Complete VPN Fundamentals and VPN Router RV042


Lewis Giana

So far I have a laptop at home, and I want to connect to
a server in another house and the situation looks like
this:

laptop1---Router1--Internet--VPNRouter---Server

or equivalently:

NETA---Router1--Internet--VPNRouter---NETB

Router1 is Linksys BEFW11S4.
The VPNRouter is Linksys RV042.
www.linksys.com. Their manual is almost worthless.
Their support is inane.

The ROUTERS HAVE TOTALLY DIFFERENT INTERNET IPs.
THAT IS, ONE HAS 200.3.34.4, THE OTHER 127.6.32.3.
Each provides NAT and private IPs, one to NETA and the
other router to NETB respectively.


Laptop has XP Professional
Laptop and server have PRIVATE IPs

Server is a domain controller. It has Windows Server 2003 and
VPN is NOT configured, since the VPNrouter will do the
VPN job. Is this thinking correct?

To configure this, WHY do we do the following steps? In
other words, what are we doing? Can someone explain? One
short paragraph should do wonders.

1. On the laptop with Windows XP I create an IPsec Policy
FROM the laptop to the VPNrouter. DO I need another
security policy from the VPNRouter to the laptop?

2. On the laptop create two Filter Lists: one for the
connection from the laptop to the VPN router and another
filter list for the connection from the VPN router to
the laptop.

3. On the laptop create security rules for the filter
lists created in step 2. This is where encryption and
authentication methods are defined.

4. On the laptop create two tunnels for each Filter List
on step 2.

5. Assign the security policy created in step 1.

6. The missing step. WHEN AND HOW are THE PREVIOUS STEPS
used or activated to create the VPN?


7. The router for NETA has VPN passthrough. Is this
correct?

8. The VPNrouter for NETB: should it have VPN passthrough
DISABLED? This router has VPN capabilities and can
establish 30 tunnels, they say.

9. DO I need to configure the server on NETB just like
the laptop? In other words perform steps 1 through 6 on
the server?

10. When all is working properly and the laptop joins
NETB through VPN, what happens? Does one see a small
window to log in to the server? Or does the VPN router
do the authentication, and how? Or should nothing happen
until one accesses shares on the server?
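The poster's steps 1 through 6 map onto the objects the XP/2003 IPsec policy agent actually uses: one policy, filter lists, a filter action, rules with tunnel endpoints, and assignment. The following is an added example, not from the original thread or from Linksys; it assumes the `netsh ipsec static` context is available (it ships with Windows Server 2003; on XP the same objects are built in the MMC snap-in or with ipseccmd.exe), and it uses labelled placeholders for the VPN router's public address, the laptop's own address, the NETB subnet and the pre-shared key, none of which the post gives.

```batch
@echo off
rem Added example: the poster's steps 1-5 as netsh ipsec static commands.
rem All four values below are placeholders (assumptions), not from the thread.
set VPNROUTER_WAN=<VPNRouter public IP>
set LAPTOP_IP=<laptop's own IP address>
set NETB_SUBNET=192.168.2.0
set NETB_MASK=255.255.255.0
set PSK=<the pre-shared key configured on the RV042>

rem Step 1: the policy is only a container. One policy is enough; the return
rem direction is handled by the second filter list and rule, not a second policy.
netsh ipsec static add policy name="Laptop-to-NETB" description="IPsec tunnel to RV042"

rem Step 2: one filter list per direction. Tunnel rules must NOT use mirrored
rem filters, which is why the wizard makes you create two lists.
netsh ipsec static add filterlist name="Laptop-to-NETB-out"
netsh ipsec static add filter filterlist="Laptop-to-NETB-out" srcaddr=me dstaddr=%NETB_SUBNET% dstmask=%NETB_MASK% protocol=ANY mirrored=no
netsh ipsec static add filterlist name="NETB-to-Laptop-in"
netsh ipsec static add filter filterlist="NETB-to-Laptop-in" srcaddr=%NETB_SUBNET% srcmask=%NETB_MASK% dstaddr=me protocol=ANY mirrored=no

rem Step 3: the filter action is where encryption and integrity are chosen.
rem It has to match a proposal the RV042 is configured with; 3DES/SHA1 is an
rem assumed choice here. inpass=no/soft=no refuse clear text if IKE fails.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Step 4: two rules, one per filter list. Each names the tunnel endpoint on
rem the receiving side: the router for outbound traffic, this host for inbound.
netsh ipsec static add rule name="Out" policy="Laptop-to-NETB" filterlist="Laptop-to-NETB-out" filteraction="Require-ESP" tunnel=%VPNROUTER_WAN% psk=%PSK%
netsh ipsec static add rule name="In" policy="Laptop-to-NETB" filterlist="NETB-to-Laptop-in" filteraction="Require-ESP" tunnel=%LAPTOP_IP% psk=%PSK%

rem Step 5 (and the "missing" step 6): assigning the policy activates it.
rem Nothing is negotiated at this point; the first packet that matches a
rem filter triggers IKE with the router, and traffic flows once the SAs exist.
netsh ipsec static set policy name="Laptop-to-NETB" assign=y

rem Check: confirm the policy, then after sending traffic to NETB list live SAs.
netsh ipsec static show policy name="Laptop-to-NETB"
netsh ipsec dynamic show qmsas
```

The last two commands are the check a practitioner wants: if `show qmsas` stays empty after a ping into NETB, IKE never completed, which is the symptom the rest of the thread (NAT between the laptop and the router) discusses.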
 

Guest

Hi there Lewis,

You've got a whole bundle of questions going here - and we really need to
get back to basics before working through that lot!

First things first, whilst you may already know this, I'll cover it anyway; you
can always skip over it. A VPN should be seen as a pipe which runs from one
endpoint to another, and the endpoints are very important. The internet
routers you have, I think, should be able to manage the VPN without your XP
system getting involved, and because of the way that the Linksys devices
handle VPN, this is often best.

If you are configuring the NETB router as an endpoint, then you should not
need any further configuration at the server end. You will need to configure
the router at NETB to NOT be VPN passthrough, but to act as a VPN endpoint.

There's the Linksys article here
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=207

which covers XP/W2k config and the site:

http://routerworld.dyndns.org/

has some excellent configs which cover much of your requirements - including
MS -> Linksys.

I'm sorry I can't give full settings etc here, but hope that this gets you
on the right track.

Reply to the post if you need more info.

Regards,

Jason


Bill Sanderson

I'm a novice on non-PPTP VPNs, so take this with a grain of salt:

I'd rather you tested this without router1, if possible. I don't believe
you can do what you are trying to do through the average NAT.
Jeffrey--correct me??

As to what happens when you connect in the end: with other VPNs I've used,
the answer is nothing, just what happens when you plug in an Ethernet
connection. You have an open pipe; you may be able to see bytes exchanged
if you've chosen to have the connection visible as a system tray icon, but
you'll need to actually connect to something to "see" something happen.
 

Guest

Thanks Jason:

After repeated calls to Linksys support on your point of
having the vpnrouter of NETB set with VPN
passthrough=DISABLE for the reasons you stated, Linksys
insisted that I should have it set on ENABLE. But could
not give a reason. Later, after looking at manuals of
other routers I found that the VPNrouters have at least
two components. One component is a firewall. If you set
VPN DISABLE you would be setting the vpnrouter firewall
to stop VPN traffic and all VPN would fail. So as a rule
then if you want VPN set all routers to VPN
passthrough=ENABLE. This seems to be correct. Factory
default for this VPN passthrough setting is ENABLE. But
this is the first step only...
 

Guest

Thanks Bill:

I am afraid you may be correct. Linksys support, which is
very weak and also very confused themselves, seems to
insist that it is possible. They make you set up the
IPsec configuration (Policy) on the PC w/Windows XP with
two tunnels. Somewhere I read that tunnel mode can do
VPN over NAT. However, I don't know whether creating
tunnels in the IPsec policy is the same as Tunnel Mode
IPsec. Nevertheless, a complicating factor is that
Microsoft has a paper that says that this tunnel
configuration is only for a server with two NICs acting
as a GATEWAY with the other end of the tunnel a
VPNrouter. The single PC with a NAT address connecting
to the VPN router seems in their view hopeless.

Has anybody done a VPN over NAT with a single PC w/winXP
or win2000?

PCw---Router1--Internet--VPNRouter---Server
Router1 and VPNRouter are doing NAT and providing private
IPs.

In this diagram which side of Router1 and VPNRouter are
the VPN end points?? Perhaps the PC Address is one of the
endpoints?
 

Bill Sanderson

There is a new standard, colloquially known as NAT-T, which allows a client
machine to use an IPsec VPN through a NAT device to a host. This standard
must be supported by both the client and the host. Linksys should be able
to tell you whether or not the router supports this (as the host) and what
client software you need to be running to support this at the client end.
There's a good chance that making this work well requires the latest firmware
for the router, as well.
 

Jeffrey Randow (MVP)

The easiest and best option for an end user is to get one of the
WRT54G devices and install one of the 3rd party firmware (SVEASOFT for
one) that provides a PPTP-based VPN server integrated into it...

Jeffrey Randow (Windows Networking & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 

Bill Sanderson

Interesting--that should save quite a few users who are finding they can't
make use of what they've just spent $ on.
 

Jeffrey Randow (MVP)

The third party firmware is excellent. If one doesn't want to do a
PPTP-based VPN, one can easily set up tunnels with SSH (a bit more
difficult in the Windows world, but it can be nice for secure
connection tunnels).

 