAS server? If not, don't even worry about it because the only thing it is protecting is itself. I think in your last thread you confirmed that the ISA box is just a single-NIC computer on your LAN.
You might want to check that the Netgear really is allowing GRE because if not that would be a show stopper.
Also in your last post I believe you stated that you are using 192.168.x.x internally which means 100% that your Netgear is NATing your addresses to your public IP on the Netgear. This is why I suggested dropping the Netgear and placing the ISA server as your edge device and letting it publish your RRAS server. I don't remember if that will work, but if not you can always terminate the VPN right there at the ISA server and thus access your internal LAN with a lot less trouble.
Keep in mind that the ISA server will need a second NIC, one for the internal LAN and one for the external public IP.
Do you have a single public IP, or multiple?
All things are possible, only believe. -
Khattab Member Posts: 97
Thanks for the reply. Well, by the sounds of it the ISA box is not the issue - because it isn't sitting between the Netgear and the RRAS. And yes, the ISA Server is a single-NIC computer.
I spoke to Netgear a few minutes ago, and they said that GRE is enabled on the router by default, so I guess the issue isn't with GRE or the PPTP protocol.
On my router, I have an option to disable NAT - is that something I should consider doing? i.e. would it make VPN work without causing me any problems?
If need be, I think I will go down the route you suggested - setting up the ISA box as the RRAS server (I have a spare NIC that I can use). I only have one single public IP - will I need to purchase an additional one?
If I need to go down the route you suggested, please let me know what exactly I need to do?
Thanks -
sprkymrk Member Posts: 4,884
Khattab wrote: I spoke to Netgear a few minutes ago, and they said that GRE is enabled on the router by default, so I guess the issue isn't with GRE or the PPTP protocol.
Okay, that's good.
Khattab wrote: On my router, I have an option to disable NAT - is that something I should consider doing? i.e. would it make VPN work without causing me any problems?
If you disable NAT you'll need publicly accessible IPs for every computer on your network that needs Internet access.
Khattab wrote: If need be, I think I will go down the route you suggested - setting up the ISA box as the RRAS server (I have a spare NIC that I can use). I only have one single public IP - will I need to purchase an additional one?
No, you just assign the single public IP to the external interface of the ISA server, and assign a private (192.16 to the internal side.
Khattab wrote: If I need to go down the route you suggested, please let me know what exactly I need to do?
Well that's a bit of a long story, but you can do it in a single day if you do your homework first. The main thing is to become familiar with creating rules on the ISA server first so your clients will be able to do what they need to do (surf, email, etc.). Then you need to record your TCP/IP settings on the Netgear to duplicate them on the ISA server. Are you running your own DNS or using the ISP's? Does the Netgear currently provide DHCP? I realize I may have given the impression that replacing the Netgear with the ISA would be easy, and really it's not that hard, but you need to get your ducks in a row first and you'll have much better security with the ISA than with the Netgear.
If the main thing is to just get the VPN working, let's do that first and then give yourself time to learn about ISA before we go that route.
Tell me how you are trying to connect from a client externally (like from home) to the RRAS server and what errors you get in the event logs on the client/server?
All things are possible, only believe. -
Khattab Member Posts: 97
Apologies for the delayed response...
Some progress yet again! Previously, when I was trying to VPN I was getting an error 800... it turns out that, against my orders not to, one of the girls in the office was shutting down the domain controller before leaving the office... which is why VPN wasn't working.
VPN is now working like a treat. Internet wasn't working (and I wasn't able to ping the network resources earlier) but I changed the settings on the local VPN connection (and configured it to use the correct DNS settings) and now it's working perfectly.
VPN is running on the Win2k3 Domain Controller... I also set up Live Communication Server - and it's looking good. I am almost finished everything I started out to achieve, and now just have 2 things that I want to sort out.
1. We have a website that a network provider is hosting for us. At the moment though, we can't access the website internally. I have set up Forwarders for the domain, and I also created a host A record for "www" pointing to the external IP address of the website and it still doesn't work... am I missing something?
2. I don't think the network is very secure at all at the moment. The only thing that is "securing" the network at the moment is the Netgear modem/router. As mentioned earlier, the former ISA server is currently only protecting itself - I'm not really sure how to place it between the router and the domain controller...
Any tips would be greatly appreciated!!
Thanks a million! -
sprkymrk Member Posts: 4,884
Khattab wrote: Some progress yet again! Previously, when I was trying to VPN I was getting an error 800... it turns out that, against my orders not to, one of the girls in the office was shutting down the domain controller before leaving the office... which is why VPN wasn't working.
Silly kids!
Khattab wrote: 1. We have a website that a network provider is hosting for us. At the moment though, we can't access the website internally. I have set up Forwarders for the domain, and I also created a host A record for "www" pointing to the external IP address of the website and it still doesn't work... am I missing something?
The site is hosted externally, but when you try to access it from your internal network it fails? Can you access it via IP address, like http://123.123.123.123/? What does an nslookup show? From a command prompt, type:
nslookup www.mysite.com
Khattab wrote: 2. I don't think the network is very secure at all at the moment. The only thing that is "securing" the network at the moment is the Netgear modem/router. As mentioned earlier, the former ISA server is currently only protecting itself - I'm not really sure how to place it between the router and the domain controller...
If you're not familiar with ISA, pick up the book by Tom Shinder first. Browse his site at www.isaserver.org also. If you want a "quick start" look at ISA 2000 I think the book "Firewalls for Dummies" has a couple of chapters devoted to it. The Dummies book is a very good intro on firewalls in general, so don't be embarrassed to pick it up. I still have my copy from several years ago. Hopefully they've got a second or third edition by now.
All things are possible, only believe. -
Khattab Member Posts: 97
I can't remote into the server from my office, so I'll wait till I'm home to try the nslookup and let you know what it comes back with.
Regarding ISA... thanks for the advice.
I was just on amazon.com and I found:
- Dr. Tom Shinder's Configuring ISA Server 2004
- Configuring ISA Server 2000
I am guessing you would advise me to buy the ISA Server 2000 book... but I'm thinking would it be worth updating the ISA2000 installation to ISA2004? (I suppose all I would need to do is back up the config in ISA2000 and simply restore it into ISA 2004?) If so, I will purchase the 2004 book, because I think 2000 is pretty outdated...
I gotta say... before this forum, I was content to just sit on an MCP and see how far that would get me... but over the last 2-3 weeks, you've really motivated me to start reading/learning more! -
sprkymrk Member Posts: 4,884
Khattab wrote: I am guessing you would advise me to buy the ISA Server 2000 book... but I'm thinking would it be worth updating the ISA2000 installation to ISA2004? (I suppose all I would need to do is back up the config in ISA2000 and simply restore it into ISA 2004?) If so, I will purchase the 2004 book, because I think 2000 is pretty outdated...
Yes, ISA 2000 is pretty outdated, and ISA 2006 is out:
http://www.microsoft.com/isaserver/prodinfo/trial-software.mspx
However, you would have to consider the price ($$$) before deciding to upgrade. I am going to look into ISA 2004 in the coming months. ISA 2000 did have some shortcomings, but it was still a great product, so if you can't afford the upgrade it might still be worth replacing your current router.
Khattab wrote: I gotta say... before this forum, I was content to just sit on an MCP and see how far that would get me... but over the last 2-3 weeks, you've really motivated me to start reading/learning more!
That's what this site is all about. It did (and still does) the same thing for me.
All things are possible, only believe. -
Khattab Member Posts: 97
We already have a copy of ISA2004... so the only thing that was really standing in the way of upgrading from 2000 was not knowing whether or not it would cause any complications.
Provided it won't be too difficult, I'll just perform the upgrade. The more I think about it, the more I'm leaning towards upgrading to 2004... because even if I have to rebuild ISA from scratch, at least that will really force me to learn it - QUICK!
What do you think? -
Khattab Member Posts: 97
I did an nslookup on the domain controller... this is what I got...
C:\>nslookup www.mydomain.com.au
*** Can't find server name for address 192.168.0.34: Non-existent domain
Server: UnKnown
Address: 192.168.0.34
Looked to be an issue with the external DNS server which I've set as the forwarder... so I went into DNS and checked the forwarders that I had set. I had mistakenly set the Internet IP address of the router as one of the forwarders. I took that off, and now I can browse the website without any problems, but when I do an nslookup of the site, I still get the same error message as above... strange? -
sprkymrk Member Posts: 4,884
Did you do the nslookup from your home? The message:
Can't find server name for address 192.168.0.34: Non-existent domain
Server: UnKnown
Address: 192.168.0.34
is referring to your DNS server. What is at IP address 192.168.0.34? Do you have your own DNS server at that address? It's a typical error message for things like broadband routers sitting behind a cable or DSL modem. You should have then received another message stating something like:
Non-authoritative answer:
Name: www.mydomain.com.au
Address: 123.123.123.123
All things are possible, only believe. -
sprkymrk Member Posts: 4,884
Khattab wrote: We already have a copy of ISA2004... so the only thing that was really standing in the way of upgrading from 2000 was not knowing whether or not it would cause any complications.
Provided it won't be too difficult, I'll just perform the upgrade. The more I think about it, the more I'm leaning towards upgrading to 2004... because even if I have to rebuild ISA from scratch, at least that will really force me to learn it - QUICK!
What do you think?
Unless you already have a working configuration (which I don't think you do since it's not protecting anything) I would do an install from scratch. You'll want to install a high quality NIC as a second interface first.
All things are possible, only believe. -
Khattab Member Posts: 97
sprkymrk wrote: Did you do the nslookup from your home? The message:
Can't find server name for address 192.168.0.34: Non-existent domain
Server: UnKnown
Address: 192.168.0.34
I connected via a Terminal Services session to the server and did the nslookup from there... but I didn't think that would make any difference? I connected via RDP directly over the net... not through VPN or anything...
sprkymrk wrote: What is at IP address 192.168.0.34? Do you have your own DNS server at that address? It's a typical error message for things like broadband routers sitting behind a cable or DSL modem.
Oh, and yeah I did receive the "non-authoritative answer..." thing too. -
sprkymrk Member Posts: 4,884
If you manage your own DNS, just put a PTR record in the reverse lookup zone for 192.168.0.34, then you won't get the "unknown server" message.
All things are possible, only believe.
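The two DNS points made in this thread are easy to conflate when reading nslookup output: the "Can't find server name for address 192.168.0.34" line is about the resolver's own missing PTR record, while the real question (does www.mydomain.com.au resolve?) is answered further down. The following Python script is an added example, not code from the thread or from either poster. It parses a Windows-style nslookup transcript into the resolver part and the answer part, decides whether the forward lookup actually worked, and, when the resolver's PTR is missing, works out the reverse zone and node name that the PTR record in the last post would need. The two transcripts embedded in it are constructed to match the shapes quoted in the thread; the hostname dc01.mydomain.local, the 123.123.123.123 answer address and the assumption of a /24 reverse zone are placeholders, and the dnscmd line it produces is a suggestion built from the standard `/RecordAdd <zone> <node> PTR <target>` syntax, not something the thread ran.

```python
import re
import ipaddress

# Constructed sample, shaped like the transcript quoted in the thread:
# resolver PTR missing, but the forward lookup itself succeeds.
SAMPLE_OUTPUT = """\
*** Can't find server name for address 192.168.0.34: Non-existent domain
Server:  UnKnown
Address:  192.168.0.34

Non-authoritative answer:
Name:    www.mydomain.com.au
Address:  123.123.123.123
"""

# Constructed sample for the other case: resolver is fine, the name does
# not resolve (the symptom a wrong forwarder would give).
SAMPLE_FAILED = """\
Server:  dc01.mydomain.local
Address:  192.168.0.34

*** dc01.mydomain.local can't find www.mydomain.com.au: Non-existent domain
"""

RESOLVER_PTR_MISSING = re.compile(r"^\*\*\* Can't find server name for address (\S+):")
QUERY_FAILED = re.compile(r"^\*\*\* .*can't find (\S+):")


def parse_nslookup(text):
    """Split nslookup output into the resolver section and the answer section.

    nslookup first reverse-looks-up the resolver it is about to use (that is
    the "Can't find server name for address" line) and only then queries the
    name you typed, so the two are tracked separately here.
    """
    info = {"resolver_ip": None, "resolver_name": None, "resolver_ptr_missing": False,
            "answer_name": None, "answer_ips": [], "authoritative": None,
            "query_failed_for": None}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESOLVER_PTR_MISSING.match(line)
        if m:
            info["resolver_ptr_missing"] = True
            info["resolver_ip"] = m.group(1)
            continue
        m = QUERY_FAILED.match(line)
        if m:
            info["query_failed_for"] = m.group(1)
            continue
        if line.lower().startswith("non-authoritative answer:"):
            in_answer = True
            info["authoritative"] = False
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            info["resolver_name"] = value
        elif key == "name":
            in_answer = True  # a Name: line always belongs to the answer block
            if info["authoritative"] is None:
                info["authoritative"] = True
            info["answer_name"] = value
        elif key == "address":
            if in_answer:
                info["answer_ips"].append(value)
            else:
                info["resolver_ip"] = value
    return info


def ptr_record_for(ip, prefix_len=24):
    """Return (reverse_zone, node_name) for a PTR covering `ip`.

    Assumes an IPv4 address and an octet-aligned reverse zone (/24 by default),
    e.g. 192.168.0.34 -> zone 0.168.192.in-addr.arpa, node 34.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or prefix_len % 8 or not 8 <= prefix_len <= 24:
        raise ValueError("example covers IPv4 with /8, /16 or /24 reverse zones")
    labels = addr.reverse_pointer.split(".")  # ['34', '0', '168', '192', 'in-addr', 'arpa']
    host_labels = 4 - prefix_len // 8
    return ".".join(labels[host_labels:]), ".".join(labels[:host_labels])


def diagnose(text, resolver_fqdn="dc01.mydomain.local"):
    """Classify a transcript and, if the resolver lacks a PTR, suggest the fix."""
    info = parse_nslookup(text)
    if info["answer_ips"]:
        verdict = "forward lookup succeeded"
    elif info["query_failed_for"]:
        verdict = "forward lookup failed"
    else:
        verdict = "no answer section found"
    fix = None
    if info["resolver_ptr_missing"] and info["resolver_ip"]:
        zone, node = ptr_record_for(info["resolver_ip"])
        # resolver_fqdn is an assumed placeholder for the DNS server's own name
        fix = f"dnscmd /RecordAdd {zone} {node} PTR {resolver_fqdn}."
    return {"verdict": verdict, "resolver_ip": info["resolver_ip"],
            "answer_ips": info["answer_ips"], "ptr_fix": fix}


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_FAILED):
        print(diagnose(sample))
```

Run against the first transcript the verdict is "forward lookup succeeded" with a suggested PTR fix for 192.168.0.34; against the second it reports "forward lookup failed" and no PTR fix, which is the distinction the thread's last few posts turn on.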