
It's like My First Sony, but it's My First VPN 2


quolo

IS-IT--Management
Dec 12, 2002
70
US
This is my virgin run setting up a VPN. Feel free to assume I don't know too much already.

I have a windows 2000 server and about 10 users, some desktop, some laptop, and some with home pc's, all of which need to connect to the same exchange 2000 emails boxes, the same fileserver, yadda yadda yadda.

I have successfully (I think) configured the server as a VPN host and have successfully connected several client computers via a VPN connection (downloaded and installed a certificate, made a new VPN connection, logged in, and got the 'VPN successfully installed' message)

So far so good.

Now what?

At home this morning, I connected my home computer, but couldn't see the fileshare or the exchange domain, any of that stuff. The only reason I knew I was VPN connected was because the dialog told me so.

I tried to read up on it, but there was a lot of confusing stuff about NetBios, WINS, lmhosts, stuff I don't know too much about. Any advice? The two main things I'd like to be able to do are access one's Exchange mailbox and map a network drive to the fileshare on the server.

Does a user have to login to the domain to do this?

If you need more info, let me know. Thanks in advance.
 
I'm still working on this, to no avail.

I tried pinging some things from the client computer - I can't ping any internal IP's (192.168.1.x) from the network, the only thing that seems to work is the external IP for the server - the same one I connected to through VPN.

It's like, even after connecting, the computer doesn't even know the network is there. How can this be? Where is the justice?
 
Can the VPN server access the network?

iSeriesCodePoet
IBM iSeries (AS/400) Programmer
 
Sounds like you have issues with routing. NetBios, WINS, lmhosts and all of that stuff is related to name resolution, which may indeed be an issue, but you need to work on the general connectivity first. The fact that you have the VPN up and running is a good start.

First, you have three distinct networks, so you need three network addresses for everything to work. An IP address consists of a network portion and a host portion. Generally, on a small network, the network portion is the first three numbers and the host is the last number. In 192.168.1.100, 192.168.1 is the network and 100 is the host. The LAN on the VPN server should be on one network, the client should be on a different network, and your VPN connection should be on a third network. You could use something like 192.168.100.xxx on the server side, 192.168.101.xxx for the VPN connections and 192.168.102.xxx for the client network. Doesn't matter too much other than you should stick with the 192.168.xxx and the xxx should be different for each one.

If all is well, after you get your addresses segregated, you should be able to work with the VPN server when connected. If you type 'ping 192.168.101.xxx' in a command window (using the actual VPN server address from the VPN connection properties), you should get a good reply. If you need to access other hosts on the server side network, you will need to add a route to that network on your client -- in a command window 'ROUTE ADD 192.168.100.0 MASK 255.255.255.0 192.168.101.0'. You will, of course, need to adjust for your actual addresses. You should then be able to ping other hosts on the server side network. If you need to report back with results of the ping, be specific. Ping produces several different errors and they can mean different things.

Get to that point and report back and we'll look at the other issues.
 
Thanks a zillion. This is clearing up a lot of things. That whole three network thing I knew nothing about.

Okay, IP address segregation. Sounds like a plan. I could use a bit more clarification on what constitutes each network...lessee...there's the LAN on the VPN server (we only have the one server, so that narrows it down), the client, and the VPN connection.

The client I understand, they are connecting from their home network through their home ISP, right? The LAN on the VPN server is basically all the IP details on the properties of the LAN card, right? Where does one set the network and host information for the VPN connections? I guess I don't understand physically where that lives.

Let me talk through my thinking so you can point out any misunderstandings I may have:

The client in this example would be my home computer. It's cable modem connected behind a Linksys router. On that little client network, that machine is 192.168.1.100. I should change that to 192.168.102.100 and change the IP address of the router to 192.168.102.1.

Our Zyxel router here at the office is set to 192.168.1.1.
The do-it-all server has 2 LAN cards, one set to 192.168.1.200 and one set to 192.168.1.199. I'll go ahead and leave those where they are. Now I would have 2 distinct networks, one at 192.168.102 and one at 192.168.1.

I'm not sure where to set the VPN connections to a third distinct network. In fact, I don't have a clue.

Thanks a bunch
 
Okay... actually I am running into the same problem now. :-( I didn't know what I was talking about before. I am running PPTPd under Linux. It has an internal IP and external IP for the setup. So based on what was said, this is how I understand it. My current network IP is 192.168.1.xxx. I should set my external IP to 192.168.2.xxx and my internal IP to 192.168.3.xxx? Is this correct?

iSeriesCodePoet
IBM iSeries (AS/400) Programmer
 
I ran this little problem of mine past a friend of mine and he explained it a bit further for me.

If what I understand from him is true (and I'm no authority), your current network IP is fine at 192.168.1.x, your client IP would be fine at 192.168.3.x, but the external IP is not a 192.168.x.x, it's the public IP you get from your ISP. If I understand correctly, the 192.168.x.x in mhkwood's explanation was just an illustration of how they need to be different.

I'm going to give it a try tonight when I have a remote computer from which to VPN on in.
 
First to quolo -- sounds like you're moving in the right direction. The addresses you have set up on your LAN at the server side and the client side will work, however I try to avoid the 192.168.1 on the server side if multiple clients are involved. Most routers are shipped out with a default network of 192.168.1, so most of your clients will have this setting by default. It's easier to change the addresses on the server side than have all of the clients change theirs -- usually. Of course, if you have only a few clients connecting, not so much of an issue.

When you create a VPN connection, both the server and the client have a virtual network interface created. Just like adding another network card so far as the OS is concerned, but no additional hardware involved. Data is sent across the VPN by sending it to this virtual interface. That's where the third network comes in. The VPN interfaces all need to be on the same network, but on a different network than any of the networks that the computers on either side of the VPN are connected to.

Under your current configuration, your office network is 192.168.1 and your client is 192.168.102. Unless you change it, your VPN will also get a 192.168.1 address. If you were to try to ping the VPN client 192.168.1.xxx from the server, the server would think that the client is on the local network (the address matches) and send the request across the LAN instead of the VPN. If you change the VPN addresses to something different, say 192.168.101.xxx, both machines are able to figure out where to send the data. Hope that makes sense, it's hard to explain without pictures.

You would change the VPN IP address range in RAS properties. If I remember correctly, should be something like Start --> Programs --> Admin tools --> Routing and Remote access --> click properties --> IP. If you already have a static IP address pool established you will edit what is already there, if not, you will need to add one.

Now iSeriesCodePoet, your situation is similar but different because of the linux factor. In your pptpd.conf file, the two addresses are both for the VPN. The localip entry will be the VPN address of the server, and the remoteip will be the VPN address of the client. These two addresses should be on the same network, but a different network than the LAN on either the client or the server side. Also note that if you are running a firewall on your linux box with a DROP or DENY policy, you will need to add a few lines to ACCEPT traffic on interface 'ppp0'.

In either case, there are other ways to configure and make everything work, but I have found that using the separate subnets makes everything more predictable.

Hope all of this makes some sense, but if not post back and we'll try again.
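The "three distinct networks" check from the posts above, written as an added example that is not from the thread: it flags any overlap between the office LAN, the VPN address pool and a client's home LAN, and derives the client-side ROUTE ADD line. The addresses are constructed from the thread's own examples; it assumes the VPN pool is a /24 and uses the server's own VPN address as the route gateway.

```python
# Added example, not code from the thread. Checks that the office LAN, the
# VPN pool and a remote client's home LAN are three distinct networks and
# builds the client route that sends office traffic through the VPN.
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations


def find_overlaps(nets):
    """Return the (name, name) pairs whose networks share any address."""
    clashes = []
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            clashes.append((n1, n2))
    return clashes


def client_route(office_lan, vpn_server_addr):
    """ROUTE ADD line for a Windows client; the gateway is the VPN server's
    address on the VPN network (assumption: the VPN pool is a /24)."""
    return (f"ROUTE ADD {office_lan.network_address} "
            f"MASK {office_lan.netmask} {vpn_server_addr}")


def check_plan(office_lan, vpn_pool, client_lan, vpn_server_addr):
    """Report clashes; only a clash-free plan gets a route suggestion."""
    nets = {"office LAN": office_lan, "VPN pool": vpn_pool,
            "client LAN": client_lan}
    clashes = find_overlaps(nets)
    if vpn_server_addr not in vpn_pool:
        clashes.append(("VPN server address", "VPN pool"))
    return {"ok": not clashes, "clashes": clashes,
            "route": None if clashes else client_route(office_lan,
                                                       vpn_server_addr)}


# quolo's starting point: office, VPN pool and home Linksys all on 192.168.1
before = check_plan(IPv4Network("192.168.1.0/24"),
                    IPv4Network("192.168.1.0/24"),
                    IPv4Network("192.168.1.0/24"),
                    IPv4Address("192.168.1.250"))

# mhkwood's suggested split: 192.168.100 / 192.168.101 / 192.168.102
after = check_plan(IPv4Network("192.168.100.0/24"),
                   IPv4Network("192.168.101.0/24"),
                   IPv4Network("192.168.102.0/24"),
                   IPv4Address("192.168.101.1"))

if __name__ == "__main__":
    print(before)
    print(after)
```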
