  • Status: Solved
  • Priority: Medium
  • Security: Public

Remote XP Pro VPN Access to BEFVP41/DSL Connection?

I have an XP Pro laptop and want to access from the Internet using DHCP my BEFVP41 Linksys router that is also using DHCP with a BellSouth DSL connection.  I want to be able to network and back-up my laptop to the XP Pro desktop behind the router.  I am trying to set-up onsite with the BEFVP41 now.  Can I do all of this onsite and test using wireless or wired connection by going out through router and coming back to set-up VPN connection?  Not sure how to test when I am off site.

I have found instructions on how to set up XP VPN connection as well as configuring BEFVP41 but am fuzzy on some of the IP addresses and know that they will eventually expire and need to go with DDNS as well.

Basically, I need someone to step me through and I can feedback what is going on.
0
pfernald
Asked:
pfernald
1 Solution
 
Rob WilliamsCommented:
There are several steps to this.
A) You have a Bell South DSL connection. What do you have for a modem? Is it a combined router & modem such as a Westell? If it is a combined unit it will be performing NAT (Network Address Translation). You can confirm this by seeing if it is assigning the WAN port of the BEFVP41 a private address of 192.168.x, 10.x.x.x, or 172.16-31.x. If it is, you will need to change the modem to Bridge mode; if it is a public IP there is nothing to be changed on the modem.

B) Note, the BEFVP41 site needs to be a different IP range, or subnet, than the remote site in order to function properly. To avoid conflicts where the default router subnet is 192.168.1.x, change the router's LAN configuration to something less common like 192.168.123.x. Also, because you want to connect to a specific PC, the PC should have a fixed, static, IP address rather than using DHCP for that PC.

C) The VPN server end can be configured on the BEFVP41 or on an XP machine behind the router. The latter is probably easier if you are not familiar with VPNs. Assuming this is the case, the following sites will tell you how to set up the XP server and client ends:
Windows XP VPN server:
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
Windows XP VPN client:
http://www.onecomputerguy.com/networking/xp_vpn.htm

D) You will also have to enable forwarding for the VPN traffic from the router to the XP VPN server. To do so, on the router you need to enable PPTP pass-through, and also forward TCP port 1723 to the IP of the VPN server. Instructions for your router can be found at:
http://www.portforward.com/english/routers/port_forwarding/Linksys/BEFVP41/Point-to-Point_Tunneling_Protocol.htm

E) Because you have a dynamic WAN address you will also need a DDNS service. Below is a copy of an earlier post of mine explaining DDNS services and how to configure:
DDNS, and static IP's: In case you are not familiar with DDNS (Dynamic Domain Name Service), they are free services that give you a name like myname.dnsalias.org and they track your dynamic IP. You either have to configure the router for the service, or download a little piece of software for your computer, and it advises the DDNS service of any changes to your dynamic IP. The recommended method is using the router, otherwise the computer with the installed software has to be left on. Now whenever you enter myname.dnsalias.com, the FQDN (Fully Qualified Domain Name), it directs you to your WAN IP or the router. There are numerous free services available; www.dyndns.com, www.dns2go.com, and www.no-ip.com, to name a few. I prefer www.dyndns.com. You need to contact the service provider such as http://www.dyndns.com and set up a free account, and a host name/Dynamic DNS service for your IP. You can have 5 IP's with a free account. Once done you will have a host name like myname.dnsalias.com, a user name, and a password. Enter these in the router's DDNS page.
Note: There is a catch with the free www.dyndns.com service and possibly some of the others. If the IP doesn't change for 35 days, it needs to be manually updated, otherwise your account is considered dormant and the Host name, not your account, will be dropped. They usually send you a warning a few days in advance. If the service works for you, I would recommend paying the $9.95 a year that overrides the 35 day limit. It also allows you to list 20 IP's with a paid account.
Specific instructions for www.dyndns.com:
After you create a new user account with www.dyndns.com, log in and at the top of the page click on 'Account' and then in the middle of the page choose 'My services'. Near the bottom of the page you will see Host Level Services. If you haven't done so you will need to set up a domain name. I would recommend starting with a fresh one regardless. Do so by clicking "Add host service", then "Add Dynamic DNS Host". Now fill in a Host name of your choosing like "myname" and choose a suffix like "dnsalias.org" (any one in the list will do). Your current IP, if you are connecting from the site where you will be using this, will be displayed in the next box. If not, change it to the current IP. If you don't know it you can find it by going to http://www.whatismyip.com. Now click "Add Host". Leave Wildcards and Mail fields empty.
Now in your router set up (my recommendation), or in your DDNS software application, enter your hostname myname.dnsalias.org, or whatever you choose, your password and choose the service, dyndns if asked, and you are done. Make sure you only use one, the router or the application; it is not a good idea to use both.
Now to test. You know how to find your IP by going to http://www.whatismyip.com so verify that. Now at a command prompt (DOS window) enter nslookup  myname.dnsalias.org  (substitute your domain name) and it should resolve/return the proper WAN IP you located above.

F) You asked "Can I do all of this onsite and test using wireless or wired connection by going out through router and coming back to set-up VPN connection?" No, I am afraid you will have to use a separate connection such as a remote site or a dial up connection, unless you have two public IP addresses provided by your ISP.
0
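Steps A, B, D and E of the answer above can be checked with a short script before the first off-site test. This Python sketch is an added example, not part of the original thread: the function names and sample addresses are constructed, and the carrier-grade NAT range (100.64.0.0/10) goes beyond the private ranges the answer lists.

```python
"""Pre-flight checks for a PPTP VPN server behind a NAT router (added example)."""
import ipaddress
import socket

# RFC 1918 private ranges named in step A of the answer.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 carrier-grade NAT space: an addition beyond the post, covering ISPs
# that NAT their customers.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def wan_is_natted(wan_ip):
    """Step A: True if the router's WAN port holds a non-public address."""
    ip = ipaddress.ip_address(wan_ip)
    return any(ip in net for net in PRIVATE_NETS) or ip in CGNAT_NET


def subnets_conflict(server_lan, client_lan):
    """Step B: True if the VPN server LAN and the remote client LAN overlap."""
    a = ipaddress.ip_network(server_lan, strict=False)
    b = ipaddress.ip_network(client_lan, strict=False)
    return a.overlaps(b)


def resolve(hostname):
    """Step E: live DNS lookup of the DDNS name (same job as nslookup)."""
    return socket.gethostbyname(hostname)


def tcp_1723_open(host, timeout=5.0):
    """Step D: live test of the forwarded PPTP control port, run from off site.

    This only covers TCP 1723. The GRE data channel (IP protocol 47) cannot be
    probed with a TCP connect; it depends on PPTP pass-through on the router.
    """
    try:
        with socket.create_connection((host, 1723), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(wan_ip, public_ip, ddns_ip, server_lan, client_lan, port_open=None):
    """Return a list of findings; an empty list means steps A, B, D, E look sane.

    wan_ip    : address shown on the router's status page for its WAN port
    public_ip : address reported by a "what is my IP" page at the server site
    ddns_ip   : address the DDNS host name currently resolves to
    port_open : result of tcp_1723_open() from off site, or None if not tested
    """
    findings = []
    wan, pub, ddns = (ipaddress.ip_address(a) for a in (wan_ip, public_ip, ddns_ip))
    if wan_is_natted(wan_ip):
        findings.append("A: WAN port has a private address; the modem is doing "
                        "NAT and should be put in bridge mode")
    elif wan != pub:
        findings.append("A: WAN address is public but differs from the address "
                        "seen from the Internet")
    if ddns != pub:
        findings.append("E: DDNS name resolves to %s, expected %s" % (ddns, pub))
    if subnets_conflict(server_lan, client_lan):
        findings.append("B: server and client LANs overlap; renumber one side")
    if port_open is False:
        findings.append("D: TCP 1723 is not reachable; check port forwarding")
    return findings


if __name__ == "__main__":
    # Constructed sample values (documentation address space), not from the thread.
    before = preflight("192.168.1.47", "203.0.113.10", "203.0.113.99",
                       "192.168.1.1/24", "192.168.1.0/24", port_open=False)
    after = preflight("203.0.113.10", "203.0.113.10", "203.0.113.10",
                      "192.168.123.1/24", "192.168.1.0/24", port_open=True)
    print("Before fixes:")
    for line in before:
        print("  " + line)
    print("After fixes: %d findings" % len(after))
```

For a live run, pass `resolve("your-ddns-name")` as `ddns_ip` and call `tcp_1723_open()` from a connection outside the server site, since the test cannot be made by looping back through the same router.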
 
pfernaldAuthor Commented:
A) Westell must also be a NAT as WAN port of BEFVP41 has IP address of 192.168.X.X.  I'll investigate changing the modem to Bridge mode, do you know more specifically how to do this?  Noticed that I could not send email at the server site but had no problem at remote site.  Perhaps it was having two NAT/firewalls in play.

B) Do you know how to change the router's LAN configuration to something less common in case I get stuck?  Can't I use DDNS functionality on both the router in front of the server as well as on the remote laptop that I'll be coming in from the outside?  I don't want to pay for static IP on either end if I don't have to.  I have a WRT54G at the remote location but not sure if that helps or not.

C) So I would not have to configure anything other than LAN configuration in the BEFVP41 and PPTP pass through if I configure the VPN on the XP machine behind the router?  I'll check out the sites you provided.

D) Does it matter if any of the other passthrough settings are enabled or not?  Figure probably not as not using them but just in case for security considerations.

E) Can't I use DDNS on the router that server is sitting behind as well as on the remote machine? (both are dynamic IPs).

F) I'll use dial-up or go to a neighbor's house close by if too painful.
0
 
Rob WilliamsCommented:
I am assuming from above the following configuration:
remote site=>WRT54G=>modem=>Internet=>Westell=>BEFVP41=>XP VPN server

A) Here is a good link as to how to configure the Westell:
http://www.dslreports.com/faq/6323
>>"Noticed that I could not send email at the server site but had no problem at remote site.  Perhaps it was having two NAT/firewalls in play."
Two NAT devices can block some services such as an incoming VPN but I am surprised you couldn't send e-mail. I am assuming at this point the VPN is not set up. Once the VPN is set up, if you want to send e-mail or browse the Internet while connected to the VPN, there is an option "use default gateway on remote network" in the Virtual client adapter under advanced TCP/IP configuration that needs to be disabled.

B) >>"Do you know how to change the router's LAN configuration to something less common in case I get stuck?"
Best bet is to do this on the VPN server site. On the Network Set Up page under Local IP Address it will likely show 192.168.1.1, just change to 192.168.123.1
You can use the DDNS service from both locations without a problem. The basic/free www.dyn.dns.com service allows up to 5 locations with the one account. However, if connecting as described above, client to server configuration, there is no need for static IP or DDNS service for the client machine.

C) >>"So I would not have to configure anything other than LAN configuration in the BEFVP41 and PPTP pass through "
Also port forwarding of TCP port 1723 as described.

D) >>"Does it matter if any of the other passthrough settings are enabled or not? "
No, but best to leave the others disabled, very slightly more secure.




0

 
pfernaldAuthor Commented:
"...there is an option "use default gateway on remote network" in the Virtual client adapter under advanced TCP/IP configuration that needs to be disabled." - Where do I access this, on the server behind the router?  How?

Yeah, not sure what's going on with email as it's fine on my router at home but when I'm out and about off of various WAPs I can only receive and not send.

Gotcha on the rest.  I'll try all of this tomorrow.  I really like this resource!  I'm an aspiring MCSE that does some database application consulting and like to know how things work and fix them.  This makes it much easier as finding the answers seems to be hard part.
0
 
Rob WilliamsCommented:
>>""...there is an option "use default gateway on remote network" in the Virtual client adapter under advanced TCP/IP configuration that needs to be disabled." - Where do I access this, on the server behind the router?  How?"
On the VPN client machine go to:
Control Panel | Network Connections | right click on the Virtual Network adapter and choose properties | Networking | Internet protocol TCP/IP properties | Advanced | General | use default gateway on remote network | un-check

>>"can only receive and not send."
Most sites will only allow you to send using their SMTP server in the account connection information. It is to prevent mail relaying.

Basic VPNs are pretty straightforward, but the information seems to be quite scattered. Once you get the hang of one or two you can pick up the details as you go.
0
 
scrathcyboyCommented:
First, you cannot VPN into a normal ADSL router, ADSL does not provide a real IP, it is virtualized at the telco headend.  If you plan to VPN, you need to purchase a "static IP" from them.  Once you have that, you need to set the router separate on the domain with the static IP and VPN to that router, and it has to be a VPN endpoint-capable router, then you can connect to the computer behind it; otherwise NO you can't.
0
 
Rob WilliamsCommented:
scrathcyboy, Not directly VPNing in to a ADSL router, it is in bridge mode to a standard router and then using the router's VPN pass-through capabilities to the Windows VPN server. So long as the router receives a public IP, it will be unique to the router. Also, although a static IP is always preferred, DDNS services work fine with most VPNs. Generally this configuration works fine.
0
 
CKWTCommented:
All correct... just wanna say that the DHCP lease can be forgotten if you increment the lease time. 9999 is a good number, then you'll have to spend a really long time without turning on your PC for it to expire.

Not a VPN wiz, but if you don't or cannot buy a public IP then maybe you could work out a deal with them to enable the VPN port forwarding as a favor to a loyal long time customer, who helps pay their bills, right? If you can, then follow the response from the guys above... if you cannot do either, scrathcyboy is right, you cannot do it.
0
 
scrathcyboyCommented:
I know that the ADSL is not the VPN endpoint, they NEVER are, they all only "pass through".
But the BEFSVP41 does not have the capability to see across class C domain boundaries.
I know, I have used them -- they make great VPN endpoints to ONE class C, and only one, that is it.
So my comment is accurate, with this VPN endpoint router, you will not see outside 1 class C domain.
0
 
pfernaldAuthor Commented:
Not sure what last comment means.  I need to access a server behind the BEFVP41 router from a remote client using XP or client software.  All IP addresses are dynamic so RobWill's approach seems plausible.  scrathcyboy, are you saying that it will not work and I have to get a static IP?  Not clear at this point but will keep moving in current direction.  Thanks.
0
 
scrathcyboyCommented:
sorry, that was for another question where person was trying to see computers on two different domains.  

As I said above, you have to be assigned a static IP address by the telco, and that IP number should be assigned to the BEFVP41 router, as Robwill says, the DSL router just passes thru the VPN request to the Linksys router.  I have tested VPN on this router with Qwest ADSL, and NO, it does not work unless you get a static IP address from them.  The ADSL head end in the telco assigns every DSL modem a virtual IP address, it is not real, i.e. resolvable, as an IP that you can VPN into.  You can try, but 90% sure you will not get VPN to work without a true static IP address that you can assign to the Linksys router.
0
 
scrathcyboyCommented:
Maybe Bell South is different, don't know, but Qwest charges $5 per month for static IP address, if it is worth it to you, then it is worth it - for me I was only testing, and no amount of dynamic DNS made any difference, it simply does not work without a static on Qwest ADSL, the Linksys needs a true IP number.
0
 
scrathcyboyCommented:
But try it anyway, all you have to lose is time. If can get it to work, great, that saves $60 a year, no?
0
 
Rob WilliamsCommented:
pfernald, it likely depends on the service provider. Try going to  http://www.whatismyip.com  and see what your public IP is. Post it here, but for security reasons just the first two octets like 69.88.x.x

scrathcyboy, if we are on the same wavelength some ISP's NAT the address and provide their end users with a private IP, which of course will not work. Is that what you are saying? If so I think BellSouth is OK.

You say you have tested with this router, is the router itself a problem? I wouldn't think so. I have set up similarly in several situations without a problem, but must say I haven't used this model Linksys, but I don't see why it would be different.
0
 
scrathcyboyCommented:
Every ADSL router gets a seemingly static IP address, only problem is, it really isn't, it is virtual from the DSL headend in the telco rack.  You only find this out when VPNing across the DSL router, you cannot resolve the IP you think you have.  The Linksys BEFVP41 is a superb VPN endpoint, good as any Cisco, since it is "made by cisco", but they really took Linksys's design before the buyout, it was so well done.
0
 
Rob WilliamsCommented:
>>" only problem is, it really isnt, it is virtual from the DSL headend in the telco rack."
Must depend on the ISP. Currently logged on to Boston from Canada connecting to an ADSL site resolved by DDNS. I don't doubt this is true with some services, but I don't believe all. Also, connected to New York where it is a PPPoE. However, perhaps this explains some difficulties some folks have.

I would always prefer a static cable modem connection, but it is not always an option.
0
 
scrathcyboyCommented:
always use IPsec, especially on this Linksys.  With dyndns.org and PPPoE you are hackable.  Good luck //
0
 
pfernaldAuthor Commented:
Thanks guys for your insights!  I'll start working on today.  Perhaps I will go to static IP if necessary.  Will post later on.
0
 
Rob WilliamsCommented:
Good luck, let us know how you make out.
I have more than a dozen VPNs working with DDNS, but if you have the option Static is always better, if nothing else it eliminates 1 point of failure. However, I know it may be an extra cost for a single user. For $5/month I wouldn't hesitate. Here a dynamic IP is $50/month, a static is $150/month, because the latter is considered a commercial account. You get a lot of other bells and whistles with that, but if all you want is a single static IP, $1200/year per location for single user is a lot.
0
 
pfernaldAuthor Commented:
Again thanks for all your help.  This is a pretty involved process!  You are correct in your assumption that my configuration is:  remote site=>WRT54G=>modem=>Internet=>Westell=>BEFVP41=>XP VPN server.  My comments are below, sorry for the length.  I just wanted to provide enough detail so you could help me to finish-up this project and minimize iterations.

A) The Westell was a combined router/modem as IP of BEFVP41 was 192.168.x.x, so I changed the modem to Bridge mode.  

B) I changed the BEFVP41 IP to something less common.  

C) I configured the VPN server end on the BEFVP41.  Does it matter which user accounts I include for connection? (i.e. Admin, Guest, HelpAssistant or Personal account).  Noticed my father's name/my name.  Is this because I networked the Server and Laptop using the same Group and logged onto the laptop from the server?  I was prompted for User ID and password so I entered my credentials to connect to the laptop.  Perhaps XP Pro took that information and populated the Server side as well and that is why I am seeing a joint type account.  Should I just create a new user or is this already covered with what is going on?  Should I select more than one account?  What's the most secure approach?  Sorry I have not taken that class yet!

Windows XP VPN Server:

Should I assign IP addresses dynamically or set them specifically for incoming computers, the example set them and used a range that was the same as on the server?  Not sure how to proceed here.  What IP address range should I use?  Perhaps you could provide detail in terms of your examples and any constraints in doing so that I need to keep in mind (i.e. step 14) http://www.onecomputerguy.com/networking/xp_vpn_server.htm

Step 20 says "If the VPN server is behind a router, Port Mapping will need to be done on the router. Standard port usage is 1723 for PPTP.  You might also need to configure your router for PPTP Passthrough. Port usage for IPSec is 500, 50-51. These ports will have to be forwarded to the VPN server's IP."  Am I correct to assume that your other step for port forwarding and setting PPTP for passthrough covers this?  What about IPSec, is that supposed to be enabled and set as well?  Does this relate in some way to what Scryboy said at the end of this note below in regards to IPSEC is more secure (i.e. less hackable)?

Windows XP VPN client:

For Step 10, what IP address do I enter (http://www.onecomputerguy.com/networking/xp_vpn.htm)?  Do I enter the host or domain name that I created on DYNDNS?  The actual IP address or the new subnet address I created?  Not sure here as I don't quite have the big picture yet!

I didn't do anything with:  "Note: To make browsing work a little easier, you might want to edit the HOSTS and LMHOSTS files.

These are in the C:\Windows\System32\drivers\etc directory for XP. Just add a line with the IP address of the server followed by it's name. Do I need to do this and if so can you be specific so I don't get lost?  The workgroup name is the same on all computers.

I also went to the properties for the VPN Client connection I just created above and unchecked "Use default gateway on remote computer."  Previously I did this for the BellSouth connection on the Server before getting to these instructions and your additional comments, so I reenabled the virtual connection on the server.  Correct?

D) I enabled PPTP pass-through and forwarded TCP port 1723 to the IP of the VPN Server per your instructional link (http://www.portforward.com/english/routers/port_forwarding/Linksys/BEFVP41/Point-to-Point_Tunneling_Protocol.htm).  

Not sure if this applicable or not as not using static IP address:  "To setup port forwarding on this router your computer needs to have a static ip address. Take a look at our Static IP Address guide to setup a static ip address. When you are finished setting up a static ip address, please come back to this page and enter the ip address you setup in the Static IP Address box below. Do not skip this step!  Please enter the static ip you want to forward to:  192.168.1.X.  What do I do here?

I blocked WAN request in Filters on BEFVP41 and then on Forwarding tab entered the settings provided (Customized Applications/PPTP1; Ext Port/1723 to 1723; Protocol/TCP; Protocol/UDP; IPAddress/Enable).  In the example the last octet was blank.  Do I do the same thing for my configuration?

E) I configured the router for DDNS using DYNDNS and everything seemed to go just fine.

F) Can I dial out on landline that is also the line that DSL is running on top of and then come back in for VPN connection?  Figured you can as separate frequencies/streams etc.  This would make my life easier so I could do all on site as I don't have wireless PDN access at this point (i.e. Verizon Wireless - VZW).

Other:

- When I am at home behind the WRT54G do I need to change any settings there (i.e. IPSEC passthrough) to be able to VPN to Server/BEFVP41 location?

- Should I do anything for lease time as scrathcyboy suggests? (i.e .9999).

- I went to http://www.whatismyip.com and public IP is:  to be provided when I get over to server location as had to write this up at home and cache didn't have the page I viewed where it was provided using MS Explorer.  I was off-line with laptop when I reconfigured the modem and router and forgot and hit the back/forward button and lost my notes!

- What does "always use IPsec, especially on this Linksys.  With dyndns.org and PPPoE you are hackable.  Good luck //" mean?  I asked above about IPSEC settings on both routers.

Thanks much and as I rev up hopefully I can be more brief!

Pete
0
 
Rob WilliamsCommented:
Wow !  You must have been typing since yesterday. <G> Detail is good though. Makes life much easier.

You mentioned you configured the VPN services on the BEFVP41. You have the option of connecting the VPN to the BEFVP41 or the Windows VPN server. You can't do both. We were discussing using a Windows VPN server which is the easier way to go where you haven't done this before. Connecting to the router is actually better and slightly more secure and it is the way I usually do it. However, I have never done so on that unit. I can try to walk you through it if you want to go that route.
If using the Windows VPN server only enable the following, as mentioned above (do not configure the BEFVP41's VPN configuration):
"You will also have to enable forwarding for the VPN traffic from the router to the XP VPN server. To do so, on the router you need to enable PPTP pass-through, and also forward TCP port 1723 to the IP of the VPN server. Instructions for your router can be found at:"
http://www.portforward.com/english/routers/port_forwarding/Linksys/BEFVP41/Point-to-Point_Tunneling_Protocol.htm

Using the Windows VPN option I would choose assign IP's dynamically for your VPN clients. If you choose specify with the XP server it is still DHCP but you can choose a range of IP's. You may want this just for control. For example if the DHCP range for your network is 192.168.1.50-99 you might want your VPN clients to be 192.168.1.100-109. However, always best to keep initial configuration as simple as possible, then add the bells and whistles.

>>"Am I correct to assume that your other step for port forwarding and setting PPTP for pass-through covers this? "
Yes as above.
>>" What about IPSec, is that supposed to be enabled and set as well?"
No, nor L2TP.
There are different encapsulation protocols that can be used for VPNs: PPTP (which is what you are working with here), L2TP and IPSec. scrathcyboy is quite right, IPSec is the most secure and is usually used with hardware based tunnels and 3rd party VPN client software. It is possible to set up a Windows VPN server using L2TP and IPSec, but it is not easy, and I think you would need RRAS and Windows server as the VPN server to do it.  The Linksys RV042 and WRV54G offer an IPSec client for those routers.

>>"what IP address do I enter (http://www.onecomputerguy.com/networking/xp_vpn.htm)?  Do I enter the host or domain name that I created on DYNDNS?  "
Enter the domain name. For test purposes, to keep things simple, you can use the router's Public WAN IP. This IP will change, which is why you want to use the DDNS assigned domain name, but for testing, the IP eliminates one possible problem.

>>"I didn't do anything with:  "Note: To make browsing work a little easier, you might want to edit the HOSTS and LMHOSTS files."
I wouldn't worry about that yet. Get a connection first. With the Windows client sometimes you don't need that. In any case if you think you are connected but cannot connect to a share try using the IP of the computer and sharename such as;  \\192.168.1.123\ShareName  

>>"I also went to the properties for the VPN Client connection I just created above and unchecked "Use default gateway on remote computer.""
At this point you don't need to. That should remain checked unless down the road you need to access the local network and Internet at the same time as the VPN. Enabling is a security feature.

>>"  Previously I did this for the BellSouth connection on the Server before getting to these instructions and your additional comments, so I reenabled the virtual connection on the server.  Correct?""
** Why is there a VPN connection to Bell South? Very curious about this?

>>"Not sure if this applicable or not as not using static IP address:"
The PC you are connecting to, the VPN server, needs to have a static IP, otherwise it may change and you will not be able to connect.

>>"In the example the last octet was blank.  Do I do the same thing for my configuration?"
Same except you need to add the IP of the VPN server PC in the last octet. This is why it needs a static IP (just local static IP like 192.168.1.10).

>>" Can I dial out on landline that is also the line that DSL is running on top of and then come back in for VPN connection?  "
Yes

>>"- When I am at home behind the WRT54G do I need to change any settings there (i.e. IPSEC pass-through) to be able to VPN to Server/BEFVP41 location?"
You shouldn't have to but some people report having to enable PPTP pass-through. Nothing else, and no port forwarding.

>>"- Should I do anything for lease time as scrathcyboy suggests? (i.e .9999)."
The concept is to extend the length of time you retain the same WAN IP, however I doubt you have that option and with DDNS it is not necessary. You may have on your router a "Keep alive" feature. If so I would enable that.

>>"- I went to http://www.whatismyip.com and public IP is: "
Don't forget you want to do this from the VPN server site.

IPSec discussed above. If you want to look at options of connecting to the router rather than Windows VPN server I can certainly try to help you, or at least find links. But I would complete testing with this route first as it is easier and will verify your DDNS service, IP configurations and basic connectivity.
0
 
pfernaldAuthor Commented:
Maybe I was confusing, I set-up the VPN on the server side using Windows XP based on the links you provided and not on the BEFVP41 router.  Any of the defined VPN tunnels including the one I tried to do previously based on Linksys instructions are disabled.  Went with Dynamic IP setting on VPN XP Server as you suggested.

** Why is there a VPN connection to Bell South? Very curious about this? - There's not, I was just confused and tweaked the dialup connection, that's all.  I put it back now that I know better what is going on.

Public IP is 68.221.x.x

Testing now.





0
 
pfernaldAuthor Commented:
Opened VPN Connection from Laptop via dial-up and got 800 error.  Disabled "use default gateway on remote network" but did not make a difference.  Any ideas?
0
 
pfernaldAuthor Commented:
I'll try entering public IP to see if that solves anything.
0
 
pfernaldAuthor Commented:
Didn't matter, still 800 error.  Says "unable to establish VPN connection.  The VPN server may be unreachable, or security parameters may not be configured properly for this connection."  Dial up connection was through Earthlink so not sure if firewall issue on their end.  I used petefernald.dnsalias.org as host name.
0
 
Rob WilliamsCommented:
Sounds like a basic connectivity issue.
I would enable remote management on the router and see if you can connect, as a test. To enable remote management on the router, in the Administration section, on the management page enable remote management and choose a port. The default is 8080.  Then connect using the appropriate port in an Internet Explorer browser using:
http://68.221.x.x:8080  and see if you can log on using your dial-up connection.
This will verify at least the connection/routing to the router is correct.
Your DDNS is working by the way. I can resolve the name with nslookup. Since you posted that here you might want to change it in a few days once working so others don't try and access your system. They can't, but it is a beginning hacker's target.
0
 
pfernaldAuthor Commented:
So I could access the router using remote management.  I'll change my domain as well.  What next?
0
 
pfernaldAuthor Commented:
Still get 800 error so perhaps I am not out from behind my laptop as the error comes immediately.
0
 
Rob WilliamsCommented:
The good news is, that confirms you have a true public IP.
The problem is probably with the port forwarding. Double check the configuration.
I am on the fly but will be back in a couple of hours. If you look at my profile (click on RobWill) there is an e-mail address there you can send me private information. Send me an e-mail address with which I can contact you (do not post here) and I will set up a Windows VPN here so you can connect and verify that part of your configuration is correct. I should be back in 2.5 hours or less.
0
 
pfernaldAuthor Commented:
Yeah, not sure I totally understand all of the concepts here but getting closer.

Thanks,

Pete
0
 
Rob WilliamsCommented:
Pete, I sent the connection information to you, but had to apply for e-mail acceptance so I don't know how long that takes. I'm not going to be around much for 20 hours but try that at least. As for your router it is quite basic. Port forwarding to the VPN PC, as we discussed, and enable PPTP pass-through. I am wondering if some of the other temporary changes you made haven't been cleared on the router. If stuck you might want to reset to factory defaults and reconfigure.
--Rob
0
 
Rob WilliamsCommented:
Pete, should keep discussions of the problem here, as per Experts-Exchange rules. Then it assists others down the road.
>>"Why am I mapping a drive ? "
If you connect using remote desktop there is no need to do anything else. However, you can connect through a VPN in different ways and using different services. One would be to continue using your remote/client PC normally, but have access to files by mapping a drive to a share at the office. The suggestion was this works more consistently using IP's, rather than NetBIOS (Computer) names.

If you are getting an 800 error it is probably not an authentication error, but rather packets being blocked somewhere.

>>"I had entered the wrong IP address and needed to put the one not for the server .1 but for either the modem or the gateway "
To find the IP you want to use; on the PC running the Windows VPN server, at a command line (DOS Window) run:
ipconfig  /all
The value it returns for the "IP Address" of the appropriate adapter (you may have more than one such as wired and wireless) is the one you want to use for Port Forwarding. Ultimately this should be a manually/statically  set address, in case it changes, but if dynamic, that is fine for now.

A 721 error sounds like you might be getting closer. This is often caused by blocked GRE packets. This is why PPTP pass-through needs to be enabled.
0
 
pfernaldAuthor Commented:
I'll be networking a database between the remote and server so do need to map a drive.  Can't I just do that with Win Explorer with tools after VPN is set-up?  Not sure I know how to properly use the command line you provided as I don't understand fully the proper syntax.

I'll do an ipconfig /all on the server side.  Pretty sure it will kick back the new IP subnet address I put into the router.  Wondering if it really is a User account issue.  I still need to verify, tomorrow.

Almost there!
0
 
Rob WilliamsCommented:
>>"I'll be networking a database between the remote and server so do need to map a drive.  Can't I just do that with Win Explorer with tools after VPN is set-up?"
You can try that method, but you probably won't see the other computer.
There are a few things once you have the basic connection that you may want to "fix up". Often you cannot locate computers over a VPN in the same way. 1) the browsing service often doesn't work and 2) NetBIOS names (computer names) are generally not broadcast over a VPN. There are a series of workarounds or you can simply use the IP address. I can post the list of workarounds, but thought we should focus on the connection. Therefore in the meantime if you simply want to access some files you usually map a drive by using a command line. To do so in the Start/Run box enter CMD. This then opens a DOS Window. In the DOS Window enter:
net  use  <drive letter>:  \\<IP address of PC>\<ShareName of PC>
such as:
net  use  Z:  \\192.168.1.123\Data
You will then see in My computer the Z: drive

Another method is just entering  \\192.168.1.123  in an Internet Explorer window or the run box and you will then see the shares available and you can browse to them.

>>"Wondering if it really is a User account issue. "
You did add the user name to the new connection when setting up the Windows VPN server, right?  If you want to check go to; Control panel | Network Connections | right click on "Incoming Connections" and choose properties | Users | make sure the appropriate user is there and checked

If you are still having problems I am willing to log on to the router and verify its configuration. If you wish to do so we can arrange an approximate time and you can disconnect your network so I don't have access. Then change the password once done. Remote management of the router is reasonably safe, but once all of this is complete would disable it.

I noticed your other question:
http://www.experts-exchange.com/Networking/Q_21820099.html
Is this the same VPN connection? If so that is important information.
--Rob
0
 
pfernaldAuthor Commented:
No, other question relates to my wife's laptop that she is accessing her corporate network over our wireless network at home using a VPN client.
0
 
pfernaldAuthor Commented:
Thanks, I'll work on this tomorrow!
0
 
pfernaldAuthor Commented:
RobWill, I confirmed correct IP address for port forwarding and setting is 1723 to 1723 with PPTP enabled.  I checked user accounts and I cannot log on to new created one or others.  Noticed that remote and server are attempting to talk to each other based on CPU activity but then get 721 error.

Not sure where to go from here, but almost there and now understand how and why to map a drive using CMD line prompt.

Pete
0
 
pfernaldAuthor Commented:
So any thoughts?
0
 
Rob WilliamsCommented:
Sorry Pete, I have been on the road last half of the week and behind here. I'll do a little more digging in the morning, but I am on the run still. Just wanted to let you know I haven't forgotten you.
There is something we are overlooking. You have verified your client is working and the issue of whether you have a true public IP has been verified, and you can connect to the router. The 721 error should indicate there is communications but it is not completing the handshaking, most often due to blocked GRE packets. Two things that come to mind:
1) Make sure any software firewalls on the XP VPN server you are connecting to are turned off, such as the Windows firewall
2) I know we discussed before, but is the XP client's "Local Area Connection" on a different subnet than the VPN server? It should be.

As I said, I'll re-read all the above more carefully in the morning and get back to you. Let me know if you want me to log onto the router and have a look.
0
 
pfernaldAuthor Commented:
Windows Firewall is probably on -- I'll check Saturday.  I think the XP client is on a different subnet as we changed the XP server third tuplet, etc.  I'll try and then if still doesn't work then if you could take a look that would be great.  Advise times with EST in mind.  2PM onward I'm busied out.  Sunday's better in the PM, else into Monday.

Pete
0
 
Rob WilliamsCommented:
Pete, ended up tied up all weekend. May be free this afternoon. I will post if so, if not perhaps tomorrow. For the record AST here (1 hour ahead of you)
0
 
pfernaldAuthor Commented:
So I turned off the Windows firewall but that didn't help.  All settings appear to be correct per directions on gateway/router, server and client systems.  I turned off the server so you could verify the gateway/router settings.  I guess you can email or call me for the ID/password.  I will change after you are done.  I will not be on site.  Let me know how you wish to proceed.  Still 721 error and I verified user is the same on both systems in terms of access.  I assume I can be logged onto the client as well as the VPN/server connection using the same ID/password.

Thanks,

Pete
0
 
Rob WilliamsCommented:
Sorry Pete, I haven't been around much the last couple of days. Tax season here. I can log on and check out the router if you like. Send me an e-mail with the connection information and password. If possible disconnect your network for security, and change the password once I am done. I should be around at least all morning tomorrow, Wednesday, starting 8:00-8:30 EST.
--Rob
0
 
Rob WilliamsCommented:
Mmmmmm....
Noticed a couple of things:

- Noticed you have DHCP enabled, with range starting at x.x.x.100 and forwarding is to IP x.x.x.100  
  A) Is x.x.x.100 the correct IP to which you are trying to connect ?  
  B) Best to have the VPN server computer as a static IP, as it may change and your connection will no longer work
  C) If you have statically assigned x.x.x.100 to the VPN server computer, it is possible DHCP has also assigned the same IP to another computer, causing conflicts and forwarding problems. Static IP's should be outside the DHCP range/scope.

- Noticed MTU is set to 1492 This is correct for a PPPoE connection however if using a PPTP VPN it needs to be 1430 or lower. This should not cause a 721 error but will affect performance and you may not be able to view any files. Regardless I would change to 1430 for now. Once you do get the VPN working, you could have a look at the following links as to how to "tweak" the MTU:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnslow.htm
http://help.expedient.net/broadband/mtu.shtml

- The connection to your site seems slow. I did a ping test to the WAN port of the router and I get a response time of about 130ms. Other sites in the US are 35-45ms. Once the VPN is established the connection to the actual computers may be a little slower again. For reasonable performance you want the computer to computer response time to be 150ms or less. That is really out of your hands and shouldn't cause the VPN to not connect, but might be a performance issue down the road. Then again from your sites it may not be an issue.

-So....router seems fine assuming IP and DHCP configuration above is OK
-I tried to connect, to the non existent VPN server, and the router's log file records the attempted connection.
-Thus the problem is probably the VPN server, or its IP as stated above.
There was a fellow with similar problems a while ago who hit the reset button on the router to set it back to factory defaults, and then set up the WAN connection and forwarding all over again and it worked. He felt he had made so many changes to the router that it was "confused". I am doubtful but......
Recreating the VPN server end might be more beneficial.
-I know we have discussed before, but make sure all firewalls are off on the VPN server machine; Windows, Norton, McAfee, ZoneAlarm, etc. Also Internet Worm blocking in Norton's virus software can block PPTP tunnels.
-You change the router password now. I am finished.
--Rob
0
 
pfernaldAuthor Commented:
VPN Server is using dynamic IP and I thought that DDNS helped with the issue of changing IP address resolution.

x.x.x.100 is the correct address of the VPN server that I am trying to connect to from the outside client.

Changed MTU to 1430.  I'll look at links once I get VPN working.

I'll check all firewall and Internet worm blocking settings.  Then I'll rebuild the VPN Server connection.  If neither of those work I'll reset the router again.

Thanks, get back to you in a day or so.  Else I can get a static IP but was hopeful that DDNS solved this issue per our prior discussions above.

Pete

0
 
pfernaldAuthor Commented:
Actually x.x.x.101 is the address of the VPN server but when I used that setting before I got the 800 error.  When I set it to x.x.x.100 I got the 721 error.  Should starting IP address be something different than x.x.x.100?  The server is .101 and I'm assuming the internal address of the router is .100.  When I log onto WLAN with laptop when local to server then it pulls .102.  Made the changes above and will test later PM then start rebuilding VPN server connection and resetting router tomorrow.
0
 
Rob WilliamsCommented:
>>"VPN Server is using dynamic IP and I thought that DDNS helped with the issue of changing IP address resolution."
Using DDNS is fine, but it is dealing with the public IP, the 68.221.x.x address, not the local address. Local should be static in case it is assigned a different IP.

>>"Should starting IP address be something different than x.x.x.100?"
Starting address can be anything between 1 and 254, however it cannot conflict with any other address such as itself and any statically assigned devices, 100 is fine.
The forwarding must point to the computer running the VPN server though, or it will not work. I would manually assign the VPN server computer something like .10 in its TCP/IP configuration of the network adapter, and change the port forwarding to point to that.
0
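The checks described in the two replies above (the forward must point at the VPN server, static addresses belong outside the DHCP pool, client and server LANs must differ, MTU 1430 or lower for PPTP), written as an added Python example that is not part of the original thread. The 192.168.123.x and 192.168.1.x addresses, the pool size of 50 and the dictionary keys are constructed for illustration.

```python
import ipaddress

PPTP_MAX_MTU = 1430  # ceiling quoted in the thread for a PPTP VPN

def audit(cfg):
    """Return a list of findings for one router + VPN server setup."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    lan = net(cfg["server_lan"])
    pool_lo = ip(cfg["dhcp_start"])
    pool_hi = pool_lo + (cfg["dhcp_count"] - 1)
    target, server = ip(cfg["forward_target"]), ip(cfg["vpn_server_ip"])
    out = []
    # The 1723 forward must point at the PC running the VPN server.
    if target != server:
        out.append(f"forward target {target} is not the VPN server {server}")
    if target not in lan:
        out.append(f"forward target {target} is outside LAN {lan}")
    in_pool = pool_lo <= server <= pool_hi
    # A static address inside the pool can also be leased to another host.
    if cfg["server_is_static"] and in_pool:
        out.append(f"static {server} is inside DHCP pool {pool_lo}-{pool_hi}")
    # A leased address can change and leave the forward pointing elsewhere.
    if not cfg["server_is_static"]:
        out.append(f"VPN server {server} uses DHCP; forward can go stale")
    # Remote client LAN and server LAN must be different subnets.
    if net(cfg["client_lan"]).overlaps(lan):
        out.append(f"client LAN {cfg['client_lan']} overlaps server LAN {lan}")
    if cfg["mtu"] > PPTP_MAX_MTU:
        out.append(f"MTU {cfg['mtu']} exceeds {PPTP_MAX_MTU} for PPTP")
    return out

# Constructed values modelled on the thread: forward to .100, server on .101
# via DHCP, MTU 1492. Addresses and pool size are assumptions.
AS_FOUND = {
    "server_lan": "192.168.123.0/24", "client_lan": "192.168.1.0/24",
    "dhcp_start": "192.168.123.100", "dhcp_count": 50,
    "forward_target": "192.168.123.100", "vpn_server_ip": "192.168.123.101",
    "server_is_static": False, "mtu": 1492,
}
# After the suggested changes: static .10 outside the pool, forward to .10.
CORRECTED = dict(AS_FOUND, forward_target="192.168.123.10",
                 vpn_server_ip="192.168.123.10", server_is_static=True, mtu=1430)

if __name__ == "__main__":
    for name, cfg in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        print(name, audit(cfg) or "no findings")
```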
 
pfernaldAuthor Commented:
So how do I make the local IP address static in case it is assigned a different IP?  Not sure how to statically assign an IP to a device.

Do I manually assign the VPN server computer .10 for example using properties with respect to the TCP/IP configuration of the network adaptor?  Is this how you statically assign an IP address to a local address?

Sorry, still learning but am enjoying building the knowledge.  Finishing up Network+ and moving into MCSE training in a couple of weeks.

PF
0
 
Rob WilliamsCommented:
It's a long slow learning curve for all of us. Never seems to end. <G>
Yes on the network adapter. Go to:
Control panel | Network connections | right click on your network adapter and choose properties| highlight TCP/IP Internet protocol and click properties|
Then you have a choice of DHCP "Obtain an IP address Automatically" (the default, which is Dynamic) or "Use the following IP address" (which is static). Select the latter and enter the IP address you wish to use 192.168.x.10 then the subnet mask 255.255.255.0 and the gateway, which is the LAN address of your router 192.168.x.x.  Next you will need to choose the "Use the following DNS server addresses". If the router is configured properly you can simply enter the primary as the router's LAN IP but better to enter the ISP's primary and secondary IP's. You can get those from the Status page of the router.
0
