Configuring a VPN Server on Windows 2000

Status
Not open for further replies.

stoormz (IS-IT--Management), Dec 16, 2003
I have a Windows 2000 Server and I have SBC/DSL. The DSL people gave me a Netopia Cayman 3546 router. This server has one NIC card and it is connected to my network. How do I set up VPN on this server with only one NIC card? I have set up my Netopia 3546 router to pass PPTP and GRE. Please help.

Thanks in advance.
 
quoted from
How to configure W2K server as VPN server

To set up a Windows 2000 server for VPN, open the Routing and Remote Access console in the Administrative Tools folder, right-click the server and then click Configure and Enable Routing and Remote Access > Virtual private network [VPN] server. Click Next if TCP/IP is the only protocol you will use. Select a connection you will connect to on the Internet Connection. You will have two options to assign IP to VPN clients. The default is Automatically. It is recommended to configure the server to assign client addresses from a static address pool, rather than assigning addresses from a DHCP server. If you configure RAS to assign client addresses from a static address pool, clients inherit the DNS and WINS settings from the RAS server. If your RAS server can browse the network, clients should also be able to browse the network with the same settings. If you prefer DHCP, verify that DHCP scope option 44 (WINS/NetBIOS name server) points to the WINS server and scope option 6 shows the address of your DNS server. When you don't define these options, you almost guarantee problems with client browsing. Finally, you can select using RADIUS or not.

NOTE: If VPN traffic is traveling through a router or firewall, configure the router or firewall to pass PPTP (TCP Port 1723 and IP Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN server.


Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
 
Thank you for the quick response:

I go through the same steps that you described, but when I pick "Virtual private network (VPN) server" in the common configuration and then pick TCP/IP in the Remote client protocols, it asks me for the Internet Connection. I only have one network card in the machine. When I pick my network that is on the LAN I get this message:

You have chosen the last available connection as the internet connection. A VPN server requires that one connection be used as the private network connection.

I can pick No internet connection but then what do I do?
I only have one NIC card on this server. It seems that Windows 2000 needs 2 NIC cards for VPN to work: one NIC on the internet and one NIC on the LAN, a multi-homed machine.

Please help..

Thanks
 
RRAS likes 2 network cards. One on the private network, one on the internet.

Having said that, I have configured W2K using a single card. I tried to walk someone through the process a few weeks ago, but found I couldn't remember how to get RRAS to deal with a single card. Since then, it has come to mind that the work around is to bypass the RRAS console and use the same procedure used to configure a VPN server in W2K Pro. Note that I have not had a chance to get back to that one, and I don't have W2K server on site anymore, so I won't promise this works. Again, something does work, it can be done, and I think this is the way, working from memory.

Start --> Network Connections --> New connection.

Click Next on the welcome dialog box.

On the connection type box, mark Accept Incoming Connections and click next.

On the devices page, unmark all devices. Yep, that's right. None of them should be marked. Doesn't matter that your internet connection isn't there. Click next.

Should get the Incoming Virtual Private Connection box next, mark the Allow Virtual Private Connections box and click next.

Now you should have the Allowed Users dialog, mark all accounts that are to be allowed access and click next.

On the networking components page, select the protocols you need. Make sure that you at least have TCP/IP marked.

Highlight TCP/IP and click properties. The 'Allow callers to access my local network' will enable routing from the VPN to your local network, use the option that suits you best.

In TCP/IP address assignment, the DHCP option has some problems so you will have better luck marking the 'specify TCP/IP addresses' box and entering a range of addresses. If you want to route back to your local LAN, you should be RFC compliant (192.168.1.0 net address with a 255.255.255.0 mask on your network) and select addresses from the same network for the VPN. If DHCP is running on the network, make sure the addresses are excluded from the pool. You must have at least two addresses even though you only have one connection available, as the server side takes one. Four or more is a good idea as the addresses are not released immediately upon a disconnect. If something happens to break the connection, you may not be able to get back in right away.

The box for 'Allow calling computer to specify its own address' will do exactly what it says, however the address does have to be an available address from the specified pool. If you have the DHCP box marked, the address must be available from the DHCP server. Either way, not a good idea if you can help it.

Should be ready to hit OK on the TCP/IP properties box.

Adjust any other components/protocols as needed and hit next on the networking components dialog.

The next box is a teaser, you can't really change the Incoming Connections name, so hit finish.

Guess what!?! You're finished, as indicated by the finish button. You can go to Networking connections and adjust the properties of your incoming connection as needed.

Sorry, no screen shots or anything of the sort with this one, but it should get you going.

Also, note that this is a cut'n'paste deal from instructions for W2K Pro, so some things might be just slightly different. I'll restate again, I don't have a machine to try this with, and my memory isn't what I would like it to be, so no promises. Post back if it doesn't fly.
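
The addressing rules from the walkthrough above (VPN pool on the LAN's own private subnet, excluded from DHCP, at least two addresses and preferably four) written as a pre-flight check. This is an added example, not part of the original thread; the function name, finding codes and sample addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Private ranges a LAN is expected to sit in (RFC 1918).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _span(first, last):
    """Inclusive address range as a pair of integers."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi

def check_vpn_pool(lan, pool, dhcp_scope=None, dhcp_exclusions=()):
    """Return {finding_code: message}; an empty dict means the pool passes."""
    net = ip_network(lan)
    lo, hi = _span(*pool)
    findings = {}
    if not any(net.subnet_of(r) for r in RFC1918):
        findings["lan-not-private"] = f"{net} is not RFC 1918 address space"
    # Usable host addresses exclude the network and broadcast addresses.
    if not (int(net.network_address) < lo and hi < int(net.broadcast_address)):
        findings["pool-outside-lan"] = f"pool is not inside {net}"
    size = hi - lo + 1
    if size < 2:
        findings["pool-too-small"] = "the server side takes one address; need at least 2"
    elif size < 4:
        findings["pool-tight"] = f"only {size} addresses; stale leases can lock you out"
    if dhcp_scope:
        d_lo, d_hi = _span(*dhcp_scope)
        excluded = [_span(*e) for e in dhcp_exclusions]
        # Pool addresses that fall in the DHCP scope and are not excluded from it.
        clash = [str(ip_address(a)) for a in range(max(lo, d_lo), min(hi, d_hi) + 1)
                 if not any(e_lo <= a <= e_hi for e_lo, e_hi in excluded)]
        if clash:
            findings["dhcp-overlap"] = "DHCP can still lease: " + ", ".join(clash)
    return findings

# Constructed sample values, not taken from the thread.
LAN = "192.168.1.0/24"
POOL = ("192.168.1.200", "192.168.1.203")
DHCP_SCOPE = ("192.168.1.100", "192.168.1.220")

if __name__ == "__main__":
    print(check_vpn_pool(LAN, POOL, DHCP_SCOPE))          # overlap reported
    print(check_vpn_pool(LAN, POOL, DHCP_SCOPE, [POOL]))  # clean once excluded
```
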
 
Guys, I have the same setup. Win2k Server as VPN Router, a home computer with win2k pro. I can connect to vpn server and authenticate my domain user name and pass. I can also ping the VPN server from a remote computer, however I cannot browse resources from the office network.

My HOME:
ip: 192.168.10.x

My Office:
ip: 192.168.0.x

What could be the possible errors? Thanks
 
I am running Windows 2000 Server and when I select Accept incoming connection I get this message:

Because this Windows 2000 Server belongs to or controls a domain, you must use the Routing and Remote Access system console to configure this machine to receive incoming connections. Cancel changes and switch to this console?

Yes or No

So basically you can't use this function in Windows 2000 Server.

Can you please advise!
 
1. VPN server with one NIC: try Manually configured server option.

2. Must use RRA: quoted from Incoming Connection or VPN
You can create an incoming connection on a computer acting as a remote access server if it is running Windows 2000, XP Pro. or if it is a stand-alone computer running Windows 2000/2003 Server. For large numbers of incoming connections on a computer running Windows 2000/2003 Server as a router or as a domain controller, or a member of a domain, you should use Routing and Remote Access to create a remote access server.


Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
 
You need to choose no internet connection. Then continue on through the wizard for RRAS. That tells Win2k that you don't have a public IP address.

Thanks in advance to all users out there who continually answer all of our questions. Although I try to answer some questions, I usually am asking.
 
Hi.
Similar problem.
I have two NICs. I am able to establish a VPN connection, but the default gateway value I'm getting is the same address as the IP that was assigned to me by the RAS.
for example:
IP: 192.168.10.20
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.10.20
I'm getting the correct DNS entries

I'm using static address pool and not DHCP.

What am I doing wrong?

Thanks,
Gil Bar
 
Stoormz,

Go ahead and buy another NIC and hub. They are like 20 and 50 bucks respectively. You will be glad you did. You also should go ahead and upgrade to the 5 IP address deal. I think it is only a one time charge (at least it used to be). That way you can do the following: Plug the DSL modem into the hub. Plug one of the NICs into the hub. Plug one of the NICs into the Cayman. Plug the clients (workstations) into the Cayman. Now you have a public and private network that you can play with. You will be happier in the long run. I like being able to plug a client into the hub and operate on the public network for VPN testing purposes.

Also, the Cayman 3500 router DOES NOT pass through IPsec, not sure about the 3546 though.

Greg
 
We are using MS Server 2003 and have a domain that was working great (it may still be working). The boss is leaving the country for a few days and wants to connect remotely. I set up a VPN that allows IP-based remote access. That functions. In getting that up, somehow no one on the network can see the server or each other.

I went home (small company) to test the remote connection and as I said previously, I connect. My system was registered on the domain and when I returned to work, my system was showing in the remote access clients folder. However, in my network places, I can only see myself.

The setup is 3 users with xp pro, a server with ms server 2003 behind a Linksys befsr81.

By the way, I couldn't ping the router yesterday from the server despite a functional VPN connection with my home computer - weird. Now I can ping the router...we all can, but not each other. I redid the router settings from scratch.

Any help is greatly appreciated.
 