VPN question on Windows 2000 Server

  • Thread starter Dan Hoffman

Dan Hoffman

Hello,

We recently installed a Windows 2000 server on our network and are now ready
to set up a VPN with a satellite office. Question: do we need to install a
second network card in the server (PCI slot)? When setting up the VPN it
keeps saying that we are using the last internet connection available and
the VPN requires a private connection (i.e. separate).

Thanks in advance

Dan Hoffman
(e-mail address removed)
 
Usually you have two nics on a rras server. However, if it is behind a
nat device [like mine is], you can do it with one nic. You just need to map port
1723 and protocol 47/gre [sometimes called pptp passthrough] to the internal ip
address of the rras server if using pptp. L2tp generally does not work over a
nat device, though MS has released a nat-t update. Machine certificates are
needed for W2K computers to use l2tp. When you are setting up rras for vpn, do
not select the vpn option but instead use the last option on the list (manual, I
believe) and you will not get that error message. Test your vpn on the internal
lan first, and once it is working right then try it over the wan. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/serviceproviders/whitepapers/vpn.asp
 
L2TP with IPSec actually is IMPOSSIBLE to NAT unless both
the server and client use NAT-Traversal extensions for
IPSec (you can get the update here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043#6).
This is because IPSec encrypts right after the IP header, thus
making it impossible for the NAT server to update the checksums.
As for PPTP, the problem is with Win2k NAT, which, as
described by Microsoft in
http://support.microsoft.com/default.aspx?scid=kb;en-us;263925,
"NAT in Windows 2000 currently does not support incoming
PPTP traffic from the external network(s) to an internal
PPTP server behind the NAT server."
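The checksum point made in the reply above, worked through as an added illustration that is not from the thread or from Microsoft: the UDP checksum covers a pseudo-header containing both IP addresses, so a NAT that rewrites the source address has to recompute it; under ESP the transport header is ciphertext and the NAT cannot, while NAT-T's UDP/4500 encapsulation gives the NAT a readable outer header and IKE tells the peer the pre-NAT address. The addresses, payloads and the XOR stand-in for ESP are constructed, and `receiver_accepts`, `nat_rewrite` and `ike_learned_src` are names of this model, not of any Windows or RRAS API.

```python
import struct
from ipaddress import IPv4Address
PRIVATE, PUBLIC, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses

def _udp_csum(src: str, dst: str, seg: bytes) -> int:
    """RFC 768 UDP checksum over pseudo-header (both IPs, proto 17, length) + segment.
    Because the IPs are covered, whoever rewrites an address must recompute it."""
    data = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 17, len(seg)) + seg
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return hdr[:6] + struct.pack("!H", _udp_csum(src, dst, hdr + payload) or 0xFFFF) + payload

def esp_wrap(seg: bytes, key: int = 0x5A) -> bytes:
    # Stand-in for ESP (self-inverse XOR, NOT cryptography): models "opaque to the NAT box".
    return bytes(b ^ key for b in seg)

def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    out = dict(pkt, src=public_ip)  # pkt = {"src", "dst", "proto", "data"}
    if pkt["proto"] == 17:  # UDP (plain or UDP/4500 NAT-T): header readable, checksum fixable
        sport, dport = struct.unpack("!HH", pkt["data"][:4])
        out["data"] = build_udp(public_ip, pkt["dst"], sport, dport, pkt["data"][8:])
    return out  # proto 50 (ESP): nothing after the IP header is readable, forwarded untouched

def receiver_accepts(pkt: dict, ike_learned_src: str = "") -> bool:
    """ike_learned_src: the pre-NAT peer address that NAT-T (RFC 3948) lets IKE report."""
    seg, src = pkt["data"], pkt["src"]
    if pkt["proto"] == 17:
        if _udp_csum(src, pkt["dst"], seg) != 0:  # outer UDP was fixed up by the NAT
            return False
        if struct.unpack("!H", seg[2:4])[0] != 4500:
            return True  # ordinary UDP, nothing inside
        seg = seg[8:]  # UDP/4500: ESP follows the UDP header
    seg = esp_wrap(seg)  # "decrypt"; inner checksum still binds the pre-NAT address
    return _udp_csum(ike_learned_src or src, pkt["dst"], seg) == 0

def demo() -> dict:
    inner = build_udp(PRIVATE, SERVER, 1701, 1701, b"L2TP control")  # constructed L2TP-ish payload
    plain = {"src": PRIVATE, "dst": SERVER, "proto": 17, "data": inner}
    esp = {"src": PRIVATE, "dst": SERVER, "proto": 50, "data": esp_wrap(inner)}
    natt = {"src": PRIVATE, "dst": SERVER, "proto": 17, "data": build_udp(PRIVATE, SERVER, 4500, 4500, esp_wrap(inner))}
    return {"plain_udp": receiver_accepts(nat_rewrite(plain, PUBLIC)),
            "esp_no_natt": receiver_accepts(nat_rewrite(esp, PUBLIC)),
            "esp_natt": receiver_accepts(nat_rewrite(natt, PUBLIC), ike_learned_src=PRIVATE)}
```

`demo()` returns `{"plain_udp": True, "esp_no_natt": False, "esp_natt": True}`: the unencrypted UDP and the NAT-T case survive the address rewrite, the raw ESP case does not.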
 