VPN Setup
Summary
Basic VPN Requirement
Can I set up my VPN client as a router to direct all local computers' traffic to the VPN?
Can't ping computer name when using VPN
Configure RRAS tracing
How many inbound dial-in connections are supported
How to add DNS and WINS into your Cisco VPN server
How to assign a static IP to VPN client
How to connect to a Windows domain using Windows VPN at startup
How to configure VPN Packet Filters
How do I set up a modem to dial into a remote computer
How to configure W2K server as VPN server
How to configure Win 2000/XP Pro as VPN host
How to configure a W2K/XP as VPN client
How to configure a multihomed VPN server
How to copy dial-up connections from one computer to others
How to create an incoming networking connection
How to establish VPN connection automatically
How to manage IP assignment on RRAS
How to Manage Dial-in Constraints
How to Restrict RRAS Connections
How to schedule to connect and disconnect a VPN
How to setup Mac VPN
How to Set Up L2TP VPN Tunnel on MAC OS
How to Set Up L2TP VPN Tunnel on ZyWALL/USG
How to setup VPN server on 2003 server
How to setup Windows 2003 as VPN server with one NIC
How to setup VPN on w2k server with one NIC
How to use PPTP through a Cisco PIX
VPN Head Office to Branch Office
Incoming Connection or RRAS
Logon locally and remotely
Logon script with VPN
Manage VPN connections
Security on Windows VPN Server
Start Cisco VPN before logon Windows domain
Two-Way VPN Using One-Way Connection?
VPN SITE TO SITE
Which ports need to be opened for running VPN
What statements are required to allow a VPN inbound past my Cisco PIX?
Why doesn't my w2k/xp have "log on using dial-up connection" option on the logon screen
Summary
Virtual Private Networks (VPN) allow users working at home, on the road or
at a branch office to connect securely to a remote corporate server over the
public Internet. A VPN server or host is a computer that accepts VPN
connections from VPN clients; it can be an NT/W2K server or a W2K/XP Pro
workstation. A VPN client is a computer that initiates a VPN connection to a
VPN server or host; it can be an individual computer running Windows NT 4.0,
Windows 2000 or Windows 9x, or any non-Microsoft Point-to-Point Tunneling
Protocol (PPTP) client or Layer Two Tunneling Protocol (L2TP) client using
IPSec.
Basic VPN Requirement
- User Permission. Enable a user to access the VPN. To do this, go to AD
Users and Computers, select the user who needs to access the VPN, click
Dial-in, and check Allow access under Remote Access Permission (Dial-in or
VPN). Grant this only to the accounts that actually need remote access; every
account with Allow access is a path from the Internet into the LAN.
- IP Configuration. The VPN server should have a static IP address and a
range of IP addresses to assign to VPN clients. The VPN server must also be
configured with DNS and WINS server addresses to hand to the VPN client
during the connection.
- Data Encryption. Data carried on the public network should be rendered
unreadable to unauthorized parties on the network. Note that PPTP's MS-CHAP
authentication and MPPE encryption are considered weak by today's standards;
prefer L2TP over IPSec where both ends support it.
- Protocol Support. TCP/IP is the common protocol used on the public
network. The tunnel itself can also carry IP, Internetwork Packet Exchange
(IPX), NetBEUI and so on.
- Firewall Ports. When you place a VPN server behind your firewall, be sure
to pass IP protocol 47 (GRE) and TCP port 1723 for PPTP, or UDP port 500 and
IP protocol 50 (ESP) for L2TP over IPSec.
- Interface(s) for VPN server. If your network doesn't have a router, or the
VPN server is also the gateway, the computer must have at least two
interfaces, one connected to the Internet and another connected to the LAN.
If it sits behind a router, one NIC is enough.
- One interface for VPN client. The interface can be a dial-up modem or a
dedicated connection to the Internet.
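Checking the Dial-in tab by hand works for one user; in a larger domain you
also want to see who already has the permission. The following PowerShell is
an added example, not code from this page. It assumes the ActiveDirectory
module (RSAT, Windows Server 2008 R2 or later), a shell running as a domain
administrator, and a hypothetical account named jdoe.

```powershell
# Added example, not from the original page. Grants "Allow access" (Remote
# Access Permission) to one user and lists every account that already has it.
# Assumptions: the ActiveDirectory module (RSAT) is available, the shell runs
# as a domain admin, and 'jdoe' is a hypothetical account.
Import-Module ActiveDirectory

function Grant-VpnAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # msNPAllowDialin is the attribute behind the Dial-in tab: TRUE = Allow
    # access, FALSE = Deny access, absent = Control access through policy.
    Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $true }
}

function Revoke-VpnAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false }
}

function Get-VpnAllowedUsers {
    # Least-privilege check: each account returned here can dial into the LAN
    # from the Internet, so disabled or forgotten accounts should be revoked.
    Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

Grant-VpnAccess -SamAccountName 'jdoe'
Get-VpnAllowedUsers | Format-Table -AutoSize
```

Run Get-VpnAllowedUsers periodically; an account that shows Enabled = False
but still has Allow access is harmless today and a surprise the day someone
re-enables it. To return a user to "Control access through Remote Access
Policy", clear the attribute with Set-ADUser -Clear msNPAllowDialin instead of
setting it to false.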
Q: Can I set up my VPN client as a router to direct all local computers'
traffic to the VPN?
A: No. A client connection only carries traffic for the computer that dialed
it; to route a whole LAN through the tunnel you need to set up a site-to-site
VPN.
Can't ping computer name when using VPN
If you have name resolution issues when using the VPN, first make sure the
VPN server hands out DNS and WINS addresses to clients (see the sections on
configuring the W2K server and the Cisco VPN server). Then check the PPTP
filtering on the server: if UDP ports 137 and 138 or TCP port 139 are
disabled, NetBIOS packets cannot pass through the network. You also need to
enable these ports on all firewalls and routers between the client and the
server for unicast (point-to-point) traffic.
Configure RRAS tracing
When you need to monitor the activities of the Routing and Remote Access and
Dial-Up Networking components, use the tracing functionality to configure them
to log tracing information to a file. You can enable tracing either by
configuring the registry or by using the netsh command (netsh ras set tracing
* enabled); the trace files are written under %SystemRoot%\tracing. Disable
tracing again when you are finished, because the files grow quickly.
How to add DNS and WINS into your Cisco VPN server
If your VPN client cannot find servers or cannot ping a computer name, you may
need to add DNS and WINS to your VPN server. For example, to add DNS and WINS
on a Cisco PIX firewall, add vpdn group 1 client configuration dns
dnsservername and vpdn group 1 client configuration wins winsservername.
How to assign a static IP to VPN client
If you have a Windows 2003 server as the VPN server, you can assign a static
IP under the user's properties (Dial-in tab). If you use another Windows OS as
the VPN server, you may create a DHCP reservation instead.
How to connect to a Windows domain using Windows VPN at startup
If your W2K/XP Pro computer is joined to a domain, you will have the option
"Log on using dial-up connection" on the logon screen after creating a
VPN/dial-up connection. In the Log On to Windows dialog box, the user selects
the Log on using dial-up connection check box. After clicking OK, the user is
prompted to choose a network connection.
How to configure VPN Packet Filters
When you set up RRAS, a set of default Input and Output Filters is created on
the external adapter of the VPN server. If you aren't running your server in a
highly secure environment, you can place the server outside the firewall and
rely on these filters to restrict incoming traffic to PPTP packets only;
keeping the server behind the firewall is still the safer choice, since a
misconfigured or disabled filter set then leaves the whole host exposed. To
display and modify these filters, go to Routing and Remote Access > IP
Routing > General, and then add or edit the packet filters of the dedicated
Local Area Connection. On Windows NT 4.0, enable PPTP filtering from Control
Panel: select the Network applet, Protocols, TCP/IP Protocol, the WAN
adapter, Advanced, and then select the Enable PPTP Filtering check box, as
Screen 1 shows. When you enable PPTP filtering, the server refuses all
non-PPTP requests on that adapter.
How do I set up a modem to dial into a remote computer
You need to install your modem from the Control Panel if you haven't already,
and you need to set up the Dial-Up Networking server on the remote computer.
(This is included with Win98, NT4 and W2K/XP. On Win95 it is in the Plus!
pack, but you need to get an update to version 1.3 or later from Microsoft's
site.) You can enable the dial-up server from the Connections menu of the
Dial-Up Networking window. If it isn't there, or if you've updated Dial-Up
Networking as mentioned above, you need to install it using the Windows Setup
section of Add/Remove Programs in the Control Panel.
How many inbound dial-in connections are supported
W2K Server supports 256 inbound dial-in connections, while W2K Pro supports 1.
How to create an incoming networking connection
You can configure an incoming connection to accept the following connection
types: dial-up (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct (serial,
infrared, DirectParallel). On a computer running Windows 2000 Pro or XP Pro,
an incoming connection can accept up to three incoming calls, up to one of
each of these types. Note: on a computer running Windows 2000/2003 Server, the
number of inbound calls is limited only by the computer and its hardware
configuration.
To create the VPN connection, open Network Connections > New Connection
Wizard > Set up an advanced connection > Accept incoming connections. Click
Next without selecting a modem or other device if you are setting up a PPTP
VPN, then follow the instructions.
How to establish VPN connection automatically
1. You can run rasdial.exe as a service by using instsrv.exe.
2. Add rasdial.exe to the Startup folder.
3. Create an IPSec VPN if you have a static IP.
How to manage IP assignment on RRAS
Open RRAS, right-click the RRAS server > Properties > IP. You have two
options: DHCP and Static address pool.
How to schedule to connect and disconnect a VPN
You can use the rasdial command together with the Task Scheduler: one task
runs rasdial to connect, another runs rasdial with /disconnect.
How to setup VPN server on 2003 server
You have two options to set up a VPN server on Windows 2003. 1) Create an
incoming networking connection if you have a small network or you want to set
up a PC-to-PC VPN; 2) If you have large numbers of incoming connections on a
server that operates as part of a distributed network or as a domain
controller, you should use RRAS to create a VPN server. Also refer to
How to setup Windows 2003 as VPN server with one NIC.
How to setup VPN on w2k server with one NIC
Symptoms: When attempting to create a VPN on a W2K server with one NIC, you
may receive "You have chosen the last available connection as the Internet
connection. A VPN server requires that one connection be used as the private
network connection" if you select the NIC.
1. Highlight No internet connection instead of the NIC or LAN connection.
2. Or try the "Manually configured server" option.
Also refer to How to setup Windows 2003 as VPN server with one NIC.
How to use PPTP through a Cisco PIX
In order to use PPTP through a PIX, you must have a one-to-one (static)
mapping from the external IP to the internal IP of the VPN server, and pass
both IP protocol 47 (GRE) packets and TCP port 1723 to it. Forwarding only
the TCP port is the usual mistake: the control channel comes up but the GRE
data channel never does.
How to configure W2K server as VPN server
To set up a Windows 2000 server for VPN, open the Routing and Remote Access
console in the Administrative Tools folder, right-click the server and then
click Configure and Enable Routing and Remote Access > Virtual private
network [VPN] server. Click Next if TCP/IP is the only protocol you will use.
Select the connection that faces the Internet as the Internet Connection. You
have two options to assign IPs to VPN clients; the default is Automatically.
It is recommended to configure the server to assign client addresses from a
static address pool rather than from a DHCP server. If you configure RAS to
assign client addresses from a static address pool, clients inherit the DNS
and WINS settings from the RAS server; if the RAS server can browse the
network, clients should also be able to browse the network with the same
settings. If you prefer DHCP, verify that DHCP scope option 44 (WINS/NetBIOS
name server) points to the WINS server and scope option 6 shows the address
of your DNS server. When you don't define these options, you almost guarantee
problems with client browsing. Finally, choose whether or not to use RADIUS.
NOTE: If VPN traffic travels through a router or firewall, configure the
router or firewall to pass PPTP (TCP port 1723 and IP protocol ID 47 [GRE,
Generic Routing Encapsulation]) or L2TP over IPSec (UDP port 500 and IP
protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN
server.
How to configure Win 2000/XP Pro as VPN host
Prior to Windows 2000/XP Pro, you had to add PPTP to NT 4.0 Server to
establish VPN connections. With the release of Windows 2000/XP Pro, you can
run Windows 2000/XP Pro as a VPN host. However, Windows 2000/XP Pro allows
only one VPN connection at a time and requires Internet Protocol (IP).
Before you start the VPN configuration, you should have equipment (modem,
T1, Frame Relay, ADSL or cable modem) connecting to the Internet. Also make
sure you have correct TCP/IP settings on the W2K/XP.
To set up Win XP Pro (in our case) as a VPN host, go to the Properties of My
Network Places > Create a New Connection > Set up an Advanced Connection >
Accept Incoming Connections. On the Devices for Incoming Connections dialog
box, do not select any device; just click Next, check Allow virtual private
connections, and then click Next. On the Allowed Users dialog box, select or
add all users for whom you want to enable access. The account the client logs
on with must exist on the VPN host; in a workgroup it is simplest to create
the same user name and password on both computers. On the New Connection
Wizard, File and Printer Sharing for Microsoft Networks, Internet Protocol
(TCP/IP) and Client for Microsoft Networks should be listed as networking
components. By default, Allow callers to access my local area network and
Assign TCP/IP addresses automatically using DHCP are checked. If you would
like to keep the default settings, click Next to continue. Now the Incoming
Connection icon should show in the Incoming section under the Properties of
My Network Places and is ready to use. Every user you allow here can reach
your LAN from the Internet, so give each a strong password and allow only
the accounts that need it.
How to configure a W2K/XP as VPN client
To connect to a VPN server, you should have a dial-up modem or a high-speed
Internet connection. To set up an XP client to access the VPN host, go to the
Properties of My Network Places > Create a New Connection > Connect to the
network at my workplace > Virtual Private Network connection. Type a
computer name that will be shown as the connection name in the VPN section,
select Do not dial the initial connection and then type the VPN host IP. You
can create this connection for anyone who uses the computer or only for
yourself.
How to configure a multihomed VPN server
If the VPN server has two network cards, one for the LAN and one for the WAN,
leave the gateway on the LAN adapter blank. In the gateway field of the WAN
network interface, enter the TCP/IP address that your ISP defines; the
gateway address usually points to a router at your ISP. It is recommended
that you manually enter the TCP/IP address, DNS and WINS for the LAN NIC
instead of using DHCP.
Incoming Connection or RRAS
You can create an incoming connection on a computer acting as a remote
access server if it is running Windows 2000 or XP Pro, or if it is a
stand-alone computer running Windows 2000/2003 Server. For large numbers of
incoming connections on a computer running Windows 2000/2003 Server as a
router, as a domain controller, or as a member of a domain, you should use
Routing and Remote Access to create a remote access server.
Logon script with VPN
To run a logon script while establishing a VPN, you have two options: 1)
create a batch file that runs rasdial.exe and then maps the drives; 2) use
Microsoft CMAK (Connection Manager Administration Kit), which can run
post-connect actions.
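The three rasdial-based items on this page (running it automatically at
startup, scheduling connect and disconnect, and wrapping a logon script
around it) can be served by one script. The following PowerShell is an added
example, not code from this page. It assumes a connection named "Office"
already exists in Network Connections with its credentials saved, a
hypothetical share \\fileserver\share reachable through the tunnel, and that
the file is saved as C:\Scripts\vpn.ps1 on Windows with PowerShell 3.0 or
later.

```powershell
# Added example, not from the original page: connect a saved VPN entry with
# rasdial.exe, map a drive once the tunnel is up (the "logon script" around
# the VPN), and register scheduled tasks that connect and disconnect it.
# Assumptions (all hypothetical): a connection named "Office" exists in
# Network Connections with its credentials saved, \\fileserver\share is
# reachable through the tunnel, and this file is saved as C:\Scripts\vpn.ps1
# (a path without spaces, so it needs no quoting in the task command line).
param([ValidateSet('Connect', 'Disconnect', 'Schedule')][string]$Action = 'Connect')

$Entry = 'Office'

function Connect-Vpn {
    param([string]$Entry)
    # Called with only the entry name, rasdial uses the credentials saved on
    # that entry, which keeps the password out of this script and out of
    # the scheduled task definition.
    rasdial $Entry | Out-Null
    # rasdial exits with 0 on success, otherwise with the RAS error number
    # (for example 691 = bad credentials, 721 = no GRE reply from the server).
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial '$Entry' failed with RAS error $LASTEXITCODE"
    }
}

function Disconnect-Vpn {
    param([string]$Entry)
    rasdial $Entry /disconnect | Out-Null
}

function Map-OfficeDrive {
    # Remove a stale mapping left by an earlier session so 'net use' does
    # not fail with "local device name is already in use".
    net use Z: /delete 2>$null | Out-Null
    net use Z: \\fileserver\share /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "mapping Z: failed with exit code $LASTEXITCODE"
    }
}

function Register-VpnSchedule {
    # Connect at 07:55 and disconnect at 18:05 on weekdays. /F overwrites a
    # task of the same name; run this once from an elevated prompt.
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -Action"
    schtasks /Create /F /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 07:55 /TN 'VPN Connect'    /TR "$cmd Connect"
    schtasks /Create /F /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 18:05 /TN 'VPN Disconnect' /TR "$cmd Disconnect"
}

switch ($Action) {
    'Connect'    { Connect-Vpn -Entry $Entry; Map-OfficeDrive }
    'Disconnect' { Disconnect-Vpn -Entry $Entry }
    'Schedule'   { Register-VpnSchedule }
}
```

Run the script once with -Action Schedule from an elevated prompt to create
the two tasks; a shortcut to it with -Action Connect in the Startup folder
covers the "connect at startup" case. The tasks run as the user who created
them, so the saved credentials on the "Office" entry must belong to that same
user. Passing the user name and password on the rasdial command line would
also work but leaves the password readable in the task definition and in any
process listing, which is why the example relies on the saved entry instead.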
Manage VPN connections
To manage VPN logon times, permissions, disconnect-if-idle timeouts, maximum
session length and other constraints, use Remote Access Policies under RRAS.
Security on Windows VPN Server
A Windows 2000 VPN server is installed with a default set of Input and Output
filters on the external adapter. These filters support PPTP, L2TP and IPSec
connectivity only and block other traffic. However, the filters can be
modified. To modify the filters, go to RRAS > IP Routing > General,
right-click the external adapter and select Properties. Before loosening
them, remember that every additional permitted port is exposed directly to
the Internet.
Which ports need to be opened for running VPN
A: PPTP VPN uses TCP port 1723 and IP protocol 47 (GRE); L2TP uses UDP port
1701; IPSec uses UDP port 500 (IKE), UDP port 4500 (NAT traversal, when the
client or server sits behind NAT), and IP protocols 50 (ESP) and 51 (AH).
Note: 47 is a protocol number, not a TCP port. The protocol name is GRE. This
makes a big difference when configuring your firewall or router: a rule that
opens "port 47" does nothing for PPTP.
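The same port list applied to the Windows Firewall on the VPN server itself,
and a reachability check from a client, as an added PowerShell example that
is not code from this page. It assumes Windows Vista/Server 2008 or later
(netsh advfirewall) and a hypothetical server address 203.0.113.10 from the
documentation range; the rule names are also invented here.

```powershell
# Added example, not from the original page: open the VPN ports listed above
# on the Windows Firewall of the VPN server, show what was added, and probe
# the PPTP control port from a client. Assumes netsh advfirewall (Vista/2008
# or later) and a hypothetical server at 203.0.113.10.

function Add-VpnFirewallRules {
    param([ValidateSet('PPTP', 'L2TP')][string]$Type)
    switch ($Type) {
        'PPTP' {
            # Control channel: TCP 1723. Data channel: GRE, which is IP
            # protocol 47, not a TCP/UDP port, so it is given as protocol=47
            # with no localport at all.
            netsh advfirewall firewall add rule name="VPN PPTP control" dir=in action=allow protocol=TCP localport=1723
            netsh advfirewall firewall add rule name="VPN PPTP GRE" dir=in action=allow protocol=47
        }
        'L2TP' {
            # IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50.
            # UDP 1701 (raw L2TP) is deliberately left closed: with IPSec in
            # front, L2TP only ever arrives inside ESP.
            netsh advfirewall firewall add rule name="VPN IKE" dir=in action=allow protocol=UDP localport=500
            netsh advfirewall firewall add rule name="VPN NAT-T" dir=in action=allow protocol=UDP localport=4500
            netsh advfirewall firewall add rule name="VPN ESP" dir=in action=allow protocol=50
        }
    }
}

function Show-VpnFirewallRules {
    # Lists only the rule names created above so the result is easy to audit.
    netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+VPN '
}

function Test-PptpControlPort {
    param([string]$Server)
    # Only the TCP control channel can be probed with a plain connect; GRE has
    # no handshake to test. Returns $true when TCP 1723 accepts a connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, 1723)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Add-VpnFirewallRules -Type PPTP
Show-VpnFirewallRules
Test-PptpControlPort -Server '203.0.113.10'
```

If Test-PptpControlPort returns $true but the Windows client still fails with
error 721 while "verifying user name and password", the control channel is
fine and GRE is being dropped somewhere on the path, usually by a firewall or
NAT device that was given a port rule for "47" instead of a protocol rule.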
What statements are required to allow a VPN inbound past my Cisco PIX?
The following example is a simple PPTP access list:
access-list 110 permit tcp any host x.x.x.x eq 1723
access-list 110 permit gre any host x.x.x.x
Note: 1. x.x.x.x is the outside IP; the list must also be applied to the
outside interface with an access-group statement, and the outside IP must be
statically mapped to the internal VPN server. 2. If you use PIX 6.3.1, you
will need to enable fixup protocol pptp 1723.
Why doesn't my w2k/xp have "log on using dial-up connection" option on the
logon screen
1. You must create a VPN or dial-up connection first.
2. Your administrator may have disabled this option.
3. If the computer is not a member of a domain, the Log on using dial-up
connection check box does not appear.