• IPSEC VPN and port forwarding issue

    I've configured a VPN (IPSec) between 2 sites on Cisco 881-K9.

    The server "A", which has the address 192.168.0.X, must be reachable on port 3389 from the public network.

    I've configured forwarding ports with the command:

    ip nat inside source static TCP 192.168.0.X 3389 interface fastethernet 0 3389

    The server is reachable from outside at the site where it is located.

    But there is an issue from the second site:

    • I can ping the server on its local address 192.168.0.X.
    • But a telnet to port 3389 does not connect.

    Resolution (conditional port forwarding):

    ip nat inside source static tcp 192.168.0.X 3389 x.x.x.x 443 route-map VPN
    access-list 107 deny ip 192.168.0.X 0.0.0.255 any
    access-list 107 permit ip any any
    route-map VPN permit 10
    match ip address 107

    The route-map makes the static translation conditional: traffic that the access list denies is not translated and crosses the IPsec tunnel with its private address, while everything else is still forwarded through the public address.


  • VPN from Windows 10 to SBS2011

    Issue: After upgrading to Windows 10 the VPN no longer connects to the server (SBS 2011):

    Error: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

    Easy to resolve, on the client side:

    • Go into Control Panel\Network and Internet\Network Connections (the old Networking control panel, not the new one).
    • Find the VPN connection and open its Properties dialog.
    • On the Security tab make sure that the "Allow these protocols" radio button is selected and that the Microsoft CHAP Version 2 (MS-CHAP v2) checkbox is ticked.

  • Install VPN Server on Windows Server 2012 R2

    First install the “Remote Access” role via Server Manager or Windows PowerShell.

    Select the “DirectAccess and VPN (RAS)” role services.

    In the next steps just use the default settings.

    After that you can review the Overview screen and install the role.

    After the features are installed (which can take a while), you will see the link for the Getting Started Wizard. Click “Open the Getting Started Wizard”. This opens the Routing and Remote Access MMC.

    Right-click the server name and click “Configure and Enable Routing and Remote Access”.

    In the new wizard select “Custom configuration”.

    Select “VPN Access”.

    After you click Finish, you can start the Routing and Remote Access service.

    If you have another firewall between the internet and your Windows Server, you have to open the following firewall ports and forward them to your Windows Server:

    For PPTP: 1723 TCP and Protocol 47 GRE (also known as PPTP Pass-through)
    For L2TP over IPSEC: 1701 TCP and 500 UDP
    For SSTP: 443 TCP

    After the installation, users have to be granted Remote Access permission before they can connect to your VPN server. On a standalone server this is done in the Computer Management MMC; in a domain environment it is done in the properties of the Active Directory user.

    If you don’t have a DHCP server in your environment you have to add a static IP address pool. This is often needed if you have a single server hosted at a service provider. In the properties of your VPN server, click the IPv4 tab and enable and configure the “Static address pool”.

    Possible issues:
    Event ID 20271: The account does not have permission to dial in
    Event ID 20258: user connected on port VPN3-127 does not have Remote Access privilege

    Cause and resolution: when we opened Network Policy Server (NPS) from the Administrative Tools, we found that the policy "Connections to Microsoft Routing and Remote Access server" was set to "Deny Access".

    To fix it, double-click "Connections to Microsoft Routing and Remote Access server" and select "Grant access".
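    The same server-side steps as an added PowerShell example (not from the original article), for the case where the role is set up from a shell instead of Server Manager: it installs the role services, creates the inbound firewall rules for the three tunnel types, grants dial-in permission and queries the two event IDs listed under possible issues. The feature and cmdlet names are real; the address pool, the user name and the rule display names are constructed placeholders, and the use of -IPAddressRange for the static pool is an assumption to verify on your build. One detail a practitioner should carry over to the port list: L2TP itself runs on UDP 1701, and L2TP/IPsec additionally needs UDP 4500 (NAT-T) and ESP (IP protocol 50) when a NAT device sits in the path.

```powershell
# Added example, not the article's own commands. Assumes the RemoteAccess,
# NetSecurity and ActiveDirectory modules are available on the server.
# Pool range, user name and rule names below are constructed placeholders.

# 1. Role and role services ("Remote Access" -> "DirectAccess and VPN (RAS)").
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Equivalent of "Custom configuration" -> "VPN Access" in the RRAS wizard.
#    -IPAddressRange stands in for the GUI's "Static address pool" on sites
#    without a DHCP server (first and last address of the pool; assumed here).
Install-RemoteAccess -VpnType Vpn -IPAddressRange 192.168.100.200, 192.168.100.249

# 3. Inbound rules on the server itself. A firewall in front of the server
#    needs the same ports forwarded. L2TP is UDP 1701; with IPsec you also
#    need UDP 4500 (NAT-T) and ESP (IP protocol 50).
$rules = @(
    @{ Name = 'VPN PPTP 1723/tcp';      Protocol = 'TCP'; Port = 1723 },
    @{ Name = 'VPN PPTP GRE (47)';      Protocol = '47';  Port = $null },
    @{ Name = 'VPN L2TP 1701/udp';      Protocol = 'UDP'; Port = 1701 },
    @{ Name = 'VPN IKE 500/udp';        Protocol = 'UDP'; Port = 500  },
    @{ Name = 'VPN IKE NAT-T 4500/udp'; Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'VPN IPsec ESP (50)';     Protocol = '50';  Port = $null },
    @{ Name = 'VPN SSTP 443/tcp';       Protocol = 'TCP'; Port = 443  }
)
foreach ($r in $rules) {
    $params = @{ DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow'; Protocol = $r.Protocol }
    if ($r.Port) { $params.LocalPort = $r.Port }   # GRE and ESP have no port
    New-NetFirewallRule @params | Out-Null
}

# 4. Grant dial-in. Domain user: msNPAllowDialin is the "Network Access
#    Permission" setting on the Dial-in tab of the AD user.
Set-ADUser -Identity 'vpnuser' -Replace @{ msNPAllowDialin = $true }
#    Standalone server: the local-account equivalent is
#    netsh ras set user name=vpnuser dialin=permit

# 5. Troubleshooting: list recent "no Remote Access privilege" events
#    (System log, source RemoteAccess) and show the NPS network policies;
#    "Connections to Microsoft Routing and Remote Access server" must grant access.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271, 20258 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
netsh nps show np
```

    Run it in an elevated PowerShell on the server; step 5 is read-only and can be rerun on its own whenever a client is refused.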

  • Automatically connect to a VPN on Windows start up

    If you need to connect to a Virtual Private Network at Windows startup, and you don't want the user to have to press Connect or enter the password, do the following:
    1) On the VPN Connect screen, check "Save this user name and password for the following users"
    2) Select the "Anyone who uses this computer" radio button
    3) Click "Properties" on the VPN Connect screen
    4) On the "Options" tab, uncheck:
    - "Display progress while connecting"
    - "Prompt for name and password, certificate, etc."
    5) In Windows Explorer, browse to C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    6) Open a new Windows Explorer window and browse to Control Panel\Network Connections
    7) Drag the icon of your VPN connection to the Startup folder. This will create a shortcut.

  • Permanent VPN connection in Windows

    Windows does not really offer a good way of setting up a permanent, stable VPN connection.

    A fairly robust solution to this problem combines:

    • Windows PowerShell
    • the Windows VPN client
    • Windows Task Scheduler

    On the server side, make sure your VPN server is set up and working.
    On the client side:

    1. Set up a new VPN connection. Just follow the usual “Connect to a workplace” wizard. Make sure that the VPN connection works.
    2. After creating the connection, set the redialing properties:

    • Redial attempts: 99
    • Time between redial attempts: 1 minute
    • Idle time before hanging up: never
    • Redial if line is dropped: ticked

    3. Uncheck “Use default gateway on remote network” to prevent all network/internet traffic from going through the VPN (unless that is what you want).

    4. Since the redial functionality of the VPN connection is not reliable, it is best to handle this yourself. It's PowerShell time. Create c:\vpn.ps1 and add the following:

    # Host that should only be reachable through the VPN tunnel
    $ip = "10.20.30.40"
    # Ping it via WMI; StatusCode 0 means an echo reply was received
    $result = gwmi -query "SELECT * FROM Win32_PingStatus WHERE Address = '$ip'"
    if ($result.StatusCode -eq 0) {
        Write-Host "$ip is up."
    }
    else {
        # Ping failed: tear the connection down and dial it again
        Write-Host "$ip is down."
        Write-Host "Disconnecting..."
        rasdial.exe DegreeVPN /DISCONNECT
        Write-Host "Connecting..."
        # Phonebook entry name, VPN user name and password
        rasdial.exe DegreeVPN vpnUsername vpnPassword12345
    }

    The script pings an IP that should be available through the VPN. If the ping is unsuccessful, the connection is re-established. You can also set up routes here (and get notifications by email every time the VPN was disconnected) by adding a few more lines to the script.

    5. Start PowerShell and run “Set-ExecutionPolicy Unrestricted” to allow the script to be executed.

    6. Schedule this script to execute at startup (no user login necessary) and also every 5 minutes.
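    An added PowerShell example (not the article's vpn.ps1) that puts the client-side pieces from the last three notes together: the all-user VPN profile with MS-CHAP v2 and saved credentials, a keep-alive that reconnects without a password in the script, and the Task Scheduler registration for step 6. The connection name SiteVPN, the server name vpn.example.com, the probe address 10.20.30.40 and the log path are constructed placeholders; the cmdlets are the real VpnClient and ScheduledTasks module cmdlets. Because the task runs as SYSTEM, the connection has to be created for all users, and the stored credential (step 1 of the startup note) is what lets rasdial dial it without a user name or password.

```powershell
# Added example, not the page's own script. Save as C:\vpn.ps1.
# Constructed placeholders: SiteVPN, vpn.example.com, 10.20.30.40, the log path.

$VpnName = 'SiteVPN'
$ProbeIp = '10.20.30.40'          # a host that is only reachable through the tunnel
$LogFile = 'C:\vpn-keepalive.log'

# One-time client setup, run interactively once. -AllUserConnection is needed
# because the scheduled task runs as SYSTEM; -RememberCredential stores the
# user name and password for all users, so no secret lives in this file.
function Install-VpnProfile {
    if (-not (Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $VpnName -ServerAddress 'vpn.example.com' `
            -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
            -SplitTunneling -RememberCredential -AllUserConnection -Force
    }
    # Dial once through the dialog so Windows saves the credential;
    # afterwards "rasdial SiteVPN" needs no user name or password.
    rasphone.exe -d $VpnName
}

# Keep-alive: same idea as the original script, with a log line per reconnect.
function Test-VpnAndReconnect {
    $up = Test-Connection -ComputerName $ProbeIp -Count 2 -Quiet
    if ($up) { return 'up' }
    "$(Get-Date -Format s) $ProbeIp unreachable, reconnecting $VpnName" | Add-Content $LogFile
    rasdial.exe $VpnName /DISCONNECT | Out-Null
    rasdial.exe $VpnName | Add-Content $LogFile        # uses the saved credential
    return 'reconnected'
}

# Step 6: run at startup (no logon required) and every 5 minutes as SYSTEM.
# -ExecutionPolicy Bypass on the task action limits the policy change to this
# task instead of setting Unrestricted machine-wide as in step 5.
function Register-VpnKeepAlive {
    param([string]$ScriptPath = 'C:\vpn.ps1')
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $atBoot   = New-ScheduledTaskTrigger -AtStartup
    $every5   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                    -RepetitionInterval (New-TimeSpan -Minutes 5) `
                    -RepetitionDuration ([TimeSpan]::MaxValue)
    $asSystem = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 4)
    Register-ScheduledTask -TaskName 'VPN keep-alive' -Action $action `
        -Trigger $atBoot, $every5 -Principal $asSystem -Settings $settings -Force
}

# Entry point when the scheduled task runs this file.
Test-VpnAndReconnect
```

    Dot-source the file once from an elevated prompt (`. C:\vpn.ps1`) and call Install-VpnProfile and then Register-VpnKeepAlive; every later run by the task only executes the check at the bottom. If the log shows reconnects every 5 minutes while the tunnel is actually up, the probe host is the wrong one: pick an address that answers ICMP only across the VPN.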
