Solved

VPN 2003 server

Posted on 2004-10-11
Last Modified: 2013-12-04
Dear Experts,

I have a lot of clients that want to VPN into the company network.  I have set up a 2003 server box with a Public IP address on the outside of the firewall to let users VPN in through RRAS using the native VPN client in XP on their machines.  These are users wanting to work from home connected via Cable modems or DSL to the public Internet.

My worry is security.  Is there any way to make this more secure using the software that comes with Windows?  I was thinking of Cisco's product which allows you to restrict users by MAC address.  Is there a way to only allow certain machines as well as users to connect via the VPN?

I do not have many users doing this yet but many are clamoring to get access and I am hoping to come up with an inexpensive solution that is secure.

I appreciate the help.

Reggie
Question by:ReggieM
Expert Comment

by:JamesDS
ReggieM
You can use RRAS on Windows 2003 to set up an L2TP/IPSec VPN that is highly secure (by current standards) and VERY easy to configure.

See my next post for information on working through the configuration wizard that comes up with RRAS when you enable it in the console.

Cheers

JamesDS
Accepted Solution

by:JamesDS (earned 500 total points)
ReggieM
Configure VPN Access using the RRAS Wizard

Wizard options

Remote Access (dial-up or VPN)
VPN only
External WAN - disable security
Internal LAN
Automatic IP Address assignment
Use RRAS to authenticate


Routing and Remote Access

Server Properties
General: Enable the computer as a LAN Router only
General: Remote Access Server

Security: Allow custom IPSEC policy with shared key (enter text to act as shared key) "Stick Some Text in HERE"

IP: Enable IP Routing
IP: This server can assign addresses by using DHCP
IP: Enable broadcast name resolution (select internal NIC)

PPP: Check all

Logging: Log all Events only

Ports: Add 5 L2TP inbound only, turn everything else off

IP Routing: only General and Static Routes, remove everything else

Remote Access Policies: Delete default policies, add new policy where tunnel type = L2TP and access is granted

Registry Change to allow 2048bit Diffie-Hellman connections:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DWORD: NegotiateDH2048
Value: 1

Firewall Settings:

L2TP Inbound Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
(Just in Case you need them PPTP Inbound Requirement: Protocol 47, PPTP TCP 1723)

You will need to configure your firewall to forward traffic on all the ports you configured above to the internal IP of your server - or it won't see the VPN traffic.

Client Settings:
You can then use the standard VPN dial up network client that comes with Windows:
Set Preshared Key in IPSec Properties "Stick the SAME Text in HERE"
Install IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043

Cheers

JamesDS
Author Comment

by:ReggieM
JamesDS,

This is awesome, thank you.  I plan to put this into action this coming week.  I will let you know how it works.

Thank you very very much for the help.
Expert Comment

by:JamesDS
ReggieM

Welcome, let me know how it goes
Cheers

JamesDS
Author Comment

by:ReggieM
JamesDS,

How do you set up preshared key IPSec on a W2K pro client machine?

Thanks
Author Comment

by:ReggieM
JamesDS,

I am having trouble finding step by step instructions for setting up a W2K pro client machine.

Could you lead me in the correct direction or run the steps by me?

Also I tested a connection to the server from a client machine that does not have the preshared key and it looks as if it does connect.  Shouldn't the person trying to connect get an error or a message?

Thanks for the help.
Expert Comment

by:JamesDS
ReggieM
I am pretty sure that the Windows 2000 VPN client doesn't have the preshared key option.

If it is available, then it will be on the security tab in the DUN connection under network connections. I don't have any W2k boxes to check to be sure.

Cheers

JamesDS
Author Comment

by:ReggieM
JamesDS,

I am getting an error 791 ("The L2TP connection attempt failed because security policy for the connection was not found") from an XP client machine.  I am not getting this from my machine though.  Could you recommend anything?
Author Comment

by:ReggieM
JamesDS,

I am still trying to figure out how you set up a preshared key in W2K.

I figured out what was causing the error though.  I updated SP2 on the XP machine and that fixed it.  I am not sure what part of the service pack though and I am trying to find out.

If you have any insight on any of these things or if anyone else does please let me know.

Thanks
Expert Comment

by:JamesDS
ReggieM
See my previous comment about Preshared keys in W2k

SP2 contains policy updates for VPN and that is what would have fixed it. The fix I was aware of is the IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043 and it is in my original postings.

Cheers

JamesDS
Author Comment

by:ReggieM
JamesDS,

Sorry about the redundancy and thanks for all of the input.  I am looking into the W2K thing.  For some reason my W2K clients can access the network via the VPN with their old settings, meaning no pre-shared key at all and no updates.  I do not have a lot of W2K clients at hand but I am going to do more testing.

Thanks again.
Author Comment

by:ReggieM
JamesDS,

The preshared key is not working.  I mean as long as I have the SP2 patch I am able to connect regardless of the Preshared key setting on the XP client.  That is why my W2K users are able to get access, I am guessing.

I have checked what I have setup regarding your notes.  I believe everything is exactly as you stated.  Is there any reason it would not be working properly?

If you have any suggestions, let me know.
Expert Comment

by:JamesDS
ReggieM
If you have entered a pre-shared key on the server and yet your clients are able to connect whether you enter one or not, then you aren't connecting with only L2TP/IPSec.

It is possible that you also configured PPTP ports AND set your Remote Access Policy to allow PPTP connections.

Check your Remote Access Policy to ensure it only allows L2TP connections.

Cheers

JamesDS
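JamesDS's last diagnosis comes down to telling PPTP sessions from L2TP/IPsec ones, and his accepted solution already lists the protocol and port numbers that distinguish them. As an added example (not code from this thread or from RRAS), this Python script classifies constructed firewall flow records by those markers and reports which peers used PPTP when the policy was meant to be L2TP only; the flow-record format and the IP addresses are assumptions.

```python
from collections import defaultdict

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50  # IANA IP protocol numbers

# Transport markers taken from the accepted solution: (ip_protocol, dst port or None).
# L2TP/IPsec: IKE UDP 500, IPSec NAT-T UDP 4500, ESP protocol 50
# PPTP:       TCP 1723, GRE protocol 47
L2TP_MARKERS = {(PROTO_UDP, 500), (PROTO_UDP, 4500), (PROTO_ESP, None)}
PPTP_MARKERS = {(PROTO_TCP, 1723), (PROTO_GRE, None)}

# Constructed firewall flow records (assumed format): "src dst ip_proto dport",
# with dport "-" for protocols that carry no port (GRE, ESP).
SAMPLE_FLOWS = [
    "203.0.113.10 198.51.100.5 17 500",    # IKE
    "203.0.113.10 198.51.100.5 17 4500",   # NAT-T: ESP carried inside UDP 4500
    "203.0.113.22 198.51.100.5 6 1723",    # PPTP control channel
    "203.0.113.22 198.51.100.5 47 -",      # GRE carrying the PPTP tunnel
    "203.0.113.30 198.51.100.5 50 -",      # bare ESP (no NAT in the path)
    "203.0.113.40 198.51.100.5 6 443",     # unrelated traffic, ignored
]

def parse_flow(line):
    """Split one record into (src, dst, proto, dport); dport is None when '-'."""
    src, dst, proto, dport = line.split()
    return src, dst, int(proto), None if dport == "-" else int(dport)

def classify_peers(lines, vpn_server):
    """Map each remote peer to the set of VPN transports it was seen using."""
    seen = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if dst != vpn_server:
            continue
        # Only TCP/UDP carry a port; GRE and ESP are matched on protocol alone.
        marker = (proto, dport if proto in (PROTO_TCP, PROTO_UDP) else None)
        if marker in L2TP_MARKERS:
            seen[src].add("L2TP/IPsec")
        elif marker in PPTP_MARKERS:
            seen[src].add("PPTP")
    return dict(seen)

def policy_violations(peers, allowed=("L2TP/IPsec",)):
    """Peers whose transports fall outside the intended policy (L2TP only by default)."""
    return sorted(ip for ip, kinds in peers.items() if not kinds <= set(allowed))

if __name__ == "__main__":
    peers = classify_peers(SAMPLE_FLOWS, "198.51.100.5")
    print(peers, "not L2TP-only:", policy_violations(peers))
```

A peer that shows up under PPTP here is connecting through a PPTP port and a Remote Access Policy that still permits it, which is exactly the misconfiguration the reply above describes.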
Author Comment

by:ReggieM
JamesDS,

Thanks for the response.  I checked that right away.  Matter of fact, if you try and connect without the SP2 patch you get an error referring to L2TP.  I am going to try a few more things before I move onto a VPN client I have to pay for.

Thanks again for all of your assistance.
Expert Comment

by:JamesDS
ReggieM
Welcome, glad to help

Cheers

JamesDS