JasonBrownlee


Simple VPN Setup

I want to set up a VPN that can be accessed anywhere in the world from a laptop.
I want the user to login to the VPN with local Active Directory username / password and have access to our exchange server.

We have a router that is managed by our ISP and behind that a tz170 sonicwall --
What will be the easiest way to get the users access with a VPN?
Should I use the sonicwall or is there some other software that is easy to configure.
I also have spare servers that can be used for this VPN.
adolphus850

Use the SonicWall VPN client, which is purchased separately.  I've used it on the 2040pros.  I think you can get it for the tz170's too.

Adol
Greg Jacknow
Using Windows 2003 R2 Routing and Remote Access services should work.  Free and easy (other than server license)
http://technet2.microsoft.com/windowsserver/en/library/00c498a8-95e7-4780-942e-c4594b01f6151033.mspx?mfr=true
I prefer a dedicated unit for VPN purposes, not a server, but that's me.
Now, to integrate with AD you need a RADIUS server no matter what solution you go with.
Is it just one laptop or multiple?  If business process allows, I would go with
http://products.nortel.com/go/product_content.jsp?segId=0&catId=null&parId=0&prod_id=53021&locale=en-US

Then use a RADIUS server that talks to this unit and integrate with AD.
JasonBrownlee (Asker)
The company I work for is in big favor of free or use what we have. I believe our tz170 has the vpn license but the last IT person who was here told me he could never get it to work.
You just need to set the VPN up; then, I believe, those units also have a VPN client.
You need to set the client up to match the tz unit.
This unit will not support RADIUS.
So the easiest way to get the user access to Exchange / network files would be with the tz170 set up with RADIUS?
No, no.

RADIUS is not supported with your firewall, which means they will not be able to authenticate with AD.
But you configure the firewall with the client software with authentication (basically a username and password, if you will....)
Then you load the client software on the laptop and the policy from the firewall.
Once finished, the user will be able to get into your setup as if he was sitting in the office and access network files and the Exchange box.  Of course, as long as the settings and configuration are done right.
ASKER CERTIFIED SOLUTION
Qlemo
If going with OpenVPN ---> will Exchange work over the connection?
You probably need to create a global VPN key on the SonicWall, then import it into the client, if you have all the software already.  A wizard should take you through it.

The VPN client should only cost around £30 per user if you don't already have it.
Any VPN, if properly configured, will tunnel all traffic.  Therefore Exchange will work through it.

OpenVPN seems like an interesting app.  It is not obvious how that can tie in one's AD username/password. I guess if it can use RADIUS then you can do it that way.

BTW MS gives you IAS (Internet Authentication Server?), which is a RADIUS server linked in to the AD.

I still say the security concerns about PPTP are overblown and it works fine.   How many problems has anyone heard about with it?   All you have to do to disable access from old (Win9x) clients is uncheck one check box, and most of the issues are taken care of.

Greg J

@qjacknow1: If you use PPTP in China, you will have no secrets very soon ... This is no paranoia thing.

@JasonBrownlee: Of course Exchange will work that way.
What server version are you running?
I have both Server 2003 and Server 2000.
I would use either the 2003 or 2000 as a VPN server through Routing and Remote Access.

http://www.chicagotech.net/vpnsetup.htm#How%20to%20configure%20W2K%20server%20as%20VPN%20server
One more thing:

After setting up the VPN server will I need to assign any public ip to the server?
You should be able to set up port forwarding for PPTP on your router to go to the private IP of the server.
I don't have access to the router. The ISP we use has their own router. Would I then need to call them and have them do it?
I would imagine that would be your step.
If your ISP "router" is only a router, it is already forwarding a range of public IPs that are yours, and it should not be blocking any ports.

Your firewall is what would be blocking traffic to your internal network, and is what would have to be configured to have a public IP mapped to a private IP and have certain ports (and protocols) opened to the VPN server.

I found this:  For PPTP VPN connections, you need to open TCP port 1723 for PPTP tunnel maintenance traffic and permit IP Type 47 Generic Routing Encapsulation (GRE) packets for PPTP tunnel data to pass to your RRAS server's IP address.
It's just a router. A Cisco 2200 -- it doesn't block any ports. I've confirmed that with the ISP. Thanks for the information!
In the tz170 go to the firewall tab
then the access rules should be the first thing to come up
use the rule wizard on the top of the page
Click next
click public server rule
click next
Select PPTP from the services drop down menu
Server IP address will be your local IP (192.168.x.x)
Destination interface is LAN
Then click next
and then click apply

Don't forget to go into Active Directory and add these users to remote web workers or individual accounts, and allow the user to dial in.


So I went ahead and am using OpenVPN. Currently I've configured everything correctly, I believe, and the error I'm getting from the client side is this.

Fri Feb 08 10:35:58 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Fri Feb 08 10:35:58 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Feb 08 10:35:58 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 08 10:35:58 2008 LZO compression initialized
Fri Feb 08 10:35:58 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 08 10:35:58 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 08 10:35:58 2008 Local Options hash (VER=V4): 'd79ca330'
Fri Feb 08 10:35:58 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Feb 08 10:35:58 2008 UDPv4 link local: [undef]
Fri Feb 08 10:35:58 2008 UDPv4 link remote: 64.19.32.114:443
Fri Feb 08 10:35:58 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:00 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:03 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:05 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:07 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:09 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:11 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:14 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:16 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)


I've verified that I opened the right port on the firewall, as well as checked with our ISP to make sure nothing needed to be done on their end.
I've taken one of the public IPs they've given us and used it as the connection IP, and it doesn't seem to be working. Anybody have any clues?
The message tells us the OpenVPN server does not respond. Either port forwarding is not working correctly, or the server does not react.
Could you try OpenVPN client and server in the same net, with local addresses, and no route in the OpenVPN config (client config switch route-nopull)? That way, you should get more info.
This is what happens when I do everything on the local network

Fri Feb 08 11:14:51 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Fri Feb 08 11:14:51 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Feb 08 11:14:51 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 08 11:14:51 2008 LZO compression initialized
Fri Feb 08 11:14:51 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 08 11:14:51 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 08 11:14:51 2008 Local Options hash (VER=V4): 'd79ca330'
Fri Feb 08 11:14:51 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Feb 08 11:14:51 2008 UDPv4 link local: [undef]
Fri Feb 08 11:14:51 2008 UDPv4 link remote: 192.168.1.10:443
Fri Feb 08 11:14:51 2008 TLS: Initial packet from 192.168.1.10:443, sid=8079db79 b8dede30
Fri Feb 08 11:14:51 2008 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=Kansas/L=KansasCity/O=KornitzerCapitalManagement/CN=VPN/emailAddress=JBrownlee@Buffalofunds.com
Fri Feb 08 11:14:51 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Feb 08 11:14:51 2008 TLS Error: TLS object -> incoming plaintext read error
Fri Feb 08 11:14:51 2008 TLS Error: TLS handshake failed
Fri Feb 08 11:14:51 2008 TCP/UDP: Closing socket
Fri Feb 08 11:14:51 2008 SIGUSR1[soft,tls-error] received, process restarting
Fri Feb 08 11:14:51 2008 Restart pause, 2 second(s)
Here is my server config--------------------

port 443
proto udp
dev tap
# posted as "dev-nod"; the option is dev-node
dev-node MyTap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.9 255.255.255.0 192.168.1.14 192.168.1.19
keepalive 10 120
comp-lzo
status openvpn-status.log
verb 3

------------------------------------------

Here is my client config---------------------

client
dev tap
dev-node client-tap
proto udp
# posted as "route nopull"; the switch suggested above is route-nopull
route-nopull
remote 192.168.1.10 443
resolv-retry infinite
nobind
ca Jason-B.crt
cert Jason-B.crt
key Jason-B.key
comp-lzo
verb 3

---------------------------------------
OK, two things to remark:

1. The OpenVPN server reacts; there is a difference. Port forwarding does not work with the public IP for some unknown reason.

2. "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: ..."
Your client should use the CA of the server, and the cert / key of the client. The client's file must be signed with the CA of the server.
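A small triage script, added here as an example (it is not part of the thread and not OpenVPN's own tooling), that encodes the diagnosis steps above: it classifies a client log by the three outcomes seen in this thread (no answer from the server at all, a CA mismatch during TLS verification, a completed handshake) and lints a client config for the two mistakes pointed out (the client's own certificate used as `ca`, and `route nopull` instead of `route-nopull`) plus the missing server-certificate check behind the "No server certificate verification method" WARNING line. The sample configs and log lines are constructed, modelled on the ones posted; 192.0.2.1 is a documentation placeholder address. `ns-cert-type server` is the OpenVPN 2.0 option and `remote-cert-tls server` its replacement from 2.1 on; which one applies depends on the version in use.

```python
import re

# Constructed sample data modelled on the formats in this thread (not captures).
CONFIG_BROKEN = """\
client
dev tap
proto udp
route nopull
remote 192.0.2.1 443
ca Jason-B.crt
cert Jason-B.crt
key Jason-B.key
"""

CONFIG_FIXED = """\
client
dev tap
proto udp
route-nopull
remote 192.0.2.1 443
ca ca.crt
cert Jason-B.crt
key Jason-B.key
ns-cert-type server
"""

LOG_NO_RESPONSE = """\
Fri Feb 08 10:35:58 2008 WARNING: No server certificate verification method has been enabled.
Fri Feb 08 10:35:58 2008 UDPv4 link remote: 192.0.2.1:443
Fri Feb 08 10:35:58 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:00 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
"""

LOG_CA_MISMATCH = """\
Fri Feb 08 11:14:51 2008 UDPv4 link remote: 192.168.1.10:443
Fri Feb 08 11:14:51 2008 TLS: Initial packet from 192.168.1.10:443, sid=8079db79 b8dede30
Fri Feb 08 11:14:51 2008 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /CN=VPN
Fri Feb 08 11:14:51 2008 TLS Error: TLS handshake failed
"""

LOG_OK = """\
Fri Feb 08 13:01:52 2008 TLS: Initial packet from 192.168.1.10:443, sid=58d56b1a d4c3801d
Fri Feb 08 13:01:52 2008 VERIFY OK: depth=1, /CN=VPN
Fri Feb 08 13:01:52 2008 VERIFY OK: depth=0, /CN=KCM2
Fri Feb 08 13:01:54 2008 Initialization Sequence Completed
"""

# Leading "Fri Feb 08 10:35:58 2008 " timestamp of the OpenVPN 2.x Windows client log.
TIMESTAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")


def parse_config(text):
    """Return {option: [arg-list, ...]} for an OpenVPN config, ignoring # and ; comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            tokens = line.split()
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def first_arg(opts, name):
    """First argument of the first occurrence of an option, or None."""
    args = opts.get(name)
    return args[0][0] if args and args[0] else None


def lint_client_config(text):
    """Findings for the mistakes discussed in the thread; an empty list means clean."""
    opts = parse_config(text)
    findings = []
    ca, cert = first_arg(opts, "ca"), first_arg(opts, "cert")
    if ca is None or ca == cert:
        findings.append("ca must be the server's CA certificate (e.g. ca.crt), not the client certificate")
    # "route nopull" is parsed as a route to a network called "nopull"; the switch is route-nopull.
    if any(args[:1] == ["nopull"] for args in opts.get("route", [])):
        findings.append("'route nopull' is not an option; use 'route-nopull'")
    if "remote" not in opts:
        findings.append("no remote directive")
    # Without one of these, any certificate signed by the CA is accepted as the server.
    verifies = ["server"] in opts.get("ns-cert-type", []) or ["server"] in opts.get("remote-cert-tls", [])
    if not verifies:
        findings.append("server certificate not checked for server usage; add 'ns-cert-type server' (2.0.x) or 'remote-cert-tls server' (2.1+)")
    return findings


def triage_log(text):
    """Classify a client log as server-not-reached, ca-mismatch, connected or unknown."""
    msgs = [TIMESTAMP.sub("", line) for line in text.splitlines() if line.strip()]
    reached = any(m.startswith("TLS: Initial packet") for m in msgs)
    resets = sum("Connection reset by peer" in m for m in msgs)
    warnings = []
    if any(m.startswith("WARNING: No server certificate verification") for m in msgs):
        warnings.append("no-server-cert-verification")
    if any("Initialization Sequence Completed" in m for m in msgs):
        verdict = "connected"
    elif any("VERIFY ERROR" in m and "self signed certificate in certificate chain" in m for m in msgs):
        verdict = "ca-mismatch"          # client's ca file is not the CA that signed the server cert
    elif not reached and resets:
        verdict = "server-not-reached"   # nothing from the server: port forwarding / firewall
    else:
        verdict = "unknown"
    return {"verdict": verdict, "warnings": warnings, "resets": resets}


if __name__ == "__main__":
    for name, log in (("public IP", LOG_NO_RESPONSE), ("LAN, wrong ca", LOG_CA_MISMATCH), ("LAN, fixed", LOG_OK)):
        print(name, triage_log(log))
    print("broken config:", lint_client_config(CONFIG_BROKEN))
    print("fixed config:", lint_client_config(CONFIG_FIXED))
```

The log classifier keys on whether a "TLS: Initial packet" line ever appears: a run of WSAECONNRESET lines without it means the packets never reached a listening OpenVPN process, which is the port-forwarding case from the first log, while a VERIFY ERROR after the initial packet means the server answered and the client's trust file is wrong.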
Alright, got the CA cert changed to the right cert and it has connected fine over a local network. Should the settings transfer over fine if I switch to a computer outside of this local network?
This is the log after connection.

Fri Feb 08 13:01:52 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Fri Feb 08 13:01:52 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Feb 08 13:01:52 2008 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 08 13:01:52 2008 LZO compression initialized
Fri Feb 08 13:01:52 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 08 13:01:52 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 08 13:01:52 2008 Local Options hash (VER=V4): 'd79ca330'
Fri Feb 08 13:01:52 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Feb 08 13:01:52 2008 UDPv4 link local: [undef]
Fri Feb 08 13:01:52 2008 UDPv4 link remote: 192.168.1.10:443
Fri Feb 08 13:01:52 2008 TLS: Initial packet from 192.168.1.10:443, sid=58d56b1a d4c3801d
Fri Feb 08 13:01:52 2008 VERIFY OK: depth=1, /C=US/ST=Kansas/L=KansasCity/O=KornitzerCapitalManagement/CN=VPN/emailAddress=JBrownlee@Buffalofunds.com
Fri Feb 08 13:01:52 2008 VERIFY OK: depth=0, /C=US/ST=Kansas/O=KornitzerCapitalManagement/CN=KCM2/emailAddress=JBrownlee@Buffalofunds.com
Fri Feb 08 13:01:53 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 08 13:01:53 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 08 13:01:53 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 08 13:01:53 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 08 13:01:53 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Feb 08 13:01:53 2008 [KCM2] Peer Connection Initiated with 192.168.1.10:443
Fri Feb 08 13:01:54 2008 SENT CONTROL [KCM2]: 'PUSH_REQUEST' (status=1)
Fri Feb 08 13:01:54 2008 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.1.0.8,ping 10,ping-restart 120,ifconfig 10.1.0.50 255.255.255.0'
Fri Feb 08 13:01:54 2008 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 08 13:01:54 2008 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 08 13:01:54 2008 OPTIONS IMPORT: route options modified
Fri Feb 08 13:01:54 2008 TAP-WIN32 device [vpn-tap] opened: \\.\Global\{AFA92259-1A1A-45D4-827C-76ADB8B2B11C}.tap
Fri Feb 08 13:01:54 2008 TAP-Win32 Driver Version 8.4
Fri Feb 08 13:01:54 2008 TAP-Win32 MTU=1500
Fri Feb 08 13:01:54 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.50/255.255.255.0 on interface {AFA92259-1A1A-45D4-827C-76ADB8B2B11C} [DHCP-serv: 10.1.0.0, lease-time: 31536000]
Fri Feb 08 13:01:54 2008 NOTE: could not get adapter index for \DEVICE\TCPIP_{AFA92259-1A1A-45D4-827C-76ADB8B2B11C}, status=55 : The specified network resource or device is no longer available.  
Fri Feb 08 13:01:54 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Fri Feb 08 13:01:54 2008 Initialization Sequence Completed
Yes, you should be able to use the same settings. First I would try to use the public IP with the client inside the LAN; if that works, from outside.
Why not use http://support.microsoft.com/kb/833401? I use RPC over HTTP. All it would require your user to do is to log in using their AD credentials, and then use Outlook.
Funny enough, I actually found RPC a few weeks ago and have implemented it. Although the user that I originally set up a VPN for needs access to company docs as well.
Jason,

Yes. That can be a tricky issue when dealing with traveling personnel. I use the SonicWall 2040 as well and the VPN client. Nothing wrong with using a website utilizing SharePoint Services and AD authentication for travelers and interoffice personnel.  Just a thought.