can xp act as server for vpn connection

Guest

I am trying to establish a vpn connection from one xp pro machine to another xp pro machine. I have a static ip on the server side. Can you setup a vpn connection to accept another xp pro machine, or do you have to have server software?

This is a peer to peer network with only 4 machines, but the 5th needs to connect to the server machine running xp pro from a remote location.

thanks!
 
Bill Sanderson

Sure--read about "incoming connections" in help and support.

Created by "add a new connection" in control panel, network
connections--advanced, incoming.
 
Guest

Also, I forgot to add this: what ports do you have to open on the router (linksys) to achieve a connection from the outside world from the lan where the server machine is located?
 
Guest

what ports do you have to open on a router (linksys) to allow this connection from the outside world?

thanks!
 
Bill Sanderson

For a PPTP vpn connection, you need to open port 1723, TCP, and GRE protocol
47. Many linksys models have a setting called "PPTP passthrough" which is
the GRE protocol 47. You want PPTP passthrough enabled.
 
Guest

I am trying to make an ipsec vpn connection......have a windows xp home as the client, and a xp pro as the server......I am having problems with security permission (secpol.msc) in the home edition. I can't find where you can set the security policy on the client connection.

What is happening is that the security permissions are set up on the server side, but when the computer is behind the firewall it can't connect because it can't see the security policies, but if I put the server in the dmz zone then it connects right away.

What I need is a way to set the security policies on the client side so that I can tunnel to the server behind the firewall.
 
Bill Sanderson

I'm afraid I have zero experience with IPSEC--none of my clients has
sufficient need to pay the extra for fixed IP addresses, so I haven't spent
the time to learn about the issues involved.

Jeffrey?......

Here's a clear reference to the limitations on IPSEC in XP Home:

http://www.microsoft.com/windowsxp/...xp/home/using/productdoc/en/sag_IPSec_Ov9.asp

If I am reading this correctly, it appears you may be able to do what you
are trying to do if you can find the correct tool to set local IPSec policy
on the XP Home machine.

This reference would seem to be what's needed:

http://www.microsoft.com/windowsxp/...e/using/productdoc/en/ipsec_start_snap-in.asp

but I haven't got access to an XP Home install to test whether the docs are,
in fact, correct--they sometimes are not.

Here's a doc for troubleshooting:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314831
 
Jeffrey Randow (MVP)

IPSEC L2TP connections won't work behind a NAT firewall without
NAT-T... Unfortunately, NAT-T server side functionality isn't being
included in Windows XP (grr...)... Thus, the only way to do this is
to (1) - get a hardware IPSEC firewall router that supports NAT-T, (2)
run Windows 2003 Server... :(

Hopefully I'll learn more about this next week... :)

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 
Jeffrey Randow (MVP)

Take a look at this article for L2TP/IPSEC troubleshooting.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314831

 
Guest

Can you give me assistance with PPTP? I figure that I should connect PPTP because of the heartache involved with ipsec not dealing with server OS.

I have opened 1723, and enabled pptp passthrough (protocol 47) the server and client side.......can get to the screen where it is verifying username and password. I then get an error 721.....I have looked up on google but get a bunch of dead ends.....

I am using the linksys wrt54g on both ends.
 
Bob

Can you give me assistance with PPTP? I figure that I should connect PPTP because of the heartache involved with ipsec not dealing with server OS.

I have opened 1723, and enabled pptp passthrough (protocol 47) the server and client side.......can get to the screen where it is verifying username and password. I then get an error 721.....I have looked up on google but get a bunch of dead ends......

I am using the linksys wrt54g on both ends.

I just got done spending a couple days with that Error. It's a
firewall problem. Something is blocking the authentication process,
which is done thru GRE.

The way I fixed it is to get my associate at the office to remove
everything from his machine that looked even remotely like it might
cause a problem - firewalls, virus detectors, crap he knows nothing
about, etc. After he did that I could connect.

But I cannot map a drive letter to the share we created. In fact I
can't even browse his machine.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

You know you are in Hell when you have to make a
distinction between what is moral and what is legal.
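
Added example, not part of any post in this thread: a capture-triage sketch for the error 721 case discussed above, where the PPTP control channel on TCP 1723 comes up but GRE (IP protocol 47) is blocked. It assumes raw IPv4 packets captured at a point where both endpoint addresses are visible; the addresses, the `ip` packet builder and the sample capture are constructed for illustration.

```python
import struct

TCP, GRE, PPTP_PORT, PPP_OVER_GRE = 6, 47, 1723, 0x880B

def classify(pkt):
    """Return (src, dst, kind) for a raw IPv4 packet; kind is 'ctrl' or 'gre', else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    body = pkt[ihl:]
    if len(body) < 4:
        return None
    a, b = struct.unpack("!HH", body[:4])
    if pkt[9] == TCP and PPTP_PORT in (a, b):        # a, b = source, destination port
        return src, dst, "ctrl"
    if pkt[9] == GRE and a & 7 == 1 and b == PPP_OVER_GRE:  # enhanced GRE, version 1
        return src, dst, "gre"
    return None

def diagnose(packets, client, server):
    """Say which leg of the PPTP path is missing from a capture."""
    seen = {c for c in map(classify, packets) if c}
    both = lambda kind: [(client, server, kind) in seen, (server, client, kind) in seen]
    if not all(both("ctrl")):
        return "no-control: TCP 1723 is not reaching the server or its replies are dropped"
    out, back = both("gre")
    if out and back:
        return "ok: control channel and GRE flow in both directions"
    if out or back:
        return "gre-one-way: GRE (protocol 47) is dropped in one direction"
    return "no-gre: control channel is up but no GRE is passing at all"

# Constructed sample capture (documentation addresses, checksums left at zero).
def ip(src, dst, proto, body):
    addr = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + body

CLIENT, SERVER = "203.0.113.5", "198.51.100.7"
tcp = lambda sport, dport: struct.pack("!HH", sport, dport) + bytes(16)
gre = struct.pack("!HHHHI", 0x3001, PPP_OVER_GRE, 0, 1, 0)
SAMPLE = [ip(CLIENT, SERVER, TCP, tcp(1045, 1723)),
          ip(SERVER, CLIENT, TCP, tcp(1723, 1045)),
          ip(CLIENT, SERVER, GRE, gre)]

if __name__ == "__main__":
    print(diagnose(SAMPLE, CLIENT, SERVER))
```

A "gre-one-way" or "no-gre" verdict points at a router or host firewall rule for protocol 47 rather than at the port 1723 forward.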
 
Bob

Can you give me assistance with PPTP? I figure that I should connect PPTP because of the heartache involved with ipsec not dealing with server OS.

I have opened 1723, and enabled pptp passthrough (protocol 47) the server and client side.......can get to the screen where it is verifying username and password. I then get an error 721.....I have looked up on google but get a bunch of dead ends......

I am using the linksys wrt54g on both ends.

You have a firewall blocking one or more components of the connection.
I had the same problem and when my associate removed all potential
firewalls I was able to connect.

Merely exiting the GUI for a firewall is not going to work. You have
to disable it from the GUI. If that does not work, then remove
everything from your machine that you suspect could be causing a
problem. Use Add/Remove - take a screenshot before removing anything
so you can restore things, one at a time until the VPN breaks again.

When I finally got connected, I reactivated Kerio and it found two new
rules I needed for the firewall: 1) GRE passthru both ways; 2) Windows
Explorer TCP Out.



 
Bill Sanderson

You're getting there--check out the IP addresses given for the endpoints of
the VPN connection. Sometimes modifying properties of IP on the Incoming
Connection to give out IP's on the right subnet is the fix for such issues.
 
Bob

You're getting there--check out the IP addresses given for the endpoints of
the VPN connection. Sometimes modifying properties of IP on the Incoming
Connection to give out IP's on the right subnet is the fix for such issues.

I discovered the problem - Win2K PPTP VPN has a bug which was
apparently corrected in XP, preventing name resolution by the VPN
Client. If I use raw IP addresses, like 192.168.1.100 for the VPN
Server in Network Places, I can browse the network on that machine. If
I use that raw IP in mapping a share, I can set that up too.

If you want to work around this bug, you can use static VPN IP
addresses and put entries in the HOSTS table on both machines.


 
Jeffrey Randow (MVP)

I wouldn't necessarily say this is a bug... Broadcast name resolution
doesn't work over the VPN link... You need to have access to a WINS
server (or DNS server) to get names to work... My solution is to
provide a mini-WINS server, but MS hasn't taken my advice on that
yet... :(

 
Bob

I wouldn't necessarily say this is a bug... Broadcast name resolution
doesn't work over the VPN link...

It does for XP - but not for Win2K.

We have an XP VPN Client where we can type "\\servername" (where
"servername" is the Full Computer Name of the VPN Server) in Start|Run
and it will bring up all the shares on the VPN Server.

We can't do that with a Win2K VPN Client - we have to use the raw IP
address for that machine on the VPN, which is 192.168.1.100.

I do not have access to an XP machine at the moment, so why don't you
look in the VPN Client under WINS and see if there is mention of
NetBIOS (like there is for the LAN). My Win2K Client has no mention of
NetBIOS in the WINS panel - the last thing is mention of LMHOSTS and
then the bottom half of that panel is blank. If there is a checkbox
for NetBIOS, check it and see if name resolution now works.

Let us know what you find.

 
Bob

I wouldn't necessarily say this is a bug... Broadcast name resolution
doesn't work over the VPN link.

I looked at an XP PPTP VPN Client and sure enough on the WINS panel there it was - NetBIOS. That's why you can do name resolution.

It was deliberately left off the Win2K PPTP VPN Client. That's why you
cannot do name resolution.

Microsoft has had 4 Service Packs to fix this glaring deficiency on
Win2K, but has chosen not to. They want to force you to buy XP, if you
must have name resolution.

Fortunately I don't - I use raw IP addresses anyway. The VPN Server is
always the first address in the range of addresses you configure for
the VPN - and therefore it is static for the VPN - and if you
configure the VPN correctly you can set up a static IP address for the
VPN Client.

Now all you need to do is use those raw IP addresses to access the
shares on either machine, e.g. \\192.168.1.100, etc.

I find it a bit strange that no one on these forums knew all this.

 
Jeffrey Randow (MVP)

It depends... With a properly configured VPN client and WINS/DNS
server, you should get name resolution to work properly... Without
WINS/DNS (or without it being properly configured by the RAS server),
you may or may not get name resolution depending on which OS is
operating as the server and whether or not you are using ICS...

Windows XP Incoming Connections Server (service) will not support
broadcast name resolution alone without the use of a DNS or WINS
server in TCP/IP mode... This, unfortunately, was by design...

 
Bob

Windows XP Incoming Connections Server (service) will not support
broadcast name resolution alone without the use of a DNS or WINS
server in TCP/IP mode... This, unfortunately, was by design...

I do not understand what you just said, because I am able to get name
resolution to work without any DNS or WINS server.

We have been able to get name resolution to work using XP for the PPTP
VPN Client, with both XP and Win2K VPN Servers - on a simple
peer-to-peer (workgroup) VPN connection.

I set up the PPTP VPN Server on my Win2K machine and an associate
connects from his XP VPN Client. He then does a Start|Run \\servername
where "servername" is the so-called Full Computer Name of my machine
found in ControlPanel|System|NetworkIdentification (aka "the NetBIOS"
name). He did not have to use a raw IP address to access the shares on
my machine.

In order to accomplish this he had to Enable NetBIOS for the VPN
Client. He went to the icon for the VPN Client in Network Connections,
then to Properties|Networking|TCP/IP|Properties|Advanced|WINS. On the
bottom half of that page there is a section for NetBIOS.

That section for NetBIOS for the Win2K PPTP VPN Client is blank. If
that was an oversight when Win2K was first published, it should have
been provided later with one of the Service Packs. But MS won't do
that because they want you to buy XP.

I have not been able to get name resolution to work with a Win2K PPTP
VPN Client on a simple peer-to-peer (workgroup) connection, regardless
of the OS of the VPN Server.

--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
 
