Re: Complete VPN Fundamentals and VPN Router RV042

From: Jeffrey Randow (MVP) (jeffreyr-support_at_remotenetworktechnology.com)
Date: 09/08/04


Date: Tue, 07 Sep 2004 20:14:52 -0500

The easiest and best option for an end user is to get one of the
WRT54G devices and install one of the 3rd party firmware (SVEASOFT for
one) that provides a PPTP-based VPN server integrated into it...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Tue, 7 Sep 2004 09:06:14 -0400, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>There is a new standard, colloquially known as NAT-T, which allows a client
>machine to use an IPSEC VPN through a NAT device to a host. This standard
>must be supported by both the client and the host. Linksys should be able
>to tell you whether or not the router supports this (as the host) and what
>client software you need to be running to support this at the client end.
>There's a good chance that making this work well requires the latest firmware
>for the router, as well.
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:72ca01c494c1$d376be30$a601280a@phx.gbl...
>> Thanks Bill:
>>
>> I am afraid you may be correct. Linksys support which is
>> very weak and also are very confused themselves seem to
>> insist that it is possible. They make you set up the
>> IPsec configuration (Policy) on the PC w/Windows XP with
>> two tunnels. Somewhere I read that tunnel mode can do
>> VPN over NAT. However I don't know whether creating
>> tunnels in the IPsec policy is the same as Tunnel Mode
>> IPsec. Nevertheless, a complicating factor is that
>> Microsoft has a paper that says that this Tunnel
>> configuration is only for a server with two NICs acting
>> as a GATEWAY with the other end of the tunnel a
>> VPNrouter. The single PC with a NAT address connecting
>> to the VPN router seems in their view hopeless.
>>
>> Has anybody done a VPN over NAT with a single PC w/winXP
>> or win2000?
>>
>> PCw---Router1--Internet--VPNRouter---Server
>> Router1 and VPNRouter are doing NAT and providing private
>> IPs.
>>
>> In this diagram which side of Router1 and VPNRouter are
>> the VPN end points?? Perhaps the PC Address is one of the
>> endpoints?
>>
>>
>>>-----Original Message-----
>>>I'm a novice on non-pptp VPN's so take this with a grain of salt:
>>>
>>>I'd rather you tested this without router1, if possible. I don't believe
>>>you can do what you are trying to do through the average NAT.
>>>Jeffrey--correct me??
>>>
>>>As to what happens when you connect in the end--with other VPN's I've used,
>>>the answer is nothing--just what happens when you plug in an ethernet
>>>connection. You have an open pipe--you may be able to see bytes exchanged
>>>if you've chosen to have the connection visible as a system tray icon--but
>>>you'll need to actually connect to something to "see" something happen.
>>>
>>>
>>>"Lewis Giana" <anonymous@discussions.microsoft.com> wrote in message
>>>news:5ca601c49205$2e4f57a0$a601280a@phx.gbl...
>>>>
>>>> So far I have a laptop at home, and I want to connect to
>>>> a server in another house and the situation looks like
>>>> this:
>>>>
>>>> laptop1---Router1--Internet--VPNRouter---Server
>>>>
>>>> or equivalently:
>>>>
>>>> NETA---Router1--Internet--VPNRouter---NETB
>>>>
>>>> Router1 is Linksys BEFW11S4
>>>> The VPNRouter is Linksys RV042
>>>> www.linksys.com Their manual is almost worthless.
>>>> Their support inane.
>>>>
>>>> THE ROUTERS HAVE TOTALLY DIFFERENT INTERNET IPs.
>>>> THAT IS, ONE HAS 200.3.34.4, THE OTHER 127.6.32.3
>>>> Each provides NAT and private IPs, one to NETA and the
>>>> other router to NETB respectively.
>>>>
>>>>
>>>> Laptop has XP Professional
>>>> Laptop and server have PRIVATE IPs
>>>>
>>>> Server is a domain controller. Has Windows Server 2003 and
>>>> VPN is NOT configured, since the VPNrouter will do the
>>>> VPN job. Is this thinking correct?
>>>>
>>>> To configure this WHY do we do the following steps? In
>>>> other words what are we doing? Can someone explain? One
>>>> short paragraph should do wonders.
>>>>
>>>> 1. On the laptop with Windows XP I create IPsec Policy
>>>> FROM the laptop to the VPNrouter. Do I need another
>>>> security policy from the VPNRouter to the laptop?
>>>>
>>>> 2. On the laptop create two Filter Lists for the
>>>> connection from the laptop to the VPN router and another
>>>> filter list from the connection from the VPN router to
>>>> the laptop.
>>>>
>>>> 3. On the laptop create security rules for the filter
>>>> lists created on step 2. This is where encryption and
>>>> authentication methods are defined.
>>>>
>>>> 4. On the laptop create two tunnels for each Filter List
>>>> on step 2.
>>>>
>>>> 5. Assign the security policy created on step 1.
>>>>
>>>> 6. The missing step. WHEN AND HOW THE PREVIOUS STEPS are
>>>> used or activated to create the VPN?
>>>>
>>>>
>>>> 7. The router for NETA has VPN passthrough. Is this
>>>> correct?
>>>>
>>>> 8. The VPNrouter for NETB should it have VPN passthrough
>>>> DISABLED? This router has VPN capabilities and can
>>>> establish 30 tunnels they say.
>>>>
>>>> 9. Do I need to configure the server on NETB just like
>>>> the laptop? In other words perform steps 1 through 6 on
>>>> the server?
>>>>
>>>> 10. When all is working properly and the laptop joins
>>>> NETB through VPN, what happens? Does one see a small
>>>> window to log in to the server? Or does the VPN router
>>>> do the authentication and how? Or nothing should happen
>>>> until one accesses shares on the server?
>>>>
>>>>
>>>
>>>
>>>.
>>>
>


