
Studying MCSA, currently working on a Server 2012 R2 server lab I have set up on a custom built computer.

Current configuration: I have a host computer that is just that, a host, with RRAS installed so that the internal network (which I call my virtual office) can reach the internet.

In my VIRTUAL OFFICE (via Hyper-V):

I have a DC server set up with Active Directory, DNS and DHCP and a few client computers (a mix of Win 7 and 8), all connected with an internal switch. I also have an NPS server with two network connections, one to the internal network and an external connection straight to my home router that connects to the ISP.

It took me hours as this is my first time, but I was able to successfully set up a PPTP VPN connection and test it with my physical laptop connected through my cellphone's mobile hot-spot. Configurations are through RRAS and NPS.

I then deleted my NPS/VPN server and deleted the VPN connection on my laptop to set everything up again for experience. Then the problems started. I can get authenticated to the RRAS and I can see my connection in the RRAS console, but on the laptop it gets stuck on "creating a connection" for 10-15 and then disconnects. Event Viewer on the server gives me an error about encryption. I've restarted back to scratch (delete and reinstall server) several times and I always get stuck at this point. I've gone as far as taking 30 minutes to slowly go through every setting on both the laptop and server to make sure it matches. I've even removed any form of encryption for an unsecured connection and still failed.

I am lost here. Any ideas? I can't remember the error code in Event Viewer, will get that tomorrow.

Zach85
  • EDIT: I have once again reset the server back to after it was originally installed. Going to give this another try this morning before I need to head to work. In addition, the error message in Event Viewer is 20255. Don't remember exactly word for word and forgot to copy it before resetting the server, but it had to do with the remote computer (I'm assuming my laptop) not accepting the encryption or something like that – Zach85 Jul 18 '17 at 14:45
  • UPDATE (somewhat good news): so like I said this morning, I deleted the server from Hyper-V, cleared out the VHD and started a new install for a VPN server. The only difference I made was that I installed the Server 2012 R2 DataCenter version, previously I was using Standard. However, I do not think that makes a difference. This time I took the extra 10-15 minutes to go through every setting in RRAS, did not install NPS yet. Using my work phone as a hotspot and a different laptop with Windows 7, I was successful. Also successful from my cellphone. Thinking I'm screwing up NPS somehow – Zach85 Jul 19 '17 at 00:57
  • LAST UPDATE: after activating NPS, I am connected to my VPN via mobile hotspot to post this update. It seems that patience is a virtue when running these kinds of settings. and just my luck, using checkpoints along the way seem to have upped my chances of this working this time. Thanks everyone who has helped along the way – Zach85 Jul 19 '17 at 04:53

3 Answers


As you already stated, you have to make sure that protocol settings, encryption, and authentication settings all match.

When you are sure everything is alright, there is one more thing I had quite often in Microsoft RRAS configurations: the RRAS server will ask Active Directory about the authentication, and sometimes Windows "thinks" it is not on a domain network anymore (check Network and Sharing Center for the network profile). Most of the time it is a DNS problem you have to fix, but I also had cases where I did not see anything wrong and disabling/re-enabling the internal network adapter of the RRAS server solved the problem.

If it is due to incompatible encryption settings, check the policies on the correct server (RRAS server if you do not use NPS, NPS server if you do use NPS). Always go for the highest encryption standard possible.

Also check that any firewall you might have in between does not block your VPN protocol(s).

Klaus
  • I have ports 1723 and 47 both open for PPTP and GRE. As for DNS... I have the internal adapter assigned with a reserved address from DHCP, and its DNS is set to the DC that has DNS enabled. For my external adapter, I have a static IP address with the gateway pointed to the physical router that connects to my ISP. But, for DNS, I've been going back and forth between using the DNS on my DC and the physical router. Both are on separate subnets. My home network is on the 192.168.1.0 network while my virtual network is the 192.168.10.0 network. – Zach85 Jul 18 '17 at 14:32
  • after about 5 reinstalls of server 2012 over the past two days, I finally got it to work with only RRAS installed. Possibly I'm screwing something up in NPS, so I'm creating a checkpoint on that VM tonight and then giving NPS a try again. And will keep trying until I get it working. – Zach85 Jul 19 '17 at 01:00
  • it is very easy to screw something up in NPS ;) – Klaus Jul 20 '17 at 07:33
  • First, make sure your policy actually hits - check the order of the connection request and network policies. Then, check all the tabs in your network policy for compatibility with your client. From your error message, I assume the problem lies in the encryption settings in the Settings tab. Just select 'strongest' only, which is best practice anyway – Klaus Jul 20 '17 at 07:47
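Klaus's checklist (matching protocol, authentication and encryption settings on the server that owns the policy, then the firewall in between) can be walked through from an elevated PowerShell session on the RRAS/NPS VM instead of clicking through the consoles. The script below is an added example by the editor, not code from Klaus or from the poster's lab; it assumes Windows Server 2012 R2 with the RemoteAccess, NetSecurity and NPS modules present, and the firewall rule names and the export path are made up for this illustration. Note that the comment above talks about "ports 1723 and 47": only 1723 is a TCP port, GRE is IP protocol 47 and has to be allowed as a protocol, which is the mistake the script avoids. One caveat the thread never states: PPTP with MS-CHAP v2 is fine for an MCSA lab but not for anything real, since the MS-CHAP v2 handshake can be recovered offline and the MPPE session keys are derived from it.

```powershell
# Added example (not from the original thread): server-side checks for a
# PPTP-over-RRAS lab on Windows Server 2012 R2. Run elevated on the RRAS/NPS VM.
# Rule names, export path and the time window are assumptions for this lab.

Import-Module RemoteAccess
Import-Module NetSecurity

# 1. Is the VPN role actually installed and running?
Get-RemoteAccess | Select-Object VpnStatus, DAStatus

# 2. Which user-authentication protocols does RRAS accept? The client must
#    offer the same one. MS-CHAP v2 is the only PPTP user-auth method that
#    also yields MPPE keys, so a PAP/CHAP-only client can never get encryption.
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted

# 3. Restrict RRAS to MS-CHAP v2 so a mismatched client fails at
#    authentication (a clear event) rather than at encryption negotiation.
Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted

# 4. PPTP needs two things through the host firewall: TCP 1723 for the
#    control channel and IP protocol 47 (GRE) for the tunnel. GRE is not a port.
$rules = @(
    @{ DisplayName = 'Lab VPN - PPTP control (TCP 1723)'; Protocol = 'TCP'; LocalPort = 1723 },
    @{ DisplayName = 'Lab VPN - PPTP tunnel (GRE, IP protocol 47)'; Protocol = '47' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Direction Inbound -Action Allow -Profile Any @r | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'Lab VPN*' |
    Select-Object DisplayName, Enabled, Direction, Action

# 5. Export the NPS configuration (network policies, processing order and the
#    Encryption tab settings Klaus refers to). RRAS without NPS still evaluates
#    the local network policies, so this applies in both setups. Keep one
#    export from a working checkpoint and diff against it after each change.
$export = Join-Path $env:TEMP 'nps-config.xml'   # assumed path
Export-NpsConfiguration -Path $export
Write-Host "NPS configuration exported to $export"

# 6. Pull the RemoteAccess errors from the last failed attempt. Event 20255 is
#    the one the poster saw; its text names the port, the user and the
#    encryption type the remote computer would not accept.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'RemoteAccess'
        Level        = 2                       # Error
        StartTime    = (Get-Date).AddHours(-1) # assumed window
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 6 shows 20255 while step 2 already reports MSChapv2 only, the mismatch is in the network policy's Encryption tab or in the client's "Data encryption" setting, not in the authentication protocol; if the policy ordering is wrong, the client may be matched by a different policy than the one you edited, which is why the export in step 5 is worth reading before changing anything else.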

If I am understanding you correctly you have set up your RRAS VPN server and your client (Windows 10) is where the help is needed. If I have that right (It's late, I'm tired, and I am stepping into my 18th + hour and have more ahead)...

  1. Create your VPN connection as you normally would
  2. Click Start, type Control Panel and then press enter
  3. Click Network and Internet
  4. Click Network and Sharing Center
  5. Click Change adapter settings in the left side menu list
  6. Right-click your VPN connection and select properties
  7. On the security tab your Allow these protocols settings will need to change to Microsoft CHAP Version 2 (MS-CHAP v2).
On the one I did my settings were

Type of VPN:  Automatic

Advanced Settings:  L2TP - Use certificate for authentication with Verify Name and Usage... selected

Advanced Settings:  IKEv2 - Mobility option enabled with network outage time of 30 mins

Data Encryption: Optional encryption (connect even if no encryption)

Authentication section:  see number 7 above
Hopefully this helps you. I have to get back to what I SHOULD be doing right now LOL
Edit: Don't forget that you may need to play with GRE port 47 in your firewall - depends on the firewall and your configuration.

  • Thank you. I have checked multiple times with the VPN connection set up on the laptop. I'm using PPTP, though, and not L2TP as you have in your comment above. – Zach85 Jul 18 '17 at 14:36
  • Have you done any packet traces? I am not sure I am following the packet path here. VPN Client device (physical) ---> Client device's WAN Network (mobile) --> HOST WAN Router's ISP --> HOST WAN Router --> Host (physical) passes to RRAS server (virtual) via Hyper-V virtual switch. If I find some time I will look at this and see if I can ping back. Sorry that did not work out for you. – Daniel S. Gurrola II Jul 18 '17 at 22:56
  • After spending extra time to make sure the RRAS settings were absolute and being successful with that, I've activated NPS and guess what... I'm posting this comment through my VPN via my laptop connected to my mobile hotspot. Authenticated and passed encryption test, I am in a tunnel! Finally excited to have this working again. Thanks for the suggestions. Could you tell me though, when you say "packet trace", are you talking like using WireShark or something? – Zach85 Jul 19 '17 at 04:52
  • You can run packet traces using WireShark, yes. Also, Microsoft Message Analyzer can be used, but your Google-Fu may need to be stronger LOL It is best to run the traces at both ends and in the middle (router) if in the path of the packet's traversal. Weeding through packet traces is not something you can just stab at, it takes a little more effort, patience and time. WireShark and Message Analyzer have functions to help with that, but neither tool has the magic - "do ______________ to fix it" answer :-) Thanks for letting us know how it turned out and glad you got it sorted out. – Daniel S. Gurrola II Jul 19 '17 at 17:01
  • I have done some fiddling around with WireShark before, but you're right, it can get complicated. Once I get my MCSA, I will focus on tools like WireShark that will help me whenever I get into a SysAdmin position, hopefully in the near future :) Thanks again for your help! – Zach85 Jul 20 '17 at 00:49
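The seven Control Panel steps in the answer above have a scriptable equivalent on a Windows 8.1/10 client, which also makes it easy to prove that what was stored matches what the server expects before dialling. The script below is an added example by the editor, not part of the answer or of the poster's setup; it assumes the VpnClient module (Windows 8.1 or later, so not the Windows 7 laptop mentioned in the question), and the connection name, server name and domain account are made up. One change from the settings listed above: it uses "Required" rather than "Optional encryption (connect even if no encryption)". A client willing to connect without encryption masks a server-side policy mistake instead of surfacing it, and in a lab built to learn RRAS/NPS, surfacing it is the point.

```powershell
# Added example (not from the original thread): client side of the PPTP test
# as PowerShell instead of the Network and Sharing Center steps.
# Requires the VpnClient module (Windows 8.1/10). Names below are assumptions.

$Name   = 'Lab VPN'            # assumed connection name
$Server = 'vpn.lab.example'    # assumed public name/IP of the RRAS external NIC

# 1. The PPTP control channel must be reachable before anything else matters.
#    (GRE cannot be probed this way; if 1723 works but the dial stalls at
#    "creating a connection", suspect GRE being dropped in the path.)
$tcp = Test-NetConnection -ComputerName $Server -Port 1723
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 1723 to $Server is closed or filtered; fix port forwarding/firewall first."
}

# 2. Recreate the connection with settings that match the server policy:
#    PPTP tunnel, MS-CHAP v2 user authentication, encryption required.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# 3. Verify what was actually stored. This is the client half of the
#    "make sure everything matches" check; compare it with the RRAS
#    authentication settings and the NPS policy's Encryption tab.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# 4. Dial. rasdial takes the password on its command line, so prompt for it
#    rather than hard-coding it; this is a lab account, but the habit matters.
$cred = Get-Credential -Message 'Lab domain account (DOMAIN\user)'
rasdial $Name $cred.UserName $cred.GetNetworkCredential().Password
if ($LASTEXITCODE -ne 0) {
    throw "rasdial failed with exit code $LASTEXITCODE; check the RemoteAccess events (e.g. 20255) on the server."
}

# 5. Confirm the tunnel interface is up and received an address from the
#    lab scope (192.168.10.0/24 in the poster's setup).
Get-VpnConnection -Name $Name | Select-Object Name, ConnectionStatus
Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength

# 6. Tear down when done.
rasdial $Name /disconnect
```

For the packet trace the second answer suggests, a Wireshark capture on the client's hotspot interface filtered with `pptp || gre` shows the two halves clearly: the PPTP control messages on TCP 1723 and, if GRE is getting through, the GRE-encapsulated PPP frames that carry the CHAP and CCP (encryption) negotiation. A capture with the control channel completing but no GRE in either direction points at the path, not at RRAS or NPS.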

It seems as if I was being careless when setting up RRAS and/or NPS. Today I took my time setting up, step by step, creating checkpoints along the way, and I was successful!

Zach85