Re: W2K VPN - Problems using a single server



All data packets sent over a PPTP connection are encrypted and
encapsulated. The encapsulation used is a modified GRE header. If you block
GRE anywhere, these packets are blocked so you get zero bytes of data
transferred and the connection closes. Allowing the GRE protocol allows the
encrypted data to pass. It does not allow anything else.

Nick wrote:
> Okay, I see what you are talking about now. So would this take the GRE
> protocol out of the equation? Is this still secure?
>
> Thanks,
>
> Nick
>
> "Bill Grant" wrote:
>
>> In addition to what Bob Lin said (i.e. don't use two NICs), do not
>> use the VPN server option in the wizard. This should only be used if
>> the server is a VPN server ONLY. It sets up filters to block all
>> non-VPN traffic (hence your LAN problem).
>>
>> Here is the procedure I would recommend. Configure your server
>> for remote access with just one NIC. (This sets up the WAN miniports
>> for VPN). Make sure you can make a VPN connection to your server
>> from a LAN client. Check that the router is forwarding TCP port 1723
>> to the RRAS server's private IP. Then try making a VPN connection
>> from a remote client via the router (i.e. using the router's public
>> IP).
>>
>> Port 47 (TCP or UDP) has nothing to do with VPN. What a PPTP
>> connection does require is GRE, which is IP protocol 47. If your
>> router (or anything else in the path) blocks GRE, your connection
>> will fail, probably with an error 721.
>>
>> Nick wrote:
>>> We have one file server. We would like to be able to access it
>>> remotely via VPN but also allow it to perform its general file
>>> sharing services on our LAN. We have a DSL line provided by our
>>> Telco which also provides the router (configured and maintained by
>>> them). I have been reading numerous articles and they all suggest
>>> having one server for VPN and additional servers for various other
>>> functions. Financially this is not possible with our organization.
>>> Our Telco's router is plugged into our switch as is our server. The
>>> gateway for our workstations and the server is the internal IP of
>>> the router. We are not running active directory so we don't have
>>> DNS or WINS set up on the server. Our network scheme is 192.168.0.x.
>>> Here is what I have tried so far on our server:
>>>
>>> Installed an additional NIC. The original NIC had an IP address of
>>> 192.168.0.254. The additional NIC was configured with an IP address
>>> of 192.168.0.253. I ran the Routing and Remote Access wizard and
>>> configured the VPN server to use the additional NIC. I called our
>>> Telco and asked them to configure the router so when someone hits
>>> the public IP of the router using port 1723 it forwards that to the
>>> internal address of 192.168.0.253. They said they understood what I
>>> was wanting to do and also set up port 47 for GRE. When I plugged
>>> the additional NIC into our switch no one could access the server
>>> from the LAN. It immediately dropped all of the active connections.
>>>
>>> Can I set up a single server to perform both functions and will it
>>> work in our situation where we go through a switch to connect to the
>>> router? What should I tell our Telco in order to make this work? I
>>> have read that possibly configuring the additional NIC with the
>>> public IP of the router may help. If so what needs to be done? We
>>> are willing to try just about anything at this point.
>>>
>>> Thanks in advance.
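
The distinction drawn in this thread (TCP port 1723 for control, IP protocol 47 for data, and port 47 being neither) can be checked against captured packets. The following is an added example, not part of the original posts: the function names are hypothetical, the sample packets are constructed, and the header layout is the enhanced GRE header from RFC 2637.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723       # TCP control channel the router must forward
PPTP_GRE_PROTO = 0x880B        # protocol type in PPTP's enhanced GRE header (RFC 2637)

def parse_pptp_gre(gre: bytes) -> dict:
    """Parse the modified (version 1) GRE header that carries PPTP data."""
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags, ver_byte, proto, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if ver_byte & 0x07 != 1 or proto != PPTP_GRE_PROTO or not flags & 0x20:
        raise ValueError("GRE, but not the PPTP variant")
    info = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    offset = 8
    if flags & 0x10:           # S bit: sequence number follows
        (info["seq"],) = struct.unpack_from("!I", gre, offset)
        offset += 4
    if ver_byte & 0x80:        # A bit: acknowledgment number follows
        (info["ack"],) = struct.unpack_from("!I", gre, offset)
        offset += 4
    info["header_len"] = offset
    return info

def classify(packet: bytes) -> str:
    """Say which part of a PPTP connection, if any, an IPv4 packet belongs to."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_GRE:   # IP protocol 47: no port numbers exist at this layer
        hdr = parse_pptp_gre(payload)
        return f"PPTP data: GRE (IP protocol 47), call {hdr['call_id']}, {hdr['payload_len']} payload bytes"
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        name = "TCP" if proto == IPPROTO_TCP else "UDP"
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            return "PPTP control: TCP port 1723"
        if 47 in (sport, dport):
            return f"{name} port 47: not GRE, unrelated to PPTP"
    return "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed sample IPv4 packet (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([203, 0, 113, 10]), bytes([192, 168, 0, 254])) + payload

# Constructed samples: enhanced GRE with K and S bits set, then TCP and UDP headers.
GRE_DATA = ipv4(IPPROTO_GRE, struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO, 4, 7, 1) + bytes(4))
TCP_1723 = ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, PPTP_CONTROL_PORT) + bytes(16))
UDP_47 = ipv4(IPPROTO_UDP, struct.pack("!HHHH", 49152, 47, 8, 0))
```

Calling `classify()` on each sample shows that a rule written for "port 47" only ever matches the third packet, never the GRE data packet.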

