
    Where's My VPN?

    • garak0410G
      garak0410
      last edited by

      I feel silly for posting this but where the heck is my VPN? I am trying to transfer it to my new server and I went to our old VPN server and ROUTING AND REMOTE ACCESS is not even set up. Yet, if the server was down VPN would be down.

      Our firewall (Endian) has VPN settings for OpenVPN but it is NOT enabled. However, it does have BRIDGED enabled to one of our interface cards with Dynamic IP pool start and end addresses listed.

      Sounds like a "noob" kind of question but it is just something I've never had to touch with all my other duties.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        So maybe it is not a Windows VPN in use. Might be a third party product. Check out the process table to see what is running.

        1 Reply Last reply Reply Quote 0
        • alexntgA
          alexntg
          last edited by

          On a humorous note, inserting "Dude," at the beginning of the title would be hilarious.

          Seriously, though, how do the clients connect? That should give you a starting place to look.

          garak0410G 1 Reply Last reply Reply Quote 0
          • garak0410G
            garak0410 @alexntg
            last edited by

            @alexntg said:

            On a humorous note, inserting "Dude," at the beginning of the title would be hilarious.

            Seriously, though, how do the clients connect? That should give you a starting place to look.

            "Dude"...being solo IT guy for everything means some things go untouched for years. LOL.

            @scottalanmiller said:

            So maybe it is not a Windows VPN in use. Might be a third party product. Check out the process table to see what is running.

            Well, that's why I thought it may be the firewall but if OpenVPN is not on, then it is somewhere else.

            If this helps, it is the broadcast address of our T1 internet service. Its address is after the WAN gateway and before the subnet mask.

            1 Reply Last reply Reply Quote 0
            • alexntgA
              alexntg
              last edited by

              How do the clients connect?

              garak0410G 1 Reply Last reply Reply Quote 1
              • Bill KindleB
                Bill Kindle
                last edited by

                Garak, didn't I send you a link with information from TechNet on this topic elsewhere?

                garak0410G 1 Reply Last reply Reply Quote 0
                • garak0410G
                  garak0410 @alexntg
                  last edited by

                  @alexntg said:

                  How do the clients connect?

                  Through the broadcast address and using their domain ID and password.

                  alexntgA 1 Reply Last reply Reply Quote 0
                  • alexntgA
                    alexntg @garak0410
                    last edited by

                    @garak0410 said:

                    @alexntg said:

                    How do the clients connect?

                    Through the broadcast address and using their domain ID and password.

                    Let's see if I can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?

                    1 Reply Last reply Reply Quote 0
                    • garak0410G
                      garak0410 @Bill Kindle
                      last edited by garak0410

                      @Bill-Kindle said:

                      Garak, didn't I send you a link with information from TechNet on this topic elsewhere?

                      Yes...the link will help but find it kind of puzzling that it wasn't configured on the original server at all (SBS 2003)

                      @alexntg said:

                      @garak0410 said:

                      @alexntg said:

                      How do the clients connect?

                      Through the broadcast address and using their domain ID and password.

                      Let's see if I can be more specific - Is it SSL? PPTP? IPSEC? Is there a VPN client installed, or does it use the built-in Windows VPN client?

                      Sorry...Windows VPN client...they configure it with the broadcast IP address of our internet service. Security is set to Automatic type of VPN and data encryption is optional. Windows 8x users have to also select ALLOW THESE PROTOCOLS. Sign in with domain ID and password and they are in.

                      garak0410G 1 Reply Last reply Reply Quote 0
                      • garak0410G
                        garak0410 @garak0410
                        last edited by garak0410

                        @garak0410

                        Also, when on a VPN connection, when you do IPCONFIG /ALL, it shows the OLD server IP as primary DNS, so it has to be there. But if I go into ROUTING AND REMOTE ACCESS on the old server, and go into properties, it says THE SERVER HAS NOT BEEN SET UP FOR ROUTING. Perhaps I am just in the wrong properties?

                        1 Reply Last reply Reply Quote 0
                        • alexntgA
                          alexntg
                          last edited by

                          You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                          garak0410G 1 Reply Last reply Reply Quote 1
                          • garak0410G
                            garak0410 @alexntg
                            last edited by

                            @alexntg said:

                            You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                            Checking...

                            garak0410G 1 Reply Last reply Reply Quote 0
                            • garak0410G
                              garak0410 @garak0410
                              last edited by

                              @garak0410 said:

                              @alexntg said:

                              You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                              Checking...

                              Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                              Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                              Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                              It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                              alexntgA 1 Reply Last reply Reply Quote 0
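
An added example, not part of the original thread: once the firewall rules show UDP/1701 and TCP/1723 being forwarded to a server, the earlier advice to check what is running can be followed by mapping VPN listener ports to the owning process and its services. The script parses saved output of `netstat -ano` and `tasklist /svc /fo csv`; the sample text, addresses and PIDs are constructed, and the ports other than 1701 and 1723 are standard defaults that the thread does not mention.

```python
import csv
import io

# 1701 and 1723 are the ports in the firewall rules quoted in the thread;
# the other entries are standard defaults added here for coverage.
VPN_PORTS = {
    ("TCP", 1723): "PPTP control",
    ("UDP", 1701): "L2TP",
    ("UDP", 500): "IKE (IPsec)",
    ("UDP", 4500): "IPsec NAT-T",
    ("UDP", 1194): "OpenVPN default",
}

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        198.51.100.7:50211     ESTABLISHED     1020
  UDP    0.0.0.0:500            *:*                                    1180
  UDP    0.0.0.0:1701           *:*                                    4
"""

# Constructed sample of `tasklist /svc /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","716","RpcSs"
"svchost.exe","1180","IKEEXT,RemoteAccess"
"""

def vpn_listeners(netstat_text):
    """Return sorted (proto, port, label, pid) for VPN ports that are listening."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, other protocols
        proto = parts[0]
        # TCP rows carry a state column; UDP rows have none.
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        port, pid = parts[1].rsplit(":", 1)[-1], parts[-1]  # also handles [::]:1723
        if port.isdigit() and pid.isdigit() and (proto, int(port)) in VPN_PORTS:
            found.add((proto, int(port), VPN_PORTS[(proto, int(port))], int(pid)))
    return sorted(found)

def services_by_pid(tasklist_csv):
    """Map PID -> (image name, services) from the CSV form of tasklist /svc."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): (r["Image Name"], r["Services"]) for r in rows}

def report(netstat_text, tasklist_csv):
    """Join listeners with process info: (proto, port, label, image, services)."""
    procs = services_by_pid(tasklist_csv)
    return [(proto, port, label) + procs.get(pid, ("unknown", "N/A"))
            for proto, port, label, pid in vpn_listeners(netstat_text)]

if __name__ == "__main__":
    for row in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

A listener owned by PID 4 (System) is held by a kernel-mode driver, so the services column from `tasklist`, not the port owner, is where a running RemoteAccess service would show up.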
                              • alexntgA
                                alexntg @garak0410
                                last edited by

                                @garak0410 said:

                                @garak0410 said:

                                @alexntg said:

                                You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                Checking...

                                Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                You'll want to configure remote access on the new server first.

                                garak0410G 1 Reply Last reply Reply Quote 0
                                • garak0410G
                                  garak0410 @alexntg
                                  last edited by

                                  @alexntg said:

                                  @garak0410 said:

                                  @garak0410 said:

                                  @alexntg said:

                                  You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                  Checking...

                                  Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                  Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                  Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                  It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                  You'll want to configure remote access on the new server first.

                                  On the DC or allow my "services/file" server to handle it?

                                  alexntgA 1 Reply Last reply Reply Quote 0
                                  • alexntgA
                                    alexntg @garak0410
                                    last edited by

                                    @garak0410 said:

                                    @alexntg said:

                                    @garak0410 said:

                                    @garak0410 said:

                                    @alexntg said:

                                    You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                    Checking...

                                    Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                    Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                    Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                    It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                    You'll want to configure remote access on the new server first.

                                    On the DC or allow my "services/file" server to handle it?

                                    Personal preference? There's pros and cons to both.

                                    garak0410G 1 Reply Last reply Reply Quote 0
                                    • garak0410G
                                      garak0410 @alexntg
                                      last edited by

                                      @alexntg said:

                                      @garak0410 said:

                                      @alexntg said:

                                      @garak0410 said:

                                      @garak0410 said:

                                      @alexntg said:

                                      You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                      Checking...

                                      Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                      Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                      Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                      It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                      You'll want to configure remote access on the new server first.

                                      On the DC or allow my "services/file" server to handle it?

                                      Personal preference? There's pros and cons to both.

                                      Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                                      alexntgA 1 Reply Last reply Reply Quote 0
                                      • alexntgA
                                        alexntg @garak0410
                                        last edited by

                                        @garak0410 said:

                                        @alexntg said:

                                        @garak0410 said:

                                        @alexntg said:

                                        @garak0410 said:

                                        @garak0410 said:

                                        @alexntg said:

                                        You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                        Checking...

                                        Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                        Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                        Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                        It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                        You'll want to configure remote access on the new server first.

                                        On the DC or allow my "services/file" server to handle it?

                                        Personal preference? There's pros and cons to both.

                                        Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                                        I've never worked with SBS before.

                                        garak0410G 1 Reply Last reply Reply Quote 0
                                        • garak0410G
                                          garak0410 @alexntg
                                          last edited by

                                          @alexntg said:

                                          @garak0410 said:

                                          @alexntg said:

                                          @garak0410 said:

                                          @alexntg said:

                                          @garak0410 said:

                                          @garak0410 said:

                                          @alexntg said:

                                          You should see a related tunnel/rule in your firewall configuration. In an AD environment, the DC should be set as the DNS server, so that doesn't necessarily point to anything specific as the VPN.

                                          Checking...

                                          Well, the "free" Endian firewall we use kind of hid these options but I did find something (masking out the IP and port numbers):

                                          Uplink ANY UDP/1701 ALLOW with IPS 0.0.0.0: 000 L2TP

                                          Uplink ANY TCP/1723 ALLOW 0.0.0.0: 0.0.0.0 PPTP

                                          It was pointed at the old server. So, just point this to the new DC and I'll be good? No need to go through and set up ROUTING AND REMOTE ACCESS since it was never configured on the old server? That's basically where my confusion was in how ROUTING AND REMOTE ACCESS was never set up on the old one.

                                          You'll want to configure remote access on the new server first.

                                          On the DC or allow my "services/file" server to handle it?

                                          Personal preference? There's pros and cons to both.

                                          Quick side question...since ROUTING AND REMOTE ACCESS was never configured on the old server/DC (SBS 2003), how did it work then? Just by the tunneling?

                                          I've never worked with SBS before.

                                          Thanks for tips...as I said, not having ROUTING AND REMOTE ACCESS set up on the original was causing me to just sit here and shake my head...as I multitask with other things... 🙂

                                          garak0410G 1 Reply Last reply Reply Quote 0
                                          • garak0410G
                                            garak0410 @garak0410
                                            last edited by

                                            @garak0410

                                            Made the changes in the firewall tunneling and configured ROUTING AND REMOTE ACCESS on the services server (though had to use CUSTOM since this is a VM and only had one NIC.) Using Windows Authentication, MS-CHAP v2 only...tried a test VPN connection and it fails with ERROR 812...complaining about a policy on the RAS/VPN server and the authentication method used by the server to verify username and password. Can't seem to find the solution yet but love OTJ training... 🙂 Still searching...

                                            garak0410G 1 Reply Last reply Reply Quote 0