Solved

DI-808HV VPN Router and VPN Server Setup

Posted on 2006-06-18
Last Modified: 2013-11-29
Greetings;

The topography of my network is at http://test.bachandbach.com/Visio-Network%20Topography.pdf

My forte is programming and not networking. Any assistance on getting VPN to work and clueing me in on what I need to obtain to make it work would be most helpful.

I want to allow one or more users to connect to my LAN using VPN through a DI-808HV VPN Broadband Router. I have attempted several tries using the manual which came with the router, the D-Link site and looking at a few posts in this forum. I'm not having good luck.

In the meantime I am going to attempt to tell the VPN router to forward incoming packets for port 1723 to the specific box accepting incoming connections.

A specific question I have in this scenario: what is meant by a VPN Server? Does this refer to software on the box accepting connections or the VPN router or something else entirely? If it's software on the box accepting connections, is it built in to Windows XP Pro SP2 or do I need to obtain a license for separate software?

Much thanks ... David
Question by:David Bach
13 Comments
 
LVL 30

Expert Comment

by:ded9
ID: 16930541
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16930610
The simplest way to set up the VPN would be to configure the D-Link to accept incoming PPTP VPN connections. The following link is quite specific as to how to set up the DI-808HV and the Windows client:
http://support.dlink.com/faq/view.asp?prod_id=1439&question=DI-804HV%20/%20DI-808HV

As for the rest of the configuration, leave DHCP enabled on the 808HV as you have now. On the other routers make sure it is disabled.
I fail to see the advantage of adding the BEFSR41. There is no need for it at all. If you need additional ports for multiple computers just add a basic switch, or you could use the 4 LAN ports only of the BEFSR41.
As for the wireless router, the WRT54G, it could be configured as an access point. To do so:
-do not configure the WAN section
-assign its LAN configuration an IP in the same subnet as the existing 808HV LAN, such as 192.168.1.2
-again, make sure DHCP is disabled
-connect a cable between one of the LAN ports of the 808HV and one of the LAN ports of the WRT54G. Do not connect to the WAN port of the WRT54G
-now configure the wireless as you would normally. All users can connect and receive a DHCP IP from the 808HV and will be able to share local resources
-I believe both of these devices are auto-detect but check that a connection light comes on on each when you plug in the cable. If not you will need a cross-over cable

As for Windows XP firewall settings. The connecting client will be using an outgoing connection. If any changes are required the firewall will ask if you want to allow the service. Click un-block and it will make any necessary configuration changes.
On the XP machines on the 192.168.1.x network. They will only need firewall adjustments if you wish to allow sharing of services. I assume you will want file and print sharing. When you enable file and print sharing it should automatically be configured, but if not open the firewall and make the necessary changes:
Control Panel | Windows Firewall | Exceptions | check File and Printer Sharing. You shouldn't have any problem with the VPN user accessing the shares but if you do, go back to the exception page, highlight File and Print Sharing and click edit, then change Scope. Check the box "any computer (including those on the Internet)". The 808HV will actually not allow any Internet users access to the computer except the VPN users.
0
 

Author Comment

by:David Bach
ID: 16930970
Hi ded9;

In looking at the first link you mention (http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm) I read the following text:

============ START OF TEXT

When you connect directly via a modem, using a phone-line, or via broadband ( cable modem or DSL/ADSL modem), your systems is getting an Internet IP-address assigned.

when you connect via a router (often the functions of Modem and Router are integrated into a single box, called ADSL-router ) then the router will have an Internet IP-address assigned, while all connected systems will use a local network IP-address, the router handles the communication from the PC's to the internet via IP-address translation (NAT), but that makes it impossible to connect from the internet through the router to a system on the LAN, no connection can be established from the Internet to a VPN-server on the local network.

============ END OF TEXT

This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router.


Hi RobWill;

One aspect I do not understand in the DI-808HV instructions is the assignment of the Virtual IP of PPTP Server. The instructions state:

============ START OF TEXT

Insert the Virtual IP of the PPTP Server (IE 192.168.2.1). This must be different from the LAN IP Address.

============ END OF TEXT

My LAN addresses are from 192.168.1.100 to 192.168.1.199 and are assigned by the VPN router's DHCP. If I assign the box accepting incoming connections to, for example, 192.168.2.1 this might satisfy the requirements of the VPN server via the VPN router, however, I would then not have access from other computers on my LAN to the computer accepting incoming connections and vice versa. (Very confused).

The User Name and Password I enter in the configuration for PPTP Server, does this need to match the user id and password in one of the user accounts on the box accepting incoming connections?


Much thanks ... David
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16931104
David, I haven't set up the D-Link, but VPNs require different subnets on the 2 ends of the tunnel. This is so that any routing devices know where to send the packets. If they were the same it wouldn't know whether to send a packet to the local or remote network. In the case of the D-Link I would say the office (192.168.1.0), the D-Link virtual network (192.168.2.0) and the remote site (192.168.x.0) all have to be different. However, that doesn't mean the devices cannot connect. Unlike a local network where they all have to be on the same subnet, the purpose of a router is to allow communications between 2 subnets. Therefore you shouldn't have any problem.

As for the user name and password, they do not need to match anything. Assign whatever you like on the router and that is what the user will need to connect to the VPN router. However, once connected, when they try to access a resource such as a file share they will be asked to provide an acceptable network/Windows user name and password for the first connection. Depending on how the D-Link works, if the user is already logged on to their computer with acceptable credentials they may be passed on. The other extreme is they have to provide a domain name with user name and password such as MyDomain.abc\MyName or MyName@MyDomain.abc

Also:
>>"This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router."
Is your modem a combined modem and router? If not, just ignore; if it is, you will need to log on to the modem and change it from NAT mode to Bridge mode, effectively making it a basic modem.
0
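
The addressing rule described in the comment above, as an added example that is not part of the original thread: a Python check that the office LAN, the D-Link's virtual PPTP network and a remote site's LAN do not overlap. The /24 masks, the segment names and the remote-site ranges are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations


def find_conflicts(segments):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in segments.items()}
    return sorted((a, b)
                  for (a, na), (b, nb) in combinations(nets.items(), 2)
                  if na.overlaps(nb))


def candidate_segments(dest, segments):
    """Names of every segment that contains `dest`.

    More than one name means a router cannot tell whether the packet
    belongs on the local side or the far side of the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    return sorted(name for name, cidr in segments.items()
                  if addr in ipaddress.ip_network(cidr))


# Addressing taken from the thread; the /24 prefix lengths are assumed.
OFFICE = {"office_lan": "192.168.1.0/24", "pptp_virtual": "192.168.2.0/24"}

# Constructed remote-site LANs (not from the thread).
GOOD_REMOTE = dict(OFFICE, remote_lan="192.168.50.0/24")
BAD_REMOTE = dict(OFFICE, remote_lan="192.168.1.0/24")   # same range as the office
WIDE_REMOTE = dict(OFFICE, remote_lan="192.168.0.0/22")  # supernet covering both

if __name__ == "__main__":
    for label, plan in (("good", GOOD_REMOTE), ("bad", BAD_REMOTE),
                        ("wide", WIDE_REMOTE)):
        conflicts = find_conflicts(plan)
        print(f"{label}: {'OK' if not conflicts else conflicts}")
    # A file server address on the office LAN, seen from the overlapping remote site.
    print(candidate_segments("192.168.1.123", BAD_REMOTE))
```

A remote LAN given with a wider mask can collide with both office-side networks at once, which is why the check compares ranges rather than the network addresses alone.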
 

Author Comment

by:David Bach
ID: 16931180
Hi RobWill;

The Comcast Cable modem I have is a SUREboard sb5100 modem. It has 1 cable input, 1 Ethernet port and 1 USB port. The USB port isn't in use. This does not sound like a router.

So ... if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?

The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP.


Much thanks ... David
0
 

Author Comment

by:David Bach
ID: 16931201
I deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic.
0

 

Author Comment

by:David Bach
ID: 16931214
The current IP of the Verizon broadband wireless is 70.199.59.10 which is a public IP.

Much thanks ... David
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16931246
>>"SUREboard sb5100 modem"
Maybe Surfboard 5100 ? If so it's a basic modem and you will have no problem.

>>" if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?"
The virtual IP can be outside of the local subnet, but the configured LAN IP of the router must stay within the LAN subnet, i.e. 192.168.1.0. The D-Link will handle the routing between the 192.168.1.0 and 192.168.2.0 subnets. I suspect this is so that it can properly assign an IP to the VPN client.

>>"The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP."
The WAN IP would be public but the LAN needs to be other than 192.168.1.0 or 192.168.2.0
If they have any problem connecting, try using a wireless connection, if possible, just as a test.

>>" deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic."
Why?
0
 
LVL 30

Expert Comment

by:ded9
ID: 16931277
Hi Pal

You have not read the full article. It further says:

possible solution: if you can get from your ISP ( Internet Service Provider ) 2 IP-addresses,
one for the router and one for a second system and if you can configure the router to allow
to connect onto the local network to the VPN-server, to which the 2nd Internet IP-address
is assigned to.

Please read the full article.

Reps
0
 

Author Comment

by:David Bach
ID: 16931693
Hi RobWill;

Oops! ... I stand corrected ... it is SURFboard ... Thank you!

I deactivated the PPTP routing because it was something I tried not knowing what effect it might have. Since it does not appear to have an effect (at least at the moment) I reversed the change I made earlier which was to activate it. I like to keep administration as clean, neat and straightforward as possible.

To answer your earlier question as to why I have a LinkSys router, it was an extra router and I'm using it to expand the number of available Ethernet ports I have ... there is no other reason than this.

Ok. I did successfully connect to ... something ... from my VPN client. I say "something" because during the time I was connected I checked the status of the D-Link VPN router but it showed no VPN connections. I also checked the status of the box enabled to receive connections and it showed none. But I did successfully become authenticated on the client machine and when I executed the ipconfig command I saw 192.168.2.2 as the second IP associated with my laptop. (The first IP was public corresponding to the Verizon broadband wireless card.) So, progress has been made, I think. This is the first time I've connected to ... something.

On the VPN server box in the TCP properties of the VPN network object I indicated an address range from 192.168.2.1 through 192.168.2.250 which corresponds to the Virtual VPN Server subnet of 192.168.2.0. The LAN IP for this same box I left at 192.168.1.xxx where xxx is dynamically assigned via DHCP from the VPN router.

Does networking usually seem this complex?

I will continue this tomorrow evening.


Hi ded9;

Yes! ... I did read the entire article. I will investigate a second public IP from Comcast as a later resort if other solutions fail.


Much thanks ... David
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 16938446
It sounds like everything is configured correctly. Once you connect to the VPN server (the D-Link) you may not be able to "see" anything. One test is to connect to the D-Link using its normal LAN IP 192.168.1.x. If you can do that the VPN is working. Next, if you have any software firewalls on the PC/servers you wish to connect to, they must be configured to accept the connections. For now as a test just disable them. Then NetBIOS names are not often available over a VPN (there are ways around this) so try connecting to a share using the IP address such as \\192.168.1.123\ShareName. Remember the 192.168.2.0 network is virtual, pretend it doesn't exist.

>>"Does networking usually seem this complex?"
Mmmmmmm.....and you are just at the tip of the iceberg. When you get into serious networking there is as much to know about it, as there is server operating systems. On a scale of 1 to 10 I am a 2 but there are 9's and 10's here.
0
 

Author Comment

by:David Bach
ID: 17439065
Hi RobWill;

Thank you for your patience and perseverance in helping me. The client who was asking me for a solution decided not to implement VPN, however, I learned quite a bit from you.


Much thanks ... David
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17440342
Thanks David,
Hopefully it will be of some help in the future.
Cheers !
--Rob
0
