win2k vpn

kp

I have set up a win2k vpn to connect to from the outside world (road
warrior). Before I left the office I tested it and it worked fine (same
subnet, authenticated off of the domain), however when I am on the road I
can not connect. The sniffer shows that it is a routing problem in that
certain ports and protocols are being denied not on the border router, but
on an internal router at my company.

My question is:

Which ports need to be open?
Which protocols need to be enabled? (I think I remember something about
GRE)

Klint Price
http://www.custom-web.biz
> Which ports need to be open?
> Which protocols need to be enabled? (I think I remember something about
> GRE)

Depends on the VPN type and where it terminates (and
what you do from the termination point, e.g., file services,
terminal services, etc.)

First, what address pool did you give the VPN router?
It's on the same subnet with the router, right? (So that
routing will work to you -- and DNS/WINS etc. if you
have NAME problems but IP works.)

Ok, for PPTP, you need TCP 1723 port and IP 47 (GRE)
For L2TP you need UDP 1701 & 500 (IKE) ports

(These are all the server side ports.)

Usually, if you are using L2TP you use encrypted IPSec to
secure it -- this is UDP 50 (ESP) -- or 51 for AH if only
authenticated data is used. BUT you only need to open
these on INTERMEDIATE routers (and not 1701) since it
encapsulates the L2TP and is stripped at the terminating
routers (usually) BEFORE the filters.

Ok, that gets you TO a terminating VPN router -- on the
subnet where the router lives. If you have any other firewalls
between there and your application target you deal with the
specific applications, e.g., Terminal Services, RPCs, DNS,
HTTP, etc.
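The reply above boils down to a checklist of flows per tunnel type, plus the distinction between an intermediate router (which only sees the outer encapsulation) and the terminating one (which sees L2TP after IPsec is stripped). The script below is an added example written for this thread, not code posted by either participant. It models that checklist and checks a constructed, deliberately simplified ACL (one rule per line, `permit|deny <proto> [<dst-port>]`, first match wins, implicit deny at the end) against the flows a road-warrior client generates, reporting which ones an internal router would drop. Protocol numbers used in the comments are the standard assignments (GRE is IP protocol 47, ESP is IP protocol 50, AH is IP protocol 51); UDP 4500 (IKE/ESP NAT traversal) is not mentioned in the thread and is included as an assumption of this example because road-warrior clients are frequently behind NAT. The `vpn_flows`, `parse_acl`, `acl_permits` and `blocked_flows` names are this example's own.

```python
"""Which VPN flows does a packet filter on the path let through?

Added example for the thread above (not the poster's or replier's code).
Assumptions: standard protocol numbers (GRE 47, ESP 50, AH 51), UDP 4500
for NAT-T, and a constructed ACL syntax: "permit|deny <proto> [<dst-port>]",
first match wins, implicit deny if nothing matches.
"""
from typing import List, Optional, Tuple

Flow = Tuple[str, Optional[int]]        # (protocol name, destination port or None)
Rule = Tuple[str, str, Optional[int]]   # (action, protocol name, port or None)

IP_PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def vpn_flows(vpn_type: str, hop: str, client_behind_nat: bool = False) -> List[Flow]:
    """Flows (client -> server) that a filter of kind `hop` must permit.

    hop: "intermediate" = a router between client and VPN server, which only
         sees the outer encapsulation; "terminating" = a filter applied after
         the VPN server strips IPsec, where L2TP itself becomes visible.
    """
    if vpn_type == "pptp":
        # PPTP control channel plus GRE-carried PPP frames, on every hop.
        return [("tcp", 1723), ("gre", None)]
    if vpn_type in ("l2tp-ipsec-esp", "l2tp-ipsec-ah"):
        flows: List[Flow] = [("udp", 500)]              # IKE key exchange
        if client_behind_nat:
            flows.append(("udp", 4500))                 # NAT-T (assumed, not in thread)
        flows.append(("esp", None) if vpn_type.endswith("esp") else ("ah", None))
        if hop == "terminating":
            flows.append(("udp", 1701))                 # L2TP, visible only after IPsec is removed
        return flows
    raise ValueError(f"unknown vpn type {vpn_type!r}")


def parse_acl(text: str) -> List[Rule]:
    """Parse the constructed ACL syntax; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        port = int(parts[2]) if len(parts) > 2 else None
        rules.append((action, proto, port))
    return rules


def acl_permits(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule decides; no match means deny (implicit deny)."""
    proto, port = flow
    for action, rproto, rport in rules:
        proto_match = rproto in ("ip", "any", proto)
        port_match = rport is None or rport == port
        if proto_match and port_match:
            return action == "permit"
    return False


def blocked_flows(vpn_type: str, acl_text: str, hop: str,
                  client_behind_nat: bool = False) -> List[Flow]:
    """Flows the tunnel needs that this ACL would drop."""
    rules = parse_acl(acl_text)
    return [f for f in vpn_flows(vpn_type, hop, client_behind_nat)
            if not acl_permits(rules, f)]


def rules_to_add(blocked: List[Flow]) -> List[str]:
    """Minimal permit lines (in the constructed syntax) that would fix `blocked`."""
    return [f"permit {proto}" + (f" {port}" if port is not None else "")
            for proto, port in blocked]


def describe(flow: Flow) -> str:
    proto, port = flow
    num = IP_PROTO_NUMBERS.get(proto, "?")
    return f"{proto} (IP protocol {num})" + (f" dst port {port}" if port else "")


# Constructed ACL resembling the thread's internal router: the PPTP control
# port was opened, but nothing permits GRE, so the tunnel never comes up.
INTERNAL_ROUTER_ACL = """
permit tcp 1723   # PPTP control channel
permit udp 53     # DNS
permit tcp 80     # HTTP
deny ip           # everything else
"""

# Constructed ACL for an intermediate router in front of an L2TP/IPsec server.
L2TP_INTERMEDIATE_ACL = """
permit udp 500    # IKE
permit esp        # IP protocol 50
deny ip
"""

if __name__ == "__main__":
    for vpn, acl, hop in [("pptp", INTERNAL_ROUTER_ACL, "intermediate"),
                          ("l2tp-ipsec-esp", L2TP_INTERMEDIATE_ACL, "intermediate"),
                          ("l2tp-ipsec-esp", L2TP_INTERMEDIATE_ACL, "terminating")]:
        blocked = blocked_flows(vpn, acl, hop)
        print(f"{vpn} at {hop} router: blocked = {[describe(f) for f in blocked]}")
        print("  add:", rules_to_add(blocked) or "nothing")
```

Running it shows the thread's symptom: the PPTP control channel on TCP 1723 passes, but GRE is caught by the final deny, so the fix is a `permit gre` (IP protocol 47) on the internal router. The L2TP case shows the replier's point about where 1701 matters: the intermediate ACL is complete as written, while the same ACL applied after the terminating router strips IPsec would still drop UDP 1701.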