VPN server behind an Actiontec DSL Gateway

Nate

Hello,

I am setting up a secure network for a local doctor. He wants to be able to
access his medical records at his office server from his home computer via a
secure VPN tunnel. He has purchased Qwest DSL for both his home and his
office phone line. He was sent 2 of the Actiontec DSL gateways. I have
set up the VPN server on his main office server, which is a Windows 2000
server system. It works fine when connecting to it from a LAN PC. We are
having trouble connecting to it from the Internet, however. I have set up
the router to forward TCP port 1723 to the IP address of the VPN Server.
But I think there are some additional protocols that need to be forwarded as
well, that this Actiontec DSL gateway is not capable of. It gets to the
verifying username and password stage, then it times out and fails. I know
the U/P's are correct. I haven't tried this in DMZ mode yet, however. Also,
I don't like the fact that the built-in firewall cannot be disabled for
testing purposes. Internet works fine for both systems.

If possible, can someone tell me how to get this working? All possibilities
are available as an option. We were wondering if purchasing additional
public IP's would fix this issue. Also contemplating buying a true DSL
modem to connect directly to the office server. Not a DSL modem/NAT router.

Thanks for any help,
Nate
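
An added diagnostic for the symptom in the post above, not part of the original thread: TCP 1723 carries only the PPTP control channel, while the username/password exchange travels in GRE (IP protocol 47), so this Python example checks whether the control handshake (RFC 2637) completes through the port forward. The function names and the host and vendor strings are assumptions made for the example.

```python
import socket
import struct

PPTP_PORT = 1723            # the control-channel port forwarded in the post
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value in every PPTP control message
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
HEADER = struct.Struct("!HHIHH")              # length, msg type, cookie, ctrl type, reserved
REPLY_BODY = struct.Struct("!HBBIIHH64s64s")  # version, result, error, caps, ..., host, vendor

def build_sccrq(host=b"probe", vendor=b"added-example"):
    """Return the 156-byte Start-Control-Connection-Request (host/vendor are made up)."""
    body = struct.pack("!HHIIHH64s64s", 0x0100, 0, 3, 3, 0, 0, host, vendor)
    return HEADER.pack(HEADER.size + len(body), 1, MAGIC_COOKIE, SCCRQ, 0) + body

def parse_sccrp(data):
    """Parse a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < HEADER.size + REPLY_BODY.size:
        raise ValueError("short reply")
    _length, msg_type, cookie, ctrl_type, _rsv = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    fields = REPLY_BODY.unpack_from(data, HEADER.size)
    return {"result": fields[1], "error": fields[2],
            "host": fields[7].rstrip(b"\0").decode("ascii", "replace")}

def diagnose(tcp_ok, reply):
    """Map what the probe saw to the likely fault on the NAT gateway."""
    if not tcp_ok:
        return "TCP 1723 is not reaching the server: check the port forward"
    if reply is None or reply["result"] != 1:   # result code 1 means success
        return "TCP 1723 connects but PPTP did not accept the control connection"
    return ("control channel works; a timeout at credential verification then "
            "points at GRE (IP protocol 47) not being passed by the gateway")

def probe(server, timeout=5.0):
    """Send one request to the VPN server's public address and diagnose the answer."""
    try:
        sock = socket.create_connection((server, PPTP_PORT), timeout=timeout)
    except OSError:
        return diagnose(False, None)
    with sock:
        try:
            sock.sendall(build_sccrq())
            return diagnose(True, parse_sccrp(sock.makefile("rb").read(156)))
        except (OSError, ValueError):
            return diagnose(True, None)
```

Call `probe()` from a machine outside the office LAN with the gateway's public address; GRE has no port numbers, so a forwarding rule for TCP 1723 does not cover it.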
 
Alan

Nate,

Your ISP must support VPNs, they may be filtering
traffic. It is best to have a static IP at each end but a
static IP at the server end only will work with the right
router(s). I suggest using a Cable/DSL VPN Router on the
server end and the same or a Cable/DSL VPN End-Point
Router at the doc's home. Avoid using different brands on
each end. Verify each router has the same firmware
version and configure them to establish, encrypt and
maintain the VPN tunnel(s). Assign a new password and
remote management port to each of the routers after
configuring them rather than using the defaults. I would
also consider assigning a new default router IP rather
than using the standard 192.168.1.1 which most use.
Enable encryption and authentication in each of the
routers for each tunnel created, enable blocking of WAN
requests and disable remote upgrade if available in the
routers you choose. Use Windows 2000 or XP Pro at the
doc's home to log on and access the server. A word of
caution for both you and the doc, patient information must
be protected under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) rules and guidelines.
If others use the doc's home computer to access the
internet they need to have their own account with the
appropriate user access level. An audit trail must be
available to determine who, when and what information was
accessed on the server. Sharing of a single user account
is NOT acceptable and creates a liability for the doc,
institution and you as a solution provider. Check out
http://www.ama-assn.org/ama/pub/category/4234.html for
more info on the HIPAA guidelines. Good Luck.

Alan
 
charteer

I'm not sure what your exact issue is, but I can tell you this: unless this
equipment is "unusual", a VPN tunnel is considered for all practical
purposes a LAN connection by the routers and therefore does not require port
forwarding or opening of firewall ports. VPN tunnels allow all ports to
pass.

Having said that, I'm having problems using VPN as well, not my post from
Newsguy.
 
