Working With RRAS for NAT and VPN

I’ve recently done some work with RRAS for the first time, and had a lot of trouble getting things together.

Issue 1 – NAT\VPN is Unreliable

I installed a VPN with RRAS, and couldn’t for the life of me figure out why it would randomly disconnect all the time. It turns out that my problem was that I had 2 default gateways specified. When using RRAS as a NAT Gateway + VPN, the Internal\Private interface should _not_ have a default gateway. This cleared things up like magic.

Issue 2 – RRAS on VMWare Is Not Working

This took a while to figure out. It turns out that RRAS is currently incompatible with VMXNet3 ethernet adapters. Switching to E1000’s (eww…I know) was like throwing the magic switch (like Issue 1!). Please post on the VMWare forum here asking them to get things fixed. If you figure out how to work around the issue, please leave a comment below.

Issue 3 – What Protocol Should I Use?

There are 4 available protocols and a quick summary based on my limited knowledge and research.

  • PPTP – Insecure (cryptographically broken). Do not use.
  • L2TP\IPSec – Requires client certificate. XP+.
  • SSTP – Great when inside restricted firewalls; works over 443 only. Requires a web server cert on the server. Compatible with Vista+.
  • IKEv2 – Enabled ‘VPN Reconnect’, which means that you can switch from LAN to WiFi and back without dropping the VPN, etc. Win7+.

Issue 4 – Can the Windows VPN Client Auto-Map Drives?

You can use the Connection Manager Administration Kit (CMAK) to create bundled ‘profiles’ that will do things like:

  • Configure a default primary and fall-back protocol. For example: “try IKEv2 then SSTP”.
  • Configure whether the client should use the default gateway on the WAN interface for all traffic.
  • Run a script on successful connect or disconnect.

The last one there is the key — you can run a vbscript to map necessary drives and printers on a connection, based off of any LDAP info like the connecting user’s group membership. CMAK is available as a ‘feature’ to be installed from Server Manager on Windows 2008+. Bug me and I’ll throw up a blog post about using it!


1 thought on “Working With RRAS for NAT and VPN

  1. Hey, misery loves company. I am also, for the first time, working on setting up RRAS on a 2008r2 guest running on an ESXi box. It’s been… maddening! I can get some clients to connect but not others. There is no rhyme or reason to it. Once I can figure out the anomaly, I will be configuring all my Win7 clients to use SSTP and XP clients to use PPTP. If you’d like to commiserate on this project, let me know. I would be happy to share my findings so far, and 2 people testing is definitely better than one!

    FWIW, I am trying to get RRAS working without having to set up AD or DNS. I have gotten along so far without either, and I am managing a 200+ client infrastructure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s