
VPN weirdness

ncsharp

Technical User
Feb 27, 2006
I need to start using VPN and decided to test it today. I created a VPN server on a win XP sp2 box today. Then, on my laptop I configured VPN client and can connect to the LOCAL ip address just fine. I could easily browse shares by going to run and typing \\192.168.1.100 (VPN Server) from the client.

I have a linksys router that sits between my internal net and the internet. So I opened ports 50-51, 1723, 500, and 137-139 and created port forwarding to the VPN server internal IP. I then went to my brothers across town and was able to connect to the VPN but NOT browse shares. The external IP of the VPN server is 24.199.165.230 and from my brothers I tried start, run, \\24.199.165.230 but got no shares even though I was connected.

I then came back to my internal net, and verified that I could browse shares internally ( \\192.168.1.100 ). But, even from the local net, when I connect to the external IP (24.199.165.230) using the VPN client I can connect but not browse shares.

What am I missing?

Mike
 
You should not need to forward all those ports through to your XP box. XP machines are not secure. Also I hope you didn't post your real public IP. Anyway you should only need to forward ports 500 and 501. If this is an IPsec tunnel this will forward all traffic through to the LAN. Next you should be using \\192.168.1.100 even when at a remote site connected to the VPN. This would be the IP address of the NIC attached to the LAN, not to the Internet. You should also check for any software firewalls on the machine you want to access, i.e. Norton Internet Security and Windows XP firewall.
 
Sorry, I misspoke. You do need those ports.
 
Probably only a PPTP server, which means you only need to forward TCP 1723 to the XP box.

And indeed, when you are connected through VPN, treat the other side as if you're simply on your own LAN, so no addressing public IPs.
 
Awesome, thanks guys. When I saw dloz's post it came to me and it was like someone hit me with a dummy hammer.

Now I realize the native VPN tunnel in Windows is PPTP as opposed to IPsec. What are everyone's thoughts on how secure PPTP is vs. IPsec using X.509 certs?

Also, when I set the VPN server up, I didn't see an option to use IPsec with X.509 certs. Is this possible? I do see the option on the client to use IPsec/X.509.

M

 
PPTP is not nearly as secure as IPsec. There is no encryption of the data. IPsec with X.509 certs can cost extra money unnecessarily. Unless you have your own CA server you will need to go to sites like Verisign and have them generate certs for you for a fee. I think for most users IPsec with preshared keys is secure enough. But that is your call.

One more thought, regarding PPTP: in addition to forwarding TCP 1723, you also need to forward IP protocol 47, which is GRE (not TCP/UDP port 47). For IPsec you need to forward UDP 500 (and also possibly 4500 if using NAT-T v2) and IP protocol 50 (ESP) and/or 51 (AH). For IP protocol 47, most SOHO routers refer to this as PPTP pass-through, whereas IP proto 50/51 is usually referred to as IPsec pass-through.
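The forwarding requirements in the post above, turned into a small checker. This is an added example, not code from the thread or from any router vendor. The rule text format (`tcp 1723 -> host`, `ip 47 -> host`, where `ip` means a raw IP protocol number rather than a port) is a constructed, simplified notation, and the sample rule list is constructed to mirror the original poster's list. Besides reporting what is missing for PPTP or IPsec, it flags the two pitfalls the thread raises: an IP protocol number (47, 50, 51) entered as a TCP/UDP port, and forwarded ports the VPN does not need, which are just extra exposure on the Internet side.

```python
"""Checker for SOHO port-forwarding rules in front of a Windows VPN server.

Added example (not code from the thread or any router). Rule syntax is a
constructed, simplified notation:  <tcp|udp|ip> <number> -> <internal host>
where 'ip' means a raw IP protocol number (GRE=47, ESP=50, AH=51), not a port.
"""
from dataclasses import dataclass

# IANA IP protocol numbers. These are NOT TCP/UDP port numbers.
PROTO_GRE = 47   # PPTP data channel ("PPTP pass-through" on many routers)
PROTO_ESP = 50   # IPsec Encapsulating Security Payload
PROTO_AH = 51    # IPsec Authentication Header

# What each VPN type needs forwarded, per the thread. AH (ip 51) is optional
# and omitted here; most IPsec deployments use ESP only.
REQUIRED = {
    "pptp": {("tcp", 1723), ("ip", PROTO_GRE)},
    "ipsec": {("udp", 500), ("udp", 4500), ("ip", PROTO_ESP)},
}


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp", "udp" or "ip"
    number: int   # port for tcp/udp, protocol number for ip
    target: str   # internal host the router forwards to


def parse_rules(text):
    """Parse the constructed rule notation; '#' starts a comment."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, sep, target = line.partition("->")
        if not sep:
            raise ValueError(f"missing '->' in rule: {raw!r}")
        proto, number = lhs.split()
        proto = proto.lower()
        if proto not in ("tcp", "udp", "ip"):
            raise ValueError(f"unknown protocol {proto!r} in rule: {raw!r}")
        rules.add(Rule(proto, int(number), target.strip()))
    return rules


def forwarded_to(rules, target):
    """Set of (proto, number) pairs the router forwards to target."""
    return {(r.proto, r.number) for r in rules if r.target == target}


def missing_for(vpn_type, rules, target):
    """(proto, number) pairs the VPN type needs that are not forwarded to target."""
    return sorted(REQUIRED[vpn_type] - forwarded_to(rules, target))


def unneeded_for(vpn_type, rules, target):
    """Forwarded pairs the VPN type does not need: extra exposed attack surface
    (e.g. NetBIOS 137-139 reachable from the Internet)."""
    return sorted(forwarded_to(rules, target) - REQUIRED[vpn_type])


def port_protocol_confusions(rules):
    """TCP/UDP rules whose port number is really an IP protocol number the
    admin probably meant (the 'TCP port 47/50/51' mistake)."""
    confusable = {PROTO_GRE, PROTO_ESP, PROTO_AH}
    return sorted((r.proto, r.number) for r in rules
                  if r.proto != "ip" and r.number in confusable)


# Constructed sample mirroring the original poster's forwarding list.
SAMPLE_RULES = """
tcp 50 -> 192.168.1.100    # meant ESP (ip 50), entered as a TCP port
tcp 51 -> 192.168.1.100    # meant AH (ip 51), entered as a TCP port
tcp 1723 -> 192.168.1.100  # PPTP control channel
udp 500 -> 192.168.1.100   # IKE
tcp 137 -> 192.168.1.100   # NetBIOS: not needed over the tunnel
tcp 138 -> 192.168.1.100
tcp 139 -> 192.168.1.100
"""
SERVER = "192.168.1.100"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for vpn in REQUIRED:
        print(f"{vpn}: missing {missing_for(vpn, rules, SERVER)}, "
              f"unneeded {unneeded_for(vpn, rules, SERVER)}")
    print("port/protocol confusions:", port_protocol_confusions(rules))
```

Run against the sample, the PPTP check reports only GRE (`ip 47`) missing, which matches the thread's diagnosis: the control channel on TCP 1723 comes up, so the client "connects", but without GRE forwarded the data channel never passes the router. The same run lists the NetBIOS ports as unneeded, since file sharing should be reached over the tunnel at the server's LAN address rather than exposed on the public side.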
 
I discovered OpenVPN and I LOVE it. It's open source, uses strong encryption and TLS. Very awesome software.

Michael
 
Try this...
Log on to your router.

Click "Gaming and Applications" section.

Click "Port Triggering".

Then enter an app name (anything you like) in the application field.
In each of the four port fields enter 500 and tick enable.
Do the same for 4500 or whatever the other port number is on your VPN server.

That should do the trick. No need for static IP addresses or anything out of the ordinary.

Good Luck

Mark.
 