Common VPN Faults and Solutions

Source: Internet
Author: User

Testing the VPN over the intranet in the lab works without problems, but it no longer works once the client is taken home.

VPN Server

Where is the fault possible?

When a client connects to its ISP (this link is the PPP part of the VPN connection), the ISP assigns the client an IP address, a DNS server address and a default gateway. When the client then initiates a PPTP connection, a second TCP/IP session is created (this session is the tunnel part of the VPN connection) and carried inside the first session, which provides packet encryption and encapsulation. Once the client is connected, the VPN server assigns it a second IP address, a second DNS server address, an optional WINS server and another default gateway. A fault can therefore occur on any link in this chain.


1. Multi-homed server: If the PPTP server has two NICs, one for the LAN and one for the WAN, leave the gateway on the LAN adapter empty (note: empty, not 0). In the gateway field of the WAN interface, enter the IP address supplied by the ISP; this gateway address normally points to a router belonging to the ISP. Leaving the LAN gateway empty allows the server to route packets to the client, and this is standard practice whenever a server has multiple network adapters. During testing we recommend entering the IP address of the LAN NIC and the address of the WINS server manually rather than via DHCP.

2. RAS: When installing RAS, configure only as many VPN ports as the number of active client connections you really need to support. If RAS is configured to assign client addresses from a static address pool, clients inherit the DNS and WINS settings of the RAS server; if the RAS server can browse the network, clients can browse it with the same settings.

3. When using DHCP, make sure that DHCP scope option 44 (WINS/NetBIOS Name Server) points to the DNS server address shown in scope option 6. If these options are not defined, you will almost certainly run into client browsing problems.

4. Enable PPTP filtering: If the server runs in a high-security environment, you can safely place it outside the firewall and restrict the only VPN traffic it accepts to PPTP packets. Enable PPTP filtering from the Control Panel: select Network, Protocols, TCP/IP Protocol, the WAN adapter, then Advanced, and tick the "Enable PPTP Filtering" check box. With PPTP filtering enabled the server rejects all non-PPTP requests. PPTP filtering has an important side effect: because it blocks incoming HTTP and FTP traffic, LAN clients can no longer browse the Internet through the WAN connection of the RAS server.

5. Firewalls: Check that the firewall software can pass PPTP packets. Some firewalls do not accept PPTP connections; in that case a client trying to reach the RAS server reports event 721, "the remote end of the PPP failed to respond". When the VPN server sits behind a firewall, therefore, make sure that IP protocol 47 (Generic Routing Encapsulation, GRE) and TCP port 1723 are allowed. The VPN connection uses port 1723 for control tasks such as creating, maintaining and tearing down the PPTP tunnel, and protocol 47 (GRE) carries the tunnelled data between client and server.

6. Before trying to connect a VPN client, make sure the RAS server can perform all the usual network operations (browsing the LAN, connecting to LAN resources, connecting to and browsing the Internet). Then grant dial-in permission to the test account. You may also want to enable PPP logging during the initial tests.



VPN Client

Where is the fault possible?

For a PPTP client to work, it must correctly maintain two sets of TCP/IP stack settings: one for the ISP and Internet connection and one for the VPN server connection. Its routing table must likewise contain two entries: one that sends packets to the ISP for Internet browsing, and one that sends packets to the VPN server interface for LAN browsing. Incorrect stack settings can cause the client serious problems. A PPTP client normally keeps the two sets of TCP/IP settings independent, but Windows clients with both a NIC and a modem configured often run into stack-setting problems: after the PPTP connection is established, the Windows default gateway may still point to the ISP, so the client cannot browse the LAN. The common client connection problems follow.
-----------------------------------------------
The client cannot connect to the PPTP server:

1. Specify IP addresses wherever possible instead of relying on DHCP for automatic assignment.

2. Configure the correct DNS server address.

3. Disable PPTP filtering.
Command: net stop raspptpf

4. Allow IP protocol 47 (Generic Routing Encapsulation, GRE) and TCP port 1723.
-----------------------------------------------

The client can connect but cannot log on:

1. Make sure a valid user account is used.

2. Make sure the user account has dial-in permission.

3. Negotiate the client authentication method.

The RAS server can authenticate PPTP users with one of three authentication protocols. Which logon authentication protocol the client and server negotiate is determined by the encryption settings chosen when the server's access ports were configured and when the PPTP connection was set up on the network.

From lowest to highest security, the three protocols are PAP, CHAP and MS-CHAP.

PAP: Password Authentication Protocol; the password is sent in plaintext.

CHAP: Challenge Handshake Authentication Protocol, implemented with encryption and a hash algorithm.

MS-CHAP: Microsoft Challenge Handshake Authentication Protocol, based on encryption and a double hash algorithm with a checksum.


Analyze the cause of the error from the system security log:

1. Enable the audit policy in Group Policy and try to establish the connection again.

2. The records stored in the Event Viewer security log give a clear description of the relevant failure.

They show whether the user name is valid, whether the password is wrong or has expired, whether the computer lacks a valid account, and whether no VPN port was available. After a user logs on successfully, the application event log records the logon date and time; the logoff time and session duration are recorded as well.

-----------------------------------------------

The client can log on but cannot browse the LAN:

1. Make sure the workgroup on every Windows client is set to the name of the target NT domain.

2. Client TCP/IP settings

TCP/IP settings for VPN sessions work the same way as for LAN connections.

First, understand how the four TCP/IP settings affect network connectivity and browsing:

DNS server: converts a domain name to the corresponding IP address.

WINS server: converts a NetBIOS name to the corresponding IP address.

DHCP server: assigns at least an IP address to LAN clients, and assigns an IP address to RAS clients when they connect.
The configurable scope options include domain name, default gateway, DNS servers and WINS servers.

Default gateway: the computer or router to which data is sent when the destination is a system outside the local subnet.

3. Use the route command to add a static route.

4. Install the NetBEUI protocol.

5. Use the net use command.
For example: net use Z: \\myserver\myshare
Mapping shared resources manually is a reliable way to access files and printers.


-----------------------------------------------
The connected client cannot browse the Internet:

When this problem occurs, the client cannot browse the Internet even though the VPN session is active.
There are two common causes:

1. While the remote client has the network connection up, the VPN server may not allow it to access the Internet. When the VPN connection is closed, the default gateway reverts to the one defined by the ISP, so the client can browse the Internet again.

2. When the client connects, Windows may overwrite the ISP gateway with the gateway defined by the VPN server, cutting the client off from the Internet.

Solution: add static routes manually (first via the VPN gateway, then via the ISP gateway).
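To make the route-table check behind the static-route advice above (and item 3 of the LAN-browsing section) concrete, here is an added Python example that is not part of the original article: it parses a constructed Windows `route print` table, works out which default gateway Windows will actually use, and builds the `route add` commands for the workaround. The gateway addresses, the LAN subnet and the exact command forms are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of the IPv4 table from a Windows `route print` on a
# PPTP client (not taken from the article): the ISP link (203.0.113.x) and
# the VPN adapter (192.168.10.x) each installed a 0.0.0.0 default route,
# and the VPN one has the lower metric, so it wins and Internet access breaks.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    203.0.113.1   203.0.113.57       2
          0.0.0.0          0.0.0.0   192.168.10.1  192.168.10.77       1
        127.0.0.0        255.0.0.0      127.0.0.1      127.0.0.1       1
    192.168.10.77  255.255.255.255      127.0.0.1      127.0.0.1       1
"""

ROW = re.compile(r"^\s*(\d[\d.]*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            rows.append((dest, mask, gw, iface, int(metric)))
    return rows

def default_routes(routes):
    """All 0.0.0.0/0 routes, lowest metric first (the one Windows uses)."""
    defaults = [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    return sorted(defaults, key=lambda r: r[4])

def diagnose(route_print, vpn_gateway, lan_network):
    """Check whether the VPN default route displaced the ISP one and build the
    workaround: LAN via the VPN gateway, default via the ISP (assumed inputs)."""
    defaults = default_routes(parse_routes(route_print))
    isp = [r for r in defaults if r[2] != vpn_gateway]
    if not defaults or not isp:
        return {"problem": "no ISP default route", "fixes": []}
    if defaults[0][2] != vpn_gateway:
        return {"problem": None, "fixes": []}      # ISP gateway already wins
    net = ipaddress.ip_network(lan_network)
    fixes = [
        f"route add {net.network_address} mask {net.netmask} {vpn_gateway}",
        f"route delete 0.0.0.0 mask 0.0.0.0 {vpn_gateway}",
        f"route add 0.0.0.0 mask 0.0.0.0 {isp[0][2]}",
    ]
    return {"problem": "VPN gateway displaced the ISP default route",
            "fixes": fixes}
```

Run `diagnose(SAMPLE_ROUTE_PRINT, "192.168.10.1", "192.168.10.0/24")` to get the three commands; on a real client, paste the output of `route print` in place of the constructed sample.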
