VPN with Win XP through Linksys router
khensonm
12-09-2002, 04:15 PM
Hello!
I am having trouble running VPN on an XP machine that is connected to my cable modem (RoadRunner) through a router. If I connect directly to the cable modem, then I can access VPN. However, if I connect to the router, the remote VPN host does not respond.
So, in short:
CASE connected directly to modem: Everything OK, PC's IP address is not RoadRunner-ish (not related to the RR gateway address).
CASE connected to Linksys router: Can access public internet. IP address is RoadRunner-ish (looks like subnet of gateway). VPN server responds to PING, but I cannot connect to it (even if I use its IP address).
Last week I was using Win 98 with exactly the same setup, and no problems.
Any ideas?
-- Kate
YODA74
12-09-2002, 05:12 PM
Let's try to go through a few things
1. Is the Remote Access Connection Manager enabled and started...
2. Do you have SP1? Not sure if this would be an issue??
3. Have you looked at your system event log--are there services which are failing to start?
4. Have you contacted RoadRunner yet to see if they have a solution?
5. Are you using Watchguard Firebox?
Do you have XP's firewall engaged?
6. Can you post RAS logs... To enable RAS tracing:
cmd line> netsh ras set tracing * enabled
After unsuccessful RAS connection.
Logs will be populated in the %windir%\tracing subdirectory.
Ghosthacker... will probably stop in on this one and have a more intelligent response
Meanwhile, take a gander through this??
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=%230Cfdl0ZBHA.1516%40tkmsftngp07&rnum=7&prev=/groups%3Fq%3DInstalling%2BVPN%2Bon%2Ban%2BXP%2Bmachine%2Bthat%2Bis%2Bconnected%2Bto%2B%2Bcable%2Bmodem%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D%25230Cfdl0ZBHA.1516%2540tkmsftngp07%26rnum%3D7
Ghost_Hacker
12-09-2002, 06:55 PM
...IP address is RoadRunner-ish (looks like subnet of gateway)....
I'll take this to mean it's a "NAT" address, since everything works fine when a non "RR" IP is used. In addition to Yoda's steps, try this. Open your VPN properties and choose the "networking" page. Under "type of VPN" choose "PPTP...". (Of course the VPN server must support this, but I'm betting it does.)
Also check your security settings, you might want to go with "Typical" and the "Require data encryption..." settings as a troubleshooting step.
Good Luck :)
khensonm
12-11-2002, 11:16 AM
Sorry to take so long to reply.
I wasn't the one to install this machine, as it belongs to my company, so I had to do some checking to see what the heck had been done to it! Of course, the company tech support people say, "We've never encountered this problem before" followed by "we can't support your router -- you'll just have to plug directly into the cable modem." So I'm on my own :rolleyes:
Yes, RACM is started.
I don't see anything in the event log that indicates that something failed to start.
No, I do not have SP1, or Watchguard Firebox.
However, I am running CyberArmor Personal Firewall with an "outside_with_VPN" configuration. Any chance that one of the rules is not allowing my connection, perhaps related to the NAT address?
-- Kate
Ghost_Hacker
12-11-2002, 11:19 AM
As I posted before, check the protocol being used; only PPTP works with a NAT address. Do not choose "Auto". When you don't use the NAT address everything works, is this correct??
L2TP (the other protocol used in a 2000 VPN) uses dynamic port negotiation that doesn't work correctly with a NAT address or with some firewalls.
As I stated before your VPN server and your ISP must support the use of PPTP.
Good Luck :)
EDIT More information here:
NAT AND IPSEC (L2TP) (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0802.asp)
khensonm
12-11-2002, 11:39 AM
OK, this is where I show how dense I really am :)
I am using Nortel Contivity VPN Client. As far as I can see (with my somewhat limited knowledge), I can do the following --
(1) Automatically dial up (yes or no) -- set to "no"
(2) Disable autoconnect or install autoconnect (both un-checked)
Under the profile, there are no dial-up options listed.
There are also no nameservers, and I am using "group security authentication." Any idea where to set the protocol?
Ghost_Hacker
12-11-2002, 01:47 PM
Well, Nortel's client doesn't allow you to switch protocols (my research doesn't show that it does); instead it should support "NAT traversal" (depending on the version used), which allows you to use IPSEC/L2TP with a NAT address. The other option is to use a Router/firewall that works with IPSEC.
So you have 2 things to troubleshoot.
1. Does your router/firewall support IPSEC?
2. What VPN "Mode" is your client in?
First VPN "mode". The Nortel NAT traversal "mode" will work if the box at the other end is configured for it. I believe the Nortel VPN switch checks for the need to use NAT traversal and goes to that mode if needed. According to my research, most of Nortel's IPsec settings are configured by using the Nortel VPN switch. If the switch isn't configured for it you're out of luck. :(
Now let's look at the Firewall.
Linksys firewalls also support NAT Traversal or transparency, but only if a firmware version equal to or greater than version 1.32 is used. The Nortel VPN switch must also be configured to use ESP instead of AH. (These are the two types of IPsec traffic in a nutshell.)
More Linksys info here:
Linksys VPN router info (http://kb.linksys.com/cgi-bin/om_isapi.dll?clientID=53295&QuestionText=NAt%20tranversal&SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5bSum%3a%20NAt%20tranversal%5d%5bMerge%3a%20%5bThesaurus%3a%20NAt%20tranversal%5d%5d%5d&infobase=linksysrev.nfo&record={2D2}&softpage=IKW_ENU_JHitList)
Hope this helps :)
EDIT Also only Nortel's client version 4.15_06 or higher is supported under Windows XP.
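
The "ESP instead of AH" requirement in the post above, shown as an added example that is not part of the original thread: a simplified model of which bytes each IPsec integrity check covers, and what a NAT router's source-address rewrite does to it. The key, addresses, SPI and payload are constructed, and the helper names are hypothetical.

```python
import hashlib, hmac, ipaddress, struct
KEY = b"constructed-demo-key"  # constructed shared secret for the demo

def ip_header(src, dst, proto, ttl=64):
    """Simplified 20-byte IPv4 header: no options, checksum left at zero."""
    addrs = [ipaddress.IPv4Address(a).packed for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0, *addrs)

def icv(data):
    """HMAC-SHA1 truncated to 96 bits, the classic IPsec integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(header, body):
    """AH covers the outer IP header with mutable fields zeroed, plus the body."""
    h = bytearray(header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h) + body  # source and destination addresses stay covered

def esp_covered(header, body):  # ESP authentication ignores the outer IP header
    return body

def forward(header, new_src=None):
    """What a router does: decrement TTL; a NAT router also rewrites the source."""
    h = bytearray(header)
    h[8] -= 1
    if new_src:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def survives(covered, proto, new_src):
    """Sender computes the ICV, the packet is forwarded, the receiver re-checks it."""
    header = ip_header("192.168.1.100", "198.51.100.20", proto)
    body = struct.pack("!II", 0x1000, 1) + b"constructed payload"  # SPI, seq, data
    sent_icv = icv(covered(header, body))
    return hmac.compare_digest(sent_icv, icv(covered(forward(header, new_src), body)))

def results(public_src="203.0.113.7"):
    return {
        "AH, plain router": survives(ah_covered, 51, None),
        "AH, NAT router": survives(ah_covered, 51, public_src),
        "ESP, NAT router": survives(esp_covered, 50, public_src),
    }

if __name__ == "__main__":
    print(results())
```

ESP passing the integrity check is necessary but not sufficient: ESP carries no port numbers for a many-to-one NAT to key on, which is the gap that NAT traversal (UDP encapsulation) fills.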
khensonm
12-11-2002, 02:19 PM
Thanks, Ghost_Hacker!
I'll check everything out and report back.
I am tempted to rule out the router itself as the problem, because last week I had exactly the same setup, with only 2 exceptions. Last week it was a Win98 laptop with a plug-in PCMCIA (pigtail) and Nortel VPN V2_50.91. This week I have a WinXP laptop with an internal NIC (no pigtail) and Nortel VPN V4_65.09. Pity I can't get the old machine back to see if it was assigning a NAT address...
VPN server is the same.
Thanks for taking the time to help me with this.
-- Kate