I'm not having much luck setting up VPN on Windows 2000 Server at our small
office.

The setup is as follows:

The Firewall is running WinRoute Pro (on Win2KPro) for the firewall software
and is handling NAT and DHCP in addition to firewall. It has two NICs:
  Internet NIC = xxx.xxx.xxx.66
  LAN NIC = 192.168.12.2

Our Fileserver is running Windows 2000 Server and has one NIC:
  LAN NIC = 192.168.12.1

I've got Routing and Remote Access installed and running. It's configured
for PPTP port access (I think).

Now here are the conceptual problems I'm having....

I understand I need to configure WinRoute Pro to somehow pass on VPN traffic
to the Fileserver (VPN Server) but I'm not exactly sure how. Within the
WinRoute Port Mapping configuration, I could have it map port 1723 to the
LAN NIC of the Fileserver, but then how does WinRoute map VPN traffic back
to the client? So I'm guessing I don't want to actually "map" the port, but
instead just "open" the port to VPN traffic. (Not sure how to do this, but
I'm working on it).

I'm also confused as to how to properly set up Routing and Remote Access on
the Fileserver. I believe I've got the IP addresses configured properly
(using a small range beginning at 192.168.12.50). But within the Port
Properties, it has a field for the "Phone number" where you're to enter the
IP address that clients are "calling". However I'm assuming that I have
users "call" the firewall's Internet NIC. I wouldn't think that that is
what I'm supposed to enter there. Maybe I just leave that blank.

So anyway, this is conceptually what I think is supposed to happen:

- Firewall is somehow configured to pass VPN traffic (port 1723) to
  Fileserver
- Fileserver (VPN Server) is automatically listening to traffic on port 1723
  on the only NIC it has (I'm assuming this is automatic in the fact that I
  have Routing and Remote Access running)
- Fileserver assigns an "internal" IP address (starting with 192.168.12.50)
  for all traffic coming in on that port for that client's IP address.
- Internal networking requests are done using the "internal" IP address and
  then information is passed back to the client via the client's actual
  internet IP address (passed back through the firewall)

Well, seems simple enough, but whenever I try to VPN connect from a client,
it comes back saying the request is denied. I can ping the firewall fine
from the client computer, so it's seeing it. So, I'm thinking my main
problem is not having the firewall configured properly, but I've probably
got my VPN server configuration horked too.

Any pointers you can give to straighten me out would be appreciated.

- Alex