VPN or no VPN?


James S Clark

I have been trying with limited success to set up VPNs
from my office PC to a couple of remote servers in branch
offices. I can achieve a connection but no drive
connectivity or remote network/PC visibility.

Site Detail
We have Win2K Adv Server on a mixed Windows network (the PDC
is NT4) and are using a small combined ADSL modem & LAN
router to gain internet access. The ADSL router is
configured with a built-in firewall and NAT.
One remote site has the same ADSL router, 1 workstation
(win2K) and a Win2K Adv Server, the other remote site is
the same except it has a Win2003 Server.

Question
Am I ever going to be able to achieve a proper VPN with
remote network visibility by using the LAN ADSL routers?
Specifically: everything I read about VPNs suggests you
need separate NICs for the LAN and WAN - is this really
true?

Any information appreciated.

James
 
So the W2K servers are member servers, not DCs, right? In other words, no
W2K or W2K3 DC exists on the network. Just trying to clarify your domain
setup. Point being that a W2K DC must be the PDC emulator and domain root in
a mixed domain environment with NT4 backup domain controllers. You can't run
an NT4 PDC and a W2K domain controller in mixed mode on the same domain. The
NetBIOS domain names will appear to concur, but in fact the domain SIDs are
unique and therefore the 2 domains are separate entities.

Special considerations as far as the router's firewall need to be addressed.
VPNs need certain ports open (and maybe the ISP needs to support GRE
packets to allow VPN connections to succeed if over the internet). The
ports that the firewall must allow depend on what protocols you are
implementing:

PPTP
  TCP port 1723
  IP protocol 47 (GRE)
  Both types of traffic must be allowed for a successful connection.

L2TP
  UDP port 1701
  The port number can be reconfigured.

L2TP/IPSec
  UDP port 500; IP protocol 50
  Port numbers and assignments can vary among different implementations.

Once the firewall issue has been dealt with, you need to look at how
IP addresses are distributed (via RAS fixed scope or DHCP server, plus DHCP
relay?). This revolves around the routing table and whether or not an
incoming VPN client can successfully reach the local DNS server in order to
achieve name resolution on the local network. That's where the default
gateway assigned to or inherited by the client becomes important.

Generally speaking, it's a bad idea to run both DHCP and RAS on the same
server if the latter is being used to accept incoming connections AND the
former to provide DHCP scope addresses to incoming clients. More often than not,
careful analysis of the routing table at the RAS server will explain why a VPN
client can't access the network (route metrics). In such cases, disabling
"use default gateway on remote network" on the client's connectoid usually fixes
that issue.

It sounds complicated but it's not, with a step by step procedure, a VPN is
fairly easily achieved. But you must keep in mind that if you can't route
and resolve, authentication becomes secondary.

There really is no excuse for having only one NIC on a router. Multiple ip
addresses on a single NIC might provide logical routing but the throughput
will suffer and issues will arise.

NICs are dead cheap even when options are included. Consider 3Com, which
sells a high-end IPSec-integrated NIC with an embedded 125 MHz security
processor for $140 US. IPSec packet encryption on the fly. It's an awesome
piece of technology and well worth every penny. Besides, $40 should get you
an ordinary NIC.
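The firewall openings listed in the reply above are the first thing to verify on a SOHO router like the one in the question, and the piece most often missed is the raw IP protocol (GRE for PPTP, ESP for L2TP/IPSec), which a plain port-forward cannot express. The following is an added example, not code from this thread: a small audit helper that compares a router's allow-list with what each VPN type needs. The rule syntax (`allow tcp 1723`, `allow ip 47`, `allow gre`) and the sample rule set are constructed for the example.

```python
# Added example (not from the thread): audit a router allow-list against the
# firewall openings each Windows VPN type needs, per the port table above.
# The rule syntax and SAMPLE_RULES below are constructed for this example.

# (protocol, port) pairs. A port of None means the whole IP protocol must be
# permitted; most SOHO routers cannot express that as a simple port-forward,
# which is a classic cause of "the tunnel connects but nothing routes".
REQUIRED = {
    "PPTP":       {("tcp", 1723), ("gre", None)},   # GRE = IP protocol 47
    "L2TP":       {("udp", 1701)},                  # port may be reconfigured
    "L2TP/IPSec": {("udp", 500), ("esp", None)},    # IKE on 500 + ESP (proto 50)
}

# Accept raw protocols by number as well as by name.
PROTO_NUMBERS = {"47": "gre", "50": "esp"}


def parse_rules(text):
    """Return the set of (protocol, port) pairs explicitly allowed.

    Lines look like 'allow tcp 1723', 'allow ip 47' or 'allow gre';
    '#' starts a comment; anything that is not an allow rule is ignored.
    """
    allowed = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "allow":
            continue
        proto = parts[1].lower()
        if proto in ("tcp", "udp"):
            if len(parts) == 3 and parts[2].isdigit():
                allowed.add((proto, int(parts[2])))
        elif proto == "ip" and len(parts) == 3:
            allowed.add((PROTO_NUMBERS.get(parts[2], "ip" + parts[2]), None))
        else:
            allowed.add((proto, None))  # whole protocol, e.g. 'allow gre'
    return allowed


def missing_for(vpn_type, allowed):
    """Sorted list of openings vpn_type still needs, e.g. ['gre']."""
    return sorted(p if port is None else f"{p}/{port}"
                  for p, port in REQUIRED[vpn_type] - allowed)


SAMPLE_RULES = """\
# constructed SOHO router allow-list: ports forwarded, raw protocols forgotten
allow tcp 1723      # PPTP control channel
allow udp 500       # IKE
allow udp 1701      # plain L2TP
deny gre
"""

if __name__ == "__main__":
    allowed = parse_rules(SAMPLE_RULES)
    for vpn in REQUIRED:
        gaps = missing_for(vpn, allowed)
        print(f"{vpn:11} {'OK' if not gaps else 'missing: ' + ', '.join(gaps)}")
```

Run against the sample list it reports PPTP missing `gre` and L2TP/IPSec missing `esp`, which matches the "connects but no drive connectivity" symptom when only the TCP/UDP ports were forwarded.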
 
Thank you for the advice. You've helped me with several
issues, and after a bit of re-routing I have been able to
get proper remote-network visibility. YES!

Thanks again,

James
 