W2K VPN Setup

[Mark]

Hi,

Sorry to repost this to the group, but I thought I was on the right tack and
home free. Seems I am not.

Hello,

I am trying to setup a VPN on my server.

I start to run "Configure and Enable Routing and Remote Access" I run into a
snag. As I go through the screens I come to a place to "Specify the
Internet Connection that the Server Uses". Here I show my LAN connection
(this is the NIC in the server.. it has two IP addresses) and another line
showing <No Internet Connection>. When I select the LAN card I get "You
have chosen the last available connection as the internet. A VPN Server
requires one connection to be used as the private network connection" I
can't seem to go any further. If I select "no internet connection" I can't
seem to get anything to work.

I can browse from the server to the net just fine. I also have a router in
place where the gateway is 192.168.0.1...

Thanks for any help of suggestions!

 

[Robert L [MS-MVP]]

assuming you have just one NIC, this may help. quoted from
http://www.ChicagoTech.net
How to setup VPN on w2k server with one NIC

Symptoms: When attempting to create VPN on w2k server with one NIC, you may
receive "You have chosen the last available connection as the Internet
connection. A VPN server required that one connection be used as the private
network connection" if you select the NIC.

1. You should highlight No internet connection instead of the NIC or LAN
connection.
2. You may try "Manually configured server option".


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.

 

[Mark]

Thanks Rob, but for me, for what ever reason this just doesn't work.

All of my "internal interfaces" seem to be blank or non-operational.
Everything else on he server works great (I don't run ISA on this box and
don't know if this is a factor). I has just one NIC (IP 10.0.0.10 GW
10.0.0.1) is attached to a switch serving the LAN. Router/Gateway
(10.0.0.1; doing NAT & Firewall) is also attached to the switch. Server
and workstations use GW to surf the net.

Mark

 

[Bill Grant]

If you only have one NIC in the server, do not try to use any of the
VPN wizards. Simply configure your server as a remote access server. This
will set up the miniports you need for VPN.

Test your config by making a VPN connection to the server from one of
your LAN clients. (VPN works fine over Ethernet).

When this works, try forwarding tcp port 1723 from your router to the
server's IP address. Now try making a VPN connection from a remote machine
to the router's public IP. The port forwarding will extend the connection to
the server through its LAN NIC.

 

[Mark]

Bill,

Thanks for the help.

I am able to access the VPN through the LAN with no problems. I have
configured the router to forward port (PPTP 1723 correct??) to the server
and I get at 721 error. Everything I have read talk about GRE protocol 47.
I would suspect that my firewall is causing the problem (Linksys BEFVP41).
I can't seem to find out how to configure this on the router anywhere. I
understand that this is not a "port protocol". Is this correct? Then how do
you allow it?

Thanks again,
Mark

 

[Mark]

Guys,

OK.. I FINALLY found out what I belive the problem is. Seems my router
doesn't do a very good job with VPN (after at 45 min discussin with Linksys)
so I will have to start looking arround.

Thanks for all the help!

Mark

 

[Bill Grant]

Just a note concerning ports and protocols.

GRE is as IP protocol, just like TCP or UDP. TCP is protocol 6, UDP is 17
and GRE is 47. So it can be allowed or blocked by a firewall/router. It
cannot be forwarded, because it is not a port.

When you set up a PPTP connection, PPTP controls the setup and
maintainence of the PPTP tunnel. So if you forward TCP port 1723 from your
router to your server, you extend the tunnel endpoint to the server.

The actual packet containing the encrypted data has a GRE header with a
public IP on the front. If your router (or anything else in the path) blocks
GRE, no data is transferred, and the connection fails.

 

[Mark]

Thanks again Bill! Any recommendation on a router that work with VPN .

Mark

 

[Bill Grant]

Most SOHO router/firewalls can handle it these days. Unfortunately, they
all seem to do it a different way using different terminology. Some mention
GRE by name or by IP protocol, some use PPTP pass-through or even just VPN
pass through. And some just don't work even when they say they support it.
Some only work with the latest firmware upgrade.