Solved

VPN 2003 server

Posted on 2004-10-11
15 Comments, 187 Views
Last Modified: 2013-12-04
Dear Experts,

I have a lot of clients that want to VPN into the company network.  I have setup a 2003 server box with a Public IP address on the outside of the firewall to let users VPN in through RRAS using the native VPN client in XP on their machines.  These are users wanting to work from home connected via Cable modems or DSL to the public Internet.

My worry is security.  Is there anyway to make this more secure using the software that comes with Windows?  I was thinking of Cisco's product which allows you to restrict users by MAC address.  Is there a way to only allow certain machines as well as users to connect via the VPN?

I do not have many users doing this yet but many are clammoring to get access and I am hoping to come up with an inexpensive solution that is secure.

I appreciate the help.

Reggie
Question by:ReggieM

15 Comments
LVL 16

Expert Comment

by:JamesDS
ID: 12275535
ReggieM
You can use RRAS on Windows 2003 to set up an L2TP/IPSec VPN that is highly secure (by current standards) and VERY easy to configure.

See my next post for information on working through the configuration wizard that comes up with RRAS when you enable it in the console.

Cheers

JamesDS
0
 
LVL 16

Accepted Solution

by: JamesDS (earned 500 total points)
ID: 12275537
ReggieM
Configure VPN Access using the RRAS Wizard

Wizard options

Remote Access (dial-up or VPN)
VPN only
External WAN - disable security
Internal LAN
Automatic IP Address assignment
Use RRAS to authenticate


Routing and Remote Access

Server Properties
General: Enable the computer as a LAN Router only
General: Remote Access Server

Security: Allow custom IPSEC policy with shared key (enter text to act as shared key) "Stick Some Text in HERE"

IP: Enable IP Routing
IP: This server can assign addresses by using DHCP
IP: Enable broadcast name resolution (select internal NIC)

PPP: Check all

Logging: Log all Events only

Ports: Add 5 L2TP inbound only, turn everything else off

IP Routing: only General and Static Routes, remove everything else

Remote Access Policies: Delete default policies, add new policy where tunnel type = L2TP and access is granted

Registry Change to allow 2048bit Diffie-Hellman connections:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
DWORD: NegotiateDH2048
Value: 1

Firewall Settings:

L2TP Inbound Requirements: Protocol 50, IPSec NAT-T UDP 4500, IKE UDP 500
(Just in Case you need them PPTP Inbound Requirement: Protocol 47, PPTP TCP 1723)

You will need to configure your firewall to forward traffic on all the ports you configured above to the internal IP of your server - or it won't see the VPN traffic.

Client Settings:
You can then use the standard VPN dial-up network client that comes with Windows:
Set Preshared Key in IPSec Properties "Stick the SAME Text in HERE"
Install IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043

Cheers

JamesDS
0
 

Author Comment

by:ReggieM
ID: 12374661
JamesDS,

This is awesome, thank you.  I plan to put this into action this coming week.  I will let you know how it works.

Thank you very very much for the help.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12374685
ReggieM

Welcome, let me know how it goes
Cheers

JamesDS
0
 

Author Comment

by:ReggieM
ID: 12410771
JamesDS,

How do you set up a preshared key for IPSec on a W2K Pro client machine?

Thanks
0
 

Author Comment

by:ReggieM
ID: 12412652
JamesDS,

I am having trouble finding step-by-step instructions for setting up a W2K Pro client machine.

Could you lead me in the correct direction or run the steps by me?

Also I tested a connection to the server from a client machine that does not have the preshared key and it looks as if it does connect.  Shouldn't the person trying to connect get an error or a message?

Thanks for the help.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12413647
ReggieM
I am pretty sure that the Windows 2000 VPN client doesn't have the preshared key option.

If it is available, then it will be on the security tab in the DUN connection under network connections. I don't have any W2K boxes to check to be sure.

Cheers

JamesDS
0

Author Comment

by:ReggieM
ID: 12414176
JamesDS,

I am getting an error 791 ("The L2TP connection attempt failed because security policy for the connection was not found") from an XP client machine.  I am not getting this from my machine though.  Could you recommend anything?
0
 

Author Comment

by:ReggieM
ID: 12415369
JamesDS,

I am still trying to figure out how you set up a preshared key in W2K.

I figured out what was causing the error though.  I installed SP2 on the XP machine and that fixed it.  I am not sure what part of the service pack did it though, and I am trying to find out.

If you have any insight on any of these things or if anyone else does please let me know.

Thanks
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12419290
ReggieM
See my previous comment about Preshared keys in W2k

SP2 contains policy updates for VPN and that is what would have fixed it. The fix I was aware of is the IPSec NAT-T update for XP: http://support.microsoft.com/?kbid=818043 and it is in my original postings.

Cheers

JamesDS
0
 

Author Comment

by:ReggieM
ID: 12421307
JamesDS,

Sorry about the redundancy and thanks for all of the input.  I am looking into the W2K thing.  For some reason my W2K clients can access the network via the VPN with their old settings, meaning no pre-shared key at all and no updates?  I do not have a lot of W2K clients at hand but I am going to do more testing.

Thanks again.
0
 

Author Comment

by:ReggieM
ID: 12422191
JamesDS,

The preshared key is not working.  I mean as long as I have the SP2 patch I am able to connect regardless of the preshared key setting on the XP client.  That is why my W2K users are able to get access, I am guessing.

I have checked what I have setup regarding your notes.  I believe everything is exactly as you stated.  Is there any reason it would not be working properly?

If you have any suggestion let me know?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12430840
ReggieM
If you have entered a pre-shared key on the server and yet your clients are able to connect whether you enter one or not, then you aren't connecting with only L2TP/IPSec.

It is possible that you also configured PPTP ports AND set your Remote Access Policy to allow PPTP connections.

Check your Remote Access Policy to ensure it only allows L2TP connections.

Cheers

JamesDS
0
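As an added example (not code from the thread or from JamesDS), here is a read-only PowerShell audit a defender can run on the RRAS server to confirm the L2TP-only setup from the accepted answer and to catch the symptom discussed just above, clients getting in with no pre-shared key. It assumes PowerShell is installed on the server and run elevated; the ProhibitIpSec value it inspects is a RasMan setting the thread does not mention.

```powershell
# Added audit script, not from the thread. Read-only checks of an RRAS server
# against the L2TP/IPsec-only setup described above; run from an elevated
# PowerShell prompt on the server. ESP (protocol 50) and GRE (protocol 47)
# do not show in netstat, so only the UDP/TCP ports are checked here.

$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$params = Get-ItemProperty -Path $rasman -ErrorAction SilentlyContinue

# 1. Registry value from the accepted answer: 2048-bit Diffie-Hellman for IKE
if ($params.NegotiateDH2048 -eq 1) {
    'OK    NegotiateDH2048 = 1'
} else {
    'WARN  NegotiateDH2048 missing or 0: IKE will settle for a weaker DH group'
}

# 2. ProhibitIpSec (a RasMan value not mentioned in the thread) set to 1 makes
#    RRAS accept L2TP without IPsec, so the pre-shared key is never enforced.
if ($params.ProhibitIpSec -eq 1) {
    'WARN  ProhibitIpSec = 1: L2TP is accepted without IPsec'
} else {
    'OK    ProhibitIpSec not set'
}

# 3. Which tunnel types the box actually offers, read from the sockets it
#    listens on. Constructed netstat lines this regex is written for:
#      TCP    0.0.0.0:1723    0.0.0.0:0    LISTENING
#      UDP    0.0.0.0:4500    *:*
$listening = @{}
netstat -an | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$') {
        $proto = $matches[1]; $port = $matches[2]; $state = $matches[3]
        if ($proto -eq 'UDP' -or $state -eq 'LISTENING') {
            $listening["$proto/$port"] = $true
        }
    }
}

# L2TP/IPsec needs IKE (UDP 500) and NAT-T (UDP 4500); TCP 1723 means PPTP
# ports are still configured, which is how a client with no pre-shared key
# can still connect.
foreach ($p in 'UDP/500', 'UDP/4500') {
    if ($listening[$p]) { "OK    $p listening" }
    else { "WARN  $p not listening: L2TP/IPsec clients cannot negotiate" }
}
if ($listening['TCP/1723']) {
    'WARN  TCP/1723 listening: PPTP still offered; remove PPTP ports, restrict policy to L2TP'
} else {
    'OK    TCP/1723 closed: PPTP not offered'
}
```

A WARN on TCP/1723 together with clients connecting without a key points at the PPTP ports or the remote access policy rather than at the IPsec configuration.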
 

Author Comment

by:ReggieM
ID: 12434837
JamesDS,

Thanks for the response.  I checked that right away.  Matter of fact, if you try and connect without the SP2 patch you get an error referring to L2TP.  I am going to try a few more things before I move on to a VPN client I have to pay for.

Thanks again for all of your assistance.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12436688
ReggieM
Welcome, glad to help

Cheers

JamesDS
0