I need help setting up a VPN over the internet between my servers (Windows Server 2003/Netscreen 5GT) and the outside world (Windows XP/Linksys WRT54G)

I am looking for help through the process of setting up a VPN.  I am assigning 500 points to this question because I will need help through each of the steps.  I do have a current Netscreen tech support contract which I will be using and I am familiar with configuring servers and desktop computers.  I mainly need guidance throughout the process as this is the first time I have set up a hardware VPN and I can't seem to figure it out.

I have two servers running Windows Server 2003 behind a Netscreen 5GT firewall.  I want to connect to those servers using a VPN over the internet from computers running Windows XP behind Linksys WRT54G routers.

After doing some reading I believe that L2TP over IPSec will work for me.  Does that make sense?  To that end I have already set up the Linksys routers with L2TP and IPSec passthrough enabled and PPTP passthrough disabled.

Here are the steps that I think may need to be taken.  There may be more or less but this seems to be it from what I know right now.

  1 - Do any needed domain controller configuration
  2 - THIS IS THE BIG ONE - Do any needed Netscreen 5GT firewall configuration
  3 - Do any needed remote computer connection setup and configuration

Rob Williams Commented:
Hi Todd. Sorry I read too much into "I want to connect to those servers using a VPN". Thought you were wanting to use the servers as VPN end points.
Let's start over. <G> and I won't be much help I'm afraid.

1) There is no configuration of the domain controller, but you will want to add the DC's, or rather internal DNS server's,  IP in the VPN configuration to allow for name resolution
2) Yes lots! There is no port forwarding required at all but the Netscreen will be your VPN end point and require configuration
3) Computer configuration
   a) Netscreen site, only need to configure a user account, which is likely done, and if any software firewalls such as the Windows firewall are in place, you will probably have to configure to allow the services you wish to use. Best bet with the software firewalls is to disable during testing and deal with after
   b) client site, install and/or configure the appropriate client software, and map the drive/s or configure services you wish to use.

However, I am afraid that information is of little help in assisting you to configure. Netscreen is in the top 5 firewalls as far as features, dependability and security, but there is little or no documentation available without a support contract. With others such as Cisco you can get a lot of support on this site but there are only a few experienced Netscreen users here to assist, and it is sometimes hard to get their attention. Since you have a support contract you could browse their site for documentation, or perhaps call to see how much assistance they can give you. Cisco will actually log on to your router and set it up for you, with the right support contract. In any case I would think you might want to use the IPSec client as it is the most secure and reasonably straightforward to set up.
1- No
2- You will need to open ports for IPSec traffic on both ends so the servers can accept incoming VPN tunnels.
3- Depends if you need remote desktop connection?

If you can afford a VPN capable router on the XP computers' side it would be better. Otherwise, set up the VPN users on the Netscreen 5GT instead of on the Windows servers. It is more secure and reliable.
Todd_Anderson (Author) Commented:
1 - Hmm...  That sounds nice.  Keeps it simple.  I thought I would have to set up my DNS (HOST, PTR, ...) for the computers that are going to access my domain through the VPN?

2 - As I mentioned I already opened the ports on the remote computer's side (in the Linksys WRT54G the L2TP and IPSec passthrough have been enabled).  Setting up the Netscreen 5GT appears to be the big task.  I will talk with Juniper about this in the morning but I may need some advice here.

3 - I may have said something misleading above.  Remote desktop is unrelated to VPNs.  I already have that all set up and running.  I am using Remote Desktop to configure my servers and the Netscreen 5GT which are at a colocation site.  What I am talking about here is the configuration of the new 'Connection' for the VPN on the remote XP machines that are behind the Linksys routers.  There are a lot of options there that I am not sure about.
Rob WilliamsCommented:
If configuring an L2TP/IPSec VPN on the server at the office you should enable L2TP and IPSec pass-through on the WRT54G as you have done.
On the Netscreen you need to configure port forwarding to the server:
  To allow IKE forward UDP port 500.
  To allow IPSec NAT-T forward port UDP 4500.
  To allow L2TP forward port UDP 1701.
Then also enable IPSec protocols 50 ESP & 51 AH pass-through.  This may be called VPN or IPSec pass-through, or on a Netscreen it may be a specific command or rule.
Setting up the L2TP/IPSec VPN is not an easy task. The following article will outline the steps:

A simpler option would be to use a PPTP tunnel, which is quite straight forward to set up. The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
Windows XP client configuration:
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details about that see the following link. Click your router make and model # which will take you to another page where you need to click on PPTP forwarding for details specific to your router:
The only other thing to remember is the subnet you use at the remote office needs to be different from the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

Your 3rd and best option is to configure an IPSec tunnel that connects directly to the Netscreen using their VPN client. I am afraid I have not configured the Netscreen, but they are a very good unit. Using this configuration requires no port forwarding which increases security as well as a more secure IPSec tunnel.
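The port-forwarding lists and the "different subnet at each end" rule above, turned into a small checker. This is an added example and not code from the thread or from Juniper; the VPN option names, the function names and the sample subnets are my own choices, and the GRE entry for PPTP comes from general PPTP knowledge rather than from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Office-side forwarding/pass-through per VPN option from the answer above.
# ("udp"/"tcp", port) = port forward to the server; ("ip", n) = IP protocol
# number that must be passed through (no port).
VPN_REQUIREMENTS: Dict[str, List[Tuple[str, int]]] = {
    # Windows 2003 as the L2TP/IPSec endpoint behind the Netscreen
    "l2tp-ipsec": [("udp", 500), ("udp", 4500), ("udp", 1701),
                   ("ip", 50), ("ip", 51)],
    # Windows 2003 as the PPTP endpoint; GRE (protocol 47) is what the
    # router's "PPTP pass-through" permits (general PPTP knowledge, not the thread)
    "pptp": [("tcp", 1723), ("ip", 47)],
    # Netscreen IPSec client: the tunnel ends on the firewall, no forwards
    "netscreen-client": [],
}


def required_forwards(kind: str) -> List[str]:
    """Human-readable rule list for one VPN option."""
    rules = []
    for proto, num in VPN_REQUIREMENTS[kind]:
        if proto == "ip":
            rules.append(f"pass-through IP protocol {num}")
        else:
            rules.append(f"forward {proto.upper()} port {num} to the server")
    return rules


def overlapping_subnets(office: str, remotes: List[str]) -> List[str]:
    """Remote LANs that overlap the office LAN (any CIDR, not just /24).

    A client whose own LAN uses the office range keeps routing those
    addresses locally, so its traffic never enters the tunnel."""
    office_net = ipaddress.ip_network(office, strict=False)
    return [r for r in remotes
            if ipaddress.ip_network(r, strict=False).overlaps(office_net)]


def suggest_remote_subnet(office: str, taken: List[str]) -> str:
    """First 192.168.N.0/24 that clashes with neither the office LAN nor
    any subnet already in use at another remote site (constructed helper)."""
    avoid = [ipaddress.ip_network(n, strict=False) for n in [office] + taken]
    for n in range(1, 255):
        cand = ipaddress.ip_network(f"192.168.{n}.0/24")
        if not any(cand.overlaps(a) for a in avoid):
            return str(cand)
    raise ValueError("no free 192.168.N.0/24 subnet")
```

With the office on the WRT54G default of 192.168.1.0/24, a remote site left on the same default shows up in `overlapping_subnets`, and `suggest_remote_subnet` returns the next free /24.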
Todd_Anderson (Author) Commented:

Thank you for your response.

In your comments above am I correct in understanding that in the first two options the VPN would be using the VPN software built into Windows Server 2003 and in the third option it would be using the hardware in the Netscreen?  If so, your third option is what I have been trying to do.

Todd_Anderson (Author) Commented:

Your comments have cleared up several issues already for me.  I have two goals here.  One is to get the VPN set up but the other is to understand what I am doing!  This is helping me a lot with the second goal.

I have been reading the Netscreen documentation and it is so complicated I can't even get started.  Their main manual for the 5GT is over 1800 pages long!

I am getting ready for a big call to Juniper this morning.  I will be back this afternoon to continue this discussion.


Rob WilliamsCommented:
If you haven't configured a VPN before there can be a lot to learn and do. Netscreen is one of the few I have never worked with and cannot help much, but if you can get help locally, or through Netscreen, at least with the initial configuration it should help quite a bit. Some manufacturers have sample configurations you can download and install. After that you mostly just change them for your IP configuration.

Let us know how it goes with Netscreen.
Todd_Anderson (Author) Commented:
Ok, got it working but it took purchasing Juniper's Remote VPN Client software ($100 for 10 seats) and their support contract for them ($20 per year).  After several marathon phone calls to tech support it is working.  I'm still working out some bugs.  For example, I have to use the fully qualified name of each computer on the network.  I seem to remember that there is a way to tell Windows Server 2003 to substitute a domain if one isn't present.  Anyone else remember that or know how to do that?

Thanks for the help.  I've learned a lot in the last couple of weeks!

Rob WilliamsCommented:
Thanks Todd.

As for name resolution/FQDN try on the properties for your client PC's network adapter, under advanced TCP/IP properties:
1) under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
2) under DNS in the "DNS suffix for this connection" box add your domain such as  mydomain.com
Todd_Anderson (Author) Commented:

Already had 1 as you described but 2 did the trick.


Rob WilliamsCommented:
Glad to hear Todd.
Question has a verified solution.