Blog: VPN

A problem I have had since upgrading to Vista was being unable to access domain resources once I connected a VPN session to a customer site. Accessing file shares on our network or connecting to Activity would require me to run "cmdkey.exe /delete /ras" to clear the RAS credentials cached when the VPN was established. I never had this issue with my Windows XP installation. So, after getting fed up with always having to run the command, I finally found a solution, which is to disable the use of RAS credentials on my VPN connections. To do so, follow these steps:

  1. Locate the .pbk file (phonebook) that contains the entry that you dial. To do so, click Start, type *.pbk in the Search box, and then press Enter.
    • Vista location (C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbk)
    • XP location (C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk)
  2. Open the file in Notepad.
  3. Locate the following line in the section for your VPN entry (each entry in the phonebook has its own): UseRasCredentials=1
  4. Modify the entry to the following: UseRasCredentials=0
  5. On the File menu, click Save, and then click Exit.

With UseRasCredentials=0, Windows no longer stores the VPN logon credentials as the default network credential for your logon session, so access to local domain resources keeps using your normal domain logon instead of the customer's VPN account.
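The same change scripted in PowerShell, as an added example that is not part of the original post. It builds the phonebook paths from environment variables so it covers the Vista and XP layouts listed above, skips folders that do not exist, backs up each phonebook, and flips every UseRasCredentials=1 it finds. Writing to the all-users phonebook needs an elevated prompt.

```powershell
# Added example, not part of the original post: set UseRasCredentials=0 in every
# phonebook entry found in the per-user and all-users Pbk folders.
$pbkDirs = @(
    "$env:APPDATA\Microsoft\Network\Connections\Pbk",                           # Vista, per user
    "$env:ALLUSERSPROFILE\Microsoft\Network\Connections\Pbk",                   # Vista, all users
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Network\Connections\Pbk"   # XP, all users
)

foreach ($dir in $pbkDirs) {
    if (-not (Test-Path -Path $dir)) { continue }   # layout not present on this OS

    Get-ChildItem -Path $dir -Filter *.pbk |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $path    = $_.FullName
            $changed = 0

            # Keep a copy of the phonebook before touching it
            Copy-Item -Path $path -Destination "$path.bak" -Force

            # Each VPN entry is its own [section] with its own UseRasCredentials line,
            # so the loop may change more than one entry per file
            $newLines = foreach ($line in Get-Content -Path $path) {
                if ($line -match '^\s*UseRasCredentials\s*=\s*1\s*$') {
                    $changed++
                    'UseRasCredentials=0'
                } else {
                    $line
                }
            }

            if ($changed -gt 0) {
                # rasphone.pbk is plain ANSI text; write it back with the system default encoding
                Set-Content -Path $path -Value $newLines -Encoding Default
                Write-Output "$path : changed $changed entries"
            } else {
                Write-Output "$path : nothing to change"
            }
        }
}
```

Run it, then re-dial the VPN; if cmdkey /list no longer shows a RAS credential after connecting, the change took effect. Delete the .bak copies once you are happy with the result.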


Connecting via VPN to a customer site has always caused problems for me when trying to access the local network. My computer would try to use my VPN credentials to access the network, and naturally fail. A co-worker showed me the "cmdkey /delete /ras" command that would clear out those credentials so browsing the local network would work.

So I, running Vista, fired up a command prompt with administrator privileges because I figured the cmdkey command required them. After running the command, I tried browsing the network and failed. Running cmdkey /list showed no credentials other than my Exchange credentials. I started a command prompt with regular privileges and ran cmdkey /list. Sure enough, there were my dial-up credentials. Running cmdkey /delete /ras cleared them out and everything worked.



Those of us who use Vista have learned to use VPNs sparingly due to the new TCP/IP stack. In Vista, shortly after establishing a VPN using the Windows client (not the Cisco VPN client), you lose authentication to your local domain resources, particularly file shares (including DFS). The only consistent workaround I've been able to find for this problem is to delete my VPN credentials right after I bring up the VPN (before my local authentication goes away). Just open a command prompt once your VPN is established and type:

cmdkey /delete /ras

This will remove your VPN authentication and preserve access to local shared resources.  If you need to browse to something over the VPN, you will be prompted for credentials on the remote system.
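The two cmdkey posts above share one trap: on Vista an elevated prompt has its own credential store, so "cmdkey /delete /ras" run as administrator removes nothing that matters. The script below is an added example, not part of the original posts. It refuses to run elevated, clears the RAS credential from the current logon session, reports which stored credential disappeared, and optionally tests a local share afterwards. \\fileserver\share is a placeholder name.

```powershell
# Added example, not part of the original posts: clear the cached RAS (VPN)
# credential from the current, non-elevated logon session and show what changed.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole($adminRole)) {
    # The elevated token has a separate credential store; the RAS credential is not in it
    Write-Warning 'Elevated prompt detected: re-run this from a normal (non-elevated) PowerShell window.'
    exit 1
}

# "Target:" lines in cmdkey /list identify each stored credential
$before = @(cmdkey /list | Where-Object { $_ -match 'Target:' })

cmdkey /delete /ras        # prints its own success or failure message

$after   = @(cmdkey /list | Where-Object { $_ -match 'Target:' })
$removed = @($before | Where-Object { $after -notcontains $_ } | ForEach-Object { $_.Trim() })

if ($removed.Count -gt 0) {
    Write-Output 'Removed from this session:'
    $removed | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No RAS credential was stored in this session (nothing removed).'
}

# Optional check that a local domain resource is reachable again.
# The share name is a placeholder; replace it with a real share on your network.
$share = '\\fileserver\share'
Write-Output ("Access to {0}: {1}" -f $share, (Test-Path -Path $share))
```

Because the script exits when it detects an elevated token, it cannot be used from a "Run as administrator" shortcut; that is deliberate, since the cached RAS credential only exists in the unelevated session.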



Occasionally, when I am in a hotel, the IP address (or subsequent routing) conflicts with our own internal IP addresses or routing. For example, I was in a hotel in Dallas recently and I got a 10.1.0.x address from their DHCP server. Since the hotel was using the same IP addressing scheme as our office network, I was unable to VPN into our office.

This is when a portable router comes in handy. I personally carry a Linksys WTR54GS with me:

This is a wireless router but can be used as a wired router.  If I plug the router into the hotel's network then plug into the other side of the router, I get a 192.168.x.x address from the router and then I can VPN through the router to our internal network.

The router I use is also handy since it's a wireless router with one Internet and one Ethernet RJ45 connection. If the hotel is wireless only, I can configure the router to connect to the hotel's wireless and then plug into the internal port to get behind the router.



We use the ip tcp adjust-mss command on Cisco routers to set the maximum segment size for TCP connections going over VPN connections.

To find the optimum maximum segment size, be sure to set the do-not-fragment flag when pinging across the link. A regular ping shows the largest packet that will make it across the link after routers along the way have fragmented it; with the DF flag set, the ping tells you the largest packet that can traverse the link without being broken into multiple parts. With the Windows ping utility, add "-f" for do-not-fragment and "-l" to set the payload size in bytes. Note that the "-l" value is only the ICMP payload: the packet on the wire is that plus 28 bytes (a 20-byte IP header and an 8-byte ICMP header), so the largest payload that passes with DF set, plus 28, is the tunnel's path MTU.

Also, be sure to perform the same test over the regular, non-tunneled connection to the destination router, so you know the MTU of the underlying path as well. Make sure your adjust-mss value is lower than the largest non-fragmented packet that crossed the tunnel: the MSS is the TCP payload only, so subtract the 40 bytes of IP and TCP headers from the tunnel's path MTU and use at most that value.
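The DF ping sweep automated in PowerShell, as an added example that is not part of the original post. It binary-searches the largest ICMP payload that crosses the link with DF set (the equivalent of ping -f -l), derives the path MTU and an MSS, and prints a suggested interface-level "ip tcp adjust-mss" line. The target address and the Tunnel0 interface name are placeholders.

```powershell
# Added example, not part of the original post: find the path MTU with DF pings and
# derive a TCP MSS for "ip tcp adjust-mss". $Target is a placeholder; point it at the
# far side of the tunnel (and run it again against the untunneled path).
param(
    [string]$Target  = '10.0.0.1',   # placeholder: remote router or host behind the tunnel
    [int]   $Timeout = 2000          # milliseconds per probe
)

$ping = New-Object System.Net.NetworkInformation.Ping
$opts = New-Object System.Net.NetworkInformation.PingOptions
$opts.DontFragment = $true           # same as "ping -f"

function Test-Payload([int]$Size) {
    $buffer = New-Object byte[] $Size
    $reply  = $ping.Send($Target, $Timeout, $buffer, $opts)
    # PacketTooBig (ICMP "fragmentation needed") and TimedOut (DF blackhole) both count as failure
    return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
}

# Payload search range: 32 bytes is the Windows ping default, 1472 fills a 1500-byte Ethernet frame
$low  = 32
$high = 1472
if (-not (Test-Payload $low)) { throw "No DF reply from $Target even with a $low-byte payload" }

while ($low -lt $high) {
    $mid = [int][math]::Ceiling(($low + $high) / 2)
    if (Test-Payload $mid) { $low = $mid } else { $high = $mid - 1 }
}

$pathMtu = $low + 28       # 20-byte IP header + 8-byte ICMP header
$mss     = $pathMtu - 40   # 20-byte IP header + 20-byte TCP header, no options

Write-Output "Largest DF payload to $Target : $low bytes"
Write-Output "Path MTU                      : $pathMtu bytes"
Write-Output "Suggested IOS configuration   :"
Write-Output "  interface Tunnel0"
Write-Output "  ip tcp adjust-mss $mss"
```

The search assumes the link behaves consistently across probes; if a firewall drops ICMP "fragmentation needed" messages, the timeouts slow the search down but the result is still correct, because a timed-out DF probe is treated as "did not fit".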



Recently, as one of our Security and Compliance Consultants prepared to leave the office for an information security audit engagement, he discovered that his VPN connection had disappeared from Network Connections and that in the Set Up a Connection wizard the VPN option was grayed out. He received the following error:

"Cannot load the Remote Access Connection Manager Service.  Error 711: A Configuration error on this computer is preventing the connection. For further assistance, click More Info or search Help and Support Center for this error number."

He did not have time to follow up before he left the office, but did some research later and found that the Remote Access Connection Manager service requires the Telephony service to be running: http://support.microsoft.com/kb/330163

He had earlier disabled the Telephony service (in the spirit of doing away with unneeded services) because he never used the laptop's modem or any telephony features. Once he re-enabled the Telephony service, his original VPN connection reappeared and the Create New Connection wizard worked again.
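A quick way to diagnose this class of problem, as an added example that is not from the post or the KB article: list the services that Remote Access Connection Manager (RasMan) depends on, flag any that have been disabled, and re-enable them. Run it from an elevated prompt, since changing a service's startup type requires it.

```powershell
# Added example, not from the original post: check RasMan's service dependencies
# (Telephony/TapiSrv among them) and re-enable any that were set to Disabled.
$rasman = Get-Service -Name RasMan
Write-Output "RasMan (Remote Access Connection Manager) status: $($rasman.Status)"

foreach ($dep in $rasman.ServicesDependedOn) {
    # StartMode (Auto/Manual/Disabled) is only exposed through WMI, not Get-Service
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($dep.Name)'"
    Write-Output ("  requires {0,-12} status={1,-8} startmode={2}" -f $dep.Name, $dep.Status, $wmi.StartMode)

    if ($wmi.StartMode -eq 'Disabled') {
        # A disabled dependency is what produces error 711 when RasMan tries to start
        Set-Service -Name $dep.Name -StartupType Manual
        Start-Service -Name $dep.Name
        Write-Output "  -> $($dep.Name) was Disabled; set to Manual and started"
    }
}

# With the dependencies running, RasMan itself should now start
Start-Service -Name RasMan -ErrorAction Stop
Write-Output "RasMan status now: $((Get-Service -Name RasMan).Status)"
```

Manual rather than Automatic is used for the re-enabled dependency so it still only runs when something needs it, which keeps the spirit of the original hardening while letting the VPN work.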