Channel: Network Infrastructure Servers forum

VPN Established but no access to the internal network resources


I have a Cisco 2921 router which I am using to establish a VPN connection to a remote site. I would like to access the internal network, but most especially the server IP 192.168.90.222. I have managed to establish the VPN connection and I have also been able to ping the internal interface 192.168.90.1, but I cannot reach, ping or remote desktop to the server or any other resources.

My current config looks like this:

crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 101
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GroupVPN
 key lw-sfh
 dns 192.168.90.222
 domain studiofh.net
 pool VPNPOOL
 acl 120
 max-users 5
!
!
crypto ipsec transform-set SetVPN esp-3des esp-md5-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set SetVPN
!
!
crypto dynamic-map DynamicVPN 100
 set transform-set SetVPN
 reverse-route
!
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
!
!
!
!
interface GigabitEthernet0/0
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map StaticMap
!
interface GigabitEthernet0/1
 ip address 192.168.90.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip address 192.168.40.1 255.255.255.0
 tunnel mode ipsec ipv4
!
ip local pool VPNPOOL 192.168.40.20 192.168.40.25
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
access-list 100 remark [Deny NAT for VPN Clients]=-
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.20
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.21
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.22
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.23
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.24
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.25
access-list 100 remark -=[Internet NAT Service]=-
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip 192.168.90.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 120 permit ip any host 192.168.40.20
access-list 120 permit ip any host 192.168.40.21
access-list 120 permit ip any host 192.168.40.22
access-list 120 permit ip any host 192.168.40.23
access-list 120 permit ip any host 192.168.40.24
access-list 120 permit ip any host 192.168.40.25

I wonder what is missing in my config. Please help.
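As an added example (not from the original post), a small first-match evaluator for the two extended ACLs in the config above: it tells you whether a given flow would be translated by the "ip nat inside source list 100" rule, whether it is selected by the split-tunnel ACL 120, and lists any pool address the NAT exemption misses. It handles only the "ip" keyword and the host/any/contiguous-wildcard forms used in this config, and ACL 120 is abbreviated to its first two entries.

```python
# Added example, not from the original post: first-match evaluator for the
# extended ACLs above (ip protocol only; host/any/contiguous wildcard forms).
import ipaddress
# ACL 100 copied in full from the post; ACL 120 abbreviated to its first two entries.
ACL_TEXT = """
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.20
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.21
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.22
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.23
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.24
access-list 100 deny   ip 192.168.90.0 0.0.0.255 host 192.168.40.25
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 120 permit ip 192.168.90.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 120 permit ip any host 192.168.40.20
"""

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard is the inverted netmask; only contiguous masks are supported.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue                 # blank lines and 'remark' entries are skipped
        src, rest = _addr(t[4:])     # t[3] is the protocol keyword ('ip' here)
        dst, _ = _addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def match(acl, src_ip, dst_ip):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

def nat_applied(acls, src_ip, dst_ip):
    """ACL 100 is the 'ip nat inside source list' match list: permit == translated."""
    return match(acls["100"], src_ip, dst_ip) == "permit"

def unexempted_pool_addresses(acls, pool_first, pool_last, lan_host):
    """Pool addresses the LAN host would still reach through NAT, i.e. gaps in the exemption."""
    first, last = (int(ipaddress.ip_address(a)) for a in (pool_first, pool_last))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)
            if nat_applied(acls, lan_host, str(ipaddress.ip_address(i)))]

ACLS = parse_acls(ACL_TEXT)
```

Extending the pool in "ip local pool VPNPOOL" without extending ACL 100 is exactly the gap unexempted_pool_addresses reports.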


[SOLVED] VPN clients can't do RDP to different subnets


I have an office branch with a Cisco ASA 5508-X and 3 internal networks:

-> 192.168.150.0/24 (the RRAS server is 192.168.150.252/24)
-> 192.168.151.0/24
-> 192.168.152.0/24

I have deployed an L2TP VPN (which hands out 192.168.150.0/24 addresses) with Windows Server 2012 R2 and RRAS so home users can access office branch resources. So far it's working as expected: users can access shared folders, internal Exchange email and printers, but they can only PING and RDP to computers on the 192.168.150.0/24 network.

I added 2 NICs to the RRAS server (1 for the 192.168.151.0/24 network and 1 for the 192.168.152.0/24 network) and now users CAN PING resources on those networks, but RDP to PCs on those networks still fails.

I have deployed the following GPOs on all networks (image) with no effect:

Windows Defender Firewall: Allow inbound file and printer sharing exception "*"
Windows Defender Firewall: Allow inbound Remote Desktop exceptions "*"
Windows Defender Firewall: Define inbound port exceptions "3389:TCP:*:enabled:RDP"

So, now I'm not sure how to proceed.

Do I need to forward TCP port 3389 to the VPN server?
Do I need to add anything to my Cisco Firewall configuration?
Do I need to configure anything on RRAS?

SOLVED:

To anyone looking for an answer this is my final configuration (everything was done on the RRAS/VPN Server):

There was no need to enable "Remote Desktop" under RRAS/Server (local)/IPv4/NAT/Properties/Services and Ports, nor modify any GPO.


1. Ethernet Card connected to internal LAN.

IP: 192.168.150.252/24

Gateway: 192.168.150.247 (This one is important since through this interface the server will reach the 192.168.151.0/24 and 192.168.152.0/24 networks).



2. Ethernet Card connected to Internet Source (Modem).

IP: 192.168.4.110/24

Gateway: 192.168.4.97



To fix the problem I added static routes on the RRAS/VPN server with the following commands:

route add -p 192.168.151.0 mask 255.255.255.0 192.168.150.247
route add -p 192.168.152.0 mask 255.255.255.0 192.168.150.247

Once I did this, remote users were able to RDP to 192.168.151.0/24 and 192.168.152.0/24.

Any questions, feel free to send me a message. Thanks.
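A small longest-prefix-match model of the server's routing table, added here as an example and not part of the original post or of RRAS itself: it shows where a packet for 192.168.151.0/24 leaves the two-NIC server before and after the two "route add -p" commands, and checks that a static route's gateway sits on a directly connected subnet. The interface names are assumed labels; the addresses are the ones given in the post.

```python
# Added example, not from the original post: longest-prefix-match lookup over a
# routing table modelled on the RRAS server above (two NICs, default route via the
# modem). Interface names are assumed labels; addresses come from the post.
import ipaddress

def build_table(entries):
    """entries: (destination_cidr, gateway, interface). Sorted most-specific first,
    which is how longest-prefix-match picks a route."""
    table = [(ipaddress.ip_network(dst), gw, ifc) for dst, gw, ifc in entries]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def lookup(table, dst_ip):
    """Return (gateway, interface) of the most specific route matching dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for net, gw, ifc in table:
        if ip in net:
            return gw, ifc
    raise LookupError(f"no route to {dst_ip}")

def gateway_interface(table, gateway):
    """A static route's next hop must be on a directly connected ('on-link') subnet;
    return that interface, or None if no NIC can reach the gateway directly."""
    for net, gw, ifc in table:
        if gw == "on-link" and ipaddress.ip_address(gateway) in net:
            return ifc
    return None

# Table implied by the final two-NIC configuration, before the static routes.
BEFORE = build_table([
    ("0.0.0.0/0",        "192.168.4.97", "Internet NIC"),   # default via the modem
    ("192.168.4.0/24",   "on-link",      "Internet NIC"),
    ("192.168.150.0/24", "on-link",      "LAN NIC"),
])

# Same table after the two persistent routes from the post:
#   route add -p 192.168.151.0 mask 255.255.255.0 192.168.150.247
#   route add -p 192.168.152.0 mask 255.255.255.0 192.168.150.247
AFTER = build_table([
    ("0.0.0.0/0",        "192.168.4.97",    "Internet NIC"),
    ("192.168.4.0/24",   "on-link",         "Internet NIC"),
    ("192.168.150.0/24", "on-link",         "LAN NIC"),
    ("192.168.151.0/24", "192.168.150.247", "LAN NIC"),
    ("192.168.152.0/24", "192.168.150.247", "LAN NIC"),
])

def next_hop_change(dst_ip):
    """Where a packet to dst_ip leaves the server before vs. after the fix."""
    return lookup(BEFORE, dst_ip), lookup(AFTER, dst_ip)
```

Before the fix, a VPN client's packet for 192.168.151.x follows the default route out of the Internet NIC toward the modem; after it, the packet is handed to 192.168.150.247 on the LAN NIC.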



[Announcement] “Network Infrastructure Servers” Forum will be migrating to a new home on Microsoft Q&A!


This “Network Infrastructure Servers” Forum will be migrating to a new home on Microsoft Q&A! 

We’ve listened to your feedback on how we can enhance the forum experience. Microsoft Q&A allows us to add new functionality and enables easier access to all the technical resources most useful to you, like Microsoft Docs and Microsoft Learn.    

Now until July 26, 2020: 

From July 27, 2019 until August 10, 2020: 

  • New posts: We invite you to post new questions in the “Network Infrastructure Servers” forum’s new home on Microsoft Q&A. The current forum will not allow any new questions.

  • Existing posts: Interact here with existing content, answer questions, provide comments, etc.

August 10, 2020 onward: 

  • This forum will be closed to all new and existing posts and all interactions will be in Microsoft Q&A.  

We are excited about moving to Microsoft Q&A and seeing you there.          


Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   


Always on VPN with server 2019, NPS (Radius auth) and selectable dhcp subnet selection ....


Hi,

I'm playing around with AOVPN now for some weeks and in general it would work as expected. The internal DHCP server is assigning an IP based on the interface selected in RRAS.

Deployment and certificate generation is done with Intune and is working fine.

The only thing I'm not able to do is to force RRAS to assign an IP based on a RADIUS (NPS) condition (RRAS interface selection) ... RADIUS attributes?

Is there a possibility to do that with RRAS 2019 or do I have to search for another solution?

Thx and best regards

Stiasny Stefan

Direct Access SSL vulnerability


The following DirectAccess SSL vulnerabilities have been detected. Kindly advise a mitigation plan without breaking DirectAccess connectivity.

SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
SSL Medium Strength Cipher Suites Supported
SSL Null Cipher Suites Supported
SSL Version 2 and 3 Protocol Detection
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Always On VPN not connecting the first times when launched - OK after 2nd / 3rd connection attempt

Hi,

We've configured an always on vpn environment with NPS proxies, NPS radius servers, and AOVPN servers.

We're connecting the AOVPN manually from our Win10 client machines (mix of 1709/1909) >> will be upgraded to 1909 soon.

The strange thing is that the first time(s) we start the VPN connection after a reboot of the Win10 machine, we're unable to connect:

Win10 :
The connection was prevented because of policy configured on your RAS/VPN server.
Specifically... the authentication method used by the server...

event 20227 :
CoId={C00A8050-6FBA-4AF5-8594-A13860D9842F}: The user domain\user1 dialed a connection named AlwaysOnVPN which has failed. The error code returned on failure is 812.

On the NPS Proxy we get :
event 6274
Network Policy Server discarded the request for a user.
Account Session Identifier:333031
Reason Code: 117
Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond.


On the RADIUS :
Account Session Identifier:333031
Reason Code: 96
Reason: Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.



The strange thing is that this happens 1, 2 or max 3 times when manually connecting, and then connections are created correctly. Even disconnect/reconnect is working right away afterwards.

To be sure, I already configured Framed-MTU: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771164(v=ws.10)?redirectedfrom=MSDN

I also raised the timeouts on the NPS (doubled the default values).

But no luck.

RRAS L2TP Maximum LineBPS


Hi

I have an RRAS server running on Windows Server 2012 R2 in Hyper-V with a 10 Gbps virtual adapter and a 100 Mbps internet connection. I have been unable to find a method to increase the connection speed of all ports. The connection speed for all connections is 10 Mbps regardless of the number of ports available and/or the number of connections established.

Image showing maximum line BPS of 10,000,000

Running simultaneous speed tests on the connection, all those connected receive 10 Mbps but nothing additional. A single connection running a speed test will also yield 10 Mbps. Directly in the OS a speed test will yield 80 Mbps+.

Thank you,

Andrew


RRAS doesn't start. Error 8007042a. EventID 20103

Hi all.
When I install and enable the Routing and Remote Access service on Windows 2008 R2 (with Remote Access and NAT), the service does not start (EventID 20103 - Unable to load C:\Winnt\System32\Iprtrmgr.dll).
In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\<protocol>\DllPath:
 Value data: %SystemRoot%\System32\Iprtrmgr.dll
Iprtrmgr.dll is located in C:\Windows\System32\.

When I install RRAS without Remote Access, the service starts without errors.

Can anybody help me to solve this problem?
P.S. Sorry for my bad English.

[VPN] Cannot access computer in the same network, through VPN


I have set up an SSTP VPN server on a Windows Server 2019 machine, which is actually an AWS EC2 instance with a private IP in the 10.10.0.0/16 subnet.

I can connect to it via the standard VPN client, the one built into my Windows 10 home computer, and when I am connected to the VPN I am also assigned an address in the same subnet: 10.10.0.0/16

I have tried connecting via Putty/SSH to a Linux EC2 instance on the same subnet, but the IP was not reachable from my home.

But I have successfully connected to it via the ssh command from the VPN server.

Why not from my home PC?

I am sure I am missing some VPN server configuration.

Thanks

Dynamic DNS only updating for non-Windows clients


I am having an issue where DDNS is set up but is only updating A records for non-Windows clients; Windows clients only get a PTR record created for some reason.

To clear some things up:

Active Directory integrated zone with secure updates only

credentials set up for DHCP to update DNS

server object added to the DnsUpdateProxy group (or whatever that group is called)

DHCP is pushing the correct connection-specific suffix; I also tried messing with the primary suffix on the Windows client

DHCP server settings for DNS as follows:

Enable DNS dynamic updates according to the following: checked

Always dynamically update DNS records: checked

Discard A and PTR records when lease is deleted: checked

Dynamically update DNS records for DHCP clients that do not request updates: checked

DHCP name protection: enabled

RRAS abnormal failure


I installed a Windows Server 2019 machine locally and enabled RRAS to build an S2S VPN to Azure, but recently it has been failing. Checking the logs I found multiple errors, but I could not find a corresponding solution online. I hope everyone can help analyze this together, thanks.

event id: 20227

error id: 633, 809

Always On VPN - local DNS issue for clients using a NIC


Hello,

Always On VPN is working pretty well. I just have a couple more items to work out before we decide if we'll use it. If someone could help resolve the issue below, I'd greatly appreciate it.

We use split tunneling.

When a VPN client connects by wireless, we have no issues with DNS.

When a VPN client connects by wired, it wants to use the NIC's DNS to resolve queries. It can't resolve anything.

If we change the metric on the VPN adapter to something low, it works right. Surely this isn't the norm though, and I'm missing something, as we don't want to have to update this regularly for staff.

Thank you much,

Matt

DHCP policy based on MAC


Hi,

I wish to create a group of PCs on my LAN sharing a gateway based on their MAC address.

How can I set this up?

For example, 74-D4-35-8A-24-xx must point to 192.168.1.1, while other MACs point to 192.168.1.2.

Windows Admin Center 2007 cannot be downloaded


Microsoft recently released Windows Admin Center 2007, but it cannot be downloaded through the download link. I don't know how to get the latest version, thanks.

The download page shows nothing after opening:

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-center

How to configure a Wi-Fi authentication process diagram with Active Directory


Hi Team

Thanks

I want to configure a Wi-Fi device (all smartphones) and RADIUS server authentication process diagram with Active Directory. Please share an authentication network diagram.

Parvez



Always on VPN Settings missing


Testing deploying the MS Always On VPN profile to W10 1703 with force tunneling. Looking at this document for settings:

https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

I have two settings that are in this document but missing from 1703:

ByPassForLocal and RegisterDNS

1. The VPN entry has the box "Register this Connection's Address" unticked. Although there is a profile setting above, it is not implemented, so I need to get around it. Has anyone resolved it? I can see you can use the set-dns PowerShell command, but only when the VPN connection is active, so this is hard to manage through an SCCM job. Without this box ticked, the home router's IP address is registered on our DNS server rather than the correct VPN IP address.

2. Found with force tunnel that the VPN entry needs to have a proxy setting in order to allow traffic out. Again there is a setting in the ProfileXML, "ByPassForLocal", but it is not active yet - so although I can enter the Proxy/Manual/Server entry, which is fine, without that bypass box ticked nothing works - again, has anyone hit/resolved this?


Ian Burnell, London (UK)

RRAS Clients continuously disconnecting


I have a problem that is beginning to drive me crazy, any help is much appreciated.

We have an RRAS Windows 2016 server running in our DMZ. All our laptops are Windows 10 1607 or 1703. We are using the IKEv2 protocol, which uses a computer certificate for authentication.

A number of laptops repeatedly disconnect from Always On VPN, but on the other hand some remain connected just fine. This morning, for example, myself and three other colleagues were connected to the same Wi-Fi access point; three of us were working fine and remained connected, but my other colleague continuously kept getting disconnected. We are seeing this happen a lot and I really need to find the root cause of this problem. It's been tried and tested on numerous wireless networks (in a few of our offices and many users' home networks and mobile hotspots).

What I've tried and found so far:

- Updated wireless drivers on laptops and updated BIOS

- Installed latest Windows updates on laptops and RRAS Server

- Re-install Always On VPN Profile

- 'Forget' wireless networks on the laptops

- Even though we use IKEv2, I found a few forum posts that mention issues when the VPN is behind a NAT, and so I modified the registry on a couple of affected laptops as follows:

  • create a new DWORD value called "AssumeUDPEncapsulationContextOnSendRule" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" and set it to "2"

What I have noticed is a recurring log entry in Event Viewer, both on the client and on the server.

On the clients I see: The user dialed a connection named "" which has been terminated. The reason code returned on termination is 829. A Google search for this returned that 829 is ERROR_LINK_FAILURE. I'm almost certain it's not the wireless connection, as we have laptops connected to the same wireless network in the same small room, and some get the problem and some do not.

On the server side I've found something that I think may be related, but I don't understand the log well enough. If possible, could someone shed some light on what the following means? It's in RASTAPI.LOG, which can be found in C:\Windows\Tracing.

07-11 10:57:34:438: RasTapiCallback: lineDropped. port VPN2-449, id=0xffffffff
[6368] 07-11 10:57:34:438: RasTapiCallback: Idle Received for port VPN2-449
[6368] 07-11 10:57:34:438: RasTapiCallback: changing state of VPN2-449. 5 -> 1
[6368] 07-11 10:57:34:438: RasTapiCallback: lineDeallocateCall for VPN2-449,hcall = 0x8da00a0
[6368] 10:57:34: SyncDriverRequest: Oid(CloseCall), devID(1), reqID(2bb2), hCall(000000000000007B)
[5840] 07-11 10:57:34:438: PortTestSignalState: DisconnectReason = 2
[7876] 07-11 10:57:34:453: DeviceListen: Changing State for VPN2-449 from 1 -> 2
[7876] 07-11 10:57:34:453: DeviceListen: Changing Listen State for VPN2-449 from 4 -> 2

In particular, why is it changing state? What do the state numbers 1, 2, 4 & 5 mean? What does DisconnectReason = 2 mean?

I will be grateful for any help.
