timabe
Hosting a VPN Server

I have a Win2000 Server that I would like to use to host a VPN.  I know how to set up the VPN on the server, and I already have a static IP.  Now, what kind of router will I need to install that will manage the VPN?  I assume it must be more complex than just using port forwarding on an inexpensive DSL router...or is it?  Thanks.
Les Moore

G'day, timabe
Actually, it is almost that simple. If you have a Linksys Cable/Dsl router for example, forward TCP port 1723 to the internal address of the server.

Cheers!
timabe (ASKER)

Ok, I forwarded port 1723 to my VPN server address, set up a VPN connection on one of my clients, and tried to connect.  It hung on "verifying username and password".  I have enabled dial-in rights for this user.  Is this error because I am inside the same network?  In other words, do I have to be outside to fully test the VPN?
Here are some instructions for a Win2k server. You should be able to get it to work inside first.
What kind of router? If it is a Linksys, you have to turn off the DHCP server.

1) Reinstall it, and choose "Virtual Private Network (VPN) server" from the choices

click next

2) Remote Client Protocol - tcp/ip

click next

3) Internet Connection - CHOOSE ---> "<No internet connection>" <--- HERE

Binding to the internal network card / IP address here is what killed the LAN clients' connections; the server would ONLY accept VPN connections on that card / IP.

click next

4) Network Selection - here you select the IP of the server

click next

5) IP Address Assignment - if using a DHCP server, choose "Automatically" and skip ahead to #8

click next

6) Choose "From a specified range of addresses" if no DHCP server is available

click next

7) Click "New" and fill in the range of IPs to use for VPN clients, click OK, highlight the new range created

click next

8) Managing Multiple Remote Access Servers - choose "No, I don't want to set up this server to use RADIUS now"

click next

finished

If you are using DHCP, you MUST enter the IP address of the server into the DHCP Relay Agent, even if it's the same server as RAS.

Routing And Remote Access
--Server
----IP Routing
------DHCP Relay Agent

Right-click "DHCP Relay Agent", choose Properties, enter the DHCP server address.

If you are trying to use IPSEC as your VPN protocol you cannot use Network Address Translation (NAT).  You can however use PPTP as your VPN protocol
timabe (ASKER)
I've done all the steps that lrmoore sent (got me on step 3...I had bound the internal card) but I'm still getting hung on verifying.  Cyrobinson, how do I change the VPN protocol to PPTP (my router does use NAT)?
I had to add the VPN server to the "RAS and IAS" security group.  I have also read that Linksys says to disable the router DHCP server on their routers.

Mine works but I set it up through ISA/win2k server.
timabe (ASKER)
I'm sure we're getting close....It seems like the problem is router-based (although that's just a guess).
The above is true about the "RAS and Isa" group if the Domain controller is behind the VPN.  Try logging in to the VPN using a local account of the vpn server (log into the machine, not the domain).  This is how I found my troubles.  Buried way down deep in a MS KB file it said to add to the group.
If you still can't do it from a client on the inside, it's not the router.
Double check the IP address configuration on the server. Paste the results of C:\>ipconfig /all here.
Why are my posts being duplicated?????????  I am not doing this!  Unless it is because I am hitting the refresh button to check for new messages.  Sorry.

Clarify something: where are you getting the "verifying username and password" hang-up, from inside or outside the local LAN?

Shep
timabe (ASKER)
I checked the domain Controllers memberships.  It already is a member of "Domain Controllers" and "RAS and IAS Servers".  Is there anywhere else I need to check group membership?  By the way, DHCP is disabled on the router.
timabe (ASKER)
AltonD:  Outside the LAN (error 650).  Inside I'm getting error 721.

No problem on the dups, I made the same mistake!
did you try to use a local account on the vpn?
timabe (ASKER)
Yes.  It worked.
Is this a first?

I can't find it, but I know I read an article that said to uncheck "Microsoft networks" and "File sharing" on the outside network card.  Also, under the Advanced tab, for DNS, "Do not register with a DNS server" and under WINS, disable NetBIOS name resolution.

I was getting this far, could connect to machine, but not get to other network resources.  The VPN server was not a "RAS and ISA" group member.  Is the domain account allowed dial-in access?

timabe (ASKER)
Here is the ipconfig:

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : server
        Primary DNS Suffix  . . . . . . . : Home
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Home

Ethernet adapter Home:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ PCI Adapter #2
        Physical Address. . . . . . . . . : 00-90-27-2E-94-4F
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 127.0.0.1

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 169.254.103.38
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 127.0.0.1
The card settings are for the TCP/IP properties.
The outside adapter should have the gateway.  The inside adapter should be blank.  When you disable NetBIOS name resolution, it will add this to the listing.
connecting in on the local account, you should be able to map the local shares  \\vpnservername\sharename

If you are connected with the local account and try to map a domainserver share, you will get "not logged in" error
have a look at http://www.microsoft.com/windows2000/docs/VPNoverview.doc

this document states

"PPTP clients and server can be placed behind a network address translator (NAT) if the NAT has the appropriate editors for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NAT because Internet Key Exchange (IKE) (the protocol used to negotiate SAs) and IPSec-protected traffic are not NAT-translatable."

See http://support.microsoft.com/default.aspx?scid=kb;en-us;308208 (Technet article number 308208).  This has a section titled "How to Configure PPTP Ports" this should be of interest to you.

Once you have configured this you will need to set the clients to connect using PPTP.  I would recommend disabling any IPsec ports on your VPN server since a client that is configured to automatically detect VPN protocols will always try to use IPSEC first.
One more last question.  Are you adding the VPN server to the "RAS and IAS" group, or are you adding the user's account?  You need to add the computer.  You might have said this but I am just making sure.
If you can successfully authenticate from inside the LAN, it's a router problem. A very common one. As lrmoore pointed out, it's ALMOST as simple as setting up a port forward. You need to forward tcp 1723 but you also need GRE forwarded. This bit isn't so simple as it's not a port, it's a whole protocol (IP 47) See if your router is capable of doing this, if it doesn't you could use the DMZ option so that ALL incoming traffic to the router's WAN address gets forwarded to the vpn server. If you do this make sure you use input filters in RRAS to filter out all other unwanted traffic.
timabe (ASKER)
Ya know, I kind of thought all along it was a router problem.  While many of the suggestions were helpful (caught me in a couple of config errors), I don't think my Linksys router (WRT54G) will forward GRE.  If I understand correctly, I'm left with either a risky setup of using DMZ and traffic filters OR installing a router that will handle forwarding both 1723 and GRE.  This setup will be for a small office with little tech support, so I think a new router will be the safest solution.  Any suggestions?
If you use a linksys VPN router, or a Cisco, the router itself can terminate IPSEC VPN's so you don't have to risk putting a server in the DMZ.
I agree with lrmoore, get a router that incorporates a vpn server. The only downside is the additional authentication, although you could look at radius.
My linksys router works (thanks to lrmoore) Though the router I'm using is the VPN Endpoint, I'm not using the VPN features of it. It might have a difference from the regular router. But here's the important router settings:

Filters:
Block Wan Request - Disable
IPSec Pass Through - Disable
PPTP Pass Through - Enable

Forwarding:
Port 47 and port 1723 have been forwarded to the IP of my VPN server (192.168.0.16)

Try that?


Oh and with that, the DMZ is disabled, and the server is NOT plugged into the DMZ port.
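Added example (not from this thread or any router vendor): a small Python checker that models the two paths a PPTP server behind NAT needs, TCP 1723 for the control channel and GRE for the tunnel data. GRE is IP protocol 47, not a TCP/UDP port, so a "port 47" forwarding entry like the one in the post above does not by itself carry the tunnel; the checker flags that mistake and also warns when the DMZ-host shortcut is used. The Rule model and the rule sets are constructed for illustration; only the server address 192.168.2.5 comes from the thread's ipconfig output.

```python
from dataclasses import dataclass

PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control connection
GRE_PROTOCOL = 47          # IP protocol number of the GRE tunnel (not a TCP/UDP port)

@dataclass(frozen=True)
class Rule:
    """Hypothetical forwarding entry: kind is 'tcp'/'udp' (port), 'proto' (IP protocol) or 'dmz'."""
    kind: str
    value: int    # port for tcp/udp, protocol number for proto, ignored for dmz
    target: str   # internal address the traffic is delivered to

def check_pptp_forwarding(rules, vpn_server):
    """Return (control_ok, gre_ok, findings) for a PPTP server at vpn_server."""
    findings = []
    to_server = [r for r in rules if r.target == vpn_server]
    dmz = any(r.kind == "dmz" for r in to_server)
    control_ok = dmz or any(r.kind == "tcp" and r.value == PPTP_CONTROL_PORT for r in to_server)
    gre_ok = dmz or any(r.kind == "proto" and r.value == GRE_PROTOCOL for r in to_server)
    if dmz:
        findings.append("DMZ host: every inbound packet reaches the server; "
                        "add RRAS input filters to drop everything but PPTP/GRE")
    if not control_ok:
        findings.append("TCP 1723 not forwarded: clients cannot open the control channel")
    if not gre_ok:
        if any(r.kind in ("tcp", "udp") and r.value == GRE_PROTOCOL for r in to_server):
            findings.append("'port 47' forwarded, but GRE is IP protocol 47, not a port: "
                            "the control channel connects, then the tunnel hangs")
        else:
            findings.append("GRE (IP protocol 47) not forwarded: tunnel data will not flow")
    return control_ok, gre_ok, findings

VPN_SERVER = "192.168.2.5"   # the server address shown in the thread's ipconfig output

# Constructed rule sets for illustration, not taken from any real router
CONFIGS = {
    "port_1723_only": [Rule("tcp", 1723, VPN_SERVER)],
    "port_47_mistake": [Rule("tcp", 1723, VPN_SERVER), Rule("tcp", 47, VPN_SERVER),
                        Rule("udp", 47, VPN_SERVER)],
    "dmz_host": [Rule("dmz", 0, VPN_SERVER)],
    "correct": [Rule("tcp", 1723, VPN_SERVER), Rule("proto", 47, VPN_SERVER)],
}

if __name__ == "__main__":
    for name, rules in CONFIGS.items():
        control_ok, gre_ok, findings = check_pptp_forwarding(rules, VPN_SERVER)
        print(f"{name}: control={control_ok} gre={gre_ok}")
        for finding in findings:
            print("  -", finding)
```

The "port_1723_only" case reproduces the symptom in this thread: the control channel is reachable, so authentication starts, but no GRE path exists for the tunnel.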
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
timabe (ASKER)
Thanks to all for your input and ideas.  Ultimately, the answer was that my router does not support GRE forwarding.  I have ordered a Linksys VPN endpoint that will solve the problem.  Points go to lrmoore for being the first person to point this out.  Thanks again for everyone's help and effort.  I suspect this is a very common problem for those trying to set up VPNs.  Hopefully, this exchange of info will make it easier for others.