#243079 - 02/12/2004 19:35
VPN Help
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
I've never set up a VPN from scratch before and I'm wondering how I should go about it. Anyone have experience with this sort of thing?
Here's the scenario:
- Office LAN at a small real estate office.
- Office is connected to the internet via DSL router that has a built-in NAT/Firewall.
- Router does not have VPN built in to the hardware. It does allow me to put in port forwarding (I think that's what they call "pinholes" in the router's menu).
- Office runs all Windows systems.
- Office has a server that's running Windows 2003 Server.
- A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.
I see a few ways I can go about this:
1. I can make the server a DMZ. **NOT**. Windows is too unsecure to expose out from behind a firewall like that.
2. I can port-forward the VPN requests through the router to the 2003 server, and activate/configure RRAS on that server.
3. I can replace the office router with one that has VPN built-in.
Never having done this before, my questions are...
If I do option 2, is it only one port that needs to get forwarded, and do I only need to do that on the office's router? Or do I need to do tricky stuff on the client side too?
If I do option 3, will the clients need hardware too, or can they just use the VPN client software that comes with windows?
Anyone have any other tips?
|
Top
|
|
|
|
#243080 - 02/12/2004 20:00
Re: VPN Help
[Re: tfabris]
|
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
|
All routers must support VPN passthrough at the least. The majority of recent routers do. If they don't then you cannot use 'AH' (authentication headers) as the NAT causes mismatches in the IP addresses. Not using AH renders your encrypted packets susceptible to man in the middle and spoofing attacks.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
|
Top
|
|
|
|
#243081 - 02/12/2004 20:13
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Without thinking about it too hard, I'd choose super-secret option #4: put a VPN endpoint box in a DMZ. Then have the remote clients use software VPN endpoints to connect to it.
You should be able to find a turnkey solution for this. Not sure how much you want to spend. You could also install something yourself, likely for free plus a lot of time.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243082 - 02/12/2004 20:30
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: put a VPN endpoint box in a DMZ
Oooo cool idea.
Anyone got any suggestions for this solution? Dunno how much the "client" is willing to spend until she sees some prices.
|
Top
|
|
|
|
#243083 - 02/12/2004 20:31
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
We use the Nortel Contivity here. No idea of the price.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243084 - 02/12/2004 20:35
Re: VPN Help
[Re: genixia]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: All routers must support VPN passthrough at the least.
The box in question, a Netopia Cayman Series 3000, says that is supports IPSec Passthrough for VPNs by default and that no special configuration should be needed.
How can this work if everyone behind it is NATed?
Like I said, I've never worked with VPN before and don't know what to expect.
|
Top
|
|
|
|
#243085 - 02/12/2004 20:46
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Hm. I can get a Linksys BEFSR41 on the cheap, and says it'll do VPN endpoint for me.
Anyone got any feeling for whether it's gonna be any more secure than simply running the Windows Server 2003's VPN endpoint?
And by "secure", I mean, which is less likely to have some kind of buffer overflow exploit discovered and not patched in time.
|
Top
|
|
|
|
#243086 - 02/12/2004 20:47
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I think that genixia was referring to the possible routers people might have on the client side. If you go the VPN-endpoint-in-DMZ route, then it's not an issue on your side. But if your firewall supports it, you could not bother with a DMZ and just put the VPN endpoint in your normal network, which is probably more secure. http://vpn.ebootis.de/ is a free solution that ought to work, but will take much longer to set up, and probably be a little flakier. I'm sure that there are other similar solutions out there.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243088 - 02/12/2004 21:42
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: I think that genixia was referring to the possible routers people might have on the client side.
Okay, let me rephrase the question then.
Let's say that my DSL router/firewall supports IPSec passthough but it's not a VPN endpoint.
Let's say that I have a VPN endpoint (whether it's a dedicated box, or VPN server software running on a PC) inside that firewall. Let's say its internal address is 192.168.0.39.
My question is: In that configuration, does the router's magical "IPSec passthrough" feature also handle forwarding external VPN traffic to that 192.168.0.39 address? Or must the VPN endpoint have a publicly-visible IP address before it can work?
In other words, am I overthinking this and all I REALLY need to do is activate the RRAS feature in windows 2003 and I'm done?
|
Top
|
|
|
|
#243089 - 02/12/2004 22:14
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Possibly. I don't know the technicals behind RRAS -- what protocols it uses, etc. But possibly. Worth trying.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243090 - 02/12/2004 22:22
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Some googling seems to indicate (not certain) that it won't work with IPsec over NAT, but if the software falls back to PPTP (which is a little bit less secure), then it will work.
|
Top
|
|
|
|
#243091 - 02/12/2004 22:44
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
The reason that it may not work is probably what genixia described. Try it anyway.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243092 - 02/12/2004 23:21
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Ah, here we go: Quote: NAT-T and Firewall Rules Because the new NAT-T code is designed around the IETF RFC 3193 and draft-02 of the IETF NAT-T specification, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules: • L2TP - User Datagram Protocol (UDP) 500, UDP 1701 • NAT-T - UDP 4500 • ESP - Internet Protocol (IP) protocol 50
Supported Scenarios Using NAT-T The following scenarios will successfully allow L2TP/IPSec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has the 818043 update installed or is a Windows XP-based computer with SP2 installed. Server is an L2TP/IPSec server that is running Windows Server 2003 and that is using Routing and Remote Access. In the first scenario, for example, Client is behind a NAT router; the connection goes through the Internet and connects to Server. In the second scenario, Server is behind another NAT router. Client----> NAT ----Internet---->Server Client---->Internet---- NAT ---->Server Client----> NAT ----Internet----> NAT ----> Server In these scenarios, where an L2TP/RRAS server is behind a NAT router, the NAT router must open the required ports and protocols for L2TP/IPSec NAT-T connections. The L2TP/IPSec server may also be a third-party gateway product that supports NAT-T connections.
Note If you apply the 818043 update to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPSec server in these scenarios. It cannot allow connections from L2TP/IPSec clients when one or more NAT routers is involved. This update is a client-side update only. Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.
So I wonder how unsecure things will be if I pinhole those ports?
|
Top
|
|
|
|
#243093 - 03/12/2004 00:13
Re: VPN Help
[Re: tfabris]
|
member
Registered: 12/08/2001
Posts: 175
Loc: Atlanta
|
Quote: - A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.
How about putting terminal services on the server and let people remote into the server to run apps?
|
Top
|
|
|
|
#243094 - 03/12/2004 16:03
Re: VPN Help
[Re: Folsom]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: How about putting terminal services on the server and let people remote into the server to run apps?
Not an option for this particular situation. Plus, I don't want to expose terminal services to the internet on this server, I don't trust its security yet.
|
Top
|
|
|
|
#243095 - 03/12/2004 17:20
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
|
I wise decision I think. I too keep my Terminal Services port locked down. If I need to use it remotely I ssh into my Linux box and punch a hole in the firewall for the specific address I am using at the time (I never remember to remove them though, so there are dozens of port 3389 rules hanging around ).
_________________________
Remind me to change my signature to something more interesting someday
|
Top
|
|
|
|
#243096 - 03/12/2004 17:28
Re: VPN Help
[Re: andy]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
I've put a pinhole in the firewall at 3389 today just so I can mess with configuring the server, but I intend to lock that back down when I get VPN working.
|
Top
|
|
|
|
#243097 - 03/12/2004 18:23
Re: VPN Help
[Re: tfabris]
|
member
Registered: 12/08/2001
Posts: 175
Loc: Atlanta
|
You could make it a little safer by changing the public port to a different port than 3389. I do that so I can get to my home network from work, and work blocks out 3389.
|
Top
|
|
|
|
#243098 - 03/12/2004 19:10
Re: VPN Help
[Re: Folsom]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: You could make it a little safer by changing the public port to a different port than 3389.
I thought of that, but I don't see anywhere in the Terminal Services client software to spec a port other than 3389.
|
Top
|
|
|
|
#243099 - 04/12/2004 05:39
Re: VPN Help
[Re: tfabris]
|
old hand
Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
|
just add a <hostname>:<port>, i.e. www.microsoft.com:33389
|
Top
|
|
|
|
#243100 - 04/12/2004 06:41
Re: VPN Help
[Re: image]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Oh cool, thanks. Well, at this point I don't need that any more since my VPN seems to be working.
I had to pinhole TCP port 1723 because that's the PPTP connection port. And then for some reason or other, I had to go into the router's configuration and set a pinhole for "Protocol: PPTP" but it didn't seem to matter what port number I set that to. I didn't realize that PPTP was a "protocol" like TCP or UDP is. Not exactly sure what the router is doing in that case.
Anyway, it works now but I've got the nagging doubt that somehow the Windows VPN server isn't the most secure thing in the world and that someone out there might be able to gain access to the server via VPN.
I've got a couple of bugs I need to work out, too... For instance, name services don't seem to work, I can't locate the server by name after I've VPN'd into it. Also, I can't seem to get two VPN tunnels working from my house at the same time. Maybe it's because we're both behind a NAT layer here.
|
Top
|
|
|
|
#243101 - 04/12/2004 13:37
Re: VPN Help
[Re: tfabris]
|
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
|
Tony, While the topology of my VPN setup is totally different from yours (Sonicwall Firewall w/VPN as the terminating point for the tunnel and Sonicwall client software on the remote end), I also cannot resolve names across the VPN link. If I want to use a share inside the firewalled network I have to map the share as \\###.###.###.###\sharename .
-Zeke
_________________________
WWFSMD?
|
Top
|
|
|
|
#243102 - 04/12/2004 14:53
Re: VPN Help
[Re: tfabris]
|
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
|
Yeah, PPTP isn't known for its strength, but it's better than nothing. And yes, it does use another protocol on top of IP. IPsec also does this with protocol 50. The way that many consumer 'routers' deal with NAT and VPNs prevent more than one tunnel from being open at a time - since packets from the VPN server are encrypted it is not easily possible to determine which of the local hosts they are intended for. The easiest solution is for the router to allocate the entire VPN functionality to the first host that asks for it, typically by watching tcp/1723 (or tcp/500 for IPsec). Some newer routers can apparently allow multiple hosts to open tunnels - I'm not sure how they do this. I'm a bit out of the loop on all this now.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
|
Top
|
|
|
|
#243103 - 04/12/2004 15:57
Re: VPN Help
[Re: genixia]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: The way that many consumer 'routers' deal with NAT and VPNs prevent more than one tunnel from being open at a time
Aha. This is critical information. I'd like to find out more about it, since the plan is to eventually run many VPNs to this server. If it can't be done through this router, then a dedicated endpoint which CAN do this is much more desirable.
|
Top
|
|
|
|
#243104 - 04/12/2004 15:58
Re: VPN Help
[Re: Ezekiel]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: I also cannot resolve names across the VPN link.
This is good to know that I'm not alone, thanks. That means there's likely someone out there who has a solution.
|
Top
|
|
|
|
#243105 - 04/12/2004 16:25
Re: VPN Help
[Re: tfabris]
|
pooh-bah
Registered: 13/09/1999
Posts: 2401
Loc: Croatia
|
Try adding domain name of the network you are connecting to the configuration of your VPN connection. In XP: ['Network' tab]->[Properties button with TCP/IP selected]->[advanced]->[DNS tab]->[append these DNS suffixes] (or perhaps 'DNS suffix for this connection' - I have both ) We use some third-party SW router on Windows (I don't recall which), and have no problems establishing multiple PPTP connections, although we also use NAT. I don't know what the people we are connectiong to use as PPTP endpoint.
_________________________
Dragi "Bonzi" Raos
Q#5196
MkII #080000376, 18GB green
MkIIa #040103247, 60GB blue
|
Top
|
|
|
|
#243106 - 04/12/2004 18:47
Re: VPN Help
[Re: bonzi]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31594
Loc: Seattle, WA
|
Quote: Try adding domain name of the network you are connecting to the configuration of your VPN connection.
Thanks for that suggestion, that's a good idea. Didn't work, but it was worth a try.
|
Top
|
|
|
|
#243108 - 04/12/2004 20:00
Re: VPN Help
[Re: tfabris]
|
old hand
Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
|
if you have a WINS server still, setup the vpn connection to use that.
|
Top
|
|
|
|
|
|