VPN versus Remote Desktop Connection


  1. Posts : 39
    Windows 7
    Thread Starter
       #11

    No luck.

    First, I run Shrew Soft VPN Access Manager. I click on connect for "My-Office-PC" connection, and I eventually get the message "tunnel enabled."

    Second, I run Remote Desktop Connection, and I get the message: Remote Desktop can't find the computer "My-Office-PC."

    When I run RDC on a different computer at the office, I am able to remote into "My-Office-PC," but when I do the same thing from home, I get the error message above, even though I have "tunnel enabled" and I use the same RDC settings that were successful on the office LAN. Suggestions?


  2. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #12

    A VPN is actually a secure, encrypted pathway ("tunnel") from one machine to another. All data through the tunnel is protected. An RDP connection would traverse the tunnel. So under normal conditions the VPN must be up, then start the RDP.

    In your case the tunnel may be up but not configured correctly. When Shrewsoft says the tunnel is established, can you ping any device on the other side? If not, the tunnel isn't right. You can be authenticated, but if the VPN client and server parameters don't match *perfectly* you won't pass anything through the tunnel.

    What VPN server are you using?


  3. Posts : 39
    Windows 7
    Thread Starter
       #13

    I was able to ping the DNS (WAN1) IP Address with success. Thus, I have "tunnel enabled" and I can ping the DNS. But when I try to establish a remote desktop connection, I get the following message:

    "The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly."

    I am not sure what is meant by "VPN server." I am using a VPN router (Linksys RV042) put in Gateway Mode. Suggestions?


  4. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #14

    The Linksys is the VPN server. A VPN tunnel is a point to point connection. The IP Address of the connection is probably the Linksys so that makes it the server.

    Where is the WAN1 interface you refer to? Is it on the Linksys? Since the PC you want to RDP to is most likely on the other side of the Linksys (inside interface), that's where you need to be able to ping. If you can ping the inside interface or any PC on the inside the VPN tunnel is probably ok. If you can only ping the outside (WAN1 I'll bet), then you're not getting through the router. What kind of VPN connection is it? IPSec? PPTP?


  5. Posts : 39
    Windows 7
    Thread Starter
       #15

    First, you're being very helpful. Thank you.

    Second, I am not able to ping my office computer on the other side of the router. I tried using both my office computer LAN IP and my office computer LAN IP with the listening port added. Both timed out.

    The WAN1 port is attached to the router. Thus, the topology is as follows:

    HomePC >> {{{Internet}}} >> DSLModem(Bridged) >> VPNRouter >> Switch >> OfficePC

    All computers are using Windows 7 Professional. If I try to use the native VPN client, I set the connection to automatically cycle through four protocols: PPTP, L2TP/IPsec, SSTP, and IKEv2. I end up with the same error message.

    I have multiple devices on the inside of the router, so I set my office computer (I'll call "My-PC") to listen to a particular port (I'll call "12345") and made all the necessary (I think) adjustments. I just checked my notes for the VPNRouter setting. Here are the settings (with changes to protect the innocent):

    Router

    Model - Linksys RV042
    Firmware - 1.3.12.19-tm (Feb 13 2009 13:03:21)
    Configuration
    LAN IP - 11.22.33.1
    Subnet Mask - 255.255.255.0
    WAN1 IP - 99.888.777.66
    PPPoE
    fake@fake.net
    password
    connect on demand
    MTU - auto
    WAN2 - obtain an IP automatically
    MTU - auto
    Mode - Gateway
    RIP - disabled
    DNS (WAN1) - 222.444.3.66
    DDNS - off
    DMZ Host - disabled
    Private IP Address - 11.22.33.1
    Port Range Forwarding
    TCP 12345~12346 to 11.22.33.111
    UDP 12345~12346 to 11.22.33.111
    TCP 3389~3389 to 11.22.33.111
    Port Triggering
    TCP 12345~12345;3389~3389
    UPnP Function - no
    One-to-One NAT - disabled
    DHCP Server - enabled
    My-PC - 11.22.33.111
    Printer-Host - 11.22.33.116
    Partner1-PC - 11.22.33.103
    Partner2-PC - 11.22.33.108
    SNMP enabled
    Diagnostic - ping
    Firewall - enabled
    SPI - enabled
    DoS - enabled
    Block WAN Request - enabled
    Remote Management - Port 80
    HTTPS - enabled
    Multicast Pass Through - enabled
    Ports 12345~12346 allowed to 11.22.33.111 (TCP)
    Ports 12345~12346 allowed to 11.22.33.111 (UDP)
    Port 1723 allowed to any destination
    VPN Tunnel Group No. 1
    WAN1
    Local Security Group Type - subnet
    IP Address - 192.168.1.0
    Subnet Mask - 255.255.255.0
    Remote Client - shrew.net
    IPSec Setup
    IKE with Preshared key
    Phase 1
    Group 2
    AES-256
    SHA1
    Perfect Forward Secrecy
    28800
    Phase 2
    Group 2
    AES-256
    SHA1
    Preshared Key - FakeKey
    3600
    Aggressive Mode - yes
    Compress - no
    Keep-Alive - yes
    AH Hash Algorithm MD5 - no
    NetBIOS broadcast - yes
    NAT Traversal - yes
    VPN Client Access
    My-VPN - active
    VPN Pass Through
    IPSec Pass Through - enabled
    PPTP Pass Through - enabled
    L2TP Pass Through - enabled
    PPTP Server - enabled
    Range Start - 11.22.33.200
    Range End - 11.22.33.204
    User - MyVPNPPTP (FakeVPNPassword)

    Any ideas?


  6. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #16

    When you said you changed the port numbers the Office PC listened to, is that for RDP? You shouldn't need to do that. A VPN makes the remote PC look like it's directly connected to the local LAN. In fact you shouldn't need to change any ports at all. That may be part of the problem.

    Can you ping any other device on the office LAN?


  7. Posts : 39
    Windows 7
    Thread Starter
       #17

    Because I am using a VPN router instead of a box with WinServer2008R2, I thought I needed to change each office computer to listen to a unique port. For our purposes, my office computer is set to listen to Port 12345. The other office computers are set to listen to other ports. I thought I addressed this problem with port forwarding and port triggering. On my office computer, the Registry line item was originally set to listen to 3389, and I changed it to 12345. I then configured the forwarding and triggering settings on the router as follows:

    Port Range Forwarding
    TCP 12345~12346 to 11.22.33.111
    UDP 12345~12346 to 11.22.33.111
    TCP 3389~3389 to 11.22.33.111

    Port Triggering
    TCP 12345~12345;3389~3389

    (With 11.22.33.111 representing my office computer's LAN IP Address.) Thoughts?


  8. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #18

    Once the tunnel is set, the router will (should) assign an IP address to your VPN client so that it can route packets to the local LAN. I have a VPN setup similar to this and never had to change any ports.

    VPNs are *very* picky and the settings on the server and client must match. You need to tell the Shrewsoft VPN what network it will be connecting to. It looks like your inside network is 11.22.33.0/24 (255.255.255.0) so that's what you'd configure in the Shrewsoft VPN client.


  9. Posts : 39
    Windows 7
    Thread Starter
       #19

    To answer your earlier question, I am not able to ping any computer or printer inside the router.

    I want to make sure I understand: The "VPN Client" is my home computer. Correct? Whereas the "Shrewsoft VPN Client" is something different?

    Also, I don't understand "/24" in your description of the network as "11.22.33.0/24 (Subnet Mask 255.255.255.0)." I just looked at the configurations for the Shrew Soft connection. I'm not sure which setting should be changed. Here are some possibilities:

    Local Host Address
    DNS Server Address
    Maintain Persistent Security Associations (Topology entry)


  10. Posts : 548
    W7 Ultimate 64bit W7 Premium 64bit W7 Premium 32bit WXP Home 32bit
       #20

    The VPN client would be the Shrewsoft VPN software on your home PC.

    Sorry, the "/24" refers to the subnet mask: 255.255.255.0, which is a 24-bit mask.

    There should be something in the Shrewsoft setup that tells it what remote network it's to connect to. Not to be confused with the router's outside address. It's the inside network where the router will send the packets from your home PC. Remember, the VPN is a tunnel. The tunnel itself terminates at the router's outside interface but packets *inside* the tunnel need to get to the inside interface.
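An added example, not part of the original thread: replies #18 and #20 say the client must be told which inside network sits behind the router, and that "/24" is the mask 255.255.255.0. The sketch below checks that with the values posted in #15, assuming the client's remote network is set to 11.22.33.0/24 as suggested in #18 and that the tunnel only carries traffic for addresses covered by both ends' policies; the function and constant names are hypothetical.

```python
import ipaddress

def to_network(address, mask):
    """Build a network from an address and dotted mask, e.g. 255.255.255.0 -> /24.
    Raises ValueError if the address has host bits set (a host IP entered as a network)."""
    return ipaddress.ip_network(f"{address}/{mask}")

def check_tunnel_policy(router_group, client_network, hosts):
    """Compare the router's Local Security Group with the client's remote network
    and report, per host, whether each side's policy covers it."""
    report = {"selectors_match": router_group == client_network, "hosts": {}}
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        report["hosts"][name] = {
            "in_router_group": addr in router_group,
            "in_client_policy": addr in client_network,
        }
    return report

# Values as posted in #15 (already anonymised by the poster).
ROUTER_GROUP_AS_POSTED = to_network("192.168.1.0", "255.255.255.0")
LAN_NETWORK = to_network("11.22.33.0", "255.255.255.0")
OFFICE_HOSTS = {"My-PC": "11.22.33.111", "Printer-Host": "11.22.33.116"}
# Assumption: the client's remote network is set as suggested in #18.
CLIENT_REMOTE_NETWORK = ipaddress.ip_network("11.22.33.0/24")

if __name__ == "__main__":
    # Run the check twice: with the posted Local Security Group, then with the LAN subnet.
    for label, group in (("as posted", ROUTER_GROUP_AS_POSTED), ("LAN subnet", LAN_NETWORK)):
        result = check_tunnel_policy(group, CLIENT_REMOTE_NETWORK, OFFICE_HOSTS)
        print(label, group, "match:", result["selectors_match"])
        for name, cover in result["hosts"].items():
            print("  ", name, cover)
```

With the posted Local Security Group, neither office host falls inside the router's side of the policy; with the LAN subnet in its place, both ends agree and both hosts are covered.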


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
