RV016 / Windows Server 2012 - Gateway to Gateway VPN

We have two sites, and on one site (the main one) we have a Windows 2012 server as the DC on the network; it is also a gateway through which employees connect to the company network. On our other site we do not have servers set up, and we had purchased an RV016 hoping we could set up a continuous gateway-to-gateway VPN connection. So far we have had no luck getting it to work, which begs the question - is it possible? Thank you.


Similar Messages

  • Server 2012 R2 RRAS NAT VPN connectivity issues

    Hello all,
    I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not
    working properly.
    Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
    1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
    2. The entire environment is on Server 2012 R2 Hyper-V. I’ve configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I’ve configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching
    to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
    3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it’s not an IP changing anywhere.
    I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
    4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I’m thinking this is
    where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
    5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
    6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
    The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had
    no issues connecting to my VPN server remotely.
    Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
    1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
    2. How can I test if NAT-T is working outside of VPN testing?
    3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond
    that server? What are the security implications for running VPN from the router?
    Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon
    captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience,
    recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
    Respectfully yours,
    Ron Arestia

    Hi Ron,
    Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
    For detailed information, please refer to the link below:
    http://support.microsoft.com/kb/926179
    Best Regards.
    Steven Lee
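
The registry value named in the reply above can be inspected and set from an elevated PowerShell session. This is an added example, not part of the original thread or of Microsoft's article; the key path and the meanings of 0, 1 and 2 are those documented in KB 926179, the function names are hypothetical, and the value 2 in the last line is only a sample.

```powershell
# Added example: audit and set the IPsec NAT-T policy value from KB 926179.
# Function names are hypothetical; run from an elevated session.
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName      = 'AssumeUDPEncapsulationContextOnSendRule'

# Meanings of the DWORD as documented in KB 926179.
$Meaning = @{
    0 = 'Default: no security associations with servers behind a NAT device'
    1 = 'Security associations allowed with servers behind a NAT device'
    2 = 'Security associations allowed when both server and client are behind NAT devices'
}

function Get-NatTPolicy {
    $item = Get-ItemProperty -Path $PolicyAgentKey -Name $ValueName -ErrorAction SilentlyContinue
    $present = $null -ne $item
    # An absent value behaves like the default (0).
    $value = if ($present) { [int]$item.$ValueName } else { 0 }
    $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unrecognized value' }
    [pscustomobject]@{ Present = $present; Value = $value; Meaning = $text }
}

function Set-NatTPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2)]
        [int]$Value
    )

    $before = Get-NatTPolicy
    $target = "$PolicyAgentKey\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $Value (was $($before.Value))")) {
        # -Force overwrites the value if it already exists.
        New-ItemProperty -Path $PolicyAgentKey -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Restart the computer for the new value to take effect.'
    }
    Get-NatTPolicy
}

# Show the current state, then preview a change; drop -WhatIf to apply it.
Get-NatTPolicy
Set-NatTPolicy -Value 2 -WhatIf
```

Note the Value reported before any change so it can be restored, since the setting widens which peers IPsec will negotiate with.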

  • Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

    Hello,
    I am trying to set up an IPsec VPN (Site-by-Site or, if not possible, Client-BySite) between a Netgear Pro Safe router and Windows Server 2012.
    The problem: the tunnel is up and running, but no ping, no traffic at all.
    The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-by-site is possible in my situation with built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the tunnel in the Advanced Firewall Options window. Both Windows and the router say the VPN tunnel is okay. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and the other direction) I get no response. Some people said the RAS itself could not accept packages, but I tried from one of the virtual clients as well (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
    Now, after all the time I spent today on this problem, I'm a bit confused.
    As I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route - I suppose this is because "Routing and RAS or Windows Firewall service" does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1 - and I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as
    it is not an option inside the GUI.
    It would be great if somebody could explain to me how config and packages SHOULD look....I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help
    to solve the problem would be great as well!
    Now I will try to sleep one night - maybe I'll get some nice idea after some hours of sleeping. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access
    the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this wired configuration looks wrong to me...can some network professional
    help out with an explanation?
    Second Addition: I can also set the Local Endpoint to "any" and it does work - but ping still does not work :-(
    Third Addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....

    I would definitely recommend the usage of a virtual router instead of using the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link),
    this scenario is not supported by Microsoft! You will run into problems!
    We run a Hyper-V virtual machine and install the wonderful distribution pfsense inside this box. pfsense is a software-linux-router with IPsec functionality, which works like a charm!
    And by the way, I recommend not using the products of Netgear! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay stable up!
    This experience was very time-intensive to make! Hope this will help someone else in the future.

  • Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

    Reposted moved from Windows Server Forums- Security
    Hi
    I'm in the process of creating a new Active Directory forest with a single domain using AD.Contoso.com to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split horizon (Split Brain) DNS. The requirements
    for our new domain are :-
    2012 R2 AD
    Direct Access & VPN
    Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
    Lync 2013 ?
    SharePoint 2013 ?
    Microsoft Active Directory Certificate Services
    System Center Configuration Manager 2012 R2
    Two way trusts between old forest and new to enable Transition/Migration
    Ok so that's what I'm aiming for so now the question.
    They are allowing me to purchase a next Generation Firewall may be a Barracuda NG firewall or a Cisco ASA X series so I need some advice on what type of network topology I should configure. I've read that using the two NIC configuration for
    the 2012 R2 Direct Access Server is preferable, one nic on the internal network one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter bypassing the backend Firewall see image
    The other alternative is to dispense with the perimeter network use the Direct Access server with a single NIC and setup the NG Firewall in a three-legged config with the DA server on the DMZ.
    So all you security experts out there what would be your design for this simple domain? we don't need any HA or Load Balancing.
    Thanks
    Simon

    Ok I'm not sure we are going to get any advice on this subject but one last effort. Our budget can only stretch to one next generation firewall so I'm considering the following three legged firewall design with a two NIC 2012 R2 Direct
    Access server. If someone could validate this configuration or suggest an alternative then I would be grateful.

  • Vpn connection from administration win server 2012 r2

    Hello everyone, I have Win Server 2012. For the VPN connection, I need to make a setting so that a subnetwork gets access from the main office to the district office?

    Hi,
    Can you ping normally to other server from your server 2012 R2?
    Does the user have enough permission for remoting?
    Can you telnet port 3389 and see whether the RDP port is opened?
    Please try to perform remote desktop with the “mstsc /admin” switch and check the result. Additionally, try to perform the remote session with the IP address specified for that server. Also you can try this PowerShell command to enable remote desktop.
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Upgrading Windows Server 2012 Essential Eval to Windows Server 2012 R2 Retail

    I need to upgrade from Windows Server 2012 Essential Eval version to Windows Server 2012 R2 Retail. What would be the easiest way to upgrade if license $$ is not an issue? The server is a DC. Would the following work:
    1. Upgrade from Windows Server 2012 Essential Eval to Windows Server 2012 Essential Retail
    2. Do a conversion from Windows Server 2012 Essential Retail to Windows Server 2012 Standard Retail (I suppose this just require several command line to enable the 2012 Standard)
    3. Do an in-place upgrade from Windows Server 2012 Standard to Windows Server 2012 R2 Standard (there is no need to do migration, am I right?)
    Thanks.

    I just did a simulation using Hyper-V. It seems that I'm able to do the upgrade sequence as described, but I'm not sure whether there are any side effects that have not yet surfaced. Here are the detailed steps that I took:
    1. Under Windows Server 2012 Essential Eval
    convert the Windows Server Essential 2012 Eval to Windows Server Standard 2012 using the following command in an elevated command prompt
    dism /online /set-edition:ServerStandard /productkey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx /accepteula
    press "y" and return to restart as prompted
    the productkey could be a retail key or the KMS client keys (just for installation, not for activation)
    2. After reboot, the system become Windows Server 2012 Standard
    using admin account to login
    add admin account to the Enterprise Admins group and Schema Admins group if not already done so, logout and login again
    mount the Windows Server 2012 R2 Standard disk in, say, drive d:
    in an elevated command prompt, go the following:
    cd d:\support\adprep
    .\adprep.exe /forestprep
    .\adprep.exe /domainprep
    double click on d: in explore to run the Windows Server 2012 R2 Standard setup
    follow the instructions to complete the in-place upgrade from Windows Server 2012 to Windows Server 2012 R2
    3. After reboot into Windows Server 2012 R2 Standard, go to the charms bar, select setting -> server info, it will mention the server is not activated, click on Activate Windows and key in the Windows Server 2012 R2 Standard retail key

  • Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide

    New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
    This new guide is available on the Web at
    http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
    http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
    If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
    You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed
    in this article.)
    The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network
    traffic routing between virtual and physical networks, including the Internet.
    You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of
    available VLAN IDs.
    If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant
    Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
    For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
    http://www.microsoft.com/download/details.aspx?id=39284
    With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access
    and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways
    with BGP.
    Thanks -
    James McIllece

    Hi,
    It is very useful, thanks for sharing.
    Best Regards
    Elton Ji

  • Server 2012 R2 RRAS Multitenant Gateway GUI

    "The new RRAS Multitenant Gateway Deployment Guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable
    datacenter and cloud network traffic routing between virtual and physical networks, including the Internet." I have server 2012 R2 installed on a vm with Remote Access server role  and Routing and Remote Access Service (RRAS) role  installed
    how do I configure this for NAT? (I did find a powershell script but I want to do this through the ui) without SCVMM.
    Peplink Balance 210 dual wan router (Bell and Cogeco)
    2 ProLiant physical servers
    2 Nics per server
    5 static ips
    2 Virtual Switches
    Server 2012 R2 host
    Server 2012 R2 Essentials (Domain 1)
    Server 2012 R2 Essentials (Domain 2)
    Server 2012 R2 (Domain 3)
    http://technet.microsoft.com/en-us/library/dn641923.aspx
    New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
    http://blogs.technet.com/b/wsnetdoc/archive/2014/03/26/new-windows-server-2012-r2-rras-multitenant-gateway-deployment-guide.aspx
    Multitenant security and isolation with Hyper 2012
    http://blog.marcosnogueira.org/multitenant-security-and-isolation-with-hyper-2012/
    Here is the situation I have a client that operates 3 small companies out of one location he has a generator plus great physical security and relatively new network cabling I plan to create a couple of vlans on the peplink. I decided to go with server 2012
    essentials (he wants to use RWA) all of the vm’s will be under a very light load on the first server with 1 server to test backups and 2 IO safe drives.
    Diagram
    http://i61.tinypic.com/rct0ti.png
    Thanks in Advance.

    Hi,
    Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
    Don't hesitate to try your hand at it.
    Here are some articles about PowerShell,
    Using Windows PowerShell
    http://technet.microsoft.com/en-us/library/dn425048.aspx
    PowerShell
    http://technet.microsoft.com/en-us/library/ff950685.aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Remote Desktop Connection Client 9.3.9600 unable to connect to Server 2012 RDS via Gateway

    Hi,
    I have a Windows Server 2012 R2 RDS environment with two Gateway servers configured in high availability mode (RD Web Access, RD Gateway, RD Connection Broker roles installed) and four Windows Server 2012 R2 RDS Session Hosts. The servers are all running
    the most recent public server updates. With this configuration, when connecting externally using a Windows 7 computer with the older Remote Desktop Connection client (6.1.7601), I am able to connect without any problems; however, when I try connecting with a
    newer client from a computer running Windows 8.1 and the 9.3.9600 client, I am unable to connect.
    At the moment a NAT rule is configured to pass 80/443 traffic to only one of the RDS gateway servers, I've removed our load balancer from the configuration for the moment to reduce the complexity. 
    No error is generated by the client when it tries to connect it just stops trying to connect after a while.
    On the Gateways servers event logs for 
    Things I have looked into so far.
    - I've double and triple checked the RDS configuration and checked it against one of my other clients configurations that is working and they are identical. 
    - Connecting from an older client version works fine.
    I'm not sure what else can be checked does anyone have any ideas?

    Hi,
    1. What entries are you seeing in the RD Gateway's log?  Event Viewer\ Applications and Services Logs\ Microsoft\ Windows\ TerminalServices-Gateway
    2. How come you are not forwarding UDP port 3391 in addition to TCP port 443?  It should work without UDP, but you will not have UDP support which is one of the benefits of RDP 8.0/8.1.
    3. Are there any non-default group policy settings being applied to the servers and/or client PCs?  To be clear, I'm asking if any changes have been made to the default local and domain security policies, group policy objects, new GPOs that may have
    been added, etc., that are applicable to the servers and or client PCs.
    -TP

  • RV016 Gateway to Gateway VPN Internet Traffic

    I have a RV016 router in place that has numerous Gateway to Gateway VPNs connected to various sites over Comcast Cable. I would like to funnel all traffic through the RV016, but I am only seeing the tunnel traffic going between each.
    I think I saw some posts alluding to the fact that since the RV016 only deals with layer 3 that this is impossible. What if I added a route to each of my workstations that routes all 0.0.0.0 traffic through the RV016 router? Would this work even if it's really ugly?
    What I am trying to avoid is having an open Internet connection at all of my sites. I would rather be able to control it here at the main office's RV016.
    Thanks in advance!

    tekliu,
    I actually found and tried this solution last night, but below is how my routing table looks on my RV042. When I do a tracert to www.google.com or whatever I can see that the traffic basically hits my router then out through the Comcast modem. If I do anything on the main office subnet 172.16.1.0 then I can see it hit both routers.
    Should I maybe reset the router to default and do this from the start? As you can see below all 0.0.0.0 traffic is set to go out through the Comcast gateway 74.94.253.10.
    Routing Table Entry List

    Destination IP Address   Subnet Mask        Default Gateway   Hop Count   Interface
    74.94.253.8              255.255.255.252                      40          ixp1
    74.94.253.8              255.255.255.252                      45          ipsec0
    192.168.3.0              255.255.255.0                        50          ixp0
    192.168.2.0              255.255.255.0      74.94.253.10      10          ipsec0
    192.168.2.0              255.255.255.0                        50          ixp0
    172.16.1.0               255.255.255.0                        50          ixp0
    default                  0.0.0.0            74.94.253.10      40          ixp1

    I can send you all of my config data if you need it.
    Thanks!
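
To see which entry of the routing table posted above a given destination would use, the table can be evaluated offline. This is an added example, not part of the original thread: it assumes ordinary longest-prefix-match selection with the lowest hop count as tie-breaker, and the function names and the three test destinations are constructed for illustration.

```powershell
# Added example: resolve destinations against the routing table posted above.
# Constructed transcription of the post; an empty Gateway means none was listed.
$Routes = @(
    [pscustomobject]@{ Dest = '74.94.253.8'; Mask = '255.255.255.252'; Gateway = '';             Hops = 40; Interface = 'ixp1'   }
    [pscustomobject]@{ Dest = '74.94.253.8'; Mask = '255.255.255.252'; Gateway = '';             Hops = 45; Interface = 'ipsec0' }
    [pscustomobject]@{ Dest = '192.168.3.0'; Mask = '255.255.255.0';   Gateway = '';             Hops = 50; Interface = 'ixp0'   }
    [pscustomobject]@{ Dest = '192.168.2.0'; Mask = '255.255.255.0';   Gateway = '74.94.253.10'; Hops = 10; Interface = 'ipsec0' }
    [pscustomobject]@{ Dest = '192.168.2.0'; Mask = '255.255.255.0';   Gateway = '';             Hops = 50; Interface = 'ixp0'   }
    [pscustomobject]@{ Dest = '172.16.1.0';  Mask = '255.255.255.0';   Gateway = '';             Hops = 50; Interface = 'ixp0'   }
    # The "default" row of the post, written as 0.0.0.0 with mask 0.0.0.0.
    [pscustomobject]@{ Dest = '0.0.0.0';     Mask = '0.0.0.0';         Gateway = '74.94.253.10'; Hops = 40; Interface = 'ixp1'   }
)

# Dotted-quad IPv4 string -> number (Int64 so bitwise operators behave the same on every PowerShell version).
function ConvertTo-IPv4Number ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network order -> little-endian for BitConverter
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

# Number of 1-bits in a subnet mask, e.g. 255.255.255.0 -> 24.
function Get-PrefixLength ([string]$Mask) {
    $bits = [Convert]::ToString((ConvertTo-IPv4Number $Mask), 2)
    ($bits -replace '0', '').Length
}

# Longest prefix wins; among equal prefixes the lowest hop count wins (assumption).
function Select-Route {
    param([string]$Destination, [object[]]$Table)
    $d = ConvertTo-IPv4Number $Destination
    $Table |
        Where-Object { ($d -band (ConvertTo-IPv4Number $_.Mask)) -eq (ConvertTo-IPv4Number $_.Dest) } |
        Sort-Object @{ Expression = { Get-PrefixLength $_.Mask }; Descending = $true },
                    @{ Expression = 'Hops'; Descending = $false } |
        Select-Object -First 1
}

# Constructed test destinations: an Internet host, a host in 192.168.2.0/24,
# and a host on the main office subnet 172.16.1.0/24.
'8.8.8.8', '192.168.2.25', '172.16.1.10' | ForEach-Object {
    $r = Select-Route -Destination $_ -Table $Routes
    [pscustomobject]@{
        Destination  = $_
        MatchedRoute = "$($r.Dest)/$(Get-PrefixLength $r.Mask)"
        Gateway      = $r.Gateway
        Hops         = $r.Hops
        Interface    = $r.Interface
    }
} | Format-Table -AutoSize
```

Under these assumptions only the 192.168.2.0/24 destination resolves to ipsec0; the Internet host matches nothing but the default route on ixp1, which is the behaviour the tracert in the post describes.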

  • Difference between Scom 2007 and Scom 2012 Gateway server setup.

    Hi All,
    Greetings!!
    I would like to know the differences for gateway server setup in Scom 2007 and 2012 versions..
    Are there any changes in the data collection or in the configuration? and also the prerequisites for it.
    Please let me know these info..
    Regards,
    Gokul

    There is no great difference in setting up a gateway server in SCOM 2007 R2 and SCOM 2012. In summary, it requires:
    1. Request certificates.
    2. Import those certificates into the target computers by using the MOMCertImport.exe tool.
    3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
    4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway
    5. Install the gateway server.
    However, the prerequisites are different between SCOM 2007 R2 and SCOM 2012.
    The SCOM 2007 R2 gateway server supports the following OS:
    Windows Server 2003 Standard Edition with Service Pack 1 (SP1)
    Windows Server 2003 Standard Edition with Service Pack 2 (SP2)
    Windows Server 2003 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 Enterprise Edition with SP1
    Windows Server 2003 Enterprise Edition with SP2
    Windows Server 2003 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Standard Edition with SP1 or SP2
    Windows Server 2003 R2 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2008 Standard 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Standard with SP1 or SP2
    Windows Server 2008 Enterprise 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Enterprise with SP1 or SP2
    Windows Server 2008 Datacenter 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Datacenter with SP1 or SP2
    Windows Server 2008 R2
    Windows Server 2008 R2 with SP1
    SCOM 2007 R2 gateway server
    CPU :2.8 GHz or faster
    Memory: 2 GB of RAM or more
    available Space: 20 GB of available hard disk space
    .NET Framework 2.0
    Microsoft Core XML Services (MSXML) 6.0
    SCOM 2012 Gateway server
    Disk space: %SYSTEMDRIVE% requires at least 1024 MB free hard disk space.
    Server Operating System: must be Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 Core Installation or Windows Server® 2012 R2.
    Processor Architecture: must be x64.
    Windows PowerShell version: Windows PowerShell version 2.0, or Windows PowerShell version 3.0.
    Microsoft Core XML Services (MSXML) version: Microsoft Core XML Services 6.0 is required for the management server.
    .NET Framework 4 is required if the Gateway server manages UNIX/Linux agents or network devices.
    Roger

  • Server 2012 VPN role

    Hi
    I have a VPN over SSTP feature configured on a Server 2012 R2.
    It's running fantastic. The only issue I have is that when I am connected I can access only the gateway device, but no other devices on the network
    How do I enable that please?
    Many thanks

    Hi,
    According to your description, my understanding is that VPN client can’t see internal computers on network discovery when the VPN is connected.
    Have you tried typing “\\<IP address>” to access one of the internal computers? Does this succeed?
    Besides, I suggest you install a WINS server on the internal network, and specify the WINS server on all of the WINS clients, including the VPN client. For DHCP-enabled clients, you may specify the WINS server by DHCP option 44 (WINS/NBNS Servers). For
    clients which are configured with static IPs, you may specify WINS on: TCP/IP properties->Advanced->WINS->Add.
    If the problem still exists, how does your VPN client get its IP address? From DHCP, or RRAS?
    Best Regards,
    Eve Wang

  • Site to site VPN with windows server 2012

    I am trying to connect our server to cisco site-to-site IPSec VPN with one of our partners servers, they asked us to implement the settings they gave us into our router, but actually we don't have access to the router, we are just connected directly with
    our ISP. alternatively, we were informed that we can use software VPN instead, and yes we found a working one, tested and verified, but we have to pay for it to keep running.
    Now my question is, given that we are running Windows Server 2012 R2, how can we establish this VPN connection directly from Windows without the need to use third-party tools?
    The only parameter that we have to connect are:
    Gateway IP: xxx.xxx.xxx.xxx
    Authentication Pre-shared Key: ######
    Encryption: 3DES
    Hash authentication: MD5
    DH: Group1
    No username or password is needed with this type of VPN.
    Any help is appreciated.
    Best regards, Abed

    Hi,
    You may try to configure the Windows Server 2012 (RRAS) as VPN router to connect to the 3rd party VPN server(compatible with Windows Server VPN).
    Some samples just for your reference:
    Checklist: Implementing a Site-to-Site Connection Design
    https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
    TMG Configuring site-to-site VPN access
    http://technet.microsoft.com/en-us/library/bb838949.aspx
    More about how to deploy the RRAS on TMG please post in the TMG forum:
    Forefront support forum
    http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
    Best Regards,
    Eve Wang

  • Quickvpn / client to gateway vpn rv042 can only ping router

    I am setting up remote access using an RV042 router.  Using quickvpn or a client-to gateway vpn and shrewsoft client,  I can only access/ping the LAN side of the remote router and one machine on the remote network.  The PPTP server and native Windows 7 connection provide access to all machines on the remote network.
    I have 2 possible reasons for this and would like to find the real reason:
    1) The remote RV042 is behind another router, and that router restricts access other than the PPTP traffic.
    2)  The VPN tunnels other than PPTP only allow access to the remote LAN side of the router and remote machines that have the remote router defined as their gateway in the IP configuration.
    Any ideas?

    I've narrowed the problem down to option 2 above. If I change the gateway of a LAN resource to point to the LAN side of the router, it can be accessed through the VPN tunnel. 
    I haven't had time to see if adding routing entries can fix this problem.  Any suggestions will be appreciated.
    Also, I would appreciate an explanation of why the PPTP connection works.  I will research this myself (eventually) but am  already backed up with other projects..

  • SCOM 2012 Gateway fails to communicate - Certificate Problem?

    Hello SCOM Gurus
    I wonder if someone out there may be able to help.
    I have two (non-trusted) domains - both hosted in Azure. See graphic below (a picture paints a thousand words!)
    Just to put some context around the diagram - I have two domains, the left-hand side contains the SCOM MS and the right-hand side is a non-trusted domain hosting the SCOM GW. The idea is that I want computers (agents) from the right-hand side domain to be able to talk back to the SCOM MS via the SCOM GW.
    In a nutshell I have followed some great 'how to' guides - for instance:
    http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
    After hours of messing around I still cannot get my Gateway Server to talk successfully back to the SCOM Management Server in the other domain. I have deployed my own Certificate Authority and followed documentation to put the relevant Certs on both servers. I have checked all Certs and they report 'The certificate is OK'.
    Also I can confirm that the MOMCertImport tool was run on both the SCOM MS and SCOM GW server (I did the MS 1st and GW 2nd) - both returned a 'Success' cmd prompt. I have also rebooted both servers - to restart all relevant SCOM Services.
    On the Azure VMs I have allowed TCP 5723 on both servers. Additionally, the SCOM MS can resolve the SCOM GW server in the other domain via a HOSTS file entry (and vice-versa). I have tested connectivity using telnet <FQDN> 5723 (both ends seem to connect). No internal Windows Firewalls are enabled on any servers.
    The cluster of errors reported by the SCOM Gateway server are (first to last):
    20057: Failed to initialize security context for target MSOMHSvc/SCOM-01.DOMAIN.local The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    21001: The OpsMgr Connector could not connect to MSOMHSvc/SCOM-01.DOMAIN.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains
    20071: The OpsMgr Connector connected to SCOM-01.DOMAIN.local, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    The same events repeat every 15 mins in the Operations Manager event log - and thus the SCOM Gateway remains 'Not Monitored'.
    I don't get any relevant Events logged from the SCOM MS side - I guess cos it's not even got that far / authenticated?
    I'm sure this is a Certificate type of problem but I'm really not sure where I go from here - any suggestions?
    Many thanks
    Darren

    Hi,
    Check this post:
    Solving the Gateway 20071 event
    http://michelkamp.wordpress.com/2012/01/05/solving-the-gateway-20071-event/
    and this: Event ID 21001 and 20057 on SCOM agents - duplicate SPN:
    http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
    A similar answer has been provided by DKTOA here:
    https://social.technet.microsoft.com/forums/systemcenter/en-US/05019b70-73a3-4a37-993b-66b607f3c222/scom-2012-gateway-server-isses-20057-21001-20071-ids
    Did it solve your problem?
    Regards
    Jure
    Jure Labrovic | Blog
