
VPN only works if router is in DMZ mode.

Status
Not open for further replies.

EssSTP

Programmer
May 25, 2003
2
AU
I am attempting to set up VPN on a windows 2000 server.

I have a DSL-504 D-Link Modem/Router between my server and my fixed-IP DSL service. I have two remote computers to connect in via VPN from the internet. I have been fiddling around with this setup and it seems the only way I can get the remote computers to be able to connect is to put the win 2k server's IP in the DMZ zone of the router (I have tried port forwarding).

I was just wondering if this is acceptable? I am worried about security. Are there any security measures that I should put in place, or am I better off buying another router that is going to allow it to work without losing the security of NAT? I am prepared to take the DSL-504 out and put in anything that will do the job.

Thanks in advance.

Peter
 
You could put in a Linksys BEFVP41, and the users could actually connect directly to it. Or if your remote users are pretty static in where they are, you could put routers in their location and set up a permanent tunnel...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Thank you for responding.

I am interested in the Linksys BEFVP41 as it sounds like a more secure answer. The purpose of my VPN is to provide a secure channel for 3 remote users to use a program via Win 2000 Server Terminal Services (i.e. running Terminal Services over VPN). It will not be used for any other purpose.

I am a little confused about how a VPN would work with a VPN/Broadband Router in place. Would my clients (Win XP PRO and Win 2000 PRO) still connect to the VPN in the same way (e.g. by setting up a VPN connection through Control Panel->Network Connections)? And how would authentication be handled? I assume that this sort of setup would mean that my Win 2000 Server would not be needed at all for my VPN to work (i.e. the router would act as a VPN server) and that I could then set up my terminal services client connection in the usual way?

Finally, I think it might be hard to get a Linksys router through my supplier here in Australia. I was wondering if someone could recommend a D-Link router that may do the job.

I would appreciate advice from anybody willing to help.

Thanking you

Peter
 
The connection is a little different. It requires some configuration of the client machine. Authentication would be through a pre-shared key. Are your users mobile? If they are not, you could put in routers at their location, as this is much more seamless for them...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
I am attempting to do the same with a Siemens router, and I am trying to figure out how to even get it to work with the DMZ. The ISP only assigned us a single static IP, which the router seems to want to assign for itself, and then I don't have a public IP for the server to pass through or DMZ. Any ideas? Am I correct that I should be using the statically assigned IP from my ISP on my multihomed NIC on the server? All VPN activity is supposed to be transparent to this router. I can even access the router remotely for configuration without a problem. I just can't get through it to the server. Any help would be appreciated.
 
If you have a router from your ISP, it must have the Static IP or none of this will work. Your server will have a private address, and the router will put it in a "pseudo" DMZ, it is not a true DMZ. It just will open up the ports to it.
Your client should be configured to VPN to the router. Then set up port-forwarding in the router, to forward to your VPN server. Are you using PPTP or IPSec for your VPN?

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA
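An added example to illustrate the distinction Matt draws above (a consumer router's "DMZ host" is not a real DMZ; it forwards every unsolicited inbound packet to one LAN address, whereas port forwarding admits only the rules you write). It also models the usual reason port forwarding alone fails for a Windows 2000 PPTP server: PPTP needs the TCP/1723 control channel plus GRE (IP protocol 47), and GRE has no port number, so a rule form that only accepts ports cannot express it. This is not code from the thread, and the thread does not say which VPN protocol is in use (Matt asks), so PPTP is an assumption here; the LAN address, the listener list and the rule sets are constructed for illustration.

```python
"""
Model of two ways a consumer NAT router can expose an internal VPN server:
a "DMZ host" (everything inbound goes to one LAN address) versus explicit
port-forwarding rules.  Added illustration, not code from the original
thread; addresses, listeners and rule sets below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

TCP = 6
UDP = 17
GRE = 47   # IP protocol number for GRE, which carries PPTP tunnel data

SERVER = "192.168.0.10"   # constructed LAN address of the Win2k server


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int]   # None for protocols that have no ports (GRE)


@dataclass(frozen=True)
class Forward:
    proto: int
    dst_port: Optional[int]   # None means "match this protocol, no port"


Policy = Callable[[Packet], Optional[str]]


def dmz_host(pkt: Packet, host: str = SERVER) -> Optional[str]:
    """Pseudo-DMZ: every unsolicited inbound packet is handed to one host."""
    return host


def port_forward(pkt: Packet, rules: List[Forward],
                 host: str = SERVER) -> Optional[str]:
    """Explicit forwarding: only packets matching a rule reach the host."""
    for rule in rules:
        if rule.proto == pkt.proto and rule.dst_port == pkt.dst_port:
            return host
    return None   # dropped at the router


# Services a Win2k RRAS + Terminal Services box would typically have
# listening (constructed list for the example).
SERVER_LISTENERS = {
    (TCP, 1723): "PPTP control",
    (GRE, None): "PPTP tunnel data",
    (TCP, 3389): "Terminal Services",
    (TCP, 445):  "SMB",
    (TCP, 135):  "RPC endpoint mapper",
}

# What a ports-only forwarding form lets you write: GRE cannot be expressed.
TCP_ONLY_RULES = [Forward(TCP, 1723)]
# What a router with working "PPTP pass-through" effectively applies.
PPTP_RULES = [Forward(TCP, 1723), Forward(GRE, None)]


def exposed_services(policy: Policy) -> List[str]:
    """Listeners on the server that an Internet host can reach under a policy."""
    return sorted(name for (proto, port), name in SERVER_LISTENERS.items()
                  if policy(Packet(proto, port)) == SERVER)


def pptp_works(policy: Policy) -> bool:
    """PPTP needs both the TCP/1723 control channel and GRE to reach the server."""
    return (policy(Packet(TCP, 1723)) == SERVER
            and policy(Packet(GRE, None)) == SERVER)


if __name__ == "__main__":
    policies = [
        ("DMZ host", dmz_host),
        ("forward TCP/1723 only", lambda p: port_forward(p, TCP_ONLY_RULES)),
        ("forward TCP/1723 + GRE", lambda p: port_forward(p, PPTP_RULES)),
    ]
    for label, policy in policies:
        print(f"{label:24} PPTP works: {str(pptp_works(policy)):5} "
              f"exposed from Internet: {exposed_services(policy)}")
```

Run as-is it prints one line per policy. The DMZ-host row is the security point: it makes the VPN work, but it also exposes Terminal Services, SMB and RPC directly to the Internet, which is exactly what the VPN was meant to avoid; the TCP/1723 + GRE row exposes only the two PPTP listeners. If your router's forwarding form cannot express GRE, that is the capability to look for in a replacement rather than falling back to the DMZ host.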

 
Thanks Matt for the input. I am still a little confused with your answers, however. (A) The Siemens router has a GUI, and there isn't anything about setting a pass-through. The default port for VPN is supposedly already set and is, according to the documentation, "transparent".
(B) You mention configuring the VPN client to the router's IP. This is the most confusing, as with Microsoft's 2000 Server VPN client, when you go to create the client with the CMAK, you are only given the opportunity to select for the client one of the two NIC addresses that are actually in the multi-homed server... unless I am missing something. In the CMAK creation utility, how would I tell it to use the router's IP? Thanks for the help!!
 
Matt,
Interesting reading and a Big Thanks for the quick reply! Unfortunately I think I am still going in circles. The initial problem I am having is on the Server side, where this article that you referred me to seems to be referring to the Workstation or PC side trying to access the VPN.

I am trying to use Win2K SERVER VPN implementation, and using the CMAK that builds a keyed client that is then executed on the remote workstation for access to the Server. Perhaps the client software will not work and I will have to go through these steps on the Workstation side as the User does indeed have a Linksys router at his home.

But I am trying to get the server side configured properly first, and as I mentioned this is with a Siemens router. At the bottom of Linksys's support page they give you 2 Microsoft links for SERVER. I checked them out as well, and the very first thing that they state is that this is primarily for routers that do not support Layer 2 Tunneling or PPTP VPN technology... which evidently the Linksys does not support, but my Siemens is supposed to support it. It also states that this is used for situations where you have a static address on both sides. I do not. Only on the server side. The client side uses Charter cable and does not have a static IP.

Am I making any sense here or just confusing things further?

Thanks!
EdR
 
OK, I got a little off track. If you want to use the server as the VPN server, I'd put in a different router. SonicWALLs are very good...
What it all boils down to is that your router is blocking something that the VPN needs. If you tried port-forwarding and it did not work, you either have to get a new router or put your server in the DMZ. What other purposes does this router serve? If it is only for VPN, you could put a software firewall on it and have at it. If it is mission critical, I would get a new router....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Matt,
Thanks for the reply. Yes, I have thought about a different router, but for the limited use of this config, it doesn't make much sense. I guess I could just take the router out of the picture and use the static IP assigned by the ISP on the public side of my VPN server.

I had just hoped to figure out how to get the VPN CMAK to somehow assign the static IP of the Router instead of a NIC on the Server...

Thanks!

EdR
 