VPN ports to allow for accessing shared folders

I have a VPN setup

Windows 2003 SBS/VPN router on LAN, client laptop with remote security client software for remote access

Successfully created IPsec tunnels and can connect remotely to server from outside LAN

Keep getting error 800 when connecting using Network Setup Wizard, Connect VPN

Do I need to open more ports?

I have opened 1723

I think the connection is being made to the VPN router but I need to forward traffic from the router to the server. I think I need to forward some authentication port and also HTTP etc. ports

How does a Windows XP Pro VPN connection work? Do you just log in and network shares are created as when inside the LAN?

What do I put in the user name/password box on the XP client? How do you log in at the client side? Do you need a new profile for VPN, new logon and password?


I know it's a lot of questions but any help would be appreciated

Thanks in advance


usbcrazy1Asked:

blin2000Commented:
In most cases, VPN error 800 is a port issue. Make sure the router supports PPTP pass-through and that it is enabled. Also make sure the router firmware is up to date. These search results may help:

Error 721 and error 800
Q: Error 721 and error 800. I have SBS 2003 Standard Edition. The server has two NICs for NAT on the RRAS. One NIC is for an External IP address of ...
http://www.chicagotech.net/Q&A/vpn25.htm


RAS error code
Error 797 Error 781 Error 783 Error 800 Error 806 - the VPN connection cannot be completed Error 913 ... Error 800: Unable to establish the VPN connection. ...
http://www.chicagotech.net/raserrors.htm

0
usbcrazy1Author Commented:
Thanks blin

My server has 1 NIC, is that bad?
0
blin2000Commented:
No, one NIC should work.
0

usbcrazy1Author Commented:
Any way I can test the ports?

I could connect before and now that I've forwarded some ports

I can't. Maybe I need to restart the server too.

I think the router (Prestige 662H-61) has already configured the ports to forward.

I phoned the tech support, they said it does,

they also said update firmware, to 7 the 8 but

the firmware that came with it is the latest one you can download.

I know this is not that hard and it's a couple more changes to go

but I guess it's the same old story.

How can I test from the WAN that the packets are getting to the VPN router and then forwarded to the server?

0
Rob WilliamsCommented:
You say "Successfully created IPSec tunnels and can connect Remotely to server from Outside LAN"
But "Keep getting error 800 when connecting using Network Setup Wizard, Connect VPN"

Curious as to why you think you are connecting if you are getting an 800 error?

Have you actually set up an IPSec tunnel or a standard Windows PPTP tunnel?
PPTP requires TCP port 1723 be forwarded to the computer you are using as the VPN server, and also GRE protocol 47 (not port 47). On most routers forwarding GRE is done by enabling "PPTP pass-through".
If you have actually used IPSec, you also need to forward the following, based on the configuration you used (probably L2TP with IPSec):
L2TP with IPSec
  To allow IKE forward UDP port 500.
  To allow IPSec NAT-T forward UDP port 4500.
  To allow L2TP forward UDP port 1701.
  Enable IPSec protocols 50 ESP & 51 AH pass-through. May be called VPN or IPSec pass-through.

IPSec
  To allow IKE forward UDP port 500.
  To allow IPSec NAT-T forward UDP port 4500.
  Enable IPSec protocols 50 ESP & 51 AH pass-through. May be called VPN or IPSec pass-through.

Good information for port forwarding for most home office routers can be found at:
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
I don't see your router/modem but look under the Zyxel units until you find one with similar configuration console. On the page you follow from that link you will be able to choose Point to Point Tunneling Protocol to explain the specifics of PPTP pass through.

***Some basic information to possibly start over:***
I apologize, I will not be around much if at all the next 2 days to help. I do not like to start things and abandon people but I hope the following will be of some help.
I assume this is a combined ADSL and router unit, and there are no other routers attached in this configuration.

I suspect you have set up a PPTP tunnel. If you wish to confirm the details the following is a good site:
XP VPN server:
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
XP VPN client:
http://www.onecomputerguy.com/networking/xp_vpn.htm
When setting up the client you will need to know the IP address of the location you are connecting to. This is the Public (assumed static) IP address of your router, provided by your ISP. If you do not know what it is, from the VPN server computer go to http://www.whatismyip.com and it will display the IP you need to enter in the "host name, IP address.." box.
 
Contrary to what support told you, I am very doubtful any port forwarding would be pre-configured on the router. You have to specify the service, port number and IP of the computer to which you are going to forward the traffic.
According to the online manual I looked at for a similar unit, port forwarding would be done on the "NAT-Mode" page. Select "SUA only" and then click edit details. Under start port enter 1723, under end port enter 1723, and under IP address enter the IP address of the computer running the VPN server, then click save.

To Allow PPTP and GRE you will probably have to create a firewall rule. It is possible the above will do this automatically, it does with some routers. However, check, and if the rule doesn't exist you will have to manually create a rule for both. To do so on the "Firewall-Summary" page select "insert" which I believe will open the "Firewall-Edit Rule" page, then make the following selections:
  Action for Matched Packets =Forward
  Source address = Any address (click add)
  Destination address =  Single address
  Start IP = The IP address of the VPN server
  End IP =  The IP address of the VPN server
  Subnet mask = 255.255.255.0 (click add)
  Service = PPTP (TCP:1723)  (click add)
  Service = PPTP_Tunnel (GRE:0)  (click add)
  Schedule/Day to apply = Everyday
  (Click Apply)

You can test if the PPTP traffic is able to reach the VPN server by opening a browser window on the VPN server and going to http://www.canyouseeme.org and testing for port 1723.

To connect, from the client machine open Network Connections and right click on your new VPN/Virtual connection and choose connect. Enter the user name and password of the user you added when you set up the VPN server above, and click the connect button.

You must also have any software firewalls on the VPN server machine, such as the Windows firewall, disabled (preferred for testing) or configured to allow PPTP traffic.

Hope this is of some help and relevant to your equipment.
0
usbcrazy1Author Commented:
You were right Rob

I was connecting using Windows PPTP and hadn't created an IPsec tunnel at all

I'm gonna follow your info and take it from there

Thanks a bunch Rob!

0
usbcrazy1Author Commented:
I can't forward the ports

The canyouseeme.org test shows Connection refused for ALL ports

I can RDC so I know forwarding 3389 works

Could it be the ISP is blocking ports? Do I have to tell them to open them?


This is driving me nuts

Help anyone, I've gotta get this done by Monday morning!!
0
usbcrazy1Author Commented:
The firewall rule is WAN - LAN for forwarding ports 50,51,500,4500,1701,1723??

Then the SUA list forwards 50,51,500,4500,1701,1723 to 192.168.X.X (VPN server IP)

Do I have to add the rule back from LAN - WAN or WAN to WAN/Router??????

0
Rob WilliamsCommented:
Back for a little bit. For the record, though a very nice unit, this router/modem is not a simple unit to configure, and may require some trial and error. Should you need it the information I got was from:
http://us.zyxel.com/web/download/200409092732002004101914365120040811211941_20041105_3.40-P662H-HW_UG_V3-40_2004-11-5.pdf

I am assuming you choose to stick with the PPTP tunnel. IPSec is quite a bit more elaborate.

>>"COuld it be the ISP is blocking ports, do i have to tell them to open them"
Extremely rare that they would block it.

>>"The canyouseeme.org test shows Connection refused for ALL ports "
You went to that site from the VPN server computer right? It will only test from that machine as it requires the port forwarding.

>>"I can RDC so i know forwarding 3389 works"
So you are using remote desktop and connecting to the VPN server (without the VPN of course) from a remote site. Does the CanYouSeeMe site test OK for 3389?

>>"The firewall rule is WAN - LAN for forwarding ports 50,51,500,4500,1701,1723??"
Allow WAN -> LAN for TCP port 1723 and GRE only. Which is PPTP (TCP:1723), and PPTP_Tunnel (GRE:0) services. If you leave PPTP_Tunnel (GRE:0) out you will get a 721 error.

>>"THen the SUA list forward 50,51,500,4500,1701,1723 to 192.168.X.X (vpn server IP)"
SUA forward TCP 1723 to 192.168.x.x (vpn server) only.

>>"DO i have to add the rule back from LAN - WAN or WAN to WAN/Router.??????"
No.

When you are connecting there are no satellite services or additional routers at the VPN server site involved, are there?
0
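Rob's two answers above reduce the problem to a per-service list (TCP 1723 plus GRE for PPTP; UDP 500, 4500 and 1701 plus ESP and AH for L2TP/IPsec; UDP 500 and 4500 plus ESP and AH for plain IPsec), and the rule usbcrazy1 describes, "forwarding ports 50,51,500,4500,1701,1723", shows the common slip of entering IP protocol numbers as port numbers. The Python script below is an added example, not code from this thread or from Zyxel. It checks a constructed list of WAN-to-LAN rules against those requirements, reports what is missing and what is surplus (anything beyond the minimum is an unnecessary hole in the firewall), and maps a missing PPTP piece to the RAS error the thread associates with it (800 when TCP 1723 does not reach the server, 721 when GRE is not passed through). The "TCP:1723" / "GRE" rule notation and the sample rule lists are my own, not the router's.

```python
"""Check router WAN->LAN rules against what each Windows VPN type needs.

Added example for the thread above; the rule notation and the sample
rule lists are constructed for illustration, not taken from the Zyxel UI.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IP protocol numbers. GRE, ESP and AH are protocols, not ports: a rule
# that forwards "TCP port 47/50/51" does nothing for them.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PROTO_NAMES = {TCP: "TCP", UDP: "UDP", GRE: "GRE", ESP: "ESP", AH: "AH"}
PROTO_BY_NAME = {v: k for k, v in PROTO_NAMES.items()}
PORTLESS = (GRE, ESP, AH)


@dataclass(frozen=True)
class Service:
    proto: int
    port: Optional[int] = None  # None for port-less protocols

    def __str__(self) -> str:
        name = PROTO_NAMES.get(self.proto, str(self.proto))
        return name if self.port is None else f"{name}:{self.port}"


def _key(s: Service):
    return (s.proto, s.port or 0)


# What must be allowed/forwarded to the VPN server for each tunnel type,
# as listed in the thread.
REQUIRED = {
    "PPTP": {Service(TCP, 1723), Service(GRE)},
    "L2TP/IPsec": {Service(UDP, 500), Service(UDP, 4500), Service(UDP, 1701),
                   Service(ESP), Service(AH)},
    "IPsec": {Service(UDP, 500), Service(UDP, 4500), Service(ESP), Service(AH)},
}

_RULE_RE = re.compile(r"^(TCP|UDP|GRE|ESP|AH)(?::(\d{1,5}))?$", re.IGNORECASE)


def parse_rules(text: str) -> List[Service]:
    """Parse 'TCP:1723, GRE, UDP:500' (constructed notation) into Services.

    'GRE:0' is accepted because the router labels its service that way;
    the 0 is not a real port and is dropped.
    """
    services = []
    for item in filter(None, (t.strip() for t in text.split(","))):
        m = _RULE_RE.match(item)
        if not m:
            raise ValueError(f"unrecognised rule {item!r}")
        proto = PROTO_BY_NAME[m.group(1).upper()]
        port = int(m.group(2)) if m.group(2) else None
        if proto in PORTLESS:
            if port not in (None, 0):
                raise ValueError(f"{PROTO_NAMES[proto]} carries no port number")
            port = None
        elif port is None:
            raise ValueError(f"{PROTO_NAMES[proto]} rule needs a port")
        services.append(Service(proto, port))
    return services


def lint(rules: Iterable[Service]) -> List[str]:
    """Flag TCP/UDP rules whose 'port' is really an IP protocol number."""
    warnings = []
    for r in rules:
        if r.proto in (TCP, UDP) and r.port in PORTLESS:
            warnings.append(
                f"{r}: {PROTO_NAMES[r.port]} is IP protocol {r.port}, not a port; "
                f"enable {PROTO_NAMES[r.port]} pass-through instead")
    return warnings


def missing(vpn_type: str, rules: Iterable[Service]) -> List[Service]:
    """Services the tunnel type needs that the rule set does not provide."""
    return sorted(REQUIRED[vpn_type] - set(rules), key=_key)


def surplus(vpn_type: str, rules: Iterable[Service]) -> List[Service]:
    """Rules that open more than the tunnel type needs."""
    return sorted(set(rules) - REQUIRED[vpn_type], key=_key)


def diagnose_pptp(rules: Iterable[Service]) -> str:
    """Map a missing PPTP component to the RAS error the thread reports."""
    have = set(rules)
    if Service(TCP, 1723) not in have:
        return "error 800: TCP 1723 is not reaching the VPN server"
    if Service(GRE) not in have:
        return "error 721: GRE (protocol 47) is not passed through"
    return "ok: TCP 1723 and GRE reach the VPN server"


if __name__ == "__main__":
    # Constructed rule sets modelled on the thread.
    samples = [("1723 only", "TCP:1723"),
               ("PPTP complete", "TCP:1723, GRE:0"),
               ("everything", "TCP:50, TCP:51, UDP:500, UDP:4500, UDP:1701, TCP:1723")]
    for label, text in samples:
        rules = parse_rules(text)
        print(label, "->", diagnose_pptp(rules))
        for vpn_type in REQUIRED:
            print("  ", vpn_type, "missing:", [str(s) for s in missing(vpn_type, rules)],
                  "surplus:", [str(s) for s in surplus(vpn_type, rules)])
        for w in lint(rules):
            print("   warning:", w)
```

Run it as-is to see the three constructed rule sets evaluated; the "everything" set is the one from the thread, and the linter points out that TCP:50 and TCP:51 do nothing for ESP and AH. The surplus list is the least-privilege check: once you have settled on PPTP, every rule beyond TCP 1723 and GRE is a hole to close.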
usbcrazy1Author Commented:
Why should IPsec be harder to configure than PPTP? The only difference in config is opening different ports, as far as I can see?

My VPN server is W2003 SBS (I should have said this earlier). Yeah, I did the canyouseeme.org test from there. I'm sure I've got to forward something or open something on the server too?

Do I have to set the right order for the IPsec ports in the firewall rule, as IPsec NAT-T 4500 happens before IKE 500??

I guess the end user doesn't know if they're using IPsec or PPTP, but I know the former is more secure

Thanks again Rob



0
usbcrazy1Author Commented:
When you say satellite services you mean terminal services?

Also I've heard you need to disable PPTP in order for IPsec L2TP to work on W2003 SBS

How do I disable it, just by removing the ports in RRAS?

Thanks
0
usbcrazy1Author Commented:
'this router/modem is not a simple unit to configure, and may require some trial and error'

You don't say :)
0
Rob WilliamsCommented:
>>"Why should ipsec be harder to configure than pptp, the only difference in config is opening different ports? as far as i can see?"
Nope, whole other "kettle of fish". You have to set up templates, certificates, authentication methods..........  The following is not a good tutorial, but does give you an idea of what is involved.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx#EQTAE

>>"My VPN Server is w2003sbs (i should hae said this earlier), "
Somehow I missed that.
The SBS should be your VPN server, not an XP machine. There are no ports to forward when you do that on the server, but the firewall must be configured to allow the traffic if enabled. The following is a link on setting up the VPN server on a 2003 server:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
HOWEVER, on an SBS there are a lot of integrated components. Only use the above to check the configuration afterwards. Use the "Configure E-Mail and Internet Security Wizard" from the server management console to configure the VPN. You will have to make sure in Active Directory, under the user's profile, on the dial-in tab "allow access" is checked, for their account to work with the VPN.

>>"Do i have to set the  right order for the ipsec ports in the firewall rule, as ipsec nat-t 4500 happens before  ike 500??"
Allow PPTP, then allow GRE. Trust me you don't want to get into setting up IPSec. Or at least get PPTP working first, so you know your basic path is working.

>>"I guess the end user doent know if there using ipsec or pptp  but i know the former is more secure"
If the end user doesn't know then they will never connect as the client is also configured differently.
Yes IPSec is more secure.

>>"when you say satellite services you mean terminal services?"
No, satellite. Some internet services work over a satellite connection rather than wires. VPNs won't work, as a rule. Several times after spending hours diagnosing I have discovered that, so thought I had better check.

>>"Also i ve heard you need to disable pptp in order for ipsec l2tp to work on w2003sbs"
No you just don't need to set it up. Again, do not use IPSec until you have been able to get PPTP to work. It is quite a challenge.

>>"How do i disable it, just by removing the ports in RRAS?"
That would do it, but that doesn't enable IPSec.

>>"'this router/modem is not a simple unit to configure, and may require some trial and error'"
I think this will be your main hurdle, the port forwarding on the router.
Also, if your SBS server uses 2 network adapters and all traffic is routed through it the previous scenario would never work. Try setting up the SBS to be the VPN server, that is the right thing to do and you can then allow access to control any machine. Also XP will only allow multiple connection. SBS will allow pretty much as many as you have bandwidth to support.

If you really want to use IPSec, which I highly recommend, you should do so by using a router as the VPN endpoint/server. You use a 3rd party client and then set up the IPSec VPN on the router, rather than a Windows machine. The connection is made to the router, not Windows. With this scenario it is more secure, as no ports are forwarded or open on the firewall, and it gives you access to all resources on the remote network. It looks like your Prestige 662H-61 actually has that capability. However, without having access to one to experiment with I wouldn't want to tackle that. That should be your goal down the road.

Sorry, but I don't expect to be around again today.
--Rob
0

usbcrazy1Author Commented:
I got in touch with Zyxel.

The firmware update was located under 662-HW (wireless) even though there are 662-H folders,

my fault I guess...

I'm not sure about VPN endpoint.

Why is it better to make the Zyxel router the endpoint and not SBS 2003?

Also if you do make the Zyxel router the endpoint, when you forward traffic to the SBS, what part of SBS authenticates and encrypts? Is it RRAS?

Let's say I used IPsec tunneling L2TP, pre-shared key to authenticate, and made the Zyxel terminate the connection, then forward to SBS? Would this be feasible on a one-NIC SBS, 1-way VPN (WAN - LAN) requirement?

Do I need to configure all of Zyxel Router, Zyxel Remote Security Client, Windows VPN on XP Pro, RRAS on W2003 SBS, and put the shared key in ALL?
If the router is the endpoint do I need RRAS?

0
Rob WilliamsCommented:
>>"Why is it better to make the zyxel router the end point and not SBS 2003?"
Making the Zyxel router the endpoint is the better option. However, believe it or not, we were pursuing the simplest option. Making the Zyxel the endpoint is a little more secure in that it does not require forwarding any ports, opening any "holes" in the firewall, and uses IPSec.

>>"Also if you do make the zyxel router the endpoint, when you forward traffic to the sbs, what part of sbs authenticates and encrypts? is it RRAS."
You do not forward traffic to the SBS, the entire local subnet is available to the remote user, by default. You no longer need RRAS for the VPN. All authentication to the network and encryption is done by the Zyxel. The user will still have to authenticate to Windows to access resources as if they were on the same network within the same office.

>>"would this be feasible on a one NIC sbs, 1 way vpn (WAN - LAN) requirement.?"
Absolutely

>>"Do I need to configure all Zyxel Router, Zyxel Remote Security Client, Windows VPN on XP Pro, RRAS on w2003sbs? and put the shared key in ALL,"
No. You configure access and matching security policies on the Zyxel and remote client only.

0
Rob WilliamsCommented:
If you wish to set it up with the Zyxel as the VPN end point the following document, starting on page 434 should be of some help. Sorry I have not worked with this unit and may not be much help. Before starting the configuration you should reset the unit to factory defaults or at least remove the port forwarding and firewall configurations you made.
http://www.zyxel.com/web/support_download_detail.php?sqno=335644
0
Rob WilliamsCommented:
Though this is for a different model Zyxel, it may be of some help:
http://www.dslreports.com/forum/remark,13823816?hilite=suggest
0
usbcrazy1Author Commented:

Thanks for all your help over the last couple of weeks RobWill.
I don't think I could have done it without you.

Here's the output for the successful IPsec connection; I've faked the IPs.

The only thing is I can't RDC into Windows (as soon as I removed the firewall rules), which is good news because the router is terminating the connection, right?

How do I treat port forwarding now? Is my network different now that the router is the endpoint?

I can't make much of all the hash below (gettit, hash algorithms!!) but where exactly below is the proof that an IPSEC tunnel is formed?

 5-01: 12:44:24.530
 5-01: 12:44:24.530 My Connections\GM - Initiating IKE Phase 1 (IP ADDR=200.20.20.123)(fake IP)
 5-01: 12:44:24.530 My Connections\GM - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 5-01: 12:44:24.874 My Connections\GM - RECEIVED<<< ISAKMP OAK MM (SA, VID)
 5-01: 12:44:25.014 My Connections\GM - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 4x)
 5-01: 12:44:25.436 My Connections\GM - RECEIVED<<< ISAKMP OAK MM (KE, NON)
 5-01: 12:44:25.499 My Connections\GM - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 5-01: 12:44:25.577 My Connections\GM - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 5-01: 12:44:25.577 My Connections\GM - Established IKE SA
 5-01: 12:44:25.577    MY COOKIE f0 2e 9 d c6 1e 2a b8
 5-01: 12:44:25.577    HIS COOKIE 31 73 4b e2 fc 25 e5 15
 5-01: 12:44:25.639
 5-01: 12:44:25.639 My Connections\GM - Initiating IKE Phase 2 with Client IDs (message id: 566D46EA)
 5-01: 12:44:25.639 My Connections\GM -   Initiator = IP ADDR=10.0.0.9, prot = 0 port = 0
 5-01: 12:44:25.639 My Connections\GM -   Responder = IP SUBNET/MASK=192.168.x.x/255.255.255.0, prot = 0 port = 0
 5-01: 12:44:25.639 My Connections\GM - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 5-01: 12:44:25.717 My Connections\GM - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 5-01: 12:44:25.717 My Connections\GM - Filter entry 4: SECURE  010.000.000.009&255.255.255.255  192.168.007.000&255.255.255.000  200.20.20.123 added.
 5-01: 12:44:25.717 My Connections\GM - SENDING>>>> ISAKMP OAK QM *(HASH)
 5-01: 12:44:25.717 My Connections\GM - Loading IPSec SA (Message ID = 566D46EA OUTBOUND SPI = 45EFDFD6 INBOUND SPI = 225D8C15)
 5-01: 12:44:25.717

Obviously i will award you the points
0
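The question above, "where exactly below is the proof that an IPSEC tunnel is formed?", has a definite answer in the log: "Established IKE SA" (with the two cookies identifying it) shows IKE Phase 1 completed with the peer, and "Loading IPSec SA ... OUTBOUND SPI ... INBOUND SPI" shows Phase 2 (Quick Mode) completed and a pair of IPsec security associations was installed; the "Filter entry ... SECURE" line is the policy entry that sends traffic for the remote subnet into that tunnel. The Python script below is an added example, not code from the post or from Zyxel; it embeds the log pasted above (with the poster's faked and masked addresses) as constructed sample input and extracts exactly those proof points, so the same check can be run on any log in this format.

```python
"""Pick the proof of an IPsec tunnel out of an IKE client log.

Added example for the thread above, not code from the original post or
from Zyxel. SAMPLE_LOG is the log pasted in the post (with the poster's
faked/masked addresses) embedded here so the script runs offline.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
 5-01: 12:44:24.530
 5-01: 12:44:24.530 My Connections\GM - Initiating IKE Phase 1 (IP ADDR=200.20.20.123)(fake IP)
 5-01: 12:44:24.530 My Connections\GM - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 5-01: 12:44:24.874 My Connections\GM - RECEIVED<<< ISAKMP OAK MM (SA, VID)
 5-01: 12:44:25.014 My Connections\GM - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 4x)
 5-01: 12:44:25.436 My Connections\GM - RECEIVED<<< ISAKMP OAK MM (KE, NON)
 5-01: 12:44:25.499 My Connections\GM - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
 5-01: 12:44:25.577 My Connections\GM - RECEIVED<<< ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 5-01: 12:44:25.577 My Connections\GM - Established IKE SA
 5-01: 12:44:25.577    MY COOKIE f0 2e 9 d c6 1e 2a b8
 5-01: 12:44:25.577    HIS COOKIE 31 73 4b e2 fc 25 e5 15
 5-01: 12:44:25.639 My Connections\GM - Initiating IKE Phase 2 with Client IDs (message id: 566D46EA)
 5-01: 12:44:25.639 My Connections\GM -   Initiator = IP ADDR=10.0.0.9, prot = 0 port = 0
 5-01: 12:44:25.639 My Connections\GM -   Responder = IP SUBNET/MASK=192.168.x.x/255.255.255.0, prot = 0 port = 0
 5-01: 12:44:25.639 My Connections\GM - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 5-01: 12:44:25.717 My Connections\GM - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 5-01: 12:44:25.717 My Connections\GM - Filter entry 4: SECURE  010.000.000.009&255.255.255.255  192.168.007.000&255.255.255.000  200.20.20.123 added.
 5-01: 12:44:25.717 My Connections\GM - SENDING>>>> ISAKMP OAK QM *(HASH)
 5-01: 12:44:25.717 My Connections\GM - Loading IPSec SA (Message ID = 566D46EA OUTBOUND SPI = 45EFDFD6 INBOUND SPI = 225D8C15)
"""

# One regex per fact we want out of the log. Group 1 (etc.) is the value.
PATTERNS = {
    "peer": re.compile(r"Initiating IKE Phase 1 \(IP ADDR=([\d.]+)\)"),
    "phase1_established": re.compile(r"Established IKE SA"),
    "my_cookie": re.compile(r"MY COOKIE (.+)$"),
    "his_cookie": re.compile(r"HIS COOKIE (.+)$"),
    "phase2_message_id": re.compile(r"Initiating IKE Phase 2 .*message id: ([0-9A-Fa-f]+)"),
    "initiator": re.compile(r"Initiator = IP ADDR=([\d.]+)"),
    "responder": re.compile(r"Responder = IP SUBNET/MASK=([^,\s]+)"),
    "secure_filter": re.compile(r"Filter entry \d+: SECURE\s+(.+?)\s+added\.$"),
    "ipsec_sa": re.compile(
        r"Loading IPSec SA \(Message ID = (\w+) OUTBOUND SPI = (\w+) INBOUND SPI = (\w+)\)"),
}


def summarize(log_text: str) -> Dict[str, object]:
    """Walk the log once and record the Phase 1 / Phase 2 milestones."""
    s: Dict[str, object] = {
        "peer": None, "phase1_established": False, "my_cookie": None,
        "his_cookie": None, "phase2_message_id": None, "initiator": None,
        "responder": None, "secure_filter": None, "phase2_established": False,
        "sa_message_id": None, "outbound_spi": None, "inbound_spi": None,
        "notifies": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        s["notifies"].extend(re.findall(r"NOTIFY:(\w+)", line))  # type: ignore[union-attr]
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "phase1_established":
                s[key] = True
            elif key == "ipsec_sa":
                s["phase2_established"] = True
                s["sa_message_id"], s["outbound_spi"], s["inbound_spi"] = m.groups()
            else:
                s[key] = m.group(1)
    return s


def tunnel_up(s: Dict[str, object]) -> bool:
    """Both phases done, and the IPsec SA belongs to the Phase 2 exchange we started."""
    return bool(s["phase1_established"] and s["phase2_established"]
                and s["sa_message_id"] == s["phase2_message_id"])


def proof(s: Dict[str, object]) -> List[str]:
    """Human-readable lines pointing at the evidence (or its absence)."""
    out = []
    if s["phase1_established"]:
        out.append(f"Phase 1: IKE SA established with {s['peer']} "
                   f"(cookies {s['my_cookie']} / {s['his_cookie']})")
    else:
        out.append("Phase 1: no 'Established IKE SA' line; negotiation never completed")
    if s["phase2_established"]:
        out.append(f"Phase 2: IPsec SA loaded for {s['initiator']} <-> {s['responder']}, "
                   f"SPIs out={s['outbound_spi']} in={s['inbound_spi']}")
    else:
        out.append("Phase 2: no 'Loading IPSec SA' line; no tunnel for traffic")
    if s["secure_filter"]:
        out.append(f"Policy: SECURE filter installed: {s['secure_filter']}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("tunnel up:", tunnel_up(summary))
    for line in proof(summary):
        print(" ", line)
```

The check that the SA's Message ID matches the Phase 2 message id is what ties the loaded SA to the exchange the client initiated; a log that stops after "Established IKE SA" (Phase 1 only) makes tunnel_up return False, which is the usual shape of a pre-shared-key or policy mismatch, and is the part of the log to look at first when pings work but nothing else does.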
Rob WilliamsCommented:
To be honest usbcrazy1, I don't understand all of the log outputs from IPSec connections, however none of the common connection issues/problems are present in that log, so it looks good. I assume this is from the Zyxel and you have opted to use its VPN connection. Better choice, but I'm not likely much help with it.

Can you ping any devices at the remote end as a test? Make sure any software firewalls such as Windows, McAfee, Symantec or ZoneAlarm are disabled, at least temporarily for testing.

As for port forwarding, none is necessary. That is the beauty of connecting to a VPN router rather than a VPN server behind the router. More secure as no ports are open/forwarded and you can connect to any device on the remote network as if you were on the same LAN. To use remote desktop now, use the local IP of the computer you want to connect to, as if you were in the same office, rather than the public/router WAN IP.
0
Rob WilliamsCommented:
Thanks usbcrazy1,
--Rob
0
usbcrazy1Author Commented:
I can ping but can't connect to the server

I'm sooooo close
0
usbcrazy1Author Commented:
I can ping all devices in the network

I can see in the Zyxel router the encapsulated IP (it's on a 10.0.X.X range and LAN on 192.168.x.x range)

It's definitely a tunnel, Spock, but not as we know it?
0
usbcrazy1Author Commented:
I can see packets, secure packets, hundreds, nay thousands
being transferred across the network


SHEEEE 'sss ALIIIVEEEE!!!!!!!!!!!

However, still can't access my network places...

I'm sure I've gotta tell SBS that dynamic IPs are coming in through VPN. I would do this through RRAS, where else?
0