You can build a virtual private network in countless ways. The minimal VPN implementation consists of an Internet-connected RAS PPTP server, an Internet-connected client, and the PPTP connection between them. As long as the ISP service or Internet connection is available, the client can establish a connection with your server from any corner of the world. However, most VPNs are not just a server and a client connected to each other. Generally, the VPN server sits on a routable LAN subnet behind a firewall, and the client connects through an ISP network that also includes a router and a firewall.
You can create a PPTP server on a standalone server or a domain controller in just a few simple steps: install RAS and the PPTP protocol, and configure the PPTP ports as you would a dial-up connection. Installing the Windows NT client is equally direct: load PPTP and configure a PPTP connection to the PPTP server over the Internet. Because installation is so simple, you might naturally expect the VPN connection to work on the first try. In some cases, however, VPN connections still need adjustment.
VPN troubleshooting is very similar to WAN connectivity troubleshooting. Because data passes over many links before it arrives at its destination, the whole process is fairly complex. For example, data typically travels from the client through a firewall, the ISP network, or other ISP networks to the ISP router, then in sequence to the enterprise router, firewall, or proxy server, and finally reaches the target PPTP server.
When the client establishes a connection with an ISP (the Point-to-Point Protocol, or PPP, part of the VPN connection), the ISP assigns the client a TCP/IP address, a DNS server address, and a default gateway. When the client then initiates a PPTP connection, it creates a second TCP/IP session. This session is the tunnel part of the VPN connection, and it is embedded in the first session, which provides packet encryption and encapsulation. After the client connects successfully, the VPN server assigns the client a second IP address, a second DNS server address, an optional WINS server, and another default gateway. Figure 2 shows the two parts of a PPTP session: the PPP connection and the PPTP connection. Faults can occur on any link in the chain. Understanding common configuration and connectivity problems and the necessary troubleshooting procedures will help you interpret and debug VPN connections.
VPN Server suggestions
If possible, start with an NT server running a minimum of services and only the TCP/IP and PPTP protocols. NT 4.0 Service Pack 5 (SP5) and SP6a corrected a large number of PPTP connection problems, including performance problems related to fragmented packets, dropped connections, and rejected connections. Updating the server with the service pack before you try to debug client connections can save you a lot of time. To help you keep the server configuration simple and direct for troubleshooting, I offer four suggestions.
Configure a multihomed server: If your PPTP server has two NICs, one for the LAN and the other for the WAN, leave the gateway on the LAN adapter empty (empty, not 0). Enter the TCP/IP address supplied by the ISP in the gateway field of the WAN network interface; this gateway address usually points to a router that belongs to the ISP. You need to leave the LAN gateway empty so that the server can route network packets to the client. Leaving the LAN gateway empty is the standard practice when you configure multiple network adapters on a server. For more information about configuring routing on a multihomed server, see page XX in the previous article. During testing, we recommend that you enter the TCP/IP address and WINS server address of the LAN NIC manually rather than assigning these values through DHCP.
Configure RAS: When you install RAS, configure only as many VPN ports as the active client connections you actually need to support. Each RAS server supports 256 concurrent connections, assuming you have enough network bandwidth for all that activity, but in practice you may need to provide only 40 parallel connections for your roaming users. Next, configure the server to assign client addresses from a static address pool rather than from a DHCP server. If you configure RAS to assign client addresses from the static address pool, the clients inherit the DNS and WINS settings from the RAS server; if your RAS server can browse the network, clients can use the same settings to browse the network too.
If you prefer DHCP, make sure that DHCP scope option 44 (WINS/NetBIOS Name Server) points to the WINS server and that scope option 6 (DNS Servers) lists your DNS server address. If these options are not defined, you will almost certainly run into client browsing problems.
Enable PPTP filtering: It is much easier to configure and test a VPN server outside the firewall than inside it, because no firewall can then drop a connection somewhere in the test and debug chain. If you run the server in a highly secure environment, you can safely place it outside the firewall and restrict the only traffic allowed to reach it to PPTP packets. To enable PPTP filtering from Control Panel, as shown in Snapshot 1, select Network, Protocols, TCP/IP Protocol, the WAN adapter, and Advanced, then select the Enable PPTP Filtering check box. When PPTP filtering is enabled, the server rejects all non-PPTP requests. I have tested this feature specifically, and it turns out to be an effective way to restrict access to a VPN connection session. PPTP filtering has one important side effect: because it blocks incoming HTTP and FTP traffic, LAN clients will not be able to browse the Internet through the RAS server's WAN connection while the filter is enabled.
If you want the VPN server to restrict incoming packets to PPTP and also host a Web site that is reachable from the Internet, you need to modify the Registry to let other packets through the filtered interface to the local system. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPF\Parameters registry key, add a value named AllowPacketsForLocalMachine of type REG_DWORD, and set it to 1. After this change, the RAS server itself is exposed on the Internet, but connections through the VPN server remain restricted, so a remote client cannot see any other resources on the network.
Open the firewall ports: Before placing the VPN server behind a firewall, make sure that your firewall software can pass PPTP packets. Some firewall packages, including some versions of Check Point Software Technologies' FireWall-1, may not accept PPTP connections when the firewall is configured for network address translation (NAT). In that case, a client trying to connect to the RAS server reports error 721, the remote PPP peer is not responding. When you place the VPN server behind a firewall, make sure that IP protocol 47 (Generic Routing Encapsulation, GRE; a protocol number, not a TCP/UDP port) and TCP port 1723 are open. VPN connections use port 1723 for routine management such as creating, maintaining, and terminating the PPTP tunnel; protocol 47 (GRE) carries the tunnel data between the client and the server. If the RAS server itself also needs to make VPN connections to another server, TCP port 1723 must be open for that direction as well.
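The two kinds of traffic described above, the TCP 1723 control connection and the GRE tunnel packets, can be told apart in a packet capture, which is also how you confirm the GRE filtering problem discussed under client fault diagnosis. The following Python check is an added example, not code from the article; the packets and the 203.0.113.10/198.51.100.5 addresses are constructed documentation values, and the check assumes raw IPv4 packets as input.

```python
import socket
import struct

PPTP_PORT = 1723        # TCP control connection
GRE_PROTO = 47          # IP protocol number (not a TCP/UDP port)
PPTP_GRE_TYPE = 0x880B  # protocol type in the enhanced GRE header that carries PPP

def classify(pkt):
    """Classify one raw IPv4 packet as 'pptp-control', 'pptp-data' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 6 and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    elif proto == GRE_PROTO and len(body) >= 4:
        flags, ptype = struct.unpack("!HH", body[:4])
        # PPTP uses GRE version 1 (low three bits of the flags word) with PPP payload
        if ptype == PPTP_GRE_TYPE and (flags & 0x7) == 1:
            return "pptp-data"
    return "other"

def audit(packets):
    """Count packet classes in a capture."""
    counts = {"pptp-control": 0, "pptp-data": 0, "other": 0}
    for p in packets:
        counts[classify(p)] += 1
    return counts

def gre_suspected(packets):
    """Control traffic with no tunnel data at all is the signature of a firewall
    or router that passes TCP 1723 but drops protocol 47."""
    c = audit(packets)
    return c["pptp-control"] > 0 and c["pptp-data"] == 0

def _ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet builder for constructed test data (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample "capture" (not real traffic) between a client and a RAS server.
CLIENT, SERVER = "203.0.113.10", "198.51.100.5"
SAMPLE = [
    _ipv4(6, CLIENT, SERVER, struct.pack("!HH", 40000, PPTP_PORT) + b"\x00" * 16),
    _ipv4(GRE_PROTO, CLIENT, SERVER, struct.pack("!HH", 0x3001, PPTP_GRE_TYPE) + b"\x00" * 8),
    _ipv4(6, CLIENT, SERVER, struct.pack("!HH", 40001, 80) + b"\x00" * 16),
]
```

Run audit on captures taken on both sides of the firewall; if the server side shows control packets but no tunnel data, GRE is being dropped somewhere between the two capture points.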
Before trying to connect from the VPN client, verify the TCP/IP settings on both of the server's NICs and make sure that your RAS server can perform all typical network operations, such as browsing the LAN, connecting to LAN resources, connecting to the Internet, and browsing the Internet. Then grant dial-in permission to your test account. You may also want to enable PPP logging during the initial tests.
Client Fault Diagnosis
To operate successfully, the PPTP client must correctly maintain two sets of TCP/IP stack settings: one for the ISP and Internet connection and the other for the VPN server connection, as Figure 2 shows. The client route table must also contain two records: one that directs network packets to the ISP, which provides Internet browsing, and one that directs packets to the VPN server interface used for LAN browsing. When the protocol stack settings are incorrect, the client can run into serious problems. NT clients generally keep the two sets of TCP/IP stack settings independent without trouble. Windows 95 clients, however, frequently run into stack settings problems when both a NIC and a modem are configured: after the PPTP connection is established, the Windows 9x default gateway may still point to the ISP, so the client cannot browse the LAN. Next, let's look at the five most common client connection problems.
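The two-record route table described above can be checked mechanically. The following Python model is an added example, not code from the article: it applies longest-prefix matching with metric tie-break to a client route table and reports whether LAN traffic leaves through the tunnel interface and Internet traffic through the ISP. The addresses, interface names (ppp0, pptp0) and the 10.1.0.0/16 LAN are constructed assumptions.

```python
import ipaddress

# Constructed sample values: the ISP-assigned gateway for the PPP session and
# the RAS-assigned gateway inside the PPTP tunnel (not the article's addresses).
ISP_GW = "203.0.113.1"
VPN_GW = "10.1.0.1"
LAN = "10.1.0.0/16"

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins,
    and on a full tie the earlier entry wins. routes: (network, gateway, interface, metric)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        n = ipaddress.ip_network(net)
        if ip in n:
            key = (n.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

def check_split(routes, lan_host, internet_host):
    """Return (lan_ok, inet_ok): LAN traffic via the tunnel, Internet via the ISP."""
    lan = lookup(routes, lan_host)
    inet = lookup(routes, internet_host)
    return (lan is not None and lan[1] == "pptp0",
            inet is not None and inet[1] == "ppp0")

# Windows 9x failure mode from the text: after the PPTP dial there is a second
# default gateway, but the ISP's default route is still preferred, so LAN
# destinations are sent to the ISP instead of into the tunnel.
BROKEN = [
    ("0.0.0.0/0", ISP_GW, "ppp0", 1),
    ("0.0.0.0/0", VPN_GW, "pptp0", 2),
]
# The two-record table the article calls for: Internet via the ISP, the LAN
# via the VPN server interface.
CORRECT = [
    ("0.0.0.0/0", ISP_GW, "ppp0", 1),
    (LAN, VPN_GW, "pptp0", 1),
]
```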
The client cannot connect to the PPTP server: The first problem you may encounter is that the client cannot connect to the PPTP server at all. In this case, check the following three possible causes.
Establish Internet connectivity to the VPN server. After configuring the client, verify that the VPN server is reachable over the Internet. The simplest way is to ping the server's TCP/IP address from the client. (If your PPTP server is behind a firewall that blocks Internet Control Message Protocol, ICMP, ping messages, this verification method will not work.) If ping reports that the request timed out, the Internet connection to the server may be at fault. If you know the server's IP address, you can enter that TCP/IP address in the phone number field of the DUN entry to establish the PPTP session. Although not as friendly as a fully qualified domain name (FQDN), this technique is very effective when you know the server's address.
Note that a server that uses a dial-up connection may receive a different address each time it connects to the ISP. To connect by address, you must know the address the ISP assigned the server on each dial-up connection. Typically, your RAS server uses a permanent address, which removes one variable from the connection process.
If the server responds by address, next ping it by name. If the server does not respond by name, there are two likely reasons: the server may not have a registered domain name, or your ISP's DNS server may be down or not working properly.
Check the PPTP filtering function. When PPTP filtering is enabled on the server, you may see the message "Error 678: unable to respond" or "Error 650: remote access server unable to respond". Stop the filter on the server with net stop RASPPTPF and check whether an unfiltered connection can be established.
If you can connect with filtering disabled, check the server's filter settings. If UDP ports 137 and 138 or TCP port 139 are blocked, NetBIOS packets cannot cross the network. For unicast point-to-point communication, you also need to open these ports on every firewall and router between the client and the server.
Check for GRE filtering. If the server responds by address and by name but you still cannot connect, the ISP router, an internal router, or a firewall may be filtering out GRE packets. The client and the server must exchange GRE packets to build the PPTP tunnel, but some ISPs block external GRE packets because they use GRE internally to manage routers. GRE filtering is uncommon, but it does block PPTP connections, so make sure that IP protocol 47 (GRE) and TCP port 1723 are open at both ends of the VPN connection. You can use Microsoft Network Monitor or a similar network analysis tool to determine whether GRE is being filtered. To obtain