How to set up a VPN

I have the following hardware setup: an IBM firewall with Comodo Trustix software installed and a W2K server. The firewall is split into 3 zones (LAN, DMZ & Internet). What I want to do is create a VPN through the firewall to the W2K server.

I know you can set up RRAS on the W2K server, but since my LAN is protected by the Comodo firewall, do I also need to set up VPN tunnels on this box?

I'm also planning on simply using Windows XP's built-in VPN connection. Is this recommended? If not, then what would be a better solution?

I have a head office (which holds the main servers) and a number of regional offices (simply LANs with DSL connections to the Internet). I was planning on buying a VPN router for some of the regional offices (as there are a number of users at each) but I also have a number of roaming users who I would like to simply dial into the network.

Can anyone advise (and I'm sure there's a lot of you out there) on the best course of action?
Steven O'Neill, Solutions Architect, asked:

Hi u101440,
If you wish to have clients use the built-in VPN client and connect to the W2K server, you will need to configure the firewall to direct incoming connections to UDP port 1723 and GRE (IP protocol number 47) to the W2K server.

Personally I would recommend that you get VPN routers at the remote sites (such as the PIX 501 or 506E) and get a Cisco PIX 515-R-DMZ for your main site.
That way you can have LAN-LAN fixed VPNs configured on the PIX and also have users use the Cisco client (more secure than the Windows native one) to make remote VPN connections. You can configure the PIX to use the W2K server for authentication if you wish.

I wouldn't recommend using the Win2000 server as an endpoint. A hardware solution is more secure. One important thing to note is that you need a PPTP VPN, not an IPSEC one. Not many hardware solutions support PPTP. The PIX does, and I like the Snapgear range. You need to also make sure the firewall supports VPN passthrough. I use the Windows client, which works fine.
Steven O'Neill, Solutions Architect (author), commented:
Okay guys, thanks for the comments. I'm now a bit confused though (really easy to do). I have a firewall server in the office (the Comodo Trustix on the IBM server) which is split into 3 zones (LAN, which contains my internal network (obviously); Internet, allowing me access to the net; and DMZ, which has my mail server on it).

I don't understand why I'm now being recommended to buy PIX boxes when I already have the firewall hardware/software in place? lnwright, if I cannot use the W2K server as the endpoint, how is it supposed to be contacted?

All I was thinking of doing was setting up some VPN tunnels (as grblades suggests above) on the Trustix box and then using the Windows client to talk to the network. I just wasn't sure if I also had to configure the W2K box as well as the Trustix box to accept VPN passthru transactions.

I also have a couple of remote offices, and rather than set them up with individual access I was simply going to buy something like the D-Link DI-804HV, which would allow me to connect the 3 PCs at the remote office to the one router, connect their broadband to this for sharing, and then set up the VPN so that this router/firewall could communicate with the Trustix box at the head office.

Does this sound feasible or am I missing something?


You could set up IPSEC LAN-LAN VPN tunnels on the Trustix box and also forward TCP port 1723 and GRE (IP protocol 47) to your Windows server so that individual clients could use the built-in Windows PPTP VPN client to connect. This relies on you being able to redirect this port and GRE on the Trustix.

At the remote site you will need something better than the D-Link. Trying to set up a VPN between the D-Link and Trustix could be problematic, and there will be very few people who have done it before, which is why I recommended the Cisco equipment: many people use it and you will get lots of assistance setting it up.
If you wish to cut costs, then consider a Trustix box at each remote site, as creating the VPN between identical equipment will be far easier to do.

OK, if your Trustix can act as a VPN server then that is great. I am not familiar with the product. The way these hardware VPNs work is that you put your client login details into the router itself. You log into the box and it gives you a local IP address just as if you were attaching a workstation directly to the network. You can then log into your Win2000 domain. Again, the question to be answered is: does the Trustix provide PPTP or IPSEC VPN?

I have a D-Link DI-804V. It only supports IPSEC. Believe me, you don't want to connect to it from a Windows client. If you look at the manual you will see that there are over 70 steps to configure Windows to act as an IPSEC client, and even then there is no easy support for dynamic addressing (e.g. your mobile workers). The 804 is probably good if you join them at each end using IPSEC. PPTP is better for the Windows client. It takes about 5 seconds to configure. When you go to the network connections wizard in Windows to set up a VPN, it is a PPTP VPN that it is talking about.

Hope this helps.
Steven O'Neill, Solutions Architect (author), commented:
Guys, again many thanks for this. I'll be looking into this again tomorrow and over the weekend. I've just started with this new area and their systems appear a little backward, but I'll slowly pull them away from the 19th century. grblades, the problem I have with costs is that the organisation I'm with now is a charity, and they're only wanting to connect 3 machines at the branch office to the network and don't want to spend a lot of money in doing so. They already had the Trustix box in place, so I'm forced to work with it! I may look at the cost of a second Trustix box, but I don't hold out much hope.

lnwright, I don't know what the Trustix provides. If you didn't have the DI-804V, would you have chosen another model to make your life easier? I've looked at the documentation at the D-Link site and setting up the VPN with a Windows client didn't look all that difficult, but I can see there are a great many steps compared with the built-in PPTP.

One last thing: if the Trustix box can forward port 1723 and GRE (IP Protocol 43), do I still need to set the W2K server up to accept VPN connections?

I assume your Windows box is behind the Trustix. The Windows box is therefore protected from the Internet, and so you need to forward the protocols used by the PPTP VPN through to the Windows box. This means you need to forward TCP port 1723 and GRE (IP Protocol 47) and then set up the Windows box as a VPN server.
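The passthrough requirement described above has two halves: the TCP 1723 control channel and the GRE (IP protocol 47) data channel, both forwarded to the same internal host. Forgetting either half (or forwarding the wrong transport) is the usual reason a PPTP client authenticates and then hangs. As an added example, not part of the thread and not Comodo Trustix's own configuration syntax, here is a small Python check over a constructed iptables-save style NAT rule set. The rule text, the interface name eth0 and the address 192.168.1.10 are all constructed sample input for illustration.

```python
"""Check that a NAT rule set forwards both halves of PPTP to the VPN server.

PPTP (RFC 2637) needs a TCP 1723 control connection plus GRE (IP protocol 47)
for the tunnelled data. Both must be forwarded to the same internal host.
The rule sets below are constructed samples in iptables-save syntax; they are
not taken from any real firewall.
"""

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL_NAMES = ("47", "gre")

# Constructed sample: both halves forwarded to the Windows VPN server.
GOOD_RULES = """
-A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p 47 -j DNAT --to-destination 192.168.1.10
"""

# Constructed sample: the common mistake of forwarding the port but not GRE.
MISSING_GRE_RULES = """
-A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
"""

# Constructed sample: wrong transport for the control channel (UDP instead of TCP).
WRONG_TRANSPORT_RULES = """
-A PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p gre -j DNAT --to-destination 192.168.1.10
"""


def parse_dnat_rules(text):
    """Return (proto, dport, dest_ip) tuples for DNAT rules in PREROUTING.

    Tokens are read positionally, so the parser tolerates rules with or
    without -i, --dport and a :port suffix on --to-destination.
    """
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "PREROUTING"] or "DNAT" not in tok:
            continue
        proto = tok[tok.index("-p") + 1].lower() if "-p" in tok else None
        dport = int(tok[tok.index("--dport") + 1]) if "--dport" in tok else None
        dest = None
        if "--to-destination" in tok:
            # Strip an optional ":port" so 192.168.1.10:1723 matches 192.168.1.10.
            dest = tok[tok.index("--to-destination") + 1].split(":")[0]
        rules.append((proto, dport, dest))
    return rules


def check_pptp_passthrough(text, vpn_server):
    """Return a list of problems; an empty list means PPTP passthrough is complete."""
    problems = []
    rules = parse_dnat_rules(text)
    control_dests = [d for p, port, d in rules
                     if p == "tcp" and port == PPTP_CONTROL_PORT]
    gre_dests = [d for p, _, d in rules if p in GRE_PROTOCOL_NAMES]

    if vpn_server not in control_dests:
        problems.append(
            "TCP 1723 (PPTP control channel) is not forwarded to %s" % vpn_server)
    if vpn_server not in gre_dests:
        problems.append(
            "GRE / IP protocol 47 (PPTP data channel) is not forwarded to %s; "
            "clients would authenticate and then hang" % vpn_server)
    # Both halves must land on the same host or the tunnel never comes up.
    if control_dests and gre_dests and set(control_dests) != set(gre_dests):
        problems.append("TCP 1723 and GRE are forwarded to different hosts: %s vs %s"
                        % (sorted(set(control_dests)), sorted(set(gre_dests))))
    return problems


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES),
                        ("missing GRE", MISSING_GRE_RULES),
                        ("wrong transport", WRONG_TRANSPORT_RULES)):
        print(name, "->", check_pptp_passthrough(rules, "192.168.1.10") or "OK")
```

The check reads rules rather than applying them, so it can be run against an exported rule set before anything is changed on the firewall; the three constructed inputs exercise the complete case, the missing-GRE case and the wrong-transport case.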
Steven O'Neill, Solutions Architect (author), commented:
Guys, sorry for not getting back to you on this one. I've increased the points to 500 and split it 2 ways. Hope this is okay.

I've sorted this problem, as I now have an SBS 2003 Premium box which allows me to create RWW and Connection Manager access for my clients.

Question has a verified solution.
