I’ve recently done some work with RRAS for the first time, and had a lot of trouble getting things together.
Issue 1 – NAT\VPN is Unreliable
I installed a VPN with RRAS, and couldn’t for the life of me figure out why it would randomly disconnect all the time. It turns out that my problem was that I had 2 default gateways specified. When using RRAS as a NAT Gateway + VPN, the Internal\Private interface should _not_ have a default gateway. This cleared things up like magic.
Issue 2 – RRAS on VMware Is Not Working
This took a while to figure out. It turns out that RRAS is currently incompatible with VMXNET3 Ethernet adapters. Switching to E1000s (eww…I know) was like throwing the magic switch (like Issue 1!). Please post on the VMware forum here asking them to get things fixed. If you figure out how to work around the issue, please leave a comment below.
Issue 3 – What Protocol Should I Use?
There are 4 available protocols; here is a quick summary of each, based on my limited knowledge and research.
- PPTP – Insecure (cryptographically broken). Do not use.
- L2TP\IPSec – Requires client certificate. XP+.
- SSTP – Great when inside restricted firewalls; works over 443 only. Requires a web server cert on the server. Compatible with Vista+.
- IKEv2 – Enables ‘VPN Reconnect’, which means that you can switch from LAN to WiFi and back without dropping the VPN, etc. Win7+.
Issue 4 – Can the Windows VPN Client Auto-Map Drives?
You can use the Connection Manager Administration Kit (CMAK) to create bundled ‘profiles’ that will do things like:
- Configure a default primary and fall-back protocol. For example: “try IKEv2 then SSTP”.
- Configure whether the client should use the default gateway on the WAN interface for all traffic.
- Run a script on successful connect or disconnect.
The last one there is the key: you can run a VBScript to map the necessary drives and printers on connection, based on any LDAP info such as the connecting user’s group membership. CMAK is available as a ‘feature’ to be installed from Server Manager on Windows 2008+. Bug me and I’ll throw up a blog post about using it!
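Here is an added example of what such a CMAK post-connect script can look like (my own illustration, not something shipped with CMAK or RRAS). It assumes the client is logged on with a domain account so the user object can be read over LDAP; the server, share and group names are placeholders.

```vbscript
' Added example: CMAK "run on connect" script that maps drives by AD group membership.
' Assumes a domain logon on the client; fileserver/share/group names are placeholders.
Option Explicit
On Error Resume Next

Dim objSysInfo, objUser, objNetwork, groups, strGroup, groupCN

Set objSysInfo = CreateObject("ADSystemInfo")   ' exposes the logged-on user's DN
Set objNetwork = CreateObject("WScript.Network")

' Bind to the user object over LDAP; this fails if there is no domain logon
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
If Err.Number <> 0 Then
    WScript.Echo "LDAP bind failed: " & Err.Description
    WScript.Quit 1
End If
Err.Clear

' Home drive for everyone. Persistent=False so the mapping does not survive the VPN session.
MapDrive "H:", "\\fileserver.example.local\home$\" & objNetwork.UserName

' Group-specific shares. memberOf holds group DNs, so pull the CN out of each one.
groups = objUser.GetEx("memberOf")
If IsArray(groups) Then
    For Each strGroup In groups
        groupCN = Split(Split(strGroup, ",")(0), "=")(1)
        Select Case LCase(groupCN)
            Case "vpn-finance":     MapDrive "F:", "\\fileserver.example.local\finance$"
            Case "vpn-engineering": MapDrive "E:", "\\fileserver.example.local\eng$"
        End Select
    Next
End If

' Map one drive, replacing any stale mapping left from a previous session.
' No credentials are passed: the mapping uses the connecting user's own logon.
Sub MapDrive(letter, unc)
    On Error Resume Next
    objNetwork.RemoveNetworkDrive letter, True, True   ' ignore "not mapped" errors
    Err.Clear
    objNetwork.MapNetworkDrive letter, unc, False
    If Err.Number <> 0 Then WScript.Echo "Could not map " & letter & " to " & unc & ": " & Err.Description
    Err.Clear
End Sub
```

Run it from the CMAK connect action as `cscript.exe //nologo mapdrives.vbs`, and use a matching disconnect action that calls RemoveNetworkDrive for the same letters so nothing dangles after the tunnel drops.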