[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

DrayTek Vigor 2830 VPN domain authentication

Posted on 2011-10-14
8
Medium Priority
?
7,648 Views
Last Modified: 2013-12-02
Router: DrayTek Vigor 2830
Server: Windows SBS 2011
 
How and is it possible to configure the DrayTek Vigor 2830 VPN for domain authentication or for the client to immediately prompt my domain credentials?
 
I’m quite a novice when it comes to VPNs however I have configured the VPN on the DrayTek and it connects perfectly fine... but when I connect via VPN from home and navigate to a server IP from Windows Explorer it prompts for my username and password.  
   
Is there any way to avoid this and add an account within the configuration of the router? Or alternatively I would like for when I connect to be prompted for my domain username and password.
   
Your advice would be much appreciated.
   
Thank you
0
Comment
Question by:the_omnific
  • 4
  • 4
8 Comments
 
LVL 1

Author Comment

by:the_omnific
ID: 36972460
I can connect via PPTP. But when I navigate to a server IP from Windows Explorer it prompts for my username and password.
   
I suspect that I should be using L2TP over IPSec ? How do i configure it?
0
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 2000 total points
ID: 36972507
For the proper setup you should disable VPN PPTP service on Vigor 2830, then setup VPN PPTP pass-thru in Vigor, and let Windows server accept tje dial-in call and authenticate.
If you go this way, I can provide you step-by step instructions.
0
 
LVL 1

Author Comment

by:the_omnific
ID: 36972533
That sounds great. Can you provide me with step by step instructions please?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 2000 total points
ID: 36973774
Here we go:

NAT --> Port Redirection
Click on one of free redirections, and create new redirection rule:

ENABLE: Yes
Mode: Single
Service Name: VPN  
Protocol: TCP
WAN IP: Any
Public Port: -
Private IP: 192.168.0.10 (LAN IP of your windows server)
Private Port:1723



FIREWALL --> Filter Setup --> 2. Default Data filter

Click on one of free filter numbers, and create new filter rule:

Comments: VPN pass
Index(1-15) in  Schedule Setup: (leave default blank)  
Direction: WAN -> LAN
Source IP:  Any  
Destination IP: 192.168.0.10 (LAN IP of your windows server)  
Service Type --> EDIT
    Protocol: TCP  
    Source Port: 1 - 65535  
    Destination Port: 1723
    (other leave default)
Fragments: Don't Care
Filter: Pass Immiduatelly


VPN AND REMOTE ACCESS --> Remote Access Control
Enable PPTP VPN Service=DISABLE (un-check)
 



Then on your Windows server you must configure VPN server role.

Server Management --> Roles --> Add Role
You add "Network Policy and Access Services"

Under this service you enable:
- Routing and remote Access service
- Remote Access Service
- Routing

When services are installed, you navigate onto "Routing And Remote Access Service" role, right-click on it, and select PROPERTIES:
GENERAL
Lan IPv4 router --> LAn and demand-dial routing

SECURITY
Authentication provider: Windows Auth
Methods: MS-CHAPv2
Accounting provider: Windows Accounting

IPv4
Enable IPv4 Forwarding= ENABLE
DHCP= Enable
Broadcast name resolution=ENABLE

PPP
All boxes checked



   
Also check your WINDOWS FIREWALL, if wizard enabled VPN port 1723 to be opened in direction "INBOUND" on this server. If not, create new rule and let port 1723 pass in.
0
 
LVL 1

Author Comment

by:the_omnific
ID: 36974308
Sorry but this method is bypassing the VPN function on the DrayTek completely. I know how to do this. I would prefer to use the DrayTek -it would be a bit of a learn curve for me as well. I just need to create some authentication for the domain on the DrayTek device somehow? Is it possible?
0
 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 2000 total points
ID: 36975717
Aha...ok, no problemo.
You are lucky having LDAP authentication built-in firmware.

So, first I suggest you check router's firmware and if it is lower than 3.3.6.1 upgrade to latest FW.

Then you create new user, but do not chose default authentication, but rather auth against LDAP server. You have it on page 161 and further in user's manual http://www.draytek.com/user/PdInfoDetail.php?Id=126#PdQuLinkInfo
This user will then be able to dial-in via VPN, being it authenticated by LDAP server....but since I did not test this feature, I am not 100% how it will behave agains server resources. It is not VPN dial-in the only mechanism involved - it is caller's PC and his/her login on client PC more related to server resources, rather than VPN dial-in user.
So if you are logged-in your client PC with domain credentials, any VPN connection to domain LAN network should pass you thru.
The only prerequisite is to set on VPN connection to pass-thru NET-BIOS traffic (you set ti on Vigor VPN user's properties)
0
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 2000 total points
ID: 36975722
One other thing I forgot - SUBNETS.

If your Office LAN subnet and VPN client's home LAN are both on the same subnet, then it means trouble.
For example, both are in 192.168.0.1/24 subnet.

VPN router tries to create ROUTE for remote VPN user's LAN subnet to Server's LAN subnet. If subnets are different, route can be created in Vigor's routing table.
But if subnets are the same, route cannot be created, because it already exists. Meaning, server cannot distinguish between LOCAL client and VPN client, and does not know, that user, for example 192.168.0.20 is on local LAN, and 192.168.0.21 is NOT on local LAN, but must route through Vigor.

So, easiest way to prevent this to happen is to use some non-common IP subnet on SERVER-side, for example 10.11.22.0/24 or 192.168.163.0/24, which is very unlikely any other dial-in user would have setup at home.
0
 
LVL 1

Author Closing Comment

by:the_omnific
ID: 37030170
Thanks for your advise
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question