VPN Setup with a Linksys Router

Jason Clark

Can anyone tell me how to set up a VPN server on a WIN 2000
domain using a Linksys router? Also to allow my VPN
clients to browse the Internet while connected to the VPN.
 
There is not just one method to set up a VPN server behind a router. It
depends on how your LAN is configured. But basically you configure your RRAS
server to act as a remote access server. You test the config by making a VPN
connection from a local machine on the LAN. When that works, you forward TCP
port 1723 (PPTP) from the router to the RRAS server and try to connect from
a remote client to the router's public IP. If you get an error 721,
something (probably the router) is blocking GRE (IP protocol 47). GRE is
required in both directions because the encrypted VPN data travels as the
payload of an IP packet with a GRE header. So no GRE, no VPN data!

As far as Internet browsing by the client is concerned, there are
basically two possibilities. By default, the client will send all traffic
through the VPN, so they would browse the LAN through your server's Internet
connection. To modify this so that they still browse the Internet through
their local Internet connection, you need to clear the "Use default gateway
... " setting in the client's connection properties. See KB 254231 for
details on this.
 
Bill,

If I may jump into this thread ... I am up to the point
of the 721 error you mentioned. I have a Flowpoint 2200
router in place with 1723 forwarded to my W2K server. Any
ideas on how to pass GRE/IP47 through NAT? Can you
expound for the benefit of a neophyte?

Thanks,

Medicine Man
 
GRE is a protocol, not a port. Your router needs to allow that
protocol in both directions. It should appear somewhere either by name or by
IP protocol number. It must be allowed in both directions because the VPN
data packets going to and from the server will all be encrypted and
encapsulated in a packet with a GRE header.
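
The point made in the replies above, that PPTP needs TCP port 1723 plus GRE (IP protocol 47) in both directions, as an added example that is not part of the original thread: a Python check over raw IPv4 packets as seen at the VPN server. The addresses, the sample packets and the function names are constructed for illustration.

```python
import socket
import struct

GRE, TCP, PPTP_PORT, PPP_ETHERTYPE = 47, 6, 1723, 0x880B

def classify(pkt: bytes):
    """Return (src, dst, kind) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = pkt[9]                               # IP protocol number field
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    if proto == TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_PORT in (sport, dport):
            return src, dst, "pptp-control"
    elif proto == GRE and len(body) >= 8:
        # GRE has no port numbers: only flags/version, protocol type, length, call ID.
        flags_ver, ptype, _plen, _call_id = struct.unpack("!HHHH", body[:8])
        if flags_ver & 0x0007 == 1 and ptype == PPP_ETHERTYPE:
            return src, dst, "pptp-gre"
    return src, dst, "other"

def diagnose(packets, server_ip):
    seen = set()
    for pkt in packets:
        src, dst, kind = classify(pkt)
        if kind == "pptp-gre":
            kind = "gre-in" if dst == server_ip else "gre-out" if src == server_ip else "other"
        seen.add(kind)
    if "pptp-control" not in seen:
        return "no PPTP control channel: check the TCP 1723 forward"
    if {"gre-in", "gre-out"} <= seen:
        return "control and GRE in both directions: tunnel data can flow"
    return "control channel up but GRE missing in a direction (error 721 symptom)"

# Constructed sample traffic; ipv4() is a minimal packet builder (checksum left 0).
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

CLIENT, SERVER = "203.0.113.10", "192.168.1.2"
tcp_syn = struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0)
gre_ppp = struct.pack("!HHHHI", 0x3001, PPP_ETHERTYPE, 4, 1, 0) + b"\xff\x03\xc0\x21"
BLOCKED = [ipv4(CLIENT, SERVER, TCP, tcp_syn), ipv4(SERVER, CLIENT, GRE, gre_ppp)]
WORKING = BLOCKED + [ipv4(CLIENT, SERVER, GRE, gre_ppp)]

if __name__ == "__main__":
    print(diagnose(BLOCKED, SERVER), diagnose(WORKING, SERVER), sep="\n")
```

In the `BLOCKED` sample the server's GRE replies leave but no GRE arrives from the client, which is the case where a TCP 1723 forward alone is not enough.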
 
Thanks Bill,

.... got IP 47 (all ports) forwarded through my router
now, but still getting error 721 when trying to
authenticate on the VPN server. Do I need any other ports
opened besides TCP 1723? I'm stumped. Any more ideas?
 
Do you have GRE enabled for both incoming and outgoing traffic?

No, you don't need any other ports for PPTP. Just TCP port 1723.
 
I'm still confused on where IP 47 is enabled at.
Bill Grant said:
Do you have GRE enabled for both incoming and outgoing traffic?

No, you don't need any other ports for PPTP. Just TCP port 1723.
 
That really depends on your router. They all seem to do it in a slightly
different way. It can be referred to by name or by protocol number.

In RRAS you go to the public interface and enable it by IP number in
input and output filters. In Cisco IOS you use permit gre on the interface.
In some SOHO routers it is called something like PPTP pass-through mode, or
even VPN pass-through mode.
 
I have the D-Link 604. I upgraded the firmware yesterday and the new
firmware is pretty cool; it has static DHCP. I had a little bit of
hassle getting it to work, but now it works fine with my W2K VPN server
behind and a single network card and a single IP. I did several things
to make it work; I bet not all are necessary.
enabled DMZ in the router with the IP of the VPN server
in the server
enable IP router manager
grant access permission in the policy
enable remote access server and disable router function

auth CHAP v2 MS CHAP and even PAP
local interface ->
encryption allow MPPE and IPsec
allow MS-CHAP
allow remote systems running IP access entire network.

I am sure the encryption settings are pretty loose and I will work on
them. I don't have any service packs on my server, so I left it like this
just for testing.
 