This article will discuss several techniques for troubleshooting a Windows 2000 VPN connection. A VPN connection is established across a shared infrastructure (for example, the Internet) so that an end user can reach internal network resources from remote locations. In most cases either third-party VPN software has been installed on the end user's PC or the built-in Windows 2000 VPN client is used to establish a VPN tunnel between the client and the server. The server generally resides in a secure location. Traffic between the client and the server is encrypted as it crosses the shared backbone, which emulates a point-to-point link between the two.
This article focuses on the client side of the VPN connection. Windows supports two types of Point to Point Protocol (PPP) based VPN technologies:
PPTP (Point to Point Tunneling Protocol) uses PPP for user-level authentication and Microsoft Point to Point Encryption (MPPE) for encryption.
L2TP with IPSec (Layer 2 Tunneling Protocol) uses PPP authentication and IPSec encryption.
If your users are having trouble establishing a VPN connection, have them follow these steps:
- Validate that they have IP connectivity to the Internet. This means that they have either dial up or broadband (home users) or publicly accessible Internet access (office space, hotel room, etc.). Connect and launch the Web browser to a public Internet site (not a site Internal to your organization). I use www.google.com. Most VPN connections will establish this connectivity to the Internet first. You can validate whether or not your VPN connection is doing this by looking to see if the VPN is set up to "first connect" to the Internet. This is found here: Start->Settings->Control panel->Network & Dial-up Connections->General
- If possible, ensure that they have IP connectivity to the VPN server that they are going to connect to. The easiest way to do this is to ping the VPN server. The IP address (or name) of the VPN server is found under the General tab of the VPN connection, accessed via Start->Settings->Control panel->Network & Dial-up Connections->General. In many cases there are filters on the VPN server that block pings, so a failed ping does not by itself prove a connectivity problem. If the user pings the VPN server and it fails, you might need the IP address of the Internet router the user will be coming across to reach the VPN server. Alternatively, have the user run a trace route to the VPN server to see whether the packets are being routed over the Internet to your location. Both ping and trace route can be run from the DOS command window: click Start->Run, type CMD at the Open: prompt and press Enter to launch the window. At the prompt type the following:
ping <VPN server name or IP address>, then press Enter. This attempts to ping the server. If this fails, try the following:
tracert <VPN server name or IP address>, then press Enter. This attempts to trace the route to the server over the Internet. The output should look something like the following:
C:\Documents and Settings\RH1728>tracert microsoft.com

Tracing route to microsoft.com [188.8.131.52]
over a maximum of 30 hops:

  1    78 ms    74 ms    71 ms  txempvpn2-e0.vpn.swbt.sbc.com [184.108.40.206]
  2    72 ms    73 ms    75 ms  dllstxcfcraenaffl1-v2.enaf.swbt.sbc.com [10.226.17.1]
  3    75 ms    72 ms    90 ms  dllstxcfcraeninet1-ge11.enaf.swbt.sbc.com [10.226.27.40]
  4    75 ms    85 ms    71 ms  txintdeff10-s2s1p1c0-vir1.pst.sbc.com [10.226.67.16]
  5    80 ms    80 ms    76 ms  dllstxcfxraenpmtr1-ge11.enaf.irc.sbc.com [220.127.116.11]
  6    74 ms    86 ms    90 ms  ^C
If the user can ping the Internet router (or a DMZ server address), you most likely will have connectivity to the VPN server.
- Validate the VPN connection configuration - The client side of the VPN must be configured for PPTP or L2TP. First, ensure that the "Automatic" setting is not selected for the VPN type, and second, ensure that the type selected matches the one your server supports. These settings are found under the "NETWORKING" tab of the VPN connection's Properties. The VPN connection itself is found under Start->Settings->Control panel->Network & Dial-up Connections.
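The three steps above produce ping and tracert output that a help desk usually has to read by hand. The following Python script is an added example, not part of the original article: it parses Windows-style ping and tracert output, finds the last hop that answered, and applies the article's rule that a filtered ping is acceptable as long as the Internet router (or a DMZ address) in front of the VPN server still responds. The hostnames and addresses in the embedded samples are constructed (RFC 5737 documentation ranges), and the live `run_checks` function assumes it is run on a Windows client where `ping` and `tracert` are on the path.

```python
"""Parse Windows ping/tracert output and report how far toward the VPN server
the path gets. Added example, not from the original article; samples below
are constructed."""
import re
import subprocess
import sys

# Constructed sample tracert output. Hop 3 plays the role of the Internet router
# in front of the VPN server; hops 4-5 time out because the server filters ICMP.
SAMPLE_TRACERT = """\
Tracing route to vpn.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    78 ms    74 ms    71 ms  home-gateway [192.168.1.1]
  2    72 ms    73 ms    75 ms  isp-edge.example.net [198.51.100.1]
  3    75 ms    72 ms    90 ms  198.51.100.40
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

# Constructed sample ping output for a server that drops ICMP echo requests.
SAMPLE_PING = """\
Pinging vpn.example.com [203.0.113.10] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 203.0.113.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

RTT = r"(\*|<?\d+ ms)"                      # one probe column: '78 ms', '<1 ms' or '*'
HOP_RE = re.compile(r"^\s*(\d+)\s+" + RTT + r"\s+" + RTT + r"\s+" + RTT + r"\s+(.+?)\s*$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PING_STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")


def _rtt(field):
    """'78 ms' -> 78, '<1 ms' -> 1, '*' (no answer) -> None."""
    if field == "*":
        return None
    return int(field.split()[0].lstrip("<"))


def parse_tracert(text):
    """Return one dict per hop line: {'hop': int, 'rtts': [int|None]*3, 'host': str}."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                         # header, blank and 'Trace complete.' lines
        hops.append({"hop": int(m.group(1)),
                     "rtts": [_rtt(m.group(i)) for i in (2, 3, 4)],
                     "host": m.group(5)})
    return hops


def last_responding_hop(hops):
    """Highest-numbered hop that answered at least one probe, or None."""
    answered = [h for h in hops if any(r is not None for r in h["rtts"])]
    return answered[-1] if answered else None


def target_reached(text, hops):
    """True if the final hop line carries the target address from the header."""
    m = re.search(r"Tracing route to .*?\[(\S+)\]", text)
    return bool(m and hops and m.group(1) in hops[-1]["host"])


def ping_received(text):
    """Echo replies counted in the Windows ping statistics line (0 if filtered)."""
    m = PING_STATS_RE.search(text)
    return int(m.group(2)) if m else 0


def diagnose(ping_text, tracert_text, edge_router_ip=None):
    """Classify the result using the article's reasoning about filtered pings."""
    hops = parse_tracert(tracert_text)
    if ping_received(ping_text) > 0 or target_reached(tracert_text, hops):
        return "vpn-server-reachable"
    last = last_responding_hop(hops)
    if last is None:
        return "no-internet-path"            # nothing answered: fix Internet access first
    if edge_router_ip and edge_router_ip in IP_RE.findall(last["host"]):
        return "edge-router-reachable"       # server filters ICMP; path is most likely fine
    return "path-stops-at-hop-%d-%s" % (last["hop"], last["host"])


def run_checks(server, edge_router_ip=None):
    """Live version for a Windows client: run ping and tracert, then diagnose."""
    ping_out = subprocess.run(["ping", "-n", "4", server],
                              capture_output=True, text=True).stdout
    tr_out = subprocess.run(["tracert", "-d", "-w", "1000", server],
                            capture_output=True, text=True).stdout
    return diagnose(ping_out, tr_out, edge_router_ip)


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python vpncheck.py <server> [<edge router IP>]
        print(run_checks(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
    else:                                    # offline demo on the constructed samples
        print(diagnose(SAMPLE_PING, SAMPLE_TRACERT, "198.51.100.40"))
```

Run without arguments it evaluates the constructed samples and reports `edge-router-reachable`; with a server name (and optionally the address of the Internet router in front of it) it runs the live commands. `tracert -d` skips reverse DNS so the hop lines carry only addresses, which keeps the edge-router comparison exact.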
If your users still cannot connect to the VPN server, there is potentially a problem with the authentication process between the Windows client and the VPN server itself. The next Windows VPN article will discuss steps that can be used to isolate and remedy this issue.
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has over 10 years of experience providing strategic, business, and technical consulting services to clients. Robbie resides in Atlanta, and is a graduate of Clemson University. His background includes positions as a Principal Architect at International Network Services, Lucent, Frontway and Callisma.