VPN, Routing and Remote Access (January 20, 2006)

Please note: Portions of this transcript have been edited for clarity


**Carolyn [MSFT] (Moderator):**
In about 20 minutes, we will begin a chat, VPN, Routing and Remote Access. Are you seeking answers for questions related to Routing and Remote Access and Virtual Private Network? Then here is an opportunity to ask the experts. The Routing and Remote Access Server team at Microsoft is keen on making the customer experience great for their product by answering the tough technical questions and also getting feedback for the product. Please join us for this Web chat and put forth your questions regarding RAS Client, RAS/VPN Server and Routing. We will answer as many questions as we can and post a transcript of the upper window within a few days at

**Carolyn [MSFT] (Moderator):**
We are pleased to welcome our experts for today. I will have them introduce themselves now.

Pawan_MSFT (Expert):
Hi, I am Pawan. I work in RRAS/VPN Team.

Puja_MSFT (Moderator):
Hi, I am Puja. I work in RRAS VPN team at Microsoft as a Tester.

Janani_MS (Expert):
Hi, I'm Janani from the RRAS test team.

Santosh-Chandwani-MS (Expert):
Hi, I'm the Program Manager for RRAS/VPN.

Pawan_MSFT (Expert):
Q: I would like to know Microsoft's customers who use Site 2 Site VPN functionality. How common is it in enterprise environment? Is there any capacity planning/bench marks available?
A: Site-to-site VPN functionality is common. The Microsoft site-to-site VPN solution is used mainly by small and medium businesses. You can get technical details of the implementation from https://www.microsoft.com/technet/network/vpn/default.mspx

Janani_MS (Expert):
Q: Hey all. I've set up a VPN, 3 PCs, set up to a router, then to a cable modem. I set them up simply, by using the network wizard, and the one hooked directly to the router can see the other two, but the other two can't see me. What do I do? Is there a
A: Hi, can you give me a little more info about how the two PCs that have the problem are connected to the router? Do you have correct routes to reach the third machine from the other two? "route print" is the command you should use to see the routes.

Santosh-Chandwani-MS (Expert):
Q: With win2k3 do you have to configure the DHCP relay agent or does the default normally work?
A: You have to enable the DHCP relay agent. It is not enabled by default.

Pawan_MSFT (Expert):
Q: A routing problem. I abide in a local network with ID: and mask, connected to the Internet via ISA Server 2004, and I need to open a VPN session into another network with the same ID and MASK. Is there a resolution?
A: It's possible if you use 2 NATs, one at each end. You need to mask the site-1 address with one public address and the site-2 address with another public address; with that masking in place you can get your connectivity to work.

Puja_MSFT (Moderator):
Q: What ports are used in VPN
A: On the VPN server we can have PPTP, L2TP and PPPoE ports by default. If you have ISDN and a modem installed on the machine then you can have ports for those media as well.

Santosh-Chandwani-MS (Expert):
Q: When using VPN to log on to another computer, it usually works great. Sometimes however mouse clicks get delayed from a few seconds to never. Login on the next day, sometimes things work great again. Any ideas?
A: You are observing general network latencies which tend to vary over a period of time.

Pawan_MSFT (Expert):
Q: With win2k3 when you have a DMZ and the PDC has the ISA firewall and is the DHCP server, is it correct to use the private side nic for DHCP server in vpn?
A: You can put the DHCP server on the private side of the VPN server. Have you faced any issues with this? Can you give details?

Janani_MS (Expert):
Q: [13] With Win2k3 do you have to configure the DHCP relay agent or does the default normally work?
A: You have to enable the DHCP relay agent. It is not enabled by default.
Q: Oh, I saw it in there and it looked configured. Is there somewhere to enable it just by checking a box or something?
A: You need to go to the RRAS snap-in: Start --> Administrative Tools --> Routing and Remote Access --> right-click the DHCP Relay Agent node under IP Routing (add the protocol if it is not present already by right-clicking IP Routing --> Add protocol) --> Properties. You need to add the DHCP server address here. Also you need to right-click --> Add interface --> add the interface on which you want to enable the relay.

Puja_MSFT (Moderator):
Q: We were without Internet access (and therefore no VPN links were established) and the server went without rebooting itself once. When we got out Internet back, the server went back to rebooting itself randomly.
A: Can you check with your ISP if they are using some third party driver that may be crashing and so your server might be rebooting.

Santosh-Chandwani-MS (Expert):
Q: OK... let's try one more time. I have a small network, 3 PCs, hooked to a router, then a cable modem. F&P sharing enabled, all drives shared. One PC can see the other 2, the other 2 don't see me. I used the network wizard to set them up. Why?
A: Please check if DHCP is enabled on the LAN interfaces of all 3 PCs. Please confirm your router configuration to check that it responds to DHCP requests from the clients and issues them IP addresses. Then check if you can ping from each computer to the others using the IP address. And also check if you can then reach the other PCs by name.

Pawan_MSFT (Expert):
Q: Error messages indicate the issue is authentication related. When I unconfigure NLB on the External interfaces I am able to use the VPN again. Are there any limitations with NLB and VPNs?
A: What error are you getting? Are you using PPTP or L2TP connections? NLB and VPNs are supported in W2k3-SP1. Look at https://support.microsoft.com/?kbid=248346. L2TP experience might be broken with NLB.

Puja_MSFT (Moderator):
Q: Which particular firewall setting should I be looking for, and what do I change?
A: For VPN connections you need to open GRE 47, TCP 1723 and UDP 1701 ports.

Pawan_MSFT (Expert):
Q: I represent a growing ISP in Hong Kong. We have recently put a data center together and we are having an issue with RRAS on ISA 2004. When we enable NLB on the External interface of the ISAs we are no longer able to VPN in.
A: What error are you getting? Are you using PPTP or L2TP connections? NLB and VPNs are supported in W2k3-SP1. Look at https://support.microsoft.com/?kbid=248346. L2TP experience might be broken with NLB.

Pawan_MSFT (Expert):
Q: Addendum: The second VPN or SSL connection sits on tip of the first VPN connection and acts as a Network extender. This works fine on a Client, however would like to get Win2k to route for downstream units.
A: You can use site-to-site VPN connection to get different networks connected. And you can add custom routes over site-to-site VPN to get routes for downstream units.

Janani_MS (Expert):
Q: Again on the "Log on using dial-up connection" mode. If I see right, in this scenario my computer is not authenticated in domain before the user is logged on. Is there a way to set up VPN connection to be opened by system on startup?
A: There is no ready-made feature as such. However, you can use a script using "rasdial.exe" to trigger the VPN connection that you need and have it run during system startup as a startup program. You can use the RunOnce registry keys for this.

Santosh-Chandwani-MS (Expert):
Q: This question is about L2TP/IPsec. As you probably know, L2TP clients require a "machine certificate" for IPsec authentication. 1) Is it possible to protect the machine certificate's private key with a password (similar to Keychain in Mac OS X)?
A: Jack2, the machine certificate's private key is accessible to the Administrator only. Access to this account should be protected with a strong password.

Puja_MSFT (Moderator):
Q: Re: L2TP/IPsec 2) Can the machine certificate's private key be stored on a hardware token and if not, why not? The idea is to mitigate damage in case a client (e.g. laptop) is stolen or lost.
A: Authentication using a smart card is an option which you can try for this issue.

Janani_MS (Expert):
Q: On a Win2k3 server I added the VPN server role and a bunch of RAS connections were created in the DHCP server. Someone that normally works on Linux saw them and thought "hey, those connections don't exist on the network" and deleted them. Now I don't know how to get them back. Do I have to remove the VPN server role and add the VPN server role again?
A: Do you mean the addresses in the DHCP server that were leased out to RAS? When RRAS is configured and we choose to use the DHCP mode of addressing for the clients, the DHCP server leases out 10 addresses for the RAS server. If they are deleted then the client may get 169 addresses. However, if the addresses are not present then the RAS server will get them again from the DHCP server. You may not be required to remove and add the role again. You can also choose to use a static pool if you need (RRAS Properties --> IP).

Santosh-Chandwani-MS (Expert):
Q: Re: L2TP/IPsec 2) Can the machine certificate's private key be stored on a hardware token and if not, why not? The idea is to mitigate damage in case a client (e.g. laptop) is stolen or lost.
A: If you want a separate hardware token to store a certificate or any other security token (essentially, use 2-factor authentication), we support EAP-TLS (smartcards with certificates) and other tokens such as RSA SecurID for VPN authentication.

Pawan_MSFT (Expert):
Q: The unreachability reason? The interface is already connected. The only way to re-establish the connection and resume routing between the links is to reboot the server. Any way to resolve this?
A: Pat, there is no easy way to diagnose this without going through server logs. You can enable server logs using command "netsh ras set tracing * enabled."

Puja_MSFT (Moderator):
Q: I am using PPTP at the moment for remote user VPN and IPSec for Remote Site VPNs. The error on the ISAs states "The VPN connection attempted by User from VPN client IP ipaddress could not be established. The failure is due to error: 0xc0040021"
A: Can you check your authentication settings since this error corresponds to authentication mismatch.

Pawan_MSFT (Expert):
Q: [12] With Win2k3 when you have a DMZ and the PDC has the ISA firewall and is the DHCP server, is it correct to use the private side NIC for the DHCP server in VPN?
A: You can put the DHCP server on the private side of the VPN server. Have you faced any issues with this?
Q: Not yet, as my VPN server is not responding when VPN clients try to connect. I'm just trying to prevent getting 169 IP addresses, and since this chat is only once in a while I'm trying to cram all my questions in. Thank you for your help.
A: To prevent 169 addresses going to clients you can configure a static pool of addresses on the VPN server. That way you do not need a DHCP server to give addresses to RAS clients.

Pawan_MSFT (Expert):
Q: Response [25] - Where will the logs be placed? Event Viewer or C:\WINNT\system32\Logfiles?
A: No, it's at %windir%\tracing

Janani_MS (Expert):
Q: I have a VPN set up on a w2k3 server that only has 1 internet card. It is behind a firewall so the server itself gets allocated an internal IP. Problem is that each time the server reboots the allocated internal ip for the VPN clients to use is different
A: By internal IP do you mean private IP? If so you can give a static address to your NIC on that network. That way you can be sure the server always gets the same address.

Santosh-Chandwani-MS (Expert):
Q: I hope this isn't out of scope; if it is, please forgive me. When configuring VPN in ISA 2003 do you need to do more than create one firewall policy, and when adding the VPN protocol to the policy does it encompass all the TCP and UDP ports required?
A: Sorry, but ISA questions are out of scope of this chat. We can help you with any RRAS, Dial-up and VPN (including routing and demand-dial) related queries.

Pawan_MSFT (Expert):
Q: Part 3--it started after migration to E2K3. Other vpn connections on same server can open Outlook, must be some settings on the laptops?
A: This question seems to be out of scope of this VPN discussion.

Puja_MSFT (Moderator):
Q: Supplement to [19]: We have no software from our ISP. Just a modem with a static IP.
A: There can be multiple reasons here. Modem is a third party device and the drivers used for it might be corrupted. It does not look like a VPN issue. Out of scope of this chat.

Santosh-Chandwani-MS (Expert):
Q: 2) Am I right that it is not possible to use the smartcard's CSP for storing the machine certificate's private key on the smartcard?
A: You could probably write a custom application to do this. But it is not supported in the box.

Santosh-Chandwani-MS (Expert):
Q: Re: my L2TP/IPsec question: 2) So it is not possible to store the IPsec private key on a smartcard, you can only store the EAP-TLS private key on a smartcard (at which point you already have established an IPsec connection)?
A: The certificate on the smartcard is used to authenticate the user. The IPsec tunnel will be established with the machine certificate.

Puja_MSFT (Moderator):
Q: Response [25]: Is logging disabled with "netsh ras set tracing * disabled" ? Where can I find more info about this logging?
A: Yes. You can get more information from https://blogs.technet.com/rrasblog/default.aspx

Santosh-Chandwani-MS (Expert):
Q: Part one: On occasion, a heavy use (large email coming across the VPN, AD replication) of a VPN route (using a Demand-dial interface) will cause the server to reboot without errors logged in the Event viewer. This happens almost on a weekly basis.
A: You should examine the NICs on this server. Demand-dial interfaces are designed to come up when the traffic is generated. It seems in your case, there could be an issue with the NICs or the vendor's driver which is unable to handle the high traffic causing the OS to crash.

Santosh-Chandwani-MS (Expert):
Q: Part 2--except that sometimes the user connects, authenticates to AD and can access all resources (Intranet, file shares, printers) but cannot open Outlook 2003....Exchange server not available. Any one has any idea? This never happened with Exchange 5.5
A: Pat, you should examine your Outlook and Exchange settings. The scope of this web-chat is limited to RRAS (consisting of dial-up, VPN, demand-dial and routing). Thanks.

Pawan_MSFT (Expert):
Q: Every once in a while when I use Terminal Services across our VPN to remotely administer a server in another region, the connection will freeze and Routing and RAS appears to reboot, as all 8 VPN connections to various servers will have disconnected.
A: Paul, to diagnose this issue we will need logs and a kernel dump from the server. There seems to be a bug check on the RAS server causing the reboot. To catch the cause of the bug check you will need to get the kernel dump of the crash analyzed. That will point to the binary which is causing it and you may try to uninstall the device pointed to by the analysis.

Janani_MS (Expert):
Q: Instead of using the Win2k included site-to-site VPN connection, I require using a standard client application. It is this VPN connection that I would like Win2k Server to route for downstream units.
A: You can use the RAS client connection without the site-to-site if you need to route the info to the network behind the server. Can you specify what you mean by standard client application?

Pawan_MSFT (Expert):
Q: OK, thank you for answering my questions. This expert chat has been most informative and will allow me to correctly configure my vpn server. I appreciate everyone’s time. Thank you and have a great day!
A: Thanks! You also have a great day.

Santosh-Chandwani-MS (Expert):
Q: I found many people have name resolution or/and connectivity issues when enabling VPN on a DC. However, normally, SBS DC doesn't have these issues. Why?
A: Bob, it is not advisable to enable VPN on a DC. DCs should be kept away from the boundary of the network, as opposed to VPN which is by design at the edge of your network. Enabling RRAS on a DC makes your DC vulnerable to external attacks.

Pawan_MSFT (Expert):
Q: Response [31 or 19]: It is a cable modem or DSL modem... pretty standard broadband equipment - No software or drivers necessary to be installed on the server...RRAS VPN disconnections should be part of this chat.
A: Paul, to diagnose this issue we will need logs and a kernel dump from the server. There seems to be a bug check on the RAS server causing the reboot. To catch the cause of the bug check you will need to get the kernel dump of the crash analyzed. That will point to the binary which is causing it and you may try to uninstall the device pointed to by the analysis to resolve the issue.

Puja_MSFT (Moderator):
Q: Thanks to Microsoft guys...You guys make these sessions very informative and I learn new technical information about Microsoft's VPN solution every time I participate in these sessions (even if it is as a silent observer). You guys Rock!!!
A: Thank you for participating in the web chat.

Santosh-Chandwani-MS (Expert):
Q: Another L2TP VPN question: Windows XP's behavior has changed in SP2. It no longer supports L2TP servers behind NAT, unless you apply a registry patch. The rationale behind this was 'security'? Does this mean that XP pre-SP2 and W2K are vulnerable?!
A: Jack2, which registry patch are you referring to and is there a KB associated with this to which you can refer me? XPSP2 added support for NAT-Traversal. This makes it easier for multiple clients behind a NAT to connect to the same network. This is not a security fix, but rather a usability issue which was fixed.

Santosh-Chandwani-MS (Expert):
Q: "Bob, it is not advisable to enable VPN on a DC. DCs should be kept away from the boundary of the network, as opposed to VPN which is by design at the edge of your network. Enabling RRAS on a DC makes your DC vulnerable to external attacks." So it should be internet >> router >> VPN/NAT/firewall server >> then the PDC. Would this be a recommended environment?
A: Ideally, you must have a firewall between the DMZ and the intranet. A firewall between the VPN server and the internet, or on the VPN server (RRAS includes support for a Basic Firewall) is also desirable.

Pawan_MSFT (Expert):
Q: Re Q[51]: Sure, see Q885407 for the XP SP2 registry change.
A: No, this is not a Windows vulnerability. NAT has to translate IPSEC packets to properly route them. IPSEC packets in the most secure manner can have even the packet header encrypted. However, that will prevent NAT from working. Pre-XP SP2 the default behavior was for IPSEC packets to go out with the header not encrypted. However, in XP SP2, to fix the security concerns, the default behavior is changed to encrypt IPSEC headers by default and thereby not allow NAT to work. For getting NAT to work you need to apply the reg key.

Janani_MS (Expert):
Q: Response [38] Making some progress...Where do I find the kernel dump file (user.dmp, memory.dmp?) and what logs do I need to send where?
A: You can find the kernel dump file location from Start --> right-click 'My Computer' --> Properties --> Advanced --> Startup and Recovery settings. Enable Complete memory dump here. The RAS logs will be generated in %windir%\tracing. Follow the steps below to collect logs: 1) netsh ras set tracing * ena - enables the logging; 2) perform the steps which you did for the problem; 3) disable tracing to flush out the logs - netsh ras set tracing * dis. Then pass on the logs in the newsgroup "microsoft.public.win2000.ras_routing".

Janani_MS (Expert):
Q: Hi...I set up RWW on SBS 2003 and can access it from PCs using the LAN, but when I get home I have no success. I have added all the necessary ports in my router that is between the server and the modem so I don't know what else I need to do.
A: Have you made sure that there is no firewall/NAT in between that blocks the packets?

Santosh-Chandwani-MS (Expert):
Q: Win2k Svr acts as a router and uses the ATT client for the VPN connection. Downstream units are able to go through the VPN connection fine. If I then add a VPN extender (Checkpoint VPN) to the Win2k router, the downstream units cannot see the new extended routes.
A: JB, I suggest you use the RRAS functionality included in W2K to provide the VPN functionality. Since this is integrated into W2K you may be able to avoid any interop issues such as those you are seeing.

Pawan_MSFT (Expert):
Q: We are a 15-user satellite office with a high speed business modem connected to a Cisco 3020 VPN, which routes one IP address to the main network through the firewall. We get constant disconnects of the VPN. The modem is no problem. Advice with tracing packets?
A: Satellite connections usually have high latency and can cause possible time outs of VPN protocols causing disconnections.

Carolyn [MSFT] (Moderator):
I'd like to thank our experts for joining us today to talk about VPN, Routing and Remote Access.

If you would like further information on today's topic, please visit the following URLs:
• Routing and Remote Access team blog - https://blogs.technet.com/rrasblog/default.aspx
• https://www.microsoft.com/technet/network/vpn/default.mspx

Thanks for your interest and feedback! 
