
Cannot see any files or computers through VPN


handlebars

Technical User
Joined
Feb 18, 2003
Messages
270
Location
GB
I have set up a VPN using a Draytek 2600 router but cannot see any files or log onto the domain. Do I need to have Windows 2003 Server acting as VPN server to provide domain authentication, or can it be done this way?

Once the connection is established I can ping local computers by IP address (i.e. 192.168.1.3, etc.).

I have added the VPN client WINS server as the LAN server (which is the internal WINS server).

Can anyone point out what glaring point(s) I have overlooked!

Thanks in advance

Andrew
 
Robert

Can this be done on most routers or is it a w2k server feature only?

 
It depends on which router you are using. For example, quoted from
How to add DNS and WINS into your Cisco VPN server:

If your VPN client cannot find servers or cannot ping a computer name, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS on a Cisco Firewall PIX, add vpdn group 1 client configuration dns dnsservername and vpdn group 1 client configuration wins winsservername.

Robert Lin, MS-MVP, MCSE & CNE
Windows, Network, Internet, VPN, Routing and How to at
 
I have managed to get it sorted. I think it was the fact that I was using a computer that was part of the domain (dialing in via a modem). I am now accessing from home no problem and have not had to change anything!

One thing that I am not sure about is how I can access resources on the domain when I have not logged in as an Active Directory user (would I just have guest privileges?)

Andrew
 
I have used the Vigor 2600 to create both a gateway-to-gateway and a client-to-gateway VPN, and what I noticed is that the DHCP server in the Vigor 2600 refused to configure its DHCP clients with the specified DNS server address. It relayed its own Internet DNS IP address to the clients (my own DNS server on W2K Server was 10.0.1.2 and the Vigor relayed the ISP's DNS server to the DHCP clients while I had set 10.0.1.2 in the Vigor's DHCP server as being the DNS server). So a solution may be to manually set the DNS server in your workstations. That's the way I solved it. Less than elegant, I admit, but it should do the trick.
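The mismatch described above (router pushing the ISP's resolver instead of the internal DNS/WINS server) is easy to confirm from the client side. As an added example that is not from this thread or from Draytek, here is a small Python parser for Windows `ipconfig /all` output that flags a VPN adapter whose DNS or WINS server is not the internal one; the sample output, adapter names and addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of "ipconfig /all" output on a VPN client. The VPN adapter
# was handed the ISP's resolvers (203.0.113.x) instead of the internal DNS
# server, while WINS was set correctly; the LAN adapter is fine.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.0.10
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   Primary WINS Server . . . . . . . : 192.168.0.1

PPP adapter Office VPN:
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   DNS Servers . . . . . . . . . . . : 203.0.113.1
                                       203.0.113.2
   Primary WINS Server . . . . . . . : 192.168.1.2
"""

KEY_VALUE = re.compile(r"\s+([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {setting: [values...]}} from ipconfig /all text.
    Adapter headers are unindented lines ending in ':'; indented lines without
    a key are continuation values (e.g. a second DNS server)."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current, last_key = raw.strip()[:-1], None
            adapters[current] = {}
            continue
        if current is None:
            continue
        m = KEY_VALUE.match(raw)
        if m:
            last_key = m.group(1).strip()
            adapters[current].setdefault(last_key, []).append(m.group(2).strip())
        elif last_key:
            adapters[current][last_key].append(raw.strip())
    return adapters


def check_vpn_name_resolution(adapters, vpn_adapter, internal_dns, internal_wins) -> List[str]:
    """List the settings on the VPN adapter that do not point at the internal
    servers; an empty list means name resolution over the tunnel should work."""
    cfg = adapters.get(vpn_adapter, {})
    problems = []
    dns = cfg.get("DNS Servers", [])
    if internal_dns not in dns:
        problems.append(f"DNS on '{vpn_adapter}' is {dns or 'unset'}, expected {internal_dns}")
    wins = cfg.get("Primary WINS Server", [])
    if internal_wins not in wins:
        problems.append(f"WINS on '{vpn_adapter}' is {wins or 'unset'}, expected {internal_wins}")
    return problems
```

On a real client, feed it the output of `ipconfig /all` and the adapter name shown there; a non-empty result explains why names resolve to nothing while pings by IP address still work.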
 
Andrew,

If the remote computer is a Win2K Pro machine, and at logon time you're choosing the main domain as the logon domain, you're actually using your account information when you attempt to get to network resources once connected via the VPN. It doesn't matter that you're not actually connected to the domain at logon time. Your system will attempt a "Kerberos AS exchange" between your computer's SSP and the KDC once you attempt to get to a shared resource on the network. So in short, you're not using guest services, as long as you're logging onto the main site domain while remote.
 
Is it only the computer's profile that is authenticated by the server when trying to access domain resources?

Is this simply the user name and password supplied when the user logs onto the PC? (or is the actual full computer name needed?)

It seems that one of our remote sites does not authenticate automatically, which means the user has to provide two sets of details - one for the VPN (on the router) and one for the domain resources.

Any suggestions would be much appreciated.

Andrew

 
Handle,

Yes and no to your questions above.

I'm assuming two things...

1. You're using Windows 2000 Server for your domain (and using Kerberos V5 and not NTLM for authentication).
2. You're using an IPSec tunnel for your VPN connection (because you stated above that you're not using a Windows 2000 VPN server, or PPTP).

Active Directory does require that the computer attempting to access a resource is registered as a computer object for your domain. Actually, what it's looking for is a combination of things: Domain/Username/Password. When you log onto a Win2K machine that's part of a domain, your PC's authentication client creates an encryption key based on your username and password which it caches, and then tries to contact the domain controller (more accurately the Key Distribution Center or KDC) specified at machine logon, just after boot-up. If it's able to contact a KDC in that domain then an exchange occurs and your machine is issued a "Logon session key". Your client then uses this key for the duration of your logon session (or until it expires) when attempting to access domain resources.

Now, if during the machine logon process it can't reach a KDC, your computer still caches the first encryption key. When you attempt to access a domain resource later, your client again attempts to access the KDC for a "Logon session key". If your machine can't secure a logon session key, the computer you're attempting to access will send a user prompt looking for domain credentials (i.e. domain/username and password), which I think is happening for your remote client.

Clear as mud right? Not sure if that answered your question. Post back if it didn't.
 