Re: Easy RRAS VPN question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/19/05
- Next message: Bill Grant: "Re: auto connect VPN client"
- Previous message: Matei Constantinescu: "Slow browse on Windows NT world domain - latency 300 ms"
- In reply to: Jefferey Simons: "Re: Easy RRAS VPN question"
- Next in thread: Jarryd: "Re: Easy RRAS VPN question"
- Reply: Jarryd: "Re: Easy RRAS VPN question"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 19 Feb 2005 14:01:02 -0600
The article you referenced has all the info. You may also need to allow
access for port 1701 UDP and protocol 50 - not 51. Protocol 50 is for
ESP. --- Steve
"Jefferey Simons" <asdfsdaf@asdf.asd> wrote in message
news:OedcPSnFFHA.2156@TK2MSFTNGP09.phx.gbl...
> Hi Steve,
>
> Thanks for your advice. So what you are saying is that I have assumed
> correctly, and to get this working all I should need to do is enable
> inbound traffic to my RRAS server's interface on UDP 500 and 4500 and IP
> Protocol 51? After that I should be laughing?
>
> Cheers,
>
> Jarryd
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:edRIRajFFHA.1260@TK2MSFTNGP12.phx.gbl...
>> You do not need to enable outgoing connections. The VPN server will
>> listen for VPN clients that want to connect and then evaluate the
>> connection based on Remote Access Policy conditions/profile. --- Steve
>>
>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>> news:%23q%237W5cFFHA.2564@tk2msftngp13.phx.gbl...
>>> Hello,
>>>
>>> I have found the following article which answers all my questions in the
>>> last post. What I am not sure of now is if I need to enable outgoing
>>> connections. Please see:
>>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_VPN_und13.asp
>>>
>>> As far as I know the firewall will block syn packets, so I am assuming
>>> that if I only want to use my RRAS server to handle incoming connections then
>>> I should be OK just permitting inward traffic. The sessions are
>>> initiated by the clients and the server piggy backs out. I don't
>>> necessarily want the server to initiate remote sessions, i.e. with other
>>> VPN servers. Is my thinking correct?
>>>
>>> Please help, TIA,
>>>
>>> Jarryd
>>> "Jarryd" <Jarryd@youllneverknow.com> wrote in message
>>> news:uQcei5aFFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>> Hi,
>>>>
>>>> I am wanting to use Win Srvr 2003 as a VPN server. I only want to
>>>> allow L2TP connections using MS-CHAP v2. I have configured this
>>>> already on the server. Certificates are sorted as well. The only
>>>> thing is the ports that need to be opened on the firewall and NAT on
>>>> the router.
>>>>
>>>> As for the ports, do I only need to open up access to the server for
>>>> MS-CHAPv2 and IP/Sec? And what are the port numbers for that? I think
>>>> I have to have IP protocols 50 and UDP port 1701 allowed on the router.
>>>> But what about a port for MS-CHAPv2? Or is that tunnelled through
>>>> 1701? And does that then handle everything? If so then I shouldn't
>>>> have to enable 88 for Kerberos or 443 for SSL because it is all
>>>> tunnelled through?
>>>>
>>>> With regards to the router and NAT. I have a public address assigned
>>>> to the LAN interface that is statically NATed to an address on our
>>>> private range. To see the NAS from the internet I will configure it the
>>>> same (static NAT public.IP private.IP). Is that going to cause any
>>>> problems? I once read somewhere that it can and you use port
>>>> forwarding. Is that the answer? If so, what do I forward to what?
>>>> All L2TP and IP 50 packets to the server's IP, rather than set up NAT?
>>>>
>>>> Please help, TIA,
>>>>
>>>> Jarryd
>>>>
>>>
>>>
>>
>>
>
>
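Added example (not part of the original thread or anyone's post): a small audit of an inbound rule list against the openings named above for L2TP/IPsec (UDP 500, UDP 4500, IP protocol 50, and optionally UDP 1701), flagging protocol 51 where protocol 50 was meant. The rule syntax, function names and sample rules are assumptions made for illustration.

```python
import re

# Inbound openings the thread names for an L2TP/IPsec RRAS server.
REQUIRED = {("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T", ("ip", 50): "ESP"}
OPTIONAL = {("udp", 1701): "L2TP"}  # the reply says "may also need"
AH = ("ip", 51)                     # the protocol number mixed up with ESP above

# Hypothetical rule syntax (an assumption): "<permit|deny> in <udp|tcp|ip> <number>"
RULE = re.compile(r"^\s*(permit|deny)\s+in\s+(udp|tcp|ip)\s+(\d+)\s*$", re.I)

def permitted_inbound(text):
    """Return the (kind, number) pairs allowed inbound; the first matching rule wins."""
    decided = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised rule {line!r}")
        key = (m.group(2).lower(), int(m.group(3)))
        decided.setdefault(key, m.group(1).lower())
    return {key for key, action in decided.items() if action == "permit"}

def audit(text):
    """Compare a rule set with what the VPN needs and report the differences."""
    allowed = permitted_inbound(text)
    label = lambda key, name: f"{key[0]} {key[1]} ({name})"
    return {
        "missing": [label(k, v) for k, v in REQUIRED.items() if k not in allowed],
        "optional_missing": [label(k, v) for k, v in OPTIONAL.items() if k not in allowed],
        "warnings": ["ip 51 is AH, not ESP; ESP is ip 50"] if AH in allowed else [],
        # Least privilege: anything else open to the server is not needed for the tunnel.
        "unexpected": sorted(f"{k} {n}" for k, n in allowed - set(REQUIRED) - set(OPTIONAL) - {AH}),
    }

# Constructed sample: the openings proposed in the follow-up, plus a stray TCP 443.
SAMPLE = """
permit in udp 500
permit in udp 4500
permit in ip 51
permit in tcp 443   # not needed for L2TP/IPsec
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(f"{section}: {items}")
```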