w2k3 vpn server IP address(ES) ... ??

  • Thread starter: Steven Wong

Steven Wong

Hi,

When I go to Routing and remote access -> IP routing -> general,
I have 4 items on the right panel

1) loopback 127.0.0.1
2) Local Area Connection - Internal 192.168.1.100(Static)
3) Local Area Connection - External 209.21.23.19(Static)
4) Internal - Internal 192.168.1.201(DHCP)

May I ask what the 4th item is used for?
Because if the 4th item can't get an IP from the DHCP,
it will be assigned a 169.x.x.x address and all the VPN
clients will have the following errors while connecting to the VPN server.

1) TCP/IP CP reported error 733: the PPP control protocol for this network
protocol is not available on the server.
2) TCP/IP CP reported error 736: The remote computer terminated the control
protocol.

Another question: currently PPTP is working fine on this VPN server
(provided the above is working on the server). Now, I would like to
configure the server for L2TP VPN connection.
I have read some articles but I am still really confused about how it works...
Can anyone kindly tell me where I can find some clear explanation and
configuration to enable L2TP on my w2k3 VPN server?
Thanks a lot

Steven
 
No. That interface receives its IP when your first remote client
connects. It is the server end of the connection. It receives its IP in the
same way as the remote clients, i.e. from the pool of addresses used for
remote access.
 
so .. I have to have a DHCP server somewhere or use the built-in IP address
pool .. ?
That's still OK.
I would like to ask one more question.
I got some filtering rules setup on the switch port connected to the VPN
server

eg.

internet <-------> VPN server <------> 10/100 switch <-----> DHCP server
                                     ^
                          incoming filtering applied
                          (it's a Cisco 2970 series switch)

I have permitted incoming UDP bootpc and UDP botopc
but the Internal interface was unable to obtain an IP when the first client
connects via PPTP from the internet.
If I disable the filtering on that particular port, it works fine when the
first client connects, and the second client can
also obtain an IP even if I re-enable the filtering on the port.

I have tried to permit all TCP/UDP traffic into that port from the VPN
internal IP address but it was
successful.

Does anyone know what I have to do so I can enable filtering?
Or am I doing something really wrong here??
Thanks a lot

Steven
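
The port filtering described in the post above, as an added example that is not part of the original thread: a small model of how an inbound Cisco-style ACL on the switch port treats the messages a DHCP client sends towards the DHCP server. It assumes the VPN server's lease requests follow the standard RFC 2131 client exchange; the ACL lines, the packets and the DHCP server address 192.168.1.10 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

PORTS = {"bootps": 67, "bootpc": 68}  # Cisco ACL keywords: DHCP server / client port

# Constructed packets: what a DHCP client sends INTO the switch port (RFC 2131).
# 192.168.1.100 is the server's LAN address from the post; 192.168.1.10 is a
# hypothetical DHCP server address. Tuple: (src ip, src port, dst ip, dst port).
CLIENT_TO_SERVER = {
    "DISCOVER": ("0.0.0.0", 68, "255.255.255.255", 67),
    "REQUEST": ("0.0.0.0", 68, "255.255.255.255", 67),
    "RENEW": ("192.168.1.100", 68, "192.168.1.10", 67),
}

def parse_rule(line):
    """Parse 'permit|deny udp <src> <dst> [eq <port>]'; src/dst: 'any' or 'host A.B.C.D'."""
    tok = line.split()
    action, rest = tok[0], tok[2:]
    def take_addr():
        word = rest.pop(0)
        return ip_network("0.0.0.0/0" if word == "any" else rest.pop(0) + "/32")
    src, dst = take_addr(), take_addr()
    dport = None
    if rest and rest[0] == "eq":  # 'eq' after the destination matches the destination port
        dport = PORTS.get(rest[1]) or int(rest[1])
    return action, src, dst, dport

def evaluate(acl, pkt):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    sip, _sport, dip, dport = pkt
    for line in acl:
        action, src, dst, want = parse_rule(line)
        if ip_address(sip) in src and ip_address(dip) in dst and want in (None, dport):
            return action
    return "deny"

def blocked(acl):
    """Names of the client-to-server DHCP messages this inbound ACL drops."""
    return [n for n, p in CLIENT_TO_SERVER.items() if evaluate(acl, p) == "deny"]

# Keyed on the client port as destination: client messages go TO port 67 (bootps).
ACL_BOOTPC_ONLY = ["permit udp any any eq bootpc"]
# Keyed on the server's own address: broadcasts sourced from 0.0.0.0 never match.
ACL_HOST_ONLY = ["permit udp host 192.168.1.100 any"]
# Permits the destination port the DHCP server listens on.
ACL_BOOTPS = ["permit udp any any eq bootps"]

if __name__ == "__main__":
    for name in ("ACL_BOOTPC_ONLY", "ACL_HOST_ONLY", "ACL_BOOTPS"):
        print(name, "drops:", blocked(globals()[name]))
```
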
 
How the IP addresses are allocated is up to you. The default option is
to use DHCP. But if you don't have a local DHCP server available, you can
use a static address pool, which you configure in the RRAS console.

That seems an odd way to configure your network. Why would you have the
VPN server outside the firewall? This causes all sorts of problems.
 
Actually I have a firewall between the internet and my VPN server.
But my manager would like to limit what the VPN users can do and cannot do,
so I have to set some filtering on the switch to limit traffic ... and
that's what caused
all this sort of problem when connecting to the local DHCP server which sits
in the local LAN.

I think the easiest solution is to use the static address pool configured
through the RRAS console
at the moment ... right ?

Steven
 