
Basic VPN Setup.


jjjax

MIS
Sep 25, 2002
114
US
We are running Windows 2000 Server and have a WatchGuard Firebox. We'd like to use Windows VPN to be able to connect from remote locations. We have only one NIC in the server that we'd like to use as our VPN server and have assigned an internal IP address to it. I have basically configured it following Microsoft's instructions for one NIC and know that I will probably have to contact our ISP to have them route VPN connections to us and then configure our Firebox to route connections trying to come in on the VPN ports to the VPN server. We do it now for other things, so hopefully that won't be an issue. My questions are:
1. What port(s) does VPN try to use? 1723?
2. Can it be done with one NIC? From what I read, it appears OK because our Firebox will route it to an internal address.
3. Is there a way to test it internally without going through the Firebox? I set up a VPN connection on my local Windows 2000 Pro client to point to the internal address of our VPN server but get a 678 error: "There was no answer." Can this be done this way?

Thanks, Joe
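Questions 1 and 3 in the post above are connected. PPTP (the protocol behind "Windows VPN" on Windows 2000) uses TCP port 1723 for its control channel, but the tunnel data itself travels in GRE (IP protocol 47), so a Firebox rule that forwards only TCP 1723 lets the handshake through and then the session stalls; conversely, an internal client pointed straight at the server never touches the Firebox, so a 678 there means the control connection itself was not answered. The first thing to establish is therefore whether anything on the server answers on 1723 with a valid PPTP reply. The probe below is an added example, not code from the Tek-Tips thread or from Microsoft or WatchGuard: it builds a PPTP Start-Control-Connection-Request (RFC 2637), sends it to port 1723 and decodes the Start-Control-Connection-Reply. The hostname and vendor strings, and the `build_sccrp` constructed reply used for offline testing, are assumptions; no GRE check is possible from a plain TCP socket, so this only covers the control channel.

```python
"""Probe a PPTP server's control channel (TCP 1723) and decode its reply.

Added example, not from the Tek-Tips thread. Message layouts follow
RFC 2637 sections 2.1 (SCCRQ) and 2.2 (SCCRP). Only the control channel
is exercised; the GRE data channel cannot be tested with a TCP socket.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D     # magic cookie present in every control message
CTRL_MESSAGE = 1            # PPTP Message Type: control message
SCCRQ = 1                   # Start-Control-Connection-Request
SCCRP = 2                   # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100      # PPTP version 1.0
MSG_LEN = 156               # both SCCRQ and SCCRP are fixed at 156 bytes

RESULT_CODES = {
    1: "success",
    2: "general error",
    3: "command channel already exists",
    4: "not authorized",
    5: "unsupported protocol version",
}

# length, msg type, magic, ctrl type, reserved0, version, reserved1,
# framing caps, bearer caps, max channels, firmware rev, hostname, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# same, but version is followed by 1-byte result code and 1-byte error code
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Build a 156-byte SCCRQ advertising async+sync framing, analog+digital bearer."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
                       PROTO_VERSION, 0, 1 | 2, 1 | 2, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate and decode an SCCRP; raises ValueError if it is not one."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, magic, ctrl_type, _reserved, version, result, error,
     _framing, _bearer, max_channels, _firmware, host, vendor) = \
        struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie %#x (not PPTP?)" % magic)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("unexpected message type %d/%d" % (msg_type, ctrl_type))
    return {
        "result_code": result,
        "result": RESULT_CODES.get(result, "unknown"),
        "error_code": error,
        "version": version,
        "max_channels": max_channels,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sccrp(result=1, error=0, hostname=b"firebox", vendor=b"constructed"):
    """Constructed SCCRP (assumed values) so the parser can be tested offline."""
    return struct.pack(SCCRP_FMT, MSG_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
                       PROTO_VERSION, result, error, 1 | 2, 1 | 2, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open TCP to host:port, send an SCCRQ and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            buf = b""
            while len(buf) < MSG_LEN:           # reply may arrive in pieces
                chunk = s.recv(MSG_LEN - len(buf))
                if not chunk:
                    break
                buf += chunk
    except ConnectionRefusedError:
        return {"status": "tcp_refused"}        # nothing listening on 1723
    except socket.timeout:
        return {"status": "timeout"}            # filtered, or no answer
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}
    if len(buf) < MSG_LEN:
        return {"status": "short_reply", "bytes": len(buf)}
    try:
        reply = parse_sccrp(buf)
    except ValueError as exc:
        return {"status": "not_pptp", "detail": str(exc)}
    reply["status"] = "sccrp"
    return reply


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from an internal client against the VPN server's internal address first: `tcp_refused` or `timeout` means the Routing and Remote Access service is not listening on 1723 (the same condition that produces a 678 from the Windows dialer), while `sccrp` with result `success` means the control channel is fine and any remaining failure is on the GRE side, typically a firewall or NAT that forwards 1723 but not protocol 47. Repeat from outside once the Firebox rule is in place.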

 
Speed over cable should be fine. Browsing and such over dialup WILL be painfully slow. Citrix should be okay (not the best, but things like Outlook will work).

The easiest way to run a login script via VPN is to choose the "use dial-up networking" option at the Logon box (or whatever it's called), then choose the VPN connection. It'll connect to the VPN before trying to authenticate against AD. This all depends upon whether or not the machine is joined to the domain, obviously.

Not sure how to run the script automatically after VPN connection, but there's probably a way. Try posting that question by itself, perhaps.
 
Thanks again for all your help! I'll post a reply later on how we make out.
 
OK, it works a lot better using cable instead of dial-up but still not great. I'm used to Citrix, where it basically is like being in the office. Anyway, I just found WatchGuard's site forum and found an existing issue about slowness and wanted to see if you had tried this or knew about it. Here is the post.
--------------------------------------------------------
Topic: RE: Slow PPTP, FB limits MTU to 310 bytes?! (5 of 9), Read 247 times
Conf: PPTP
From: W G Moderator
Date: Tuesday, July 27, 2004 08:51 AM

OK, I found the problem, and it's not just a client-side issue. The FB is for some reason negotiating differently with XP machines from the way it talks to other OS's. Add this line to your .cfg file:

networking.remote_vpn.pptp.pptpd_args: debug mru 1400 mtu 1400

This does a couple things. It turns on data channel debug logging, and it sets the arguments sent during LCP to acceptable values.

-----------------------------------------------------------
 
I've never run across that issue; our Firebox III and Firebox X models never had problems on XP.

Performance won't be equivalent, but it should be reasonable on a decent broadband connection, unless you've got apps that just need a great refresh (word processing, for example).

Have you considered NFuse as an alternative to VPN? You could deliver all of your Citrix apps over a web-based ICA instead of having to worry about VPNs -- and NFuse can add a large number of extra security options, too.
 
I'm going to look into the NFuse but after all that, they will probably just continue to use the Citrix ICA client that we've been using without a problem for 5 years! Thanks, Joe
 