
Basic VPN Setup.

Status
Not open for further replies.

jjjax (MIS), Sep 25, 2002
We are running Windows 2000 Server and have a Watchguard Firebox. We'd like to use Windows VPN to be able to connect from remote locations. We have only 1 NIC card in the server that we'd like to use as our VPN server and have assigned an internal IP address to it. I have basically configured it following Microsoft's instructions for one NIC card and know that I will probably have to contact our ISP to have them route VPN connections to us and then configure our Firebox to route connections trying to come in on the VPN ports to the VPN server. We do it now for other things so hopefully that won't be an issue. My questions are:
1. What port(s) does VPN try to use? 1723?
2. Can it be done with one NIC card? From what I read, it appears OK because our Firebox will route it to an internal address.
3. Is there a way to test it internally without going through the Firebox? I set up a VPN connection on my local Windows 2000 Pro client to point to the internal address of our VPN server but get a 678 Error: There was no answer. Can this be done this way?

Thanks, Joe

 
You can't test it internally with just one NIC.

Why do you want to use Windows 2000 Server for your VPN if you have a WatchGuard firewall? The Firebox will handle PPTP or IPSec VPN connections at no additional cost, and you won't have to expose any services on your Win2K box to allow VPN.
 
Any ideas why I would get the no answer error when I try internally?

I looked at setting it up in the Firebox but I'm not sure how to configure it and we don't have support on it anymore. It has a branch office VPN option but that looks like it's looking for an external Firebox address, like it's for connecting 2 Fireboxes? Also, I looked at setting up the PPTP service on the Firebox but I'm not sure how that works because it doesn't give an option to route to an internal address? Do you need RAS running anywhere? Can you give me some more info on setting this up? Thanks, Joe
 
You don't need to route to an internal address with the PPTP service on the Firebox. In Policy Manager, go to Network-->Remote User. Click the PPTP tab and click "activate remote user" (that enables PPTP VPN). (Mobile User VPN is IPSec-based and requires software to be installed on client computers.) You might also enable the security drop from 128 bit, depending on the clients that are connecting. Add some IP addresses to the pool that PPTP will assign to VPN connections in the box indicated.

Now click Setup--Authentication Servers. The first tab lists "Firebox Users". You need to add a user/password for everyone connecting here, and add them to the pptp_users group.

That's all you need -- if you have a large number of VPN users, there is an option to use a RADIUS server (also one to use SAM-type Windows NT user authentication, but that's been touch-and-go for me in the past, so I don't recommend it).

Good luck!

 
Thanks, I am now able to connect to the firebox remotely via my vpn connection but I'm still a little confused on how I can now get out to my network? Since I added a user to the firebox, can I assume that it is not authenticating through our network? Do I need to somehow point it to our VPN server or is that not required now? Is there something else that I am missing? Thanks yet again, Joe
 
In the Firebox network config somewhere, you can indicate DNS/WINS servers for it to assign the VPN client upon connection. The VPN is automatically (or should be, anyway) passing traffic through the VPN to the Trusted interface -- so at the very least, you should be able to RDP to a machine by IP address. If DNS/WINS works through the VPN correctly, you should also be able to do so by name.

And no - the username/password used to VPN to the Firebox is not related to your internal network in any way -- it only exists on the Firebox. Your VPN client will still point to your External IP as before, and establish a connection to the Firebox.

Note that connecting to the VPN does not automatically authenticate you on a domain/local network resources, either - you'll still need to be using cached credentials or some other method (I just RDP to a box inside the network to work).


Hope this helps...
 
Don't think watchguard is going to work as we'd like because we don't want to do the remote desktop type connection. We want to basically try to connect remotely as if we are connecting locally, not remote controlling or even like Citrix using a terminal server type connection, which we currently use. Is there a way to do this with what is already built into Windows?

Any ideas as to why I can't connect locally without going through Watchguard? Then, maybe I can create a user-defined connection forwarding in Watchguard to our VPN server?
 
You need to describe what you're trying to do across the VPN. The applications that would have trouble like I mentioned would be Active-Directory related credential issues, nothing with the Firebox not being compatible.

What kind of "remote locations" do you have and what will they be doing? Do you need to connect entire branch offices with a dozen users? One user at a time?

Yes, you can also create a rule to forward the appropriate ports to the Windows server for a Microsoft VPN solution. But it's safer to use the Firebox if you can.
 
We have only a couple of people, maybe 3-5 total, that through either their laptop or home computer will basically be able to do remotely anything that they can do here. It won't be used much and probably one or two at the most at a time. It's mainly going to be for the owner of the company, who likes things simple, so that when he does it once every couple of months he doesn't have to remember too much. They will run programs like MS Access databases that connect to our SQL server, Outlook to check their email, our app server with programs like Ceridian, Quickbooks data, etc. Most of them will be using the same laptop that they use here in the office as they do remotely, so we'd like them basically to just connect remotely and once they have that connection established and authenticated they wouldn't see a difference. Their desktop, their start menu, ODBC links, mapped drives, etc. will be the same and so on.

I would like to use the Firebox but don't want to get into them having a remote desktop situation because we can just use Citrix for that. I might be wrong, but if you use Microsoft's VPN server solution then it should connect as we hope without having to run another program after establishing a connection?

Thanks, Joe
 
Just a quick follow up. I got it to connect locally using MS VPN but I'm having a problem with going through Watchguard. I can set up a user-defined service with port 1723 as TCP and NAT to forward to our VPN server address, but when port 47 is set to type IP, it doesn't let you do NAT? Can you tell me how to configure Watchguard to forward port 47 and 1723 using NAT to our VPN server address? Thanks again, Joe
 
Didn't know you were using Citrix -- that helps a lot on the application side; WatchGuard's VPN will do fine for that. (It will work the same as any VPN; I was a bit confusing earlier about the proper roles for a VPN in an organization).

I'd test using the WatchGuard as the VPN server and see if you have any problems with Citrix (be sure to tell the Firebox your DNS/WINS server IPs).

You don't need to set up a user-defined service to forward PPTP. There's a Packet Filter for it under 'Add Service' that will forward both ports. :)
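As an added illustration (not code from the thread or from WatchGuard) of what that PPTP packet filter has to let through: the PPTP control handshake runs over TCP 1723, while the "port 47" discussed above is really IP protocol 47 (GRE), which is not a port and which a TCP connect test cannot exercise. The script below speaks the RFC 2637 control handshake to a PPTP server and parses its reply; the sample reply at the bottom is constructed, not captured from any device.

```python
import socket
import struct

# PPTP control-connection constants (RFC 2637). TCP 1723 carries these control messages;
# the tunnelled data rides in GRE, IP protocol 47, which is not a port at all.
PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE, MSG_LEN = 1, 156  # message type "control"; both messages are fixed-length
SCCRQ, SCCRP = 1, 2             # Start-Control-Connection-Request / -Reply
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"

def build_sccrq(hostname: bytes = b"vpn-check") -> bytes:
    """The SCCRQ a PPTP client sends first on the TCP 1723 control connection."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100, 0,    # protocol version 1.0, reserved
                       1, 1, 1, 0,   # framing caps, bearer caps, max channels, firmware rev
                       hostname.ljust(64, b"\0"), b"\0" * 64)

def parse_sccrp(data: bytes) -> dict:
    """Parse an SCCRP; raise ValueError if the bytes are not a PPTP control reply."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_len, msg_type, cookie, ctrl_type, _r0, version, result, error, _framing, _bearer,
     max_chan, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {"ok": result == 1, "result": result, "error": error, "version": version,
            "max_channels": max_chan, "host": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}

def check_pptp_control(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Exchange SCCRQ/SCCRP with a server. Success proves the firewall passes TCP 1723 to a PPTP
    listener; it says nothing about GRE, without which the tunnel authenticates but carries no traffic."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)

# Constructed sample reply (not captured from any real device) to exercise parse_sccrp offline.
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0, 0x0100, 1, 0,
                           1, 1, 8, 0, b"firebox".ljust(64, b"\0"), b"example".ljust(64, b"\0"))
```

Run `check_pptp_control("your-public-ip")` from outside the firewall: a parsed reply with `ok` true means the TCP 1723 side is forwarded; a connection that authenticates but cannot ping anything afterwards points at GRE being blocked.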
 
I guess the thing I'm not getting is how Watchguard knows where to forward it? If I use their built-in PPTP service, it doesn't allow you to do NAT like, say, the Citrix service does, so you can't forward to a specific server, so how will it know to go to our VPN server? Is there something we need to do with DNS? If I do them manually, I can't set port 47 as type IP and do NAT because that option is not available for type IP. Before I go crazy, can you just clear up if what we want to do is possible? We basically want to have remote access so that once they sign on, they don't have to use any other software but it will be just like as if they signed on in the office. I think from what you said about the Watchguard PPTP VPN that they would need another remote desktop program of some kind? If they do it using the MS VPN server then will that work without a remote desktop type program as we want? Sorry for all the questions and I'm sure I could explain it better but thanks for the help. Joe
 
You can do exactly what you describe, no problems.

Any VPN will allow you access to Citrix/Outlook(Exchange)/etc.

You need to use the built-in "Remote User" VPN, without configuring any forwarders in the Firebox.

What this VPN does is connects your client's remote network to your ENTIRE Trusted network. There is no need to point them anywhere to access certain applications if they are using their laptop, because the WatchGuard will have DNS set for them, and all TCP/IP traffic (by default) leaving their network will come to yours (so be sure their systems are patched and virus free!)

If DNS works right through the VPN connection, and Citrix Program Neighborhood/NFuse/etc. uses DNS, then they have no problems. If they double-click on Program Neighborhood, ALL of their traffic gets sent to your network, and the Citrix server responds as it normally would.


Does this help?
 
It would be great if we can get Watchguard to do all you say and eliminate the need for a separate VPN server. I have deleted the 2 user-defined services that I created for port 47 and 1723, then added the built-in PPTP service in Watchguard and left the default settings as they were. I activated remote user on the PPTP tab, enabled the drop in security from 128 to 40 and added a couple of available internal IP addresses to the pool. Then, I went to Setup-Authentication and under the Firebox tab I added myself as a user and password and added it to the group pptp_users. Then under Network-Configuration, I added our internal WINS and DNS servers and our internal domain name. Is that it? Do we need to do anything with the trusted stuff? Right now, the only place I see anything about trusted is under network configuration and the trusted tab, where it has our external IP address /30, and in the secondary network it only has the internal address of our Firebox /24. That's about all I see for trusted. Do we need to enable DVCP VPN on this Firebox? Do I have to do anything with DNS on our DC? Thanks again, every little bit helps! Hopefully we'll get it soon.
 
I hope you meant to say that the TRUSTED interface has your internal Firebox IP and the EXTERNAL has your public (ISP) IP address. Unless you're running a DMZ of some kind, you shouldn't be using the secondary port :(

If yours IS setup wrong, I don't know if it's going to cause problems. I didn't think you could setup a Firebox in routed mode like that.

DVCP is for permanent VPN tunnels (like for a branch office or secondary location). DNS on the DC should be fine -- do note that because the Windows DHCP server isn't handing out the addresses, you might get duplicate entries for laptops in DNS if the clients are set to do dynamic DNS updates. (That's a limitation with lots of non-MSFT VPN appliances. There's not a quick or easy solution for it, and most of the time it won't cause problems).

But yes - it sounds like you have everything set up. I'd test a connection from outside your firebox (if you have more than one Public IP and some spare ones aren't assigned to the firebox, you can put a test box outside your network and try to connect back in). Just be sure you have a firewall on that outside box (a temporary software firewall like Windows Firewall will work in a pinch). Check IPCONFIG /ALL and see what the VPN connection was assigned. If it was correct, see if you can access the services you want!
 
Nope, it's set up the way I said originally. I can make the VPN connection to the Firebox but it seems like the DNS stuff isn't working because I can't browse the network or anything. It's weird, I can't ping from the remote connection to the network, but I tried pinging from the local network to the remote computer and it actually gave a reply to the first and then timed out the next 3 attempts. Does WINS matter, because we don't have a WINS server set up on our network?
 
Are you trying to ping by IP address? It doesn't make sense for them to time out like that, unless there's a REALLY slow connection.

PPTP is probably meant to forward traffic to the trusted interface by default...Your ISP connection belongs in the EXTERNAL port(eth0), and your internal network in the TRUSTED port...If you still have LiveSecurity service for this Firebox, have WatchGuard step you through the process to fix it...
 
Got a little further. I set up the Any service as described in a Watchguard article I found on their site, only letting pptp_users in to trusted and out from trusted to pptp. Now I can ping addresses on our internal network remotely and also the other way. But I still can't browse or map drives, etc... I called Watchguard and of course our Firebox II is not supported anymore so we can't even renew support.
 
WatchGuard is always running trade-in programs for the new FireboxX, if you want to upgrade. ;-)

Are you getting the correct DNS servers? What happens when you try 'nslookup' on the command line from a connected client machine?

 
Well, it looks better. I can browse now and map drives but it's very slow. Hopefully that's mostly because I am just using our emergency dialup account from work to connect remotely, but I will try from my cable connection from home at lunchtime. Possibly one of two things helped: I had just rebooted our WINS server, which I hadn't done nor did it ask me to after setting that up yesterday. Also, I noticed in the Firebox config under the DNS and WINS information it was looking for the domain and it had just our domain name, ourdomain, but I noticed when doing ipconfig it was saying ourdomain.local, so maybe that would have caused some issues? Anyway, I will test speed at lunch and let you know. Is the speed normally pretty good with all high speed connections? What is the best sequence to connect remotely from a 2000 Pro machine so that it gets the login script and so on? Thanks, Joe
 