Troubleshooting Vista VPN problems

re: Troubleshooting Vista VPN problems

Nóri — Tue, 10 Apr 2007 16:01:41 GMT

I've been running Vista on my two work machines since RTM. My work requires me to VPN to my customers. I see that the VPN client in Vista now puts the DNS address of the VPN connection as the preferred one.

That's fine for our own VPN connection but this creates problems when connecting to customers. Since the DNS now queries their DNS server I get locked out of network drives mapped to DFS shares, Outlook starts prompting me for a password (RPC over HTTP) etc.

This probably happens because we're utilizing split DNS and use the same internal and external domain name.

But I've not been able to find a way to revert this behaviour to the way XP worked.

re: Troubleshooting Vista VPN problems

rrasblog — Wed, 11 Apr 2007 12:03:59 GMT

When you are connected over VPN, the DNS address of the VPN is preferred one. But if name resolution fails with this DNS server, then the DNS server of the next available network adapter should be tried.

Have you enabled Split tunneling on the VPN connection to customer? If not, then you wont be able to access your network drives when connected to the customer.

Also, can you please elaborate on the below statement?

>>This probably happens because we're utilizing split DNS >>and use the same internal and external domain name.

-Deepti

re: Troubleshooting Vista VPN problems

Yuguang — Wed, 11 Apr 2007 14:23:28 GMT

I found a very very strange thing in vista.

Everyone can Replicate the problem in his vista machine.

1, repare a clean vista, and add two vista firewall rules which says ALLOW ALL PROTOCOL ALL IP IN and OUT

2, start the RemoteAccess service or create a incomming connection, add a user

3, create a pptp connection and set the server ip to 127.0.0.1

4, dial the pptp connection

5, the dial dialog is hang on the "verify the username and passwd", and at the end, you will get a 628 error.

6, if dail through calling RasDial, you will get a 806 error.

7, if vista firewall is disabled, everything works fine.

BTW: I do same thing in win2k, winxp,win2k3, everything works fine, in these platform, I can establish a pptp connection to self (127.0.0.1), but in vista, I can't if the vista firewall is enabled (even ALLOW all traffic).

I also used the pptpsrv.exe and pptpclnt.exe to test 127.0.0.1 to 127.0.0.1. The result is:

1, Run pptpsrv.exe and then run pptpclnt.exe, everything works fine.

2, Run pptpsrv.exe and then dial pptp connection to 127.0.0.1, the pptpsrv.exe can't receive any GRE packet.

So, it seems that the vista's pptp client can't send any GRE packet to 127.0.0.1 if the vista firewall enabled. But in the same Env. the pptpclnt.exe can send (through socket(raw,GRE_PROTOCOL) and sendto(...)) GRE packet to 127.0.0.1.

re: Troubleshooting Vista VPN problems

yuguang — Fri, 13 Apr 2007 05:15:54 GMT

Another limit in vista.

I found vista can only establish 2 pptp connections to outer

(uncheck default gateway)

When establish the 3rd pptp connection, the pptp dialer will report 800 error.

re: Troubleshooting Vista VPN problems

rrasblog — Fri, 13 Apr 2007 09:56:40 GMT

>>I found vista can only establish 2 pptp connections to >>outer (uncheck default gateway)

>>When establish the 3rd pptp connection, the pptp dialer >>will report 800 error.

Yuguang, you can establish only two simultaneous PPTP connections from the same machine. This is same for L2TP also. This has been the behaviour with Windows XP too.

-Janani

re: Troubleshooting Vista VPN problems

yuguang — Fri, 13 Apr 2007 11:16:48 GMT

Very thanks for your reply!

How can I establish more two simultaneous PPTP connections in vista or winxp?

Is there a work around for this problem?

BTW: I tested in win2k3, win2k3 can establish more than two simultaneous PPTP connections from the same machine.

re: Troubleshooting Vista VPN problems

yuguang — Sun, 15 Apr 2007 16:06:50 GMT

Janani:

Could you please take a look at the vista pptp client and vista firewall?

Why vista can't dial pptp to 127.0.0.1 when vista firewall is enabled?

Is there any work around solution?

BTW: I have known how to establish more than 2 connections in winxp/vista (I modify the registry HLM\system\controlclass\net_guid\0001\WanEndpoints).

re: Troubleshooting Vista VPN problems

pellen — Tue, 17 Apr 2007 00:14:01 GMT

I have a pptp-vpn on my m0n0wall gateway. When i used Windows XP on my laptop it worked flawless to connect to the VPN where ever i was. Now im on Vista and when i connect to my VPN i get a dedicated ip (v4) from the vpn-server, but then my local network connection that connects me to the internet dies somehow...and that makes the vpn connection die too...i have noooo idea why it behaves like this and it drives me nuts :(

Please help me :/

re: Troubleshooting Vista VPN problems

Donna — Tue, 17 Apr 2007 01:09:41 GMT

I can estabilish the VPN connection, but it drops all internet capabilities and the status shows local only. What is the .inf file that needs to be selected if you want to install IPv4?

re: Troubleshooting Vista VPN problems

pellen — Tue, 17 Apr 2007 01:23:55 GMT

yaay...problem solved...it was my FON-router that screwed the network my VPN was on :)

re: Troubleshooting Vista VPN problems

rrasblog — Tue, 17 Apr 2007 08:46:34 GMT

>>I can estabilish the VPN connection, but it drops all >>internet capabilities and the status shows local only. >>What is the .inf file that needs to be selected if you want >> to install IPv4?

Donna, please check if you have enabled the "Use remote default gateway" on your VPN connection. If you want to continue to use internet and use the VPN connection only for corp traffic, then this setting should be unchecked.

If I understand your question correctly, you can install IPv4 using the command "netsh interface ipv4 install" and uninstall using "netsh interface ipv4 uninstall"

-Janani

re: Troubleshooting Vista VPN problems

yuguang — Tue, 17 Apr 2007 16:12:16 GMT

I got the reason about "why vista pptp client can't dial itself when vista firewall is enabled"

There are two registry keys in

Service\SharedAccess\Defaults\FirewallPolicy\DisableStatefulPPTP

Service\SharedAccess\Parameters\FirewallPolicy\DisableStatefulPPTP

the default value is 0, change them to 1 will make everything works fine.

I don't know if it's firewall's bug or MS don't want users establish PPTP connections to 127.0.0.1.

Anyway, it provide a workaround solution.

re: Troubleshooting Vista VPN problems

Nóri — Sat, 21 Apr 2007 22:02:18 GMT

I've enabled split tunneling on the VPN entry. Doesn't seem to fallback to our DNS server.

Regardings Split DNS. We have the same server names for both external and internal. So for example my Outlook client connects to the same DNS name for both internal and external requests.

re: Troubleshooting Vista VPN problems

Matt — Sun, 22 Apr 2007 18:01:03 GMT

I've recently installed Vista Ultimate on one of my laptops, XP Pro is still on another. Using the native VPN client (IPSec) on the XP laptop I'm able to connect with no problems to a Linksys BEFVP41 endpoint. Unfortunately I've had no such luck with Vista. I'm this }{ close to getting it to work...looking at the VPN log on the Linksys I can see negotiations beginning, but then I get an error to the effect of "check Perfect Forward Secrecy settings" (PFS is enabled on the endpoint). I can't find where in the Consec rule to enable PFS...in fact I can't seem to find it anywhere in AdvFirewall Configuration. Can someone help me out? What reg key do I need to hack, what little-known menu do I need to access? I've about worn out Google looking for the solution.

Love Vista so far, but this may be a deal-breaker for me. Help me MS!