Editor'due south notation: In the video, Brandon Vigliarolo uses Microsoft Windows Server 2016 , and some of the steps and menus are unlike from the following tutorial by Brien Posey. This tip was first published in May 2003.

VPNs have gone from obscurity to being a common method of linking individual networks together beyond the Cyberspace. Although VPNs initially became popular because they complimentary companies from the expense of connecting networks with dedicated leased lines, office of the reason that VPNs accept become and then accustomed is that they tend to be very reliable. Nevertheless, VPN connections do occasionally experience problems. Here are several techniques you tin can use to troubleshoot VPN connections.

SEE: How to work from habitation: Information technology pro's guidebook to telecommuting and remote work (TechRepublic Premium)

What's the problem?

There are four types of problems that tend to occur with VPN connections. These include:

  • The VPN connexion being rejected.
  • The acceptance of an unauthorized connection.
  • The inability to reach locations that prevarication beyond the VPN server.
  • The inability to establish a tunnel.

1: The VPN connectedness is rejected.

Having a VPN client'south connection rejected is perhaps the virtually common VPN trouble. Office of the reason this problem is and then common is that there are a lot of bug that tin can cause a connection to be rejected. If your VPN server is rejecting customer connections, the first thing yous need to exercise is to bank check to brand certain the Routing And Remote Access service is running. You tin can check this by opening the server's Command Panel and clicking on the Authoritative Tools icon, followed by the Services icon.

One time you've verified that the necessary services are running, try pinging the VPN server past IP accost from the VPN client. You lot should ping by IP address initially and then that yous can verify that basic TCP/IP connectivity exists. If the ping is successful, then ping the server once again, but this fourth dimension ping by the server'due south fully qualified domain proper noun (FQDN) rather than by its address. If this ping fails where the IP address ping succeeded, y'all take a DNS problem, because the client is unable to resolve the server's name to an IP address.

Check on the authentication process

Once yous've established that there is a valid TCP/IP connectedness between the VPN customer and server, and that proper noun resolution is working correctly, the side by side affair to check is the authentication process. Every bit you lot may know, there are a lot of different hallmark methods available to a VPN connectedness. Both the VPN client and the VPN server must have at to the lowest degree i hallmark method in common.

Yous can check to meet which authentication methods the VPN server is configured to use by entering the MMC control at the Run prompt. When you practise, Windows volition open an empty Microsoft Direction Console session. Now, select the Add / Remove Snap In command from the Console carte. When you run across the Add / Remove Snap In backdrop sheet, click the Add button on the Standalone tab. This will reveal a list of the available snap-ins. Select Routing And Remote Access from the listing and click the Add together button, followed by the Close and OK buttons.

At present, the Routing And Remote Admission snap-in should be added to the panel. Correct-click on the listing for your VPN server and select the Properties command from the resulting shortcut carte du jour. This will display the server'south properties sheet. Select the Security tab and click the Hallmark Methods button. This will cause Windows to display a dialog box with all of the bachelor authentication methods. Y'all tin can enable or disable authentication methods by selecting or deselecting the appropriate check boxes.

The method for checking the authentication method on the client end varies depending on the client's operating organisation. For a Windows XP system, right-click on the VPN connection and select the Properties command from the resulting shortcut menu. This will reveal the connection'southward properties canvas. At present, select the properties sheet's Security tab, select the Advanced radio push, and click the Settings button to reveal the bachelor authentication methods.

I usually adopt to use Windows Authentication in VPN environments, merely RADIUS is too a pop pick. If yous are using RADIUS Authentication, you must verify that the client supports RADIUS and that the VPN server has no trouble communicating with the RADIUS server.

Run into: Understanding VPNs and how to choose one (CNET)

More things to check

If the authentication methods appear to exist gear up correctly, the side by side step is to bank check the technique by which the customer is trying to connect to the VPN server. If the customer is dialing in to the server, rather than connecting through the Internet, information technology could be that the remote user has no dial-in privileges. You can cheque the privileges either past looking at the Punch In tab on the user's properties canvas in Agile Directory Users And Computers, or past looking at the domain's remote access policy. This would too exist a good fourth dimension to verify that the user actually knows how to establish the VPN connection and that the user is using the correct username and password.

This may sound obvious, simply if your domain is running in Windows 2000 Native Manner, your VPN server needs to be a member of the domain. If the VPN server hasn't joined the domain, it will be unable to cosign logins.

Y'all as well need to take a expect at IP addresses. Each Web-based VPN connectedness really uses two different IP addresses for the VPN client computer. The first IP address is the one that was assigned past the client's Internet service provider. This is the IP address that's used to found the initial TCP/IP connection to the VPN server over the Cyberspace. However, once the client attaches to the VPN server, the VPN server assigns the client a secondary IP address. This IP address has the same subnet as the local network and thus allows the client to communicate with the local network.

At the fourth dimension you prepare the VPN server, you must either specify that the server will use a DHCP server to assign addresses to clients, or you lot can create a bank of IP addresses to assign to clients straight from the VPN server. In either example, if the server runs out of valid IP addresses, it will exist unable to assign an accost to the customer and the connection will be refused.

For environments in which a DHCP server is used, one of the more common setup errors is specifying an wrong NIC. If yous correct-click on the VPN server in the Routing And Remote Access console and select the Properties command from the resulting shortcut menu, you'll see the server's properties canvass. The properties sheet's IP tab contains radio buttons that allow you to select whether a static address puddle or a DHCP server will be used. If you lot select the DHCP server option, you must select the appropriate network adapter from the driblet-downwards listing at the lesser of the tab. You lot must select a network adapter that has a TCP/IP path to the DHCP server.

two: The credence of unauthorized connections.

Now that I've discussed reasons why a connection might exist refused, let's take a look at the opposite problem in which unauthorized connections are accepted. This problem is much less common than not getting connected at all, but is much more serious because of the potential security issues.

If you look at a user'southward properties sail in the Active Directory Users And Computers console, you'll notice that the Dial In tab contains an selection to command admission through the remote access policy. If this option is selected and the effective remote access policy is set to allow remote admission, the user volition exist able to attach to the VPN. Although I accept been unable to copy the state of affairs personally, I have heard rumors that a bug exists in Windows 2000 that causes the connection to be accepted even if the constructive remote access policy is set to deny a user'southward connexion, and that information technology'southward best to allow or deny connections directly through the Agile Directory Users And Computers console.

See: The best mobile VPNs can ensure your privacy anywhere (ZDNet)

iii: The disability to attain locations beyond the VPN server.

Another mutual VPN problem is that a connexion is successfully established, only that the remote user is unable to access the network lying beyond the VPN server. By far, the well-nigh common cause of this problem is that permission hasn't been granted for the user to admission the entire network. If yous have ever worked with Windows NT 4.0, yous may recollect a setting in RAS that allowed you to control whether a user had access to 1 reckoner or to the unabridged network. This item setting doesn't exist in Windows 2000, but there is some other setting that does the same thing.

To allow a user to access the unabridged network, go to the Routing And Remote Access console and right-click on the VPN server that's having the problem. Select the Properties command from the resulting shortcut menu to display the server's properties canvas, then select the backdrop canvass's IP tab. At the top of the IP tab is an Enable IP Routing cheque box. If this check box is enabled, VPN and RAS users volition be able to get to the rest of the network. If the bank check box is not selected, these users volition be able to access only the VPN server, but nothing beyond.

The problem could also be related to other routing issues. For example, if a user is dialing directly in to the VPN server, it's usually all-time to configure a static road between the client and the server. You can configure a static route by going to the Dial In tab of the user's properties sheet in Active Directory Users And Computers, and selecting the Utilize A Static Route check box. This will cause Windows to brandish the Static Routes dialog box. Click the Add Route push button and then enter the destination IP address and network mask in the space provided. The metric should exist left at 1.

Meet: Cybersecurity in an IoT and mobile globe (ZDNet special report) | Download the report equally a PDF (TechRepublic)

If yous're using a DHCP server to assign IP addresses to clients, there are a couple of other issues that could cause users not to be able to become across the VPN server. One such problem is that of duplicate IP addresses. If the DHCP server assigns the user an IP address that is already in apply elsewhere on the network, Windows will detect the conflict and prevent the user from accessing the rest of the network.

Another common problem is the user non receiving an address at all. Most of the time, if the DHCP server tin't assign the user an IP accost, the connection won't make it this far. However, there are situations in which an accost assignment fails, so Windows automatically assigns the user an address from the 169.254.x.x range. If the customer is assigned an accost in this range, but this address range isn't present in the system's routing tables, the user will be unable to navigate the network beyond the VPN server.

iv: Difficulty establishing a tunnel.

If everything seems to be working well, but you can't seem to establish a tunnel between the customer and the server, there are ii main possibilities of what could be causing the problem. The kickoff possibility is that one or more of the routers involved is performing IP packet filtering. IP package filtering could prevent IP tunnel traffic. I recommend checking the client, the server, and any machines in between for IP packet filters. You can exercise this by clicking the Advanced button on each machine's TCP/IP Properties sheet, selecting the Options tab from the Advanced TCP/IP Settings Properties sheet, selecting TCP/IP Filtering, and clicking the Properties button.

The other possibility is that a proxy server is standing betwixt the client and the VPN server. A proxy server performs NAT translation on all traffic flowing between the client and the Internet. This means that packets appear to be coming from the proxy server rather than from the client itself. In some cases, this interaction could prevent a tunnel from existence established, especially if the VPN server is expecting the customer to accept a specific IP address. Yous must besides keep in mind that a lot of older or low-terminate proxy servers (or NAT firewalls) don't support the L2TP, IPSec, or PPTP protocols that are often used for VPN connections.


Image: Getty Images/iStockphoto