IP Change affecting VPN

Guest

Hi!
I have switched ISP providers. And, as such, I have a new static IP
address. I have also changed routers (the old one was a terminal-based
router provided by the ISP that did not lend itself well to reconfiguring).
I set up the Terminal Services connections and they work without a hitch.
However, I cannot get my VPN to work. I have opened ports 1723 and 3389 on
the new router, but all else should remain the same. The internal address is
the same.

Is there something that I missed?
 
Robert L [MS-MVP]

Any error code like 721 or 800? You may check this link:

VPN error code VPN Error Codes · System Error Codes · Windows Event ID · Internal Errors. Case Studies ... Receiving VPN error 619 while connecting to a VPN via SBC ...
www.chicagotech.net/vpnerrors.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Guest

The error number is 628. I have tried to reboot the computer without
success. I went to canyouseeme.org and checked port 1723 and it showed it to
be successful.
Any ideas?
 
Phillip Windell

David Langschied said:
The error number is 628. I have tried to reboot the computer without
success. I went to canyouseeme.org and checked port 1723 and it showed it to
be successful.
Any ideas?

There is more to it than "opening ports". GRE is a "protocol" that you have
to allow (not a port). Allowing GRE in many devices is called "VPN
Passthrough",...that may or may not be an "official term".

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
Phillip Windell

I'm assuming there is a VPN Server Device somewhere that you have not
mentioned,...and that the "router" is *not* it. You never really made that
clear.

 
Guest

Yes, I did not mention the server behind the firewall that I am trying to
access via VPN. I did indicate that this problem has surfaced due to change
in IP address and router. I had a VPN tunnel running on the server before
this change. My assumption is that the server is not at issue here. Of
course ... I could be wrong, so I will indicate here that the Server in
question is a Windows 2000 Terminal Server. The terminal server portion, by
the way, does work as it did before the change. If GRE protocol must be
allowed, how do I initiate this protocol? How would this protocol become
denied by the change of an IP address or router (assuming that it worked
before these changes were made)?

Your help is greatly appreciated.


 
Phillip Windell

David Langschied said:
Yes, I did not mention the server behind the firewall that I am trying to
access via VPN.

No. I mean a "VPN Server",...not a Server that is accessed after the VPN is
active. I mean the Server that actually responds to the VPN "call" itself.
It is the "termination point" of the Tunnel.

Anyway, if it is a VPN Server behind the NAT Device then you need to look
for something called VPN Passthrough (not all NAT Devices are capable). This
allows the entire VPN "call" to reach the VPN Server "unmolested".

If the NAT Device itself is the "VPN Server" then you will just have to
examine the documentation of the thing and go over your setup closely to
look for setup errors. There is not much I can do with that from here. All
these SOHO NAT Devices are different,...they are probably the most
"unstandardized" equipment in the industry,...they usually don't even use
correct terminology in their documentation,...probably was written by
marketers instead of technicians.

 
Guest

I was blind, but now I can see!

You are most likely referring to my router's VPN pass-through. I will check
to make sure I have everything right. Thanks so much!


 
Phillip Windell

You're welcome, sir!
Good luck with it.

Phil

 
Guest

I have looked at the router's documentation (SCMBR14UP). I have the VPN
passthrough enabled, according to the doc. I will follow up with a support
call to the manufacturer, but I am still unsure on how to test to see if the
GRE protocol is enabled. The router setup only shows the PPTP and IPSec as
enabled or disabled.

Still dazed and confused.

 
Guest

Phillip,
Forgive me for pestering you about this issue, but it is really starting to
get to me. I spent an hour on the phone with SMC and we concluded that it
has something to do with the server. We placed the server in a DMZ and still
could not connect. He indicated that this was proof positive that the router
was not the problem.

So ... I went to my W2K server and started looking over the RAS
configuration. I found what I thought was the problem. My predecessor had
included the ip address into a RAS policy. I was so elated! I changed it to
the new ip address and restarted the RAS server and nothing! I even removed
the ip address in the criteria altogether. Is there any other place where
the ip address could be hard coded and is still tripping me up?

 
Phillip Windell

David Langschied said:
I have looked at the router's documentation (SCMBR14UP). I have the VPN
passthrough enabled, according to the doc. I will follow up with a support
call to the manufacturer, but I am still unsure on how to test to see if the
GRE protocol is enabled. The router setup only shows the PPTP and IPSec as
enabled or disabled.

The VPN Passthrough is the GRE protocol.

Phil
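
Added example, not part of the original thread: a TCP port check such as the one run against port 1723 above says nothing about GRE, so one way to test the GRE leg is to capture traffic on the VPN server and classify what actually arrives. The Python below parses raw IPv4 packets and reports whether the PPTP control channel (TCP 1723) and PPTP's GRE data channel (IP protocol 47) are both present; the addresses, sample captures and function names are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47                  # GRE is an IP protocol number, not a TCP/UDP port
PPTP_CONTROL_PORT = 1723
PPTP_GRE_PROTOCOL_TYPE = 0x880B   # PPP carried in PPTP's enhanced GRE (RFC 2637)


def classify(packet):
    """Classify one raw IPv4 packet (no link-layer header). Returns a dict or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    info = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "kind": "other",
    }
    # Non-first fragments carry no transport header, so leave them as "other".
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return info
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            info.update(kind="pptp-control", sport=sport, dport=dport)
    elif proto == IPPROTO_GRE and len(body) >= 8:
        flags0, flags1, ptype, _plen, call_id = struct.unpack("!BBHHH", body[:8])
        # PPTP data packets: K bit set, GRE version 1, protocol type 0x880B.
        if (flags0 & 0x20) and (flags1 & 0x07) == 1 and ptype == PPTP_GRE_PROTOCOL_TYPE:
            info.update(kind="pptp-gre", call_id=call_id)
        else:
            info["kind"] = "gre-other"
    return info


def diagnose(packets, server_ip):
    """Summarise a capture taken on the VPN server's own interface."""
    ctrl_in = gre_in = gre_out = 0
    for raw in packets:
        info = classify(raw)
        if info is None:
            continue
        if info["kind"] == "pptp-control":
            if info["dst"] == server_ip and info["dport"] == PPTP_CONTROL_PORT:
                ctrl_in += 1
        elif info["kind"] == "pptp-gre":
            if info["dst"] == server_ip:
                gre_in += 1
            elif info["src"] == server_ip:
                gre_out += 1
    if ctrl_in == 0:
        return "no-control"          # TCP 1723 never reached the server
    if gre_in == 0:
        return "gre-not-arriving"    # control channel works, GRE is dropped on the way in
    if gre_out == 0:
        return "gre-no-reply"        # GRE arrives, server never answers on GRE
    return "both-channels-seen"


# --- Constructed sample data (not taken from the thread) ---------------------
def build_ipv4(src, dst, proto, payload):
    # Header checksum is left at 0 because classify() does not validate it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_pptp_gre(call_id, ppp=b"\xff\x03\xc0\x21"):
    # 0x30 = K and S bits, 0x81 = A bit and version 1; key = payload length + call ID.
    return struct.pack("!BBHHHII", 0x30, 0x81, PPTP_GRE_PROTOCOL_TYPE,
                       len(ppp), call_id, 1, 0) + ppp


CLIENT = "203.0.113.10"   # constructed remote client address
SERVER = "192.168.1.10"   # constructed internal address of the VPN server

# Control channel is forwarded, server sends GRE, but no GRE comes in from the client.
CAPTURE_GRE_DROPPED = [
    build_ipv4(CLIENT, SERVER, IPPROTO_TCP, build_tcp(49152, 1723, 0x02)),
    build_ipv4(SERVER, CLIENT, IPPROTO_TCP, build_tcp(1723, 49152, 0x12)),
    build_ipv4(SERVER, CLIENT, IPPROTO_GRE, build_pptp_gre(7)),
]
# Same exchange with the client's GRE packets reaching the server.
CAPTURE_WORKING = CAPTURE_GRE_DROPPED + [
    build_ipv4(CLIENT, SERVER, IPPROTO_GRE, build_pptp_gre(9)),
]

if __name__ == "__main__":
    print("GRE dropped:", diagnose(CAPTURE_GRE_DROPPED, SERVER))
    print("working    :", diagnose(CAPTURE_WORKING, SERVER))
```

Feed it IPv4 packets captured on the VPN server's own interface with the link-layer header removed. A result of `gre-not-arriving` while the TCP 1723 check succeeds points at the device in front of the server rather than at the server itself.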
 
Phillip Windell

David Langschied said:
has something to do with the server. We placed the server in a DMZ and still
could not connect. He indicated that this was proof positive that the router
was not the problem.
OK.

So ... I went to my W2K server and started looking over the RAS
configuration. I found what I thought was the problem. My predecessor had
included the ip address into a RAS policy. I was so elated! I changed it to
the new ip address and restarted the RAS server and nothing! I even removed
the ip address in the criteria altogether.

I would start from scratch with RRAS. I would remove it from the server and
then reinstall it. (Add/Remove Programs -- Windows Components)

I have never seen a "single-NIC" RRAS/VPN "in action". Since your
dual-homed device is the "router" the RRAS box obviously has only one NIC.

Personally I would never even attempt what you are trying to do. If I was
stuck with a Cable/DSL NAT Device (the "router") I would get one capable of
doing the VPN itself,...it would *be* the VPN Server and not some server
behind it. But then I never run business networks off of DSL or Cable which
are *home-user* technologies.

Anyway,...here are some articles to check into concerning RRAS and VPN. I do
not know if any of them deal with a single-NIC RRAS/VPN box,...they may all
assume dual-NICs,...sorry I don't remember what all is in them anymore.
:) My article list is getting so long I am lucky to find the articles,
let alone know what is in all of them.

I assume you have a Remote Access VPN situation and not a Site-to-Site VPN
Situation.

Virtual Private Networking with Windows 2000: Deploying Remote Access VPNs
http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp

Microsoft Windows Server 2003 Remote Access/VPN Server Role
http://www.microsoft.com/technet/pr...elp/00c498a8-95e7-4780-942e-c4594b01f615.mspx

Overview of Deploying Dial-up and VPN Remote Access Servers
http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dnsbf_vpn_mcnx.asp
