DI-808HV VPN Router and VPN Server Setup

Check this out
1. http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm
2.
http://www.windowsnetworking.com/j_helmig/vpn.htm
3.
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
4.
http://en.wikipedia.org/wiki/Virtual_private_network

All queries answered .

If you liked it.

Reps
points

The simplest way to set up the VPN, would be to configure the D-Link to accept incoming PPTP VPN connections. The following link is quite specific as to how to set up th DI-808HV and the Windows client:
http://support.dlink.com/faq/view.asp?prod_id=1439&question=DI-804HV%20/%20DI-808HV

As for the rest of the configuration, leave DHCP enabled on the 808HV as you have now. On the other routers make sure it is disabled.
I fail to see the advantage of adding the BEFSR41. There is no need for it at all. If you need additional ports for multiple computers just add a basic switch, or you could use the 4 LAN ports only of the BEFSR41.
As for the wireless router, the WRT54G, it could be configured as an access point. To do so:
-do not configure the WAN section
-assign it's LAN configuration an IP in the same subnet as the existing 808HV LAN, such as 192.168.1.2
-again, make sure DHCP is disabled
-connect a cable between one of the LAN ports of the 808HV and one of the LAN ports of the WRT54G. Do not connect to the WAN port of the WRT54G
-now configure the wireless as you would normally. All users can connect and receive a DHCP IP from the 808HV and will be able to share local resources
-I believe both of these devices are auto-detect but check that a connection light come on on each when you plug in the cable. If not you will need a cross-over cable

As for Windows XP firewall settings. The connecting client will be using an outgoing connection. If any changes are required the firewall will ask if you want to allow the service. Click un-block and it will make any necessary configuration changes.
On the XP machines on the 192.168.1.x network. They will only need firewall adjustments if you wish to allow sharing of services. I assume you will want file and print sharing. When you enable file and print sharing it should automatically be configured, but if not open the firewall and make the necessary changes:
control panel | Windows Firewall |Exceptions |check File and Printer sharing.  You shouldn't have any problem with the VPN user accessing the shares but if you do , go back to the exception page, highlight File and Print Sharing and click edit, then change Scope. Check the box "any computer (including those on the Internet)".  The 808HV will actually not allow any Internet users access to the computer except the VPN users.

Hi ded9;

In looking at the first link you mention (http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm) I read the following text:

============ START OF TEXT

When you connect directly via a modem, using a phone-line, or via broadband ( cable modem or DSL/ADSL modem), your systems is getting an Internet IP-address assigned.

when you connect via a router (often the functions of Modem and Router are integrated into a single box, called ADSL-router ) then the router will have an Internet IP-address assigned, while all connected systems will use a local network IP-address, the router handles the communication from the PC's to the internet via IP-address translation (NAT), but that makes it impossible to connect from the internet through the router to a system on the LAN, no connection can be established from the Internet to a VPN-server on the local network.

============ END OF TEXT

This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router.


Hi RobWill;

One aspect I do not understand in the DI-808HV instructions is the assignment of the Virtual IP of PPTP Server. This instructions state:

============ START OF TEXT

Insert the Virtual IP of the PPTP Server (IE 192.168.2.1). This must be different from the LAN IP Address.

============ ENDOF TEXT

My LAN addresses are from 192.168.1.100 to 192.168.1 199 and are assigned by the VPN router'S DHCP. If I assign the box accepting incoming connections to, for example, 192.168.2.1 this might satisfy the requirements of the VPN server via the VPN router, however, I would then not have access from other computers on my LAN to the computer accepting incoming connections and visa versa. (Very confused).

The User Name and Password I enter in the configuration for PPTP Server, does this need to match the user id and password in one of the user accounts on the box accepting incoming connections?


Much thanks ... David

David I haven't set up the D-Link but VPN's require different subnets on the 2 ends of the tunnel. This is so that any routing devices know where to send the packets. If they were the same it wouldn't know where to send a packet to the local or remote  network. In the case of the D-Link I would say the office (192.168.1.0), the D-Link virtual network (192.168.2.0) and the remote site (192.168.x.0) all have to be different. However, that doesn't mean the devices cannot connect. Unlike a local network where they all have to be on the same subnet, the purpose of a router is to allow communications between 2 subnets. Therefore you shouldn't have any problem.

As for the user name and password, they do not need to match anything. Assign whatever you like on the router and that is what the user will need to connect to the VPN router. However, once connected when they try to access a resource such as a file share they will be asked to provide an acceptable network/windows user name and password for the first connection. Depending on how the D-Link works if the user is already logged on to their computer with acceptable credentials they may be passed on. The other extreme is they have to provide a domain name with user name and password such as  MyDomain.abc\MyName or MyName@MyDomain.abc

Also:
>>"This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router."
Is your modem a combined modem and router ? If not just ignore, if it is you will need to log on to the modem and change it from NAT mode to Bridge mode, effectively making it a basic modem.

Hi RobWill;

The Comcast Cable modem I have is a SUREboard sb5100 modem. It has 1 cable input, 1 Ethernet port and 1 USB port. The USB port isn't in use. This does not sound like a router.

So ... if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?

The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP.


Much thanks ... David

I deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic.

The current IP of the Verizon broadband wireless is 70.199.59.10 which is a public IP.

Much thanks ... David

>>"SUREboard sb5100 modem"
Maybe Surfboard 5100 ? If so it's a basic modem and you will have no problem.

>>" if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?"
The virtual IP can be outside of the local subnet , but the configured LAN IP of the router must stay within the LAN subnet, i.e. 192.168.1.0  The D-ling will handle the routing between the 192.168.1.0 and 192.168.2.0 subnets. I suspect this is so that it can properly assign an IP to the VPN client.

>>"The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP."
The WAN IP would be public but the LAN needs to be other than 192.168.1.0 or 192.168.2.0
If they have any problem connecting, try using a wireless connection, if possible, just as a test.

>>" deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic."
Why?

Hi Pal

You have not read the full article it further says

possible solution: if you can get from your ISP ( Internet Service Provider ) 2 IP-addresses,
one for the router and one for a second system and if you can configure the router to allow
to connect onto the local network to the VPN-server, to which the 2nd Internet IP-address
is assigned to.

please read the full article

Reps

Hi RobWill;

Oops! ... I stand corrected ... it is SURFboard ... Thank you!

I deactivated the PPTP routing because it was something I tried not knowing what effect it might have. Since it does not appear to have an effect (at least at the moment) I reversed the change I made earlier which was to activate it. I like to keep administration as clean, neat and straight forward as possible.

To answer your ealier question as to why I have a LinkSys router, it was an extra router and I'm using it to expand the number of available Ehternet ports I have ... there is no other reason than this.

Ok. I did successfully connect to ... something ... from my VPN client. I say "something" because during the time I was connected I checked the status of the D-Link VPN router but it showed no VPN connections. I also checked the status of the box enabled to receive connections and it showed none. But I did successfully become authenticated on the client machine and when I executed the ipconfig command I saw 192.168.2.2 as the second IP associated with my laptop. (The first IP was public corresponding to the Verizon broadband wireless card.) So, progress has been made, I think. This is the first time I've connected to ... something.

On the VPN server box in the TCP properties of the VPN network object I indicated an address range from 192.168.2.1 through 192.168.2.250 which corresponds to the Vitural VPN Server subnet of 192.168.2.0. The LAN IP for this same box I left at 192.168.1.xxx where xxx is dynamically assigned via DHCP from the VPN router.

Does networking usually seem this complex?

I will continue this tomorrow evening.


Hi ded9;

Yes! ... I did read the entire article. I will investigate a second public IP from Comcast as a later resort if other solutions fail.


Much thanks ... David

Hi RobWill;

Thank you for you patience and perseverance in helping me. The client who was asking me for a solution decided not to implement VPN, however, I learned quite a bit from you.


Much thanks ... David

Thanks David,
Hopefully it will be of some help in the future.
Cheers !
--Rob