
Connect VPN PPTP tunnel to remote 2003 Server using MS Clien

Discussion in 'Networking Issues' started by IT_Architect, Nov 8, 2005.

  1. IT_Architect

    IT_Architect Network Guru Member

    I think I may be a not so proud owner of a one-day-old WRV54G router that probably won't work for me :cry: So now I'm here where I should have started in the first place.

    Situation:
    Currently the customer is connecting VPN via pass through, which means only one can be on-line at a time, and it requires 1/2 hour between the time one logs off and the other logs on. The customer is currently squatting on his landlord's network until he can get cable access (90-120 days). E.G. I have one public IP for two companies and two separate networks. What I plan to do there is put a switch in between the modem and the two gateways. Fortunately, the landlord's company has no vpn to be concerned with.

    Requirements:
    - I need to tunnel from a remote office to a central office 2003 Server using pptp AND likely use the Microsoft client on their laptops at the remote office.
    - I need them to be able to access the network assets at the home office as well as their own local network assets and have local internet access at the same time.
    - I'm not willing to have the central office make changes to accommodate the remote office even though they no doubt would.
    - Their consultants, when on the road, log into the home office using VPN pass-through. From what I'm reading, the WRV54G requires a "special" VPN client because it lacks NAT-T. I'm not into "special" :thumbdown: I don't want them to have to play games with multiple VPN clients, and from what I understand, the "special" VPN client doesn't play at all with other VPN clients loaded on the same computer anyway.

    What I need:
    1. Hardware recommendations: I read here about people liking the SMC SMCBR18VPN and D-Link DI-808HV and using the WRV54G as a WAP for this situation, but I would appreciate any advice you might have concerning equipment and configuration.
    2. An implementation plan that will meet these requirements.

    Thanks! :thumb:
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Actually,

    I said I was using the SMCBR18VPN as my "gateway router" (connected directly to the internet) and then I have my WRV54G connected behind it via its WAN port (the SMC's DHCP server is giving out one ip address for the WRV54G), which gives me two functional subnets at home. It's the BWA711 router I'm using as the access point. :rockon:

    No special vpn client is needed because the quickvpn client comes with 5 free user accounts when you purchase the WRV54G. This client is a little "fussy," but it does work (I use it everyday without fail). Also, in my quickvpn setup guide, I did mention that on the norm, quickvpn doesn't play nice with other vpn clients loaded, but I've begun to see where "occasionally" you can get away with having a client such as "greenbow vpn" loaded at the same time with quickvpn and there's no conflict (this might be due to patch updates for microsoft OS as my guess or something else totally arbitrary...).

    There are a few links below if you need to use quickvpn in the meantime...

    Now all I have to do is forward 443 and 500 on the smc router to the ip address the WRV54G pulled (of course, because its WAN port is on the same ip subnet as the SMC LAN). In this configuration, I can now use greenbow on either subnet to connect out to another endpoint router (WRV54G, D-link, Netgear) because the SMCBR18VPN router has NAT-T support. With the SMC router running in front as my perimeter router, "little" problems I had with the WRV54G (ip refresh times) disappeared. Minus the NAT-T, the WRV54G performs great now...

    The SMCBR18VPN firewall router comes with 5 built in pptp/l2tp/ipsec clients. You also have 40 ipsec tunnels. If this were a wireless router, I probably would have bought it instead of the WRV54G because it's NAT-T capable:

    http://www.smc.com/files/AP/DS_BR18VPN_EN.pdf

    The two of these routers working together are the shizzell! You can get the SMCBR18VPN router from newegg.com for $78! :thumb:

    In the meantime, here's a couple of links to get you by until you get another router to put in front of the WRV54G:

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=5173 (Quickvpn setup guide)

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=5911 (Quickvpn Won't Connect)

    Doc
     
  3. IT_Architect

    IT_Architect Network Guru Member

    Perfect! That's the help I needed. Now I just need a head check.

    What I hear you saying is that:
    - If I could run the WRV54G as the gateway, there would be no problem and I could use any client.
    - The problem comes in when the WAN port has been NATed from another router because the WRV54G does not know how to wrap and unwrap the NATed VPN packets so that it appears to both ends that the conversation is occurring between two public IP addresses. Thus, the WRV54G either needs to be a gateway with a public IP, OR you need a router ahead of it that knows how to wrap and unwrap VPN packets for the NAT side. That way the WRV54G does not have to know that it isn't actually dealing with the right address.
    - The "special" client handles this for the WRV54G.

    Currently at the customer site I have a Belkin Pre-N as the Gateway and another as an access point to reach the business that needs the VPN. They are currently on the same network. Having the WRV54G be the gateway directly would not work because even if the landlord's network were NATed off one of the Belkin Pre-Ns, it would still have full visibility of the VPN network since the VPN network would reside on the WAN port of the Belkin Pre-N.

    So it looks like I have a couple options:

    Option 1:
    Two gateways on the same public IP connected through a hub; one to the landlord's company, and one to the VPN company. (I'll have to see if this works using my packet sniffer hub.)

    Option 2:
    As per your suggestion, make the SMCBR18VPN the gateway, and dish dhcp to a Belkin Pre-N for the landlord's company and the WRV54G for the VPN company.

    If my time is worth more than 50 cents an hour, going with your option, Option 2 sounds the best because I'm not doing anything out of the ordinary. My thinking is the SMCBR18VPN could be used in two different capacities:
    - When it is being used as the VPN server, the connections are made from the client directly to the SMCBR18VPN.
    - When it is providing simply NAT-T services, the WRV54G is providing the VPN server function, and people can connect to it on the local subnet with any client because the NAT-T services are being handled by the SMCBR18VPN to maintain the public IP to public IP conversation.

    In this case, I would want the VPN server to be the WRV54G to make sure that the VPN customer's network is not visible on the landlord's network.

    Thanks! :thumb:
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    In my haste to answer your question earlier, I forgot to include a link to a "VPN Server" configuration guide I put together (I realized you were looking at a vpn server as an option also; my bad).

    This guide illustrates how to configure either 2000 server or 2003 server as a PPTP vpn server. I'm running one of these in my house also. Basically I've got my PPTP server configured with a static ip address that's on the same ip scheme as the SMCBR18VPN router; from there I have port 1723 forwarded to the ip address of the vpn server and voila!, there's my pptp vpn server in effect!!

    http://www.dslreports.com/forum/remark,14418801

    Additionally, when your users are on the road and run into problems with internet connectivity provided by the hotel, it might be of interest for them to travel with either the WTR54GS or the WRT54GC; I own the latter also. I just got back from a business trip and bought one.

    It was worth the money. My hotel only had "wired" ethernet, so I went over to best buy, came back and ran the CAT 5 to the WRT54GC's WAN port, put in my settings, and I was using quickvpn to connect to my WRV54G without "ANY" problems!!

    It's dual voltage, so you can go "anywhere" in the world with it. I'm telling you, you just have to know what you're doing with the WRV54G to get some satisfaction!! :cheer:

    Doc
     
  5. IT_Architect

    IT_Architect Network Guru Member

    Perfect! Any recommendation of which firmware to run?

    Thanks! :cheer:
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'm just using the current firmware right now, there's no need to rush into anything.

    So, what router are you looking at getting or are you going to run a vpn server with pptp configured?

    Doc
     
  7. IT_Architect

    IT_Architect Network Guru Member

    >So, what router are you looking at getting or are you going to run a vpn server with pptp configured? <

    Well I was trying to run the SMCBR18VPN from New Egg. I just got off the phone with them. I ordered it 3 days ago overnight, and I have a copy of their order, but they don't. Plus they said it's 12 minutes past their shipping cut-off time to send it out today. :x

    However, I just had a thought. If I put the Linksys WRV54G on the public IP, then I could run a wire to the landlord's Belkin Pre-N WAN port and have the Belkin Pre-N nat another network. That way the landlord's company wouldn't see the VPN customer's network. .......Never mind, it won't work. That still doesn't get me out of running a special VPN client. Looks like I re-order the SMCBR18VPN from someplace that delivers.

    Thanks! :thumb:
     
  8. IT_Architect

    IT_Architect Network Guru Member

    Well... I got my SMC router in. They have a Microsoft server doing their VPN in their headquarter office. So my guess is since I have one dynamic public IP address to share between two companies:
    1. Pull the Belkin off the WAN and install the SMC.
    2. Run a wire from the SMC's LAN port to the WAN on the landlord's Belkin Pre-N. This NATs the landlord a separate network.
    3. Run a wire from the SMC's LAN port to a LAN port on the other BELKIN Pre-N that runs to the VPN customer that it doesn't get NATed other than by the SMC. This puts the landlord and VPN customer on separate networks. (sorta)

    I don't understand things here though.
    - If the SMC VPN router connects to the MS 2003 VPN other network, why do you need a client? Or does the client connect to the VPN router and the tunnel so you can have visibility of your own network and the internet as well?
    - The end game is to have two or three people from the VPN customer connect to the corporate headquarters as well as use the internet and their network and also have the landlord's company use the internet.

    Any thoughts that you have that can make this process a little more clear in my mind as what I need to do would be welcome.

    Thanks!
    :thumb:
     
  9. IT_Architect

    IT_Architect Network Guru Member

    PS: I'm also guessing that the VPN customer that is connecting to their central office network would put the IP address of the SMC router in their client?
     
  10. IT_Architect

    IT_Architect Network Guru Member

    Disregard, I got it running. In the VPN area I went into the PPTP and enabled it. I set up one tunnel. I set up 3 users and their passwords. I had the wrong private network address, but once I connected with the client, it gave me the right address. After that multiple people could connect from the remote location. I may have done extra steps, I don't know. All I know is that it works with multiple connections from the remote site whereas before it did not. I tried taking the SMC out of the picture, and no multiple connections. I tried adding another wireless router after it using NAT, and no multiple connections. I changed the wireless router to act like an access point, and I had multiple connections back again. The SMC router must have the right stuff.
    :thumbup:
     
  11. DocLarge

    DocLarge Super Moderator Staff Member Member

    Hey,

    I told you everything would work out using the SMC router. :D

    So, what are you doing with your WRV54G now?

    Doc
     
