Setup VPN using Win 2000 RRAS 3

dsdjnpfvf

IS-IT--Management
Aug 21, 2003
38
GB
Hi,

I have a small network of 6 client computers and a Windows 2000 server. The network is connected to the internet using a DLink DSL-504 combined ADSL modem/router. It is running in NAT mode and connected directly to the main hub.

My ADSL connection has a dynamic IP but I use a dynamic DNS service so that isn't too much of a problem.

All of the computers on the network are assigned IP addresses using DHCP in the 192.168.x.x range (including the server).

I would like to set up the 2k server RRAS to allow VPN connections from home to the office (only light usage, 1 to 2 users max).

All of the information I've read on the Microsoft website talks about the Server having two interfaces, one to the internet and one to the LAN. My server doesn't have this, it simply accesses the internet and network through one network card connected to the network with the NAT router.

How would I go about setting up VPN in this situation?

My router supports passthrough and port redirection. Is it simply a matter of redirecting the PPTP ports? I'm really not sure.

Any help greatly appreciated.

Many thanks,

Daniel Briley



 
The references to two network adapters assume that you are using the server for routing to the internet -- you have one adapter connected to the internet and another connected to your private network. Since you are using a NAT router, you should not have a problem. I would not use your configuration for more than 2 or 3 VPN clients, but 1 or 2 should be fine.

Sounds like you've already done some reading. If you aren't satisfied, I like -- lots of nice screen shots and generally correct information.

As that page states near the bottom, you will need to forward TCP on 1723 to your server and allow PPTP passthrough.

Good luck.
 
This is pretty straightforward, but there are a few things to consider:

1. The moment you open up ports for VPN access you will almost certainly get people trying to log in to your network. Make sure that you have good antivirus/trojan scanning software on the 2K server. Set up auditing on the server to monitor for failed logon attempts and check the Event Viewer Security logs regularly to see if anyone has been poking around. If they have then you might want to increase password length/password history etc.

2. Most cable/DSL routers allow port forwarding. One port/service can be forwarded to one IP address. The same IP address cannot have more than one port/service assigned to it. Example: Say your server has an internal IP LAN address of 192.168.0.5. You want this server to function as a Web server AND an FTP server, so you forward port 80 to 192.168.0.5 to get your web server working. Now you need to assign port 21 to something for FTP. If you point it to 192.168.0.5 it probably won't work.

Windows 2000 and XP allow us to resolve this issue by having multiple IP addresses to be assigned to a single network card. If you right-click My Network Places and select Properties you will see your LAN connections. Right-click on your main LAN connection and select Properties, then highlight TCP/IP and click the Properties button. Next, click the Advanced button. The advanced properties sheet IP Settings tab has 2 sections: One for IP addresses, the other for Default Gateways. If you click the Add button located beneath the IP addresses section you will find that you can add more IP addresses that will be assigned to your network card. You need to assign as many IP addresses as you will have open ports on your firewall.

If I remember correctly (and it's been a while since I did one) Windows 2000 needs ports 1701 and 1723 opened. I would also open port 47 for GRE (General Routing Encapsulation). Port 500 (ISAKMP) may also be necessary, particularly if you plan on using IPSec.

Finally, you need to open a Management Console (Start > Run > MMC) and add the Routing and Remote Access snap-in. This will allow you to configure the server as a VPN server. Clients are configured by installing the VPN client (My Network Places > Add New Connection) and providing the WAN (external) IP address of the router.

Hope this helps.

SL
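SL's first point is to audit failed logons and check the Security log regularly. An added example of what that check can look like once the log is exported (this is not code from the thread or from Microsoft): the tab-separated export format and the sample lines are constructed, and the failed-logon event IDs are the standard Windows 2000 Security log IDs. It flags a source that racks up several failures in a short window and lists which accounts were tried, which separates a user mistyping a password from someone walking through administrator/admin/root.

```python
"""Flag bursts of failed logons in an exported Windows 2000 Security log.

Added example for this thread; not code from the thread or from Microsoft.
The export format (tab-separated: date time, event ID, account, source)
is a constructed approximation of an Event Viewer "Save As" export, and
the sample lines are constructed, not taken from a real server.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs that mean a logon failed.
# 529 = unknown user name or bad password, 530 = logon time restriction,
# 531 = account disabled, 532 = account expired, 533 = workstation
# restriction, 534 = logon type not granted, 535 = password expired,
# 539 = account locked out, 675 = Kerberos pre-auth failed,
# 681 = NTLM account logon failed.  528 is a successful logon.
FAILED_LOGON_EVENTS = {529, 530, 531, 532, 533, 534, 535, 539, 675, 681}

# Constructed sample export: one real user, then a rapid series of guesses
# from an outside address against several well-known account names.
SAMPLE_LOG = """\
2003-08-21 22:01:05\t528\tdaniel\tHOME-PC
2003-08-21 23:14:02\t529\tadministrator\t203.0.113.7
2003-08-21 23:14:09\t529\tadministrator\t203.0.113.7
2003-08-21 23:14:15\t529\tadministrator\t203.0.113.7
2003-08-21 23:14:22\t529\tadmin\t203.0.113.7
2003-08-21 23:14:30\t529\troot\t203.0.113.7
2003-08-22 08:30:11\t529\tdaniel\tHOME-PC
2003-08-22 08:30:40\t528\tdaniel\tHOME-PC
"""


def parse_line(line):
    """Return (timestamp, event_id, account, source), or None for a blank or malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        event_id = int(parts[1])
    except ValueError:
        return None
    return when, event_id, parts[2].lower(), parts[3]


def failed_logons(text):
    """Yield (timestamp, account, source) for every failed-logon event in the export."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] in FAILED_LOGON_EVENTS:
            yield rec[0], rec[2], rec[3]


def find_bursts(text, threshold=3, window=timedelta(minutes=10)):
    """Return {source: max failures seen inside any window-long span} for
    sources that reach the threshold.  A sliding window, so a slow trickle
    of genuine typos from one home PC does not trip it, but a rapid series
    of guesses does."""
    by_source = defaultdict(list)
    for when, _account, source in failed_logons(text):
        by_source[source].append(when)
    bursts = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[source] = max(bursts.get(source, 0), count)
    return bursts


def accounts_tried(text, source):
    """Distinct account names that failed from one source.  A spread across
    administrator/admin/root is a guessing pattern, not a forgotten password."""
    return sorted({acct for _w, acct, src in failed_logons(text) if src == source})


if __name__ == "__main__":
    for src, n in find_bursts(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logons within 10 min; accounts tried: {accounts_tried(SAMPLE_LOG, src)}")
```

Run it against a real export by replacing SAMPLE_LOG with the file's contents; the threshold and window are the knobs to tune so that your own users' occasional typos stay below the line.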
 
Thanks guys. The advice is really helpful and much appreciated.

Daniel Briley
 
Spotlizard,

"Most cable/DSL routers allow port forwarding. One port/service can be forwarded to one IP address. The same IP address cannot have more than one port/service assigned to it. Example: Say your server has an internal IP LAN address of 192.168.0.5. You want this server to function as a Web server AND an FTP server, so you forward port 80 to 192.168.0.5 to get your web server working. Now you need to assign port 21 to something for FTP. If you point it to 192.168.0.5 it probably won't work."

The only issue I have ever had was forwarding the same port to multiple IPs. This will not work.

But doing multiple port forwards of different ports to the same IP I have never had the issue you described, including using port ranges as forwarded entries.


 
Bcastner,

What equipment are you using ?

I have had this problem with D-Link DI713p and SMC Barricade wireless cable/dsl routers. (which are quite similar). I have a Win2K server that performs many functions, including MSExchange 2000 and IIS 5.0. When I attempted to forward port 80, 110 and 25 to the server IP address nothing worked. The documentation for the D-Link states that it is not capable of doing this.

Of course, your mileage may vary depending on the hardware/vendor but without knowing that I went for the easiest solution here, multiple IPs on the NIC.

Regards,

SL.
 
Well, guess I'll drum on this one a bit, too.

First, on the one service/port per internal IP. Never heard of that one, either. Some web services require several ports to be forwarded, so I can't imagine a manufacturer releasing a product with that limitation. Went and poked about the DI713p docs a bit, but don't see anything that even comes close to supporting the statement. Either way, should not be an issue with the vast majority of routers out there.

If I had to guess, I would think that your router configuration for the forwarding was just fine, but you had something misconfigured with the services you were trying to host. In the process of adding/changing the IPs, you fixed the other problems. Just a guess.

Now for the second note, I wouldn't worry too much about opening the port for the VPN. No major problems with the VPN software, and there is no announcement that you have the port open. I would be surprised if you were to see a significant number of challenges there. Even if you do get probed, not a good chance of someone getting in. If a bug is discovered, you will hear about it, just pay attention. Patch, patch, patch.

The other part of the second note, I wouldn't open ports you don't need. TCP on 1723 and PPTP passthrough will cover it.
 
Just a quick note...
SL mentioned 'open port 47 for GRE'

I think this is a typo...
I was led to believe that GRE is a protocol, like TCP and UDP, not an actual port.
i.e.
Protocol 6 is known as TCP
Protocol 17 is known as UDP
Protocol 47 is known as GRE


The link below has the following descriptions for 'port 47'
ni-ftp 47/tcp NI FTP
ni-ftp 47/udp NI FTP

As Mhkwood says, the PPTP passthrough (GRE protocol 47), and TCP 1723 should cover it.
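Three points in this thread fit one check: Mhkwood's "don't open ports you don't need" (TCP 1723 plus PPTP passthrough is all PPTP needs), the clarification just above that GRE is IP protocol 47 and not a port, and Bcastner's note that the same port cannot be forwarded to two internal IPs. Below is an added example that is not code from the thread or from any router vendor: a small validator for a router's port-forward table. The rule format (dicts with proto/port/target) and both sample tables are constructed stand-ins for whatever a particular router's web UI stores.

```python
"""Check a router's port-forward table against what a PPTP VPN server behind NAT needs.

Added example for this thread; not the router vendor's or Microsoft's code.
The rule format (dicts with proto / port / target) is a constructed stand-in
for whatever a given router's web UI actually stores, and the sample table
below is constructed, not copied from any real router.
"""
GRE_PROTOCOL_NUMBER = 47   # an IP protocol number (like 6 = TCP, 17 = UDP), not a port
PPTP_CONTROL_PORT = 1723   # PPTP control channel, TCP

# Often opened "just in case"; only L2TP (udp/1701) and IKE/ISAKMP (udp/500) use them.
L2TP_IPSEC_PORTS = {1701, 500}


def minimal_pptp_rules(server_ip):
    """The two entries PPTP actually needs: TCP 1723 forwarded, GRE passed through."""
    return [
        {"proto": "tcp", "port": PPTP_CONTROL_PORT, "target": server_ip},
        {"proto": "gre", "target": server_ip},
    ]


def check_pptp_forwarding(rules, server_ip):
    """Return a list of findings; an empty list means the table does exactly
    what PPTP needs and nothing more."""
    findings = []
    has_control = has_gre = False
    seen = {}  # (proto, port) -> target, to catch one port sent to two hosts

    for rule in rules:
        proto = str(rule.get("proto", "")).lower()
        port = rule.get("port")
        target = rule.get("target")

        if proto == "gre":
            if target == server_ip:
                has_gre = True
            else:
                findings.append(f"GRE passthrough points at {target}, not the VPN server {server_ip}")
            continue

        # The mistake discussed in this thread: treating protocol 47 as a port.
        if port == GRE_PROTOCOL_NUMBER:
            findings.append(f"{proto}/{port}: GRE is IP protocol 47, not a port; "
                            "enable the router's PPTP/GRE passthrough instead")
            continue

        key = (proto, port)
        if key in seen and seen[key] != target:
            findings.append(f"{proto}/{port} forwarded to both {seen[key]} and {target}; "
                            "one port can only reach one internal host")
        seen[key] = target

        if proto == "tcp" and port == PPTP_CONTROL_PORT:
            if target == server_ip:
                has_control = True
            else:
                findings.append(f"tcp/{port} forwarded to {target}, not the VPN server {server_ip}")
        elif port in L2TP_IPSEC_PORTS:
            findings.append(f"{proto}/{port} is for L2TP/IPSec, not PPTP; close it unless you use L2TP")
        else:
            findings.append(f"{proto}/{port} -> {target} is not needed for PPTP; "
                            "close it unless another service needs it")

    if not has_control:
        findings.append(f"missing: forward tcp/{PPTP_CONTROL_PORT} to {server_ip}")
    if not has_gre:
        findings.append(f"missing: GRE (protocol {GRE_PROTOCOL_NUMBER}) passthrough to {server_ip}")
    return findings


# Constructed table that follows the "open 1701, 1723, 47 and 500" advice literally.
OVEROPEN_RULES = [
    {"proto": "tcp", "port": 1723, "target": "192.168.0.5"},
    {"proto": "tcp", "port": 1701, "target": "192.168.0.5"},
    {"proto": "tcp", "port": 47, "target": "192.168.0.5"},
    {"proto": "udp", "port": 500, "target": "192.168.0.5"},
]

if __name__ == "__main__":
    for finding in check_pptp_forwarding(OVEROPEN_RULES, "192.168.0.5"):
        print("-", finding)
    print("minimal table:", check_pptp_forwarding(minimal_pptp_rules("192.168.0.5"), "192.168.0.5"))
```

Against the over-open table it reports the two L2TP/IPSec ports as unnecessary, the tcp/47 entry as a protocol-number mix-up, and the missing GRE passthrough; against the minimal two-entry table it reports nothing.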
 
Although this is quite an old thread, I have a few questions about VPN, and some have to do with all this issue of IPs and routers and ports. I'm new in this VPN thing, and have an SBS2000 server running on a 16-user network. I also wanna have VPN access for 1-3 clients from outside the network and this is what I have:

1. SBS2000 Domain with Exchange 2000 running
2. An octave chopped T1 permanent connection to the net (128k)
3. A Siemens 5094 8port Router/Switch
4. ISA Server Running
5. An additional external IP.

So, I have this router, and I think that I could do something about opening the port on the router and allowing VPN access and etc. But, I also have ISA server, and the SBS documentation tells me to create a VPN through ISA server, which tells me it requires a second NIC, which I don't have. Besides, my ISP said I would need a different public IP, since I wanna provide users access to Outlook Web Access from the Internet (I know this is another forum, but help please, or forward me to any that would know these things)

So how do I make use of that second IP through my Router, how do I configure VPN on Win2k without having to touch or being affected by ISA Server, and about OWA... well.. if you can let me know that one too.

About the second IP, I don't know if it has to do with VPN, but my computer is not hosting a Website, but it is configured as if it is the Domain controller, you know it's an outside server and my e-mails in Exchange are configured as user@mydomain.com even when Exchange is not hosting my Website. So I would like to make some kind of pointing address like, and will point to my server in OWA mode. I think this is why I need the second IP, but who knows (at least I don't). And if it's for that, having only one Internet connection through my router, how can I set the two IPs on the router and route the second one to OWA.

Help me out with the VPN, and if you can do something about OWA, I'll appreciate it as well, and will send a picture of the beautiful sunny beaches of the Caribbean. ;-)

MILLION THANKS!!!

Reg.
 