Can't go from VPN to Net

Status
Not open for further replies.

SuedeWorthey

IS-IT--Management
Jan 6, 2005
5
US
I have a Win2k Server set up with a MS VPN and ICS. I want to be able to access this VPN (from anywhere) and from there access the internet via ICS/NAT. I tried to set up NAT, but it doesn't recognize my internal ADSL modem as a network interface to configure, so I am stuck with ICS. Now, I checked on Microsoft's website, and they say that what I want to do is purposely impossible for security reasons. Is there any other VPN server/client software that will allow me to do this? I have tried just about everything I can think of. Can anyone help?
 
What is the exact IP config of your server now?

Please list all available adapters + config data.

 
Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Cable Disconnected
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-2C-04-77-78

PPP adapter ADSL Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 81.242.198.4
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 81.242.198.4
DNS Servers . . . . . . . . . . . : 195.238.2.22
195.238.2.21

The one that says it's disconnected has a normal IP address of 192.168.0.1, SM of 255.255.255.0 and is normally the default gateway for ICS.

The IP pool for VPN is 192.168.0.100, and same SM. The WAN/PPP connection is my ADSL and is dynamic IP.
 
What exactly is your intention? What you are saying can mean one of two things:

1. You want to be able to connect from anywhere with vpn, and access internet through your own vpn server, in which internet traffic would first come in on your vpn server and then be sent through the tunnel to your remote location. This scenario is perfectly possible.

2. You want "split tunneling". In this scenario, only WAN traffic is routed through the vpn tunnel (for example your shared folders on your server), and internet traffic is routed through the internet connection on the remote system, without being routed through the vpn tunnel. This scenario brings up certain security issues; Microsoft purposely chose not to make this possible with their vpn client, because the VPN server does not perform SPI (stateful packet inspection) on vpn clients, which means that if the remote client does not have a firewall, the VPN server is open to attack because an attacker could route himself through the remote computer, and then through the vpn tunnel to the server.
It is possible though, but only by manually altering the routing table in the remote client.
Other solutions, like WinRoute Firewall by Kerio Technologies, do allow split tunneling on their vpn clients because their firewall has a native VPN server and thus can also perform SPI on tunnel traffic.
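
Added example, not part of the post above or of any vendor tool: a small audit that decides from a remote client's routing table whether it is full-tunnel (scenario 1) or split-tunnel (scenario 2). The route tables, the interface names `eth0` and `ppp-vpn`, and the probe address are constructed for illustration; 192.168.0.0/24 and 81.242.198.4 are taken from the thread.

```python
import ipaddress

# Constructed client route tables: (destination, interface, metric).
# Interface names are assumptions; lower metric is preferred.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0", 20),         # original default route, demoted
    ("0.0.0.0/0", "ppp-vpn", 1),       # VPN default route wins on metric
    ("81.242.198.4/32", "eth0", 20),   # host route that carries the tunnel itself
    ("192.168.0.0/24", "ppp-vpn", 1),
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0", 20),         # internet leaves by the client's own link
    ("81.242.198.4/32", "eth0", 20),
    ("192.168.0.0/24", "ppp-vpn", 1),  # only the server LAN uses the tunnel
]


def select_route(table, dest):
    """Return the outgoing interface: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for net, iface, metric in table:
        network = ipaddress.ip_network(net)
        if addr in network:
            candidates.append((network.prefixlen, -metric, iface))
    if not candidates:
        return None  # no matching route, traffic would be dropped
    return max(candidates)[2]


def audit(table, vpn_iface, lan_net, probe="198.51.100.10"):
    """Classify a client by where LAN traffic and internet traffic go.

    probe is a documentation-range address standing in for any internet host.
    """
    lan_host = str(next(ipaddress.ip_network(lan_net).hosts()))
    if select_route(table, lan_host) != vpn_iface:
        return "vpn-not-routing-lan"
    if select_route(table, probe) == vpn_iface:
        return "full-tunnel"
    # The client is reachable on a second path the VPN server does not inspect.
    return "split-tunnel"


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "->", audit(table, "ppp-vpn", "192.168.0.0/24"))
```

A client flagged `split-tunnel` is the case the post warns about: it should have its own firewall, or the server side should filter tunnel traffic.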
 
#1 is what I want to do. Dial in Via VPN, use remote server for internet and LAN.
 
So, instead of setting up a regular VPN server set up a RAS server and it should let me VPN in, access the LAN and the internet from the server?
 
Yes. The RAS server is in fact also the VPN server; VPN is nothing but an extension to regular RAS. In the port list you will see that the VPN ports have been added as WAN miniports for PPTP and L2TP.

You can see all the settings in the Routing and Remote Access snap-in in the MMC console.
 