Virtual Private Networking
VPN problems typically fall into the following categories:
Use the following troubleshooting tips to isolate the configuration or infrastructure problem causing the stated VPN problem.
In order for the connection to be established, the parameters of the connection attempt must:
For more information about remote access policies, see Windows 2000 Server Help and "Remote Access Server" in this book.
The properties of the remote access policy profile and the properties of the RAS server both contain settings for:
If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the EAP-TLS authentication protocol must be used and EAP-TLS is not enabled on the VPN server, the VPN server rejects the connection attempt.
By default, Windows 2000 remote access VPN clients have the Automatic server type option selected, which means that they try to establish an L2TP over IPSec-based VPN connection first, then they try a PPTP-based VPN connection. If either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option is selected, verify that the selected tunneling protocol is supported by the VPN server.
By default, a Windows 2000 Server–based computer running the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero.
If all of the addresses in the static pools have been allocated to connected VPN clients, the VPN server is unable to allocate an IP address for TCP/IP-based connections, and the connection attempt is rejected.
The VPN server can be configured to use either Windows 2000 or RADIUS to authenticate the credentials of the VPN client.
A connection can be rejected for the following reasons:
The connection attempt is denied remote access permission through the remote access permission of the user account (with Deny access selected).
The user account has the Control access through Remote Access Policy option selected, and the remote access permission of the first remote access policy that matches the parameters of the connection attempt has the Deny remote access permission selected.
For more information about remote access policies, see Windows 2000 Server Help.
If the VPN server is configured to use a static IP address pool, verify that the routes to the range of addresses defined by the static IP address pools are reachable by the hosts and routers of the intranet. If not, an IP route for the VPN server's static IP address pools, as defined by the IP address and mask of the range, must be added to the routers of the intranet, or the routing protocol of your routed infrastructure must be enabled on the VPN server. If the routes to the remote access VPN client subnets are not present, remote access VPN clients cannot receive traffic from locations on the intranet. Routes for the subnets are implemented either through static routing entries or through a routing protocol, such as Open Shortest Path First (OSPF) or Routing Information Protocol (RIP).
If the VPN server is configured to use DHCP for IP address allocation and no DHCP server is available, the VPN server assigns addresses from the Automatic Private IP Addressing (APIPA) address range from 169.254.0.1 through 169.254.255.254. Allocating APIPA addresses for remote access clients works only if the network to which the VPN server is attached is also using APIPA addresses.
If the VPN server is using APIPA addresses when a DHCP server is available, verify that the proper adapter is selected from which to obtain DHCP-allocated IP addresses. By default, the VPN server randomly chooses the adapter to use to obtain IP addresses through DHCP. If there is more than one LAN adapter, then the Routing and Remote Access service may choose a LAN adapter for which there is no DHCP server available. You can manually choose a LAN adapter from the IP tab on the properties of a remote access server in the Routing and Remote Access snap-in.
If the static IP address pool is a range of IP addresses that is a subset of the range of IP addresses for the network to which the VPN server is attached, verify that the addresses in the static IP address pool are not assigned to other TCP/IP nodes, either through static configuration or through DHCP.
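The three address-pool checks above (the route intranet routers need for a pool, whether the pool is a subset of the LAN subnet, whether it collides with a DHCP scope, and whether clients fell back to APIPA) can be scripted. This is an added example, not code from the Resource Kit; the LAN subnet, pool and DHCP scope values are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the page): an intranet LAN of
# 10.1.0.0/16, a VPN static pool that is a subset of it, and a DHCP scope that
# mistakenly overlaps the pool.
LAN = "10.1.0.0/16"
POOL = ("10.1.200.1", "10.1.200.50")
DHCP_SCOPE = ("10.1.200.40", "10.1.250.254")

APIPA = ipaddress.ip_network("169.254.0.0/16")


def covering_route(start: str, end: str) -> str:
    """Smallest CIDR prefix covering the pool: the route (static or via OSPF/RIP)
    that intranet routers need so traffic can reach the VPN clients."""
    net = ipaddress.ip_network(start + "/32")
    last = ipaddress.ip_address(end)
    while last not in net:
        net = net.supernet()
    return str(net)


def pool_subset_of_lan(start: str, end: str, lan_cidr: str) -> bool:
    """True if the pool lies inside the LAN subnet (then no extra route is needed,
    but the duplicate-assignment check below applies)."""
    lan = ipaddress.ip_network(lan_cidr)
    return ipaddress.ip_address(start) in lan and ipaddress.ip_address(end) in lan


def pool_overlaps_scope(start: str, end: str, scope_start: str, scope_end: str) -> list:
    """Addresses that are in both the static pool and a DHCP scope; each of these
    could be handed to a VPN client and to a LAN host at the same time."""
    a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    c, d = int(ipaddress.ip_address(scope_start)), int(ipaddress.ip_address(scope_end))
    lo, hi = max(a, c), min(b, d)
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def uses_apipa(addr: str) -> bool:
    """True if a client address came from the APIPA fallback range, which means
    the VPN server could not reach a DHCP server on its chosen adapter."""
    return ipaddress.ip_address(addr) in APIPA


if __name__ == "__main__":
    print("route to add:", covering_route(*POOL))
    print("pool inside LAN:", pool_subset_of_lan(*POOL, LAN))
    print("double-assigned:", pool_overlaps_scope(*POOL, *DHCP_SCOPE))
    print("APIPA client:", uses_apipa("169.254.12.7"))
```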
Unlike a remote access VPN connection, a router-to-router VPN connection does not automatically create a default route. You need to create routes on both sides of the router-to-router VPN connection so that traffic can be routed to and from the other side of the router-to-router VPN connection.
You can manually add static routes to the routing table, or you can add static routes through routing protocols. For persistent VPN connections, you can enable Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) across the VPN connection. For on-demand VPN connections, you can automatically update routes through an auto-static RIP update.
If the user name of the calling router's credentials appears under Remote Access Clients in the Routing and Remote Access snap-in, the VPN server has interpreted the calling router as a remote access client. Verify that the user name in the calling router's credentials matches the name of a demand-dial interface on the VPN server.
On a Windows 2000–based VPN server, IP packet filtering can be configured from the advanced TCP/IP properties and from the Routing and Remote Access snap-in. Check both places for filters that might be excluding VPN connection traffic.
For more information about VPN connection traffic and packet filtering, see "VPNs and Firewalls" earlier in this chapter.
When the Winsock Proxy client is active, Winsock API calls such as those used to create tunnels and send tunneled data are intercepted and forwarded to a configured proxy server.
A proxy server–based computer allows an organization to access specific types of Internet resources (typically Web and FTP) without directly connecting that organization to the Internet. The organization can instead use InterNIC-allocated private IP network IDs (such as 10.0.0.0/8).
Proxy servers are typically used so that private users in an organization can have access to public Internet resources as if they were directly attached to the Internet. VPN connections are typically used so that authorized public Internet users can gain access to private organization resources as if they were directly attached to the private network. A single computer can act as a proxy server (for private users) and a VPN server (for authorized Internet users) to facilitate both exchanges of information.
For more information about troubleshooting remote access VPN connections, see "Remote Access Server" in this book. For more information about troubleshooting router-to-router VPN connections, see "Demand-Dial Routing" in this book.