Success: One number makes all the difference!
I got up to go to the eTech conference in Columbus (in fact I’m starting this post from a Panera down the street from the Columbus Convention Center) and went through configuring RRAS to be a NAT router and remote VPN at about 4:40 AM. (By the way, this server is starting to be REAL SLOW. Guess it’s due to the services it’s running.)
I have never known what to do with the message given in the lower part of this screenshot:
The DHCP server seems to have been involved. After I trimmed down the PPTP and L2TP ports to 5 each, I get these DHCP lease assignments:
Here’s how it set up the basic firewall:
At the cafe, I set up a new VPN client connection and tried it. No good. I’ve got to go to the conference now and will try to fix it in the lab.
Back home, I noticed that there was an error in the System log that occurred during the setup early this A.M.:
An MS KB article says that you can just shut down L2TP by setting its ports to zero, or set up certificates. I was hoping just to use PPTP and thought that would be the default.
Let’s try this again, and I’ll sniff packets (using the capture filter “not broadcast and not multicast and not arp”).
It showed absolutely nothing incoming! Outgoing from the client showed three PPTP SYN packets that never received a reply. Maybe the server firewall is killing incoming handshake packets. I used grc.com’s Shields Up to test four ports and got this:
Hmmm. That looks correct. By the way this corresponds to the RED Properties screenshot above as follows:
Port   GRC name     Win name
500    isakmp       IPSecurity (IKE)
1701   l2tp         VPN Gateway (L2TP/IPSec, running on this server)
1723   pptp         VPN Gateway (PPTP)
4500   ipsec-msft   IPSecurity (IKE NAT Traversal)
By the way, notice that at no time did I try to select any specific IPSec option; it defaults to PPTP.
Let’s JUST probe port 1723 and sniff it.
WAIT A MINUTE, THE IP I USED WAS OFF BY ONE DIGIT. IT WORKS!!!
In case I later care, here’s what a SUCCESSFUL server side PPTP VPN handshake looks like:
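The post’s own capture isn’t reproduced here, so as an added illustration (my code, not the author’s, and not a real capture) here is what a PPTP client actually sends on TCP port 1723 and what a healthy server answers with, per RFC 2637: the client opens the TCP control connection and sends a 156-byte Start-Control-Connection-Request (SCCRQ), and the server answers with a 156-byte Start-Control-Connection-Reply (SCCRP) whose result code is 1. The script builds the SCCRQ, parses an SCCRP, and includes a small probe that reproduces the symptom in the post: a connect timeout means the SYNs got no reply (firewall, or, as it turned out, the wrong address), while a parsed SCCRP with result 1 is the successful handshake. The sample reply, hostname and vendor strings are constructed for the example.

```python
import socket
import struct

# PPTP control-connection constants from RFC 2637 (TCP port 1723).
PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1   # Start-Control-Connection-Request (client -> server)
CTRL_SCCRP = 2   # Start-Control-Connection-Reply   (server -> client)
SCC_LEN = 156    # SCCRQ and SCCRP are both fixed 156-byte messages

# Wire layouts, network byte order, no padding.
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
assert struct.calcsize(SCCRQ_FMT) == SCC_LEN
assert struct.calcsize(SCCRP_FMT) == SCC_LEN


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Build the first message a PPTP client sends on the control connection."""
    return struct.pack(
        SCCRQ_FMT,
        SCC_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0,
        0x0100,  # protocol version 1.0
        0,       # reserved1
        0x3,     # framing capabilities: async | sync
        0x3,     # bearer capabilities: analog | digital
        1,       # maximum channels
        0,       # firmware revision
        hostname.ljust(64, b"\x00")[:64],
        vendor.ljust(64, b"\x00")[:64],
    )


def parse_sccrp(data):
    """Parse a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < SCC_LEN:
        raise ValueError(f"short reply: {len(data)} bytes")
    (length, msg_type, cookie, ctrl_type, _r0, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:SCC_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08x}")
    if msg_type != MSG_TYPE_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError(f"unexpected message type {msg_type}/{ctrl_type}")
    return {
        "length": length,
        "version": version,
        "result": result,       # 1 = control connection established
        "error": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\x00").decode(errors="replace"),
        "vendor": vendor.rstrip(b"\x00").decode(errors="replace"),
    }


def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection, send SCCRQ, return the parsed SCCRP.

    A socket.timeout raised by create_connection() is the "three SYNs, no
    reply" symptom: something dropped the SYN, or the address is wrong.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < SCC_LEN:
            chunk = s.recv(SCC_LEN - len(reply))
            if not chunk:
                raise ValueError("server closed the control connection")
            reply += chunk
    return parse_sccrp(reply)


# Constructed sample, not a real capture: a successful SCCRP as a server
# would send it (result code 1). Hostname and vendor strings are illustrative.
SAMPLE_SCCRP = struct.pack(
    SCCRP_FMT, SCC_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0,
    0x0100, 1, 0, 0x3, 0x3, 1, 0,
    b"rras-server".ljust(64, b"\x00"), b"Microsoft".ljust(64, b"\x00"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))   # python pptp_probe.py <vpn-server-ip>
    else:
        print(parse_sccrp(SAMPLE_SCCRP))
```

Run it with the VPN server’s public address as the only argument. If the server is reachable and RRAS is answering on 1723, the parsed reply has result 1 and the server’s hostname; a timeout on connect, before any bytes are exchanged, is exactly the no-reply-to-SYN picture seen in the capture above, and is worth double-checking the address before blaming the firewall.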
BTW, here is a screenshot from the client. Not sure what gets the IP address 172.16.1.20. Let me check…
I decided to try to turn off the VPN facility by using the RRAS snap-in and selecting “Pause.” GRC still reports the port as open, but I’m assuming the server won’t answer.
I also want to be able to use Remote Desktop to control the server from my laptop over the VPN, so I enabled Remote Desktop for two users. It’s working well.