Setting up Security for a VPN


NTesla

Programmer
Jul 19, 2002
146
US
I have a Linksys BEFVP41 Router. I am trying to set up a VPN so that I can access my Network through a dial-up connection. However, I get as far as Verifying User Name and Password, and I get an Error 721: The remote computer is not responding.

My remote system is Windows 2000 Professional
My system I'm trying to gain access to is Windows 2000 Server

I do have a security policy set up, that I can give settings to if necessary.
 
I'm not sure I understand your statement. The Server is running Windows 2000 Advanced Server with RRAS, DNS, DHCP and Active Directory Installed. My user name does have remote Access.
 
Does your remote user account have dial-in privileges?
This is also required.

Isn't it 5:00PM yet?
 
My user name does have remote Access.

I did have this working at one time, but my user profile got corrupted and I don't remember how I got it to work before!
 
The answer to your question is that you have the same IP assignments as private IPs on both the remote system and your local Linksys router.

You need to set the Linksys router to begin its local LAN addressing at something other than 192.168.1.1. You can do this through the setup page of the router. Set it to 192.168.2.1

But the Remote Access Issues Forum is more appropriate for the question if you have further issues. forum595
 
Bcastner

I don't understand what you are saying. I have already changed the default address anyway. I'm not using private IP addresses at all. I'm using 200.X.X.X and subnet 255.255.255.0. I have taken all four semesters of Cisco's net academy and received A's all four semesters, I'm also one semester away from receiving a Networking Engineer degree, but I do not understand why changing the default address of the router would do anything.

I can go into the router and view the VPN logs and see where the IP from the remote system on the dial-up is attempting access. I believe, but am not sure, that it is going to be on the server.

I did print directions from Linksys' support site on how to set up security between the remote system and the router, linked below, but it still does not work.

As I said before, I did have this working before, but I just don't remember how I got it to work. My IP addresses have not changed since the first time it was working. If my user profile did not get corrupted I would not have to worry about it.

I have also posted this question in the remote access and 2000 server forums
 
I bow to all of your education and certifications. But the simple fact of the matter is that you have a LAN addressing conflict, not a WAN addressing conflict.
 
I checked my personal notes again, the only oddities for a 721 error I have seen:

. Private LAN IP addresses on the same subnet; i.e. 192.168.y.x; where 'y' is the identical subnet;

. Router on either side will not pass GRE type 47 traffic. This has to be passed, some routers will not allow you the granularity to do so. Replace router.

. Firewalls block GRE traffic type 47. Adjust software firewall.

. Make sure you have the 'use default gateway on remote network' option checked in the VPN advanced tcp/ip properties and UNCHECKED in the actual lan/dialup advanced properties.

. On your router, enable IPSEC and PPTP pass-through

. Either router or firewall is blocking NAT traffic on the VPN ports; allow both TCP and UDP on the VPN port 1723, forwarded to the VPN endpoint local LAN IP. And in particular GRE 47 traffic.
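
An added example, not part of the original post or of any tool named in the thread: a Python pre-flight check for the addressing and forwarding items in the checklist above. The function names and the `(protocol, port)` rule format are assumptions made for illustration; the check treats the PPTP control channel as TCP 1723 and GRE as IP protocol 47, which has no port number.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_pptp_forwarding(rules):
    """rules: list of (protocol, port) pairs; port is None for port-less protocols."""
    seen = {(proto.lower(), port) for proto, port in rules}
    findings = []
    if ("tcp", 1723) not in seen:
        findings.append("missing: TCP 1723 (PPTP control channel)")
    if ("gre", None) not in seen:
        findings.append("missing: GRE (IP protocol 47) pass-through")
    for proto, port in rules:
        # A TCP/UDP forward for port 47 does not carry GRE, which has no ports.
        if proto.lower() in ("tcp", "udp") and port == 47:
            findings.append(f"ineffective: {proto.upper()} port 47 is not GRE")
    return findings

def check_lan_addressing(client_lan, server_lan):
    """Report overlapping client/server LANs and LANs outside RFC 1918 space."""
    client = ipaddress.ip_network(client_lan, strict=False)
    server = ipaddress.ip_network(server_lan, strict=False)
    findings = []
    if client.overlaps(server):
        findings.append(f"overlap: client LAN {client} and server LAN {server}")
    for label, net in (("client", client), ("server", server)):
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(f"non-private: {label} LAN {net} is outside RFC 1918 space")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    sample_rules = [("tcp", 47), ("udp", 500), ("tcp", 1723)]
    for line in check_pptp_forwarding(sample_rules):
        print(line)
    for line in check_lan_addressing("192.168.1.10/24", "192.168.1.1/24"):
        print(line)
    for line in check_lan_addressing("192.168.2.1/24", "200.0.107.21/255.255.255.0"):
        print(line)
```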



 
I'm not saying that I'm superior to you or anybody else. What I'm saying is that with the education and experience that I have I fail to understand how changing the address of the router will fix this problem. I'm just trying to learn something here and at the same time fix a problem I have.

I also fail to understand how it can be an address problem, LAN or WAN, when it has worked before with the same exact address that I have now. All systems on the LAN can see each other and access the internet. When I attempt to connect to the VPN I get as far as the User Name and Password verification and I get an ERROR 721. It seems to me for one reason or another the Server is not doing its job, I just do not know why.
 
Ntesla,

Follow all the possible links here:
This is the Microsoft MVP Wiki for Remote Access Issues. It is a little rough right now, but most of the links are solid.

Poke around, read, etc. Your answer is likely there.

Also, explore a bit in forum595

I know how frustrating it can be when it worked once, but stops working.

Return to the basics: has anything, anything changed? Often it is some silly thing where you went from static IPs and made all the router and firewall rules to forward the traffic, and now the adapter is at DHCP or a different static IP.

Bill Castner
 
One nearly last thought. I went to a site two weeks ago with a similar issue. They swore it had worked perfectly, etc., and nothing had changed.

PC-cillin antivirus software had been installed. In its default installation configuration it installs a small firewall and there was no way GRE, much less much of anything else, would pass the firewall.

Check everything that has been added or changed.

 
. Private LAN IP addresses on the same subnet; i.e. 192.168.y.x; where 'y' is the identical subnet;
I'm not using private addresses.
Router is 200.0.107.1 (LAN side)
Windows 2000 Advanced Server is 200.0.107.21
Subnet is 255.255.255.0

. Router on either side will not pass GRE type 47 traffic. This has to be passed, some routers will not allow you the granularity to do so. Replace router.
This could be a possibility if the router has gone bad on me. But I have used this router with VPNs before

. Firewalls block GRE traffic type 47. Adjust software firewall.

. Make sure you have the 'use default gateway on remote network' option checked in the VPN advanced tcp/ip properties and UNCHECKED in the actual lan/dialup advanced properties.
I'm not using firewall software or hardware

. On your router, enable IPSEC and PPTP pass-through
This is a VPN router so this should already be done

. Either router or firewall is blocking NAT traffic on the VPN ports; allow both TCP and UDP on the VPN port 1723, forwarded to the VPN endpoint local LAN IP. And in particular GRE 47 traffic.
Again I'm not using firewalls of any kind

I did just remember that I did update the firmware on the router as well, due to another problem; I do not remember if it was before or after I started having trouble. I do know that somehow or another my local user profile got corrupted, because I remember having to set everything else back up.
 
Just checked all my Router settings. PPTP pass-through is enabled

IPSec is enabled

Ports 47, 500, and 1723 are being forwarded to 200.0.107.21, my server.

I'm running Norton SystemWorks 2002, which includes Norton AntiVirus, but I was running this before. No new software of this kind has been installed. Games, etc., is it, but nothing having to do with networking.

Is it possible that an update from Microsoft or Symantec is screwing things up?
 
I had an odd router problem after a firmware update where it would not pass ICMP traffic. Absolutely everything looked clean.

Solution: hold the reset button for at least 30 seconds. Remove power to the router and broadband connection. Repower broadband modem. When stable, repower router.

This is similar to the Voodoo one occasionally does when making changes on a workstation. Sometimes in the BIOS you have to reset the ESCD defaults before it will work, no matter what its configuration pages say.
 
I unplugged my cable modem from the router and power, pressed the reset button as well as unplugged it from the power. Then plugged the cable modem in, waited for it to finish its boot-up and then plugged the router back in. All the settings were still the same, but I still cannot connect to the VPN.

It did take a long time before I got the error. Longer than usual. Is that going to be a security issue? Do I need to set up the security on the router and on the remote system as well as server?
 
What still troubles me is that you are using Public IPs on the LAN side of the router.

The LAN-side addresses are already reserved:
NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200

These are reserved IPs.

Why are you not using the reserved private IP address ranges on the LAN side?

On the server side it has to be attempting to resolve the local address with external DNS servers, and failing.


 
Because I'm running NAT on the Router the internal addresses will never be seen by the outside world. Since these IP addresses will never be seen on the internet it would be the same as using a private address. The only problem I have is getting this VPN to work. Everything else works just fine, DNS, DHCP, I can even access the server through dial-up access, just not through the VPN.

I did disable IPSec Pass-through but still did not connect.
 
DNS resolution at the client does not work that cleanly. Explain to me again why you are using public IPs as private, and public IPs that you are not registered to use?

For the remote client this has to be incredibly confusing. For the LAN side clients it has to work in a half-baked fashion.

You do not arbitrarily assign public IPs and NAT them. Is this really what CISCO taught you was best practice?
 