ReggieM asked:
VPN 2003 server

Dear Experts,

I have a lot of clients that want to VPN into the company network.  I have set up a 2003 server box with a public IP address on the outside of the firewall to let users VPN in through RRAS using the native VPN client in XP on their machines.  These are users wanting to work from home, connected via cable modems or DSL to the public Internet.

My worry is security.  Is there any way to make this more secure using the software that comes with Windows?  I was thinking of Cisco's product, which allows you to restrict users by MAC address.  Is there a way to only allow certain machines as well as users to connect via the VPN?

I do not have many users doing this yet, but many are clamoring to get access, and I am hoping to come up with an inexpensive solution that is secure.

I appreciate the help.

Reggie
JamesDS

ReggieM
You can use RRAS on Windows 2003 to set up an L2TP/IPSec VPN that is highly secure (by current standards) and VERY easy to configure.

See my next post for information on working through the configuration wizard that comes up with RRAS when you enable it in the console.

Cheers

JamesDS
ASKER CERTIFIED SOLUTION
JamesDS
ReggieM (ASKER)

JamesDS,

This is awesome, thank you.  I plan to put this into action this coming week.  I will let you know how it works.

Thank you very very much for the help.
ReggieM

Welcome, let me know how it goes.
Cheers

JamesDS
ReggieM (ASKER)

JamesDS,

How do you set up preshared key IPSec on a W2K Pro client machine?

Thanks
ReggieM (ASKER)

JamesDS,

I am having trouble finding step-by-step instructions for setting up a W2K Pro client machine.

Could you lead me in the correct direction or run the steps by me.

Also, I tested a connection to the server from a client machine that does not have the preshared key and it looks as if it does connect.  Shouldn't the person trying to connect get an error or a message?

Thanks for the help.
ReggieM
I am pretty sure that the Windows 2000 VPN client doesn't have the preshared key option.

If it is available, then it will be on the Security tab in the DUN connection under Network Connections. I don't have any W2K boxes to check to be sure.

Cheers

JamesDS
ReggieM (ASKER)

JamesDS,

I am getting an error 791, "The L2TP connection attempt failed because security policy for the connection was not found", from an XP client machine.  I am not getting this from my machine, though.  Could you recommend anything?
ReggieM (ASKER)

JamesDS,

I am still trying to figure out how you set up a preshared key in W2K.

I figured out what was causing the error, though.  I installed SP2 on the XP machine and that fixed it.  I am not sure what part of the service pack did it, though, and I am trying to find out.

If you have any insight on any of these things or if anyone else does please let me know.

Thanks
ReggieM
See my previous comment about preshared keys in W2K.

SP2 contains policy updates for VPN, and that is what would have fixed it. The fix I was aware of is the IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043 and it is in my original postings.

Cheers

JamesDS
ReggieM (ASKER)

JamesDS,

Sorry about the redundancy, and thanks for all of the input.  I am looking into the W2K thing.  For some reason my W2K clients can access the network via the VPN with their old settings, meaning no pre-shared key at all and no updates?  I do not have a lot of W2K clients at hand, but I am going to do more testing.

Thanks again.
ReggieM (ASKER)

JamesDS,

The preshared key is not working.  I mean, as long as I have the SP2 patch I am able to connect regardless of the preshared key setting on the XP client.  That is why my W2K users are able to get access, I am guessing.

I have checked what I have set up against your notes.  I believe everything is exactly as you stated.  Is there any reason it would not be working properly?

If you have any suggestions, let me know.
ReggieM
If you have entered a pre-shared key on the server and yet your clients are able to connect whether you enter one or not, then you aren't connecting with only L2TP/IPSec.

It is possible that you also configured PPTP ports AND set your Remote Access Policy to allow PPTP connections.

Check your Remote Access Policy to ensure it only allows L2TP connections.

Cheers

JamesDS
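One way to check the point JamesDS makes above (clients that connect with or without the pre-shared key are not coming in over L2TP/IPSec, most likely PPTP) is to look at what the firewall in front of the RRAS box actually sees, since PPTP and L2TP/IPSec use different transports. The same check covers the NAT-T point from his earlier reply: a client that has the KB818043 / XP SP2 NAT-T update and sits behind a home router shows up on UDP 4500 instead of ESP. This is an added example, not code from the original thread or from Microsoft. It assumes you can export firewall or packet-capture flow summaries as (client_ip, ip_protocol, src_port, dst_port) records; SAMPLE_FLOWS is constructed data, and the function names are my own.

```python
"""Work out which tunnel type each VPN client actually used, from flow records.

Added example, not part of the original thread. Assumes flow records of the
form (client_ip, ip_protocol, src_port, dst_port); SAMPLE_FLOWS is constructed
for illustration and is not real traffic.
"""
from collections import defaultdict

# IANA transport identifiers that distinguish PPTP from L2TP/IPsec.
TCP, UDP, GRE, ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723   # PPTP control channel (TCP); data goes over GRE
IKE_PORT = 500             # IKE/ISAKMP (UDP): IPsec phase 1, where the pre-shared key is checked
NAT_T_PORT = 4500          # IPsec NAT traversal (UDP): what the KB818043 / XP SP2 update adds
L2TP_PORT = 1701           # L2TP itself: should only ever be seen inside ESP or NAT-T


def classify_flow(proto, src_port, dst_port):
    """Label one flow by the tunnel component it belongs to."""
    ports = {src_port, dst_port}
    if proto == TCP and PPTP_CONTROL_PORT in ports:
        return "pptp-control"
    if proto == GRE:
        return "pptp-data"
    if proto == UDP and IKE_PORT in ports:
        return "ipsec-ike"
    if proto == UDP and NAT_T_PORT in ports:
        return "ipsec-nat-t"
    if proto == ESP:
        return "ipsec-esp"
    if proto == UDP and L2TP_PORT in ports:
        return "l2tp-cleartext"
    return "other"


def tunnel_type(labels):
    """Collapse the per-flow labels of one client into the tunnel it used."""
    if "pptp-control" in labels or "pptp-data" in labels:
        return "PPTP"                      # no IPsec at all, so the pre-shared key is never checked
    if "l2tp-cleartext" in labels:
        return "L2TP without IPsec"        # tunnel up, but unencrypted and no pre-shared key check
    if "ipsec-nat-t" in labels:
        return "L2TP/IPsec (NAT-T)"        # client behind a NAT router, NAT-T update present
    if "ipsec-ike" in labels and "ipsec-esp" in labels:
        return "L2TP/IPsec"
    if "ipsec-ike" in labels:
        return "IPsec negotiation only"    # IKE seen but no ESP/NAT-T data channel: no IPsec SA came up
    return "unknown"


def audit_flows(flows):
    """Return {client_ip: tunnel_type} for every client seen in the flow records."""
    per_client = defaultdict(set)
    for client_ip, proto, src_port, dst_port in flows:
        per_client[client_ip].add(classify_flow(proto, src_port, dst_port))
    return {ip: tunnel_type(labels) for ip, labels in per_client.items()}


def pptp_clients(flows):
    """Clients that got in over PPTP: these bypass the L2TP/IPsec pre-shared key entirely."""
    return sorted(ip for ip, kind in audit_flows(flows).items() if kind == "PPTP")


# Constructed sample: four home users, each record (client_ip, proto, src_port, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.10", TCP, 49153, 1723),   # user A: PPTP control channel
    ("203.0.113.10", GRE, 0, 0),          # user A: PPTP data (GRE has no ports)
    ("203.0.113.20", UDP, 500, 500),      # user B: IKE from behind a NAT router
    ("203.0.113.20", UDP, 4500, 4500),    # user B: NAT-T, i.e. L2TP/IPsec with the NAT-T update
    ("203.0.113.30", UDP, 500, 500),      # user C: IKE, public IP directly on the host
    ("203.0.113.30", ESP, 0, 0),          # user C: ESP carrying L2TP
    ("203.0.113.40", UDP, 500, 500),      # user D: IKE only, data channel never came up
]

if __name__ == "__main__":
    for ip, kind in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{ip:15} {kind}")
    print("PPTP clients (pre-shared key never checked):", pptp_clients(SAMPLE_FLOWS))
```

If any client shows up as PPTP, the RRAS box is still accepting PPTP regardless of what the Remote Access Policy says about L2TP, so remove the PPTP WAN miniport ports in RRAS as well as restricting the policy. Blocking TCP 1723 and IP protocol 47 (GRE) inbound at the firewall in front of the box enforces the same thing independently of the RRAS configuration, which is the check I would keep in place permanently.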
ReggieM (ASKER)

JamesDS,

Thanks for the response.  I checked that right away.  As a matter of fact, if you try to connect without the SP2 patch you get an error referring to L2TP.  I am going to try a few more things before I move on to a VPN client I have to pay for.

Thanks again for all of your assistance.
ReggieM
Welcome, glad to help

Cheers

JamesDS