Solved

Hosting a VPN Server

Posted on 2003-03-01
36
Medium Priority
831 Views
Last Modified: 2008-02-26
I have a Win2000 Server that I would like to use to host a VPN.  I know how to set up the VPN on the server, and I already have a static IP.  Now, what kind of router will I need to install that will manage the VPN?  I assume it must be more complex than just using port forwarding on an inexpensive DSL router...or is it?  Thanks.
0
Comment
Question by:timabe
36 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8048818
G'day, timabe
Actually, it is almost that simple. If you have a Linksys Cable/DSL router, for example, forward TCP port 1723 to the internal address of the server.

Cheers!
0
 

Author Comment

by:timabe
ID: 8048907
Ok, I forwarded port 1723 to my VPN server address, set up a VPN connection on one of my clients, and tried to connect.  It hung on "verifying username and password".  I have enabled Dial-in rights for this user.  Is this error because I am inside the same network?  In other words, do I have to be outside to fully test the VPN?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8048965
Here are some instructions for a Win2k server. You should be able to get it to work inside first.
What kind of router? If it is a Linksys, you have to turn off the DHCP server.

1) Reinstall it, and choose " Virtual Private network ( VPN ) server " from the choices

click next

2) Remote Client Protocol - tcp/ip

click next

3) Internet Connection - CHOOSE--->                 "<NO internet connection>"                    <---HERE

binding to the internal network card / ip address here is what killed the lan clients connections, the server would ONLY accept vpn connections on that card / ip

click next

4) Network Selection - here you select the ip of the server

click next

5) IP Address Assignment - If using dhcp server, choose "automatically" and skip ahead to #  8

click next

6) choose " from a specified range of addresses" if no dhcp server available

click next

7) click " new " and fill in the range of IPs to use for VPN clients, click OK, highlight the new range created

click next

8) Managing Multiple Remote Access Servers - choose " no, I don't want to set up this server to use RADIUS now "

click next

finished

if you are using DHCP, you MUST enter the IP address of the server into the DHCP Relay Agent, even if it's the same server as RAS

Routing And Remote Access
--Server
----IP Routing
------DHCP Relay Agent

right click "DHCP Relay Agent", choose Properties, enter the DHCP server address

0

 

Expert Comment

by:cyrobinson
ID: 8049123
If you are trying to use IPSEC as your VPN protocol you cannot use Network Address Translation (NAT).  You can, however, use PPTP as your VPN protocol.
0
 

Author Comment

by:timabe
ID: 8049248
I've done all the steps that lrmoore sent (got me on step 3...I had bound the internal card) but I'm still getting hung on verifying.  Cyrobinson, how do I change the VPN protocol to PPTP (my router does use NAT)?
0
 

Expert Comment

by:AltonD
ID: 8049316
I had to add the VPN server to the "RAS and IAS" security group.  I have also read that Linksys says to disable the router DHCP server on their routers.

Mine works but I set it up through ISA/win2k server.
0
 

Author Comment

by:timabe
ID: 8049317
I'm sure we're getting close....It seems like the problem is router-based (although that's just a guess).
0
 

 

Expert Comment

by:AltonD
ID: 8049330
The above is true about the "RAS and Isa" group if the Domain controller is behind the VPN.  Try logging in to the VPN using a local account of the vpn server (log into the machine, not the domain).  This is how I found my troubles.  Buried way down deep in a MS KB file it said to add to the group.
0
 

 
LVL 79

Expert Comment

by:lrmoore
ID: 8049383
If you still can't do it from a client on the inside, it's not the router.
Double check the IP address configuration on the server. Paste the results of C:\>ipconfig /all
here
0
 

 

Expert Comment

by:AltonD
ID: 8049396
Why are my posts being duplicated?????????  I am not doing this!  Unless it is because I am hitting the refresh button to check for new messages.  Sorry.

0
 
LVL 4

Expert Comment

by:Shep
ID: 8049405
To clarify something: where are you getting the "verifying username and password" hang-up, from inside or outside the local LAN?

Shep
0
 

Author Comment

by:timabe
ID: 8049433
I checked the domain Controllers memberships.  It already is a member of "Domain Controllers" and "RAS and IAS Servers".  Is there anywhere else I need to check group membership?  By the way, DHCP is disabled on the router.
0
 

Author Comment

by:timabe
ID: 8049442
AltonD:  Outside the lan (error 650).  Inside I'm getting error 721.

No problem on the dups, I made the same mistake!
0
 

Expert Comment

by:AltonD
ID: 8049454
did you try to use a local account on the vpn?
0
 

Author Comment

by:timabe
ID: 8049466
Yes.  It worked.
0
 

Expert Comment

by:AltonD
ID: 8049486
Is this a first?

I can't find it but I know I read an article that said to uncheck "Microsoft Networks" and "File Sharing" on the outside network card.  Also, under the Advanced tab, for DNS, "do not register with a DNS server" and under WINS, disable NetBIOS name resolution.

I was getting this far, could connect to machine, but not get to other network resources.  The VPN server was not a "RAS and ISA" group member.  Is the domain account allowed dial-in access?

0
 

Author Comment

by:timabe
ID: 8049488
Here is the ipconfig:

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : server
        Primary DNS Suffix  . . . . . . . : Home
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Home

Ethernet adapter Home:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ PCI Adapter #2
        Physical Address. . . . . . . . . : 00-90-27-2E-94-4F
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 127.0.0.1

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 169.254.103.38
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 127.0.0.1
0
 

Expert Comment

by:AltonD
ID: 8049493
The card settings are for the TCP/ip properties.
0
 

Expert Comment

by:AltonD
ID: 8049502
The outside adapter should have the gateway.  The inside adapter should be blank.  When you disable the NetBIOS name resolution, it will add this to the listing.
0
 

Expert Comment

by:AltonD
ID: 8049520
connecting in on the local account, you should be able to map the local shares  \\vpnservername\sharename

0
 

Expert Comment

by:AltonD
ID: 8049534
If you are connected with the local account and try to map a domainserver share, you will get "not logged in" error
0
 

Expert Comment

by:cyrobinson
ID: 8049563
have a look at http://www.microsoft.com/windows2000/docs/VPNoverview.doc

this document states

"     PPTP clients and server can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NAT because Internet Key Exchange (IKE) (the protocol used to negotiate SAs) and IPSec-protected traffic are not NAT-translatable. "

See http://support.microsoft.com/default.aspx?scid=kb;en-us;308208 (Technet article number 308208).  This has a section titled "How to Configure PPTP Ports" this should be of interest to you.

Once you have configured this you will need to set the clients to connect using PPTP.  I would recommend disabling any IPsec ports on your VPN server since a client that is configured to automatically detect VPN protocols will always try to use IPSEC first.
0
 

Expert Comment

by:AltonD
ID: 8049566
One more last question.  Are you adding the VPN server to the "RAS and IAS" group, or are you adding the user's account?  You need to add the computer.  You might have said this but I am just making sure.
0
 
LVL 9

Expert Comment

by:drev001
ID: 8051429
If you can successfully authenticate from inside the LAN, it's a router problem. A very common one. As lrmoore pointed out, it's ALMOST as simple as setting up a port forward. You need to forward TCP 1723, but you also need GRE forwarded. This bit isn't so simple, as it's not a port, it's a whole protocol (IP protocol 47). See if your router is capable of doing this; if it doesn't, you could use the DMZ option so that ALL incoming traffic to the router's WAN address gets forwarded to the VPN server. If you do this, make sure you use input filters in RRAS to filter out all other unwanted traffic.
0
 

Author Comment

by:timabe
ID: 8051693
Ya know, I kind of thought all along it was a router problem.  While many of the suggestions were helpful (caught me in a couple of config errors), I don't think my Linksys router (WRT54G) will forward GRE.  If I understand correctly, I'm left with either a risky setup of using DMZ and traffic filters OR installing a router that will handle forwarding both 1723 and GRE.  This setup will be for a small office with little tech support, so I think a new router will be the safest solution.  Any suggestions?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8051806
If you use a Linksys VPN router, or a Cisco, the router itself can terminate IPSEC VPNs so you don't have to risk putting a server in the DMZ.
0
 
LVL 9

Expert Comment

by:drev001
ID: 8051851
I agree with lrmoore, get a router that incorporates a vpn server. The only downside is the additional authentication, although you could look at radius.
0
 
LVL 4

Expert Comment

by:gozoliet
ID: 8081775
My Linksys router works (thanks to lrmoore). Though the router I'm using is the VPN Endpoint, I'm not using the VPN features of it. It might have a difference from the regular router. But here are the important router settings:

Filters:
Block Wan Request - Disable
IPSec Pass Through - Disable
PPTP Pass Through - Enable

Forwarding:
Port 47 and port 1723 have been forwarded to the IP of my VPN server (192.168.0.16)

Try that?


0
 
LVL 4

Expert Comment

by:gozoliet
ID: 8081778
Oh and with that, the DMZ is disabled, and the server is NOT plugged into the DMZ port.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 8082322
The pass through is only from the inside out, not from the outside in.
Port 47 is irrelevant, it is Protocol 47 (GRE), which your router cannot forward.
TCP port 1723 forwarded to the VPN server, DHCP service turned OFF on the Linksys (don't ask why, it's just in the fine print of the manual that if you want to do port forwarding, you have to turn off the dhcp server)
0
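As an added example (not code from this thread or from any vendor), a small Python checker that encodes the rule the thread converges on: a PPTP tunnel needs both TCP 1723 and IP protocol 47 (GRE) forwarded, a "port 47" TCP/UDP forward does nothing, and a DMZ host needs RRAS input filters. The config dict layout and the sample router configs are assumptions constructed for illustration.

```python
# Added example, not from the thread. Models the PPTP-through-NAT checks discussed
# above. The config dict layout and sample configs are constructed for illustration.
PPTP_CONTROL_PORT = 1723   # TCP control channel
GRE_PROTOCOL = 47          # IP protocol number for the tunnelled data, NOT a port


def check_pptp_forwarding(cfg):
    """Return (works, findings) for a router config.

    cfg (assumed shape):
      forwards:    list of {"proto": "tcp"|"udp"|"gre", "port": int|None, "to": str}
      dmz_host:    inside address that receives all unmatched inbound traffic, or None
      dhcp_server: whether the router's own DHCP server is enabled
    """
    forwards = cfg.get("forwards", [])
    dmz = cfg.get("dmz_host")
    findings = []

    has_1723 = any(f["proto"] == "tcp" and f.get("port") == PPTP_CONTROL_PORT
                   for f in forwards)
    has_gre = any(f["proto"] == "gre" for f in forwards)

    # The classic mistake: treating protocol 47 as if it were TCP/UDP port 47.
    if any(f["proto"] in ("tcp", "udp") and f.get("port") == GRE_PROTOCOL
           for f in forwards):
        findings.append("'port 47' forward does nothing: GRE is IP protocol 47, not a port")
    if not dmz and not has_1723:
        findings.append("TCP 1723 is not forwarded to the VPN server")
    if not dmz and not has_gre:
        findings.append("GRE (protocol 47) is not forwarded; the router may not support it")
    if dmz:
        # Everything reaches the server, so the server itself must filter (RRAS input filters).
        findings.append("DMZ host exposes the server to all inbound traffic; add RRAS input filters")
    if cfg.get("dhcp_server"):
        findings.append("router DHCP server is on; Linksys docs say to disable it for port forwarding")

    works = bool(dmz) or (has_1723 and has_gre)
    return works, findings


# Constructed sample configs mirroring the situations in the thread.
CFG_PORT_ONLY = {"forwards": [{"proto": "tcp", "port": 1723, "to": "192.168.2.5"}],
                 "dmz_host": None, "dhcp_server": True}
CFG_PORT_47 = {"forwards": [{"proto": "tcp", "port": 1723, "to": "192.168.0.16"},
                            {"proto": "tcp", "port": 47, "to": "192.168.0.16"}],
               "dmz_host": None, "dhcp_server": False}
CFG_GRE = {"forwards": [{"proto": "tcp", "port": 1723, "to": "192.168.2.5"},
                        {"proto": "gre", "port": None, "to": "192.168.2.5"}],
           "dmz_host": None, "dhcp_server": False}
CFG_DMZ = {"forwards": [], "dmz_host": "192.168.2.5", "dhcp_server": False}
```

Calling `check_pptp_forwarding(CFG_PORT_47)` reports the "port 47" mistake and the missing GRE forward, while `CFG_GRE` passes with no findings.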
 

Author Comment

by:timabe
ID: 8083740
Thanks to all for your input and ideas.  Ultimately, the answer was that my router does not support GRE forwarding.  I have ordered a Linksys VPN endpoint that will solve the problem.  Points go to lrmoore for being the first person to point this out.  Thanks again for everyone's help and effort.  I suspect this is a very common problem for those trying to set up VPNs.  Hopefully, this exchange of info will make it easier for others.
0
