Win2K RRAS VPN with Netgear DG834 ADSL Router


Charles Crawley

Hi,

I am having a few problems re-setting up my VPN, for client PCs I have
connected to the internet elsewhere, using a new Netgear DG834
modem/router/firewall. I used to have my Win2k SP4 DC connected directly to
the internet using the BT Frog (Alcatel USB ADSL modem), but this has always
caused massive instability on my server, so have moved to a separate router
(the DG834).
I have had a VPN (PPTP) set up using RRAS on this server, which has always
worked fine. I have now, obviously, removed the RRAS configuration on the
server that provided the internet connectivity for my LAN clients and have
instead set up the new router to provide this. I have now reconfigured RRAS
to simply provide VPN functions.
I performed the following tasks to accomplish this:

(1) Created firewall rules on the DG834 to forward PPTP and IPSec traffic to
my Win2K server:

Outbound Services
1 Port135 BLOCK always Any Any Always
Default Yes Any ALLOW always Any Any Never

Inbound Services
1 Any(ALL) ALLOW always 192.168.0.5 Any Never - THIS IS DISABLED and only
there for testing...
2 SETI ALLOW always 192.168.0.5 Any Always
3 VNC1 ALLOW always 192.168.0.5 Any Always
4 VNC2 ALLOW always 192.168.0.5 Any Always
5 FTP ALLOW always 192.168.0.5 Any Always
6 HTTP ALLOW always 192.168.0.5 Any Always
7 SMTP ALLOW always 192.168.0.5 Any Always
8 RemAcc ALLOW always 192.168.0.5 Any Always
9 Port135 ALLOW always 192.168.0.5 Any Always
10 POP3 ALLOW always 192.168.0.5 Any Always
11 VPN-PPTP ALLOW always 192.168.0.5 Any Always
12 VPN-IPSEC ALLOW always 192.168.0.5 Any Always
Default Yes Any BLOCK always Any Any Never

I am a little unsure about the necessity for IPSEC, as I thought this was
only required for L2TP VPNs, but did see an article somewhere on the Netgear
forums saying it should be used. I'm probably wrong about it either way!
I am blocking Port135 out as I have another DC at the end of a VPN
connection that my main DC is sending 135 traffic to, but my ISP is
detecting all 135 traffic out and blocking the connection, due to the
possibility of it being a virus / worm. I am not worried about this and
don't really need the other DC.

(2) Set up RRAS on my Win2k Server:
I started the configuration wizard and selected to install the RRAS Service
manually, as advised in many places, due to a bug in RRAS. I then allowed
the service to start. I right clicked the Server and selected "Properties"
and ensured that "Router" was ticked, "LAN and demand-dial routing" was
selected and "Remote Access Server" was ticked. On the "IP" tab, "Enable IP
Routing" and "Allow IP-based remote access and demand-dial connection" are
both ticked and I set up the server to assign IP addresses using a "Static
address pool" of 192.168.0.200 - 192.168.0.210
Next, I clicked on the "Ports" icon and selected "Properties", clicked on
"WAN Miniport (L2TP)" and "Configure" and reduced the "Maximum Ports" to 0.
I did the same for "WAN Miniport (PPTP)", but increased the number of ports
to 10. Both "Remote access connections (inbound only)" and "Demand-dial
routing connections (inbound and outbound)" are ticked. "Phone number for
this device" is left blank, as I am not using "Called-Station-Id"
attribute... !
All other options have been left at defaults.

(3) Configure VPN client:
I did nothing to change my original VPN network connections that previously
worked fine. They are pretty standard and have the static IP address of my
modem / router entered as the destination, IP address and DNS are set to be
assigned automatically, Windows Domain is included and the option to use the
"default gateway on the remote network" is disabled. I have subsequently
tried setting the type of VPN to "PPTP VPN" explicitly, but this has had no
effect.

(4) Tested the connection:
When running the connect attempt, I get a dialogue saying that it is
"Verifying username and password...", but this eventually times out with an
error (Error 721: The remote computer did not respond).
The only log information that I can find is in the file
C:\WINNT\SYSTEM32\LOGFILES\IN010405.LOG and seems to be of little help; in
fact, for most of my testing nothing has been logged at all:
192.168.0.5,,01/05/2004,10:11:51,RAS,SERVER01,4,192.168.0.5,44,40,40,8,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:31:49,RAS,SERVER01,4,192.168.0.5,44,41,40,7,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:40,RAS,SERVER01,4,192.168.0.5,44,41,40,8,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:45,RAS,SERVER01,4,192.168.0.5,44,42,40,7,4108,192.168.0.5,0,,4136,4,4142,0

Nothing seems to be logged in the Windows Event Log, even though I have
turned full logging on, so I suspect that my problem lies with my router and
either the VPN passthrough is not working properly or I have messed up my
rules somehow.

(5) Further information:
My Win2k SP4 Server has all Windows Update patches applied as does my
Windows XP Professional workstation attempting to connect. The Netgear DG834
has the latest 1.03.00 firmware loaded.

I hope this is sufficient information and if anyone can help me with this
problem I would be very grateful. If you need further information, I can
obviously get that to you.

Thanks,

Charles Crawley
 
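The IN010405.LOG records quoted in the post are in the IAS log format: six header fields (NAS IP, user name, date, time, service, computer name) followed by attribute id/value pairs using the standard RADIUS attribute numbers (40 = Acct-Status-Type, where 7 is Accounting-On and 8 is Accounting-Off) and the IAS-specific ids 4108, 4136 and 4142. The following is an added example, not code from the original post, that parses those lines and summarises them; the sample log is the post's own four records rejoined onto single lines. Run over them it shows only RRAS service stop/start (Accounting-Off/On) events and no Access-Request or session Start/Stop record, which is consistent with the client's traffic never reaching the server.

```python
"""Summarise a Windows 2000 RRAS accounting log written in IAS format.

Added example, not from the original post. The sample records are the
four lines quoted in the post. Attribute ids 4, 40, 41 and 44 are the
standard RADIUS numbers; 4108, 4136 and 4142 are the IAS-specific ones.
"""
from collections import Counter

ATTR_NAMES = {
    4: "NAS-IP-Address",
    40: "Acct-Status-Type",
    41: "Acct-Delay-Time",
    44: "Acct-Session-Id",
    4108: "Client-IP-Address",
    4136: "Packet-Type",
    4142: "Reason-Code",
}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update",
               7: "Accounting-On", 8: "Accounting-Off"}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# The post's own records, rejoined onto one line each
SAMPLE_LOG = """\
192.168.0.5,,01/05/2004,10:11:51,RAS,SERVER01,4,192.168.0.5,44,40,40,8,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:31:49,RAS,SERVER01,4,192.168.0.5,44,41,40,7,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:40,RAS,SERVER01,4,192.168.0.5,44,41,40,8,4108,192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:45,RAS,SERVER01,4,192.168.0.5,44,42,40,7,4108,192.168.0.5,0,,4136,4,4142,0
"""


def _int(value, default=0):
    """Tolerant int conversion: blank or junk values fall back to default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def parse_record(line):
    """Split one IAS-format line into header fields plus a dict of attributes."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(HEADER):
        raise ValueError("not an IAS-format record: %r" % line)
    rec = dict(zip(HEADER, fields))
    attrs = {}
    rest = fields[len(HEADER):]
    for i in range(0, len(rest) - 1, 2):      # id,value pairs after the header
        attr_id = _int(rest[i], default=-1)
        if attr_id < 0:
            continue                          # skip malformed tokens
        attrs[ATTR_NAMES.get(attr_id, "Attr-%d" % attr_id)] = rest[i + 1]
    rec["attrs"] = attrs
    return rec


def summarize(text):
    """Count record kinds; client sessions are Start/Stop, auth packets types 1-3."""
    counts = Counter()
    events = []
    auth_packets = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        attrs = rec["attrs"]
        status = ACCT_STATUS.get(_int(attrs.get("Acct-Status-Type")), "unknown")
        ptype = _int(attrs.get("Packet-Type"))
        if ptype in (1, 2, 3):
            auth_packets += 1
        counts[status] += 1
        events.append((rec["time"], status, attrs.get("Acct-Session-Id")))
    return {
        "counts": dict(counts),
        "events": events,
        "client_sessions": counts["Start"] + counts["Stop"],
        "auth_packets": auth_packets,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for when, status, session in summary["events"]:
        print("%s  %-15s session=%s" % (when, status, session))
    print("client sessions:", summary["client_sessions"],
          " auth packets:", summary["auth_packets"])
```

Each of the four records carries Acct-Status-Type 8 or 7, so the log only records the RRAS service going off and on (the restarts made while reconfiguring it). A client attempt that reached the server would add an Access-Request (Packet-Type 1) and, on success, a session Start record; their absence points back at the router rather than at RRAS policy.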
I have found possible reports (in the Netgear forum on DSLReports.com) that
in the Netgear DG834's latest firmware (1.03.00), the VPN passthrough (IP
Protocol 47 (GRE)) support is broken and that possibly going back to
v1.02.10 will fix this. I have been unable to verify this so far.
If this is the case, apologies for posting this problem here. Although I
would still be glad if someone could check my RRAS VPN configuration for me!

Cheers,

Charles
 
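PPTP uses two separate channels: a TCP control connection on port 1723 and a data channel carried over GRE (IP protocol 47), which has no port and must be forwarded by the router on its own. Getting as far as "Verifying username and password..." and then failing with error 721 is the classic sign that TCP 1723 is forwarded but GRE is not, which matches the firmware report above. The following is an added example, not code from the original post, from Netgear or from Microsoft, that checks the control channel the way an RRAS client opens it, using the Start-Control-Connection-Request/Reply layout from RFC 2637. It is meant to be run from a host outside the LAN against the router's public address; the hostname in the block is a placeholder, and build_sccrp only constructs a reply so the parser can be exercised offline.

```python
"""PPTP control-channel check (RFC 2637 SCCRQ / SCCRP).

Added example, not from the original post. Assumes the caller supplies the
router's public address; "vpn.example.invalid" is a placeholder.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_SCCRQ = 1                      # Start-Control-Connection-Request
CTRL_SCCRP = 2                      # Start-Control-Connection-Reply
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"    # length, msg type, cookie, ctrl type, ...
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"   # same but with 1-byte result and error codes
MSG_LEN = struct.calcsize(SCCRP_FMT)  # both messages are 156 bytes
RESULT_CODES = {1: "accepted", 2: "general error",
                3: "command channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(host_name=b"pptp-check", vendor=b"example"):
    """Build the request a client sends right after the TCP handshake."""
    return struct.pack(SCCRQ_FMT, struct.calcsize(SCCRQ_FMT), 1, MAGIC_COOKIE,
                       CTRL_SCCRQ, 0, 0x0100, 0,
                       1, 1,            # framing / bearer capabilities
                       0, 0,            # max channels (client: 0), firmware rev
                       host_name, vendor)


def parse_sccrp(data):
    """Decode a server reply; raises ValueError if it is not a valid SCCRP."""
    if len(data) < MSG_LEN:
        raise ValueError("short PPTP control message (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, max_chan, _fw, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:MSG_LEN])
    if msg_type != 1 or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "result": RESULT_CODES.get(result, "unknown (%d)" % result),
        "result_code": result,
        "error_code": error,
        "version": version,
        "max_channels": max_chan,
        "host_name": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sccrp(result_code=1, host_name=b"SERVER01", vendor=b"constructed"):
    """Constructed reply, used only to exercise parse_sccrp without a server."""
    return struct.pack(SCCRP_FMT, MSG_LEN, 1, MAGIC_COOKIE, CTRL_SCCRP, 0, 0x0100,
                       result_code, 0, 1, 1, 10, 0, host_name, vendor)


def check_pptp_server(host, port=PPTP_PORT, timeout=5.0):
    """Connect to TCP 1723, send SCCRQ and report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sccrq())
            data = b""
            while len(data) < MSG_LEN:
                chunk = sock.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        # Nothing answered on 1723: the inbound PPTP rule is not reaching RRAS
        return {"reachable": False, "detail": "TCP %d not reachable: %s" % (port, exc)}
    try:
        reply = parse_sccrp(data)
    except ValueError as exc:
        return {"reachable": True, "detail": "connected but no valid SCCRP: %s" % exc}
    reply["reachable"] = True
    return reply


if __name__ == "__main__":
    print(check_pptp_server("vpn.example.invalid"))   # placeholder address
```

An "accepted" reply proves the router forwards TCP 1723 to RRAS and that RRAS has PPTP ports available; it says nothing about GRE. If this check passes and the client still stops at "Verifying username and password..." with error 721, the data channel is what is being dropped, and the router's VPN passthrough (or a firmware version where it works) is the thing to fix rather than the RRAS port or policy settings.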