Is it possible to establish a VPN for road warriors using XP home and a machine running win2000 pro

Jeff VA

Hi,

I work for a small company that has a number of field technicians and
a small central office. The field technicians use laptops running
Windows XP Home Edition. Most of the technicians connect to the
internet via wireless connections (D-Link DI-524's being the most
popular at the moment). The computer in the office is a Dell Precision
650 running Windows 2000 Professional.

Is it possible to establish a VPN using this equipment / operating
systems?

I've attempted to connect using the "Incoming Connections" in 2000 and
the "Connect to a network at my workplace" option in the New
Connection Wizard (XP Home). (If so I've just got something
misconfigured) When I try to connect, the process stalls for several
minutes at the "Verifying user name and password" dialog, then
eventually reports "Error:721 the remote computer did not respond..."

I understand that XP Home isn't designed to authenticate against a
domain, but would that cause this error?

If that option isn't workable, can OpenVPN be used to establish the
connection? I don't understand the difference well between the two
technologies, but if OpenVPN uses CA certificates for authentication,
would that circumvent the issue of trying to get XP Home to log in to
the "server"?

Thanks in advance,
 
Sooner Al [MVP]

Jeff VA said:
Hi,

I work for a small company that has a number of field technicians and
a small central office. The field technicians use laptops running
Windows XP Home Edition. Most of the technicians connect to the
internet via wireless connections (D-Link DI-524's being the most
popular at the moment). The computer in the office is a Dell Precision
650 running Windows 2000 Professional.

Is it possible to establish a VPN using this equipment / operating
systems?

I've attempted to connect using the "Incoming Connections" in 2000 and
the "Connect to a network at my workplace" option in the New
Connection Wizard (XP Home). (If so I've just got something
misconfigured) When I try to connect, the process stalls for several
minutes at the "Verifying user name and password" dialog, then
eventually reports "Error:721 the remote computer did not respond..."

I understand that XP Home isn't designed to authenticate against a
domain, but would that cause this error?

If that option isn't workable, can OpenVPN be used to establish the
connection? I don't understand the difference well between the two
technologies, but if OpenVPN uses CA certificates for authentication,
would that circumvent the issue of trying to get XP Home to log in to
the "server"?

Thanks in advance,

Remember you need TCP Port 1723 open on any firewall between the server PC
and the client. Also the firewall must pass GRE Protocol 47 traffic. You can
test that using the tests detailed in the PPTP Ping and VPN Traffic sections
on this page...

http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

You could use OpenVPN as an alternative. I had it running on an XP Pro box
(server) and an XP Pro (client).

What do the field techs need to access through the VPN? I.e., shared files or
actual desktops, etc.? Secure Shell (SSH) may also be an alternative...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
Jeff VA

Remember you need TCP Port 1723 open on any firewall between the server PC
and the client. Also the firewall must pass GRE Protocol 47 traffic. You can
test that using the tests detailed in the PPTP Ping and VPN Traffic sections
on this page...

http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

You could use OpenVPN as an alternative. I had it running on an XP Pro box
(server) and an XP Pro (client).

What do the field techs need to access through the VPN? I.e., shared files or
actual desktops, etc.? Secure Shell (SSH) may also be an alternative...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

Al,
Thanks for the reply, I'll work through the testing as outlined on the
page you sent. As it happens, we're "Cable Guys", we build/maintain
fiber/coax cable systems. The techs need to be able to access a
couple of Access databases, and shared Excel workbooks. Emailing
multiple copies of the same workbooks back and forth has led to
confusion and missed billing. I'm trying to eliminate the confusion.

I'll follow up once I've worked through the "testing network paths"
instructions.
Thanks for now
 
Jeff VA

Al,
Thanks for the reply, I'll work through the testing as outlined on the
page you sent. As it happens, we're "Cable Guys", we build/maintain
fiber/coax cable systems. The techs need to be able to access a
couple of Access databases, and shared Excel workbooks. Emailing
multiple copies of the same workbooks back and forth has led to
confusion and missed billing. I'm trying to eliminate the confusion.

I'll follow up once I've worked through the "testing network paths"
instructions.
Thanks for now

Thanks again for the guidance, I've made good progress to date, but
some work left to do....

The following was completed with an XP home laptop and the Win 2000
Pro server operating within the same LAN...

After reading through the Cable Guy article on testing network paths,
I downloaded the Windows XP Service Pack 2 Support Tools from

http://www.microsoft.com/downloads/...76-9bb9-4126-9761-ba8011fabf38&displaylang=en

Since the tools won't install on Windows 2000 Pro, I installed them on
the XP home machine and then copied the pptpsrv executable over to the
server.

On the server I navigated to
Control Panel => Administrative Tools => Services and disabled the
"Routing and Remote Access Service".

I then started the pptpsrv tool on the server, and ran the pptpclnt
tool on the laptop. The tools showed that I had good communication on
port 1723, but the server didn't receive any GRE traffic.

After realizing that protocol 47 is NOT the same as Port 47, I
navigated to the VPN section of the D-Link support page and found out
how to configure the router to pass this protocol...

"In Virtual Server make 1 entry for your PPTP/GRE connection. Use TCP
port 1723 and forward to your MS VPN (PPTP/GRE) server. This has to be
TCP (not UDP or Both). After applying settings, check Firewall section
for a TCP 1723 entry and a PPTP_GRE entry. Now connect to your WAN IP
address using your MS VPN client from the WAN (this will not work from
LAN using the WAN IP to loopback to LAN). "

With this done, I ran the pptpsrv and pptpclnt tools again, and both
the communication on port 1723 and the GRE tests were successful.

On the laptop, I created a new connection, and can now log into the
VPN from home.

I still have to figure out how to map the server shares as network
drives, but that's another post.
Thanks again,
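
An added example (not part of the original posts) of the "protocol 47 is not port 47" point from the troubleshooting above: it parses constructed IPv4 packets to show why a TCP or UDP port-47 forwarding rule can never match the PPTP data channel, and why a listener can see TCP 1723 while receiving no GRE. The addresses, the helper names and the report format are assumptions made for illustration.

```python
import struct

TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers (the IPv4 "protocol" byte)
PPTP_CONTROL_PORT = 1723       # TCP port named in the thread

def ipv4(proto, payload):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    src, dst = bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10])  # documentation addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def l4(dport, sport=40000):
    """Start of a TCP or UDP header: source port, destination port, rest zeroed."""
    return struct.pack("!HH", sport, dport) + bytes(16)

def classify(pkt):
    """Return (ip_protocol, dst_port); dst_port is None when the protocol has no ports."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto in (TCP, UDP):
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None

def port_forward_matches(rule_proto, rule_port, pkt):
    """A port-forward ("virtual server") rule only matches TCP/UDP destination ports."""
    return classify(pkt) == (rule_proto, rule_port)

def pptp_path_report(pkts):
    """What a listener on the server side could conclude from the packets reaching it."""
    seen = {classify(p) for p in pkts}
    return {"tcp_1723": (TCP, PPTP_CONTROL_PORT) in seen, "gre_47": (GRE, None) in seen}

# Constructed samples: PPTP control segment, PPTP data packet (enhanced GRE header
# carrying PPP), and unrelated TCP/UDP traffic addressed to *port* 47.
GRE_HDR = bytes.fromhex("3001880b") + struct.pack("!HHI", 4, 1, 1) + b"\xff\x03\xc0\x21"
CONTROL = ipv4(TCP, l4(PPTP_CONTROL_PORT))
TUNNEL = ipv4(GRE, GRE_HDR)
TCP_PORT_47 = ipv4(TCP, l4(47))
UDP_PORT_47 = ipv4(UDP, l4(47))

if __name__ == "__main__":
    for proto in (TCP, UDP):                     # forwarding "port 47" never catches GRE
        print(proto, port_forward_matches(proto, 47, TUNNEL))
    print(pptp_path_report([CONTROL]))           # router forwards TCP 1723 only
    print(pptp_path_report([CONTROL, TUNNEL]))   # router also passes protocol 47
```
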
 
Sooner Al [MVP]

Jeff VA said:
Thanks again for the guidance, I've made good progress to date, but
some work left to do....

The following was completed with an XP home laptop and the Win 2000
Pro server operating within the same LAN...

After reading through the Cable Guy article on testing network paths,
I downloaded the Windows XP Service Pack 2 Support Tools from

http://www.microsoft.com/downloads/...76-9bb9-4126-9761-ba8011fabf38&displaylang=en

Since the tools won't install on Windows 2000 Pro, I installed them on
the XP home machine and then copied the pptpsrv executable over to the
server.

On the server I navigated to
Control Panel => Administrative Tools => Services and disabled the
"Routing and Remote Access Service".

I then started the pptpsrv tool on the server, and ran the pptpclnt
tool on the laptop. The tools showed that I had good communication on
port 1723, but the server didn't receive any GRE traffic.

After realizing that protocol 47 is NOT the same as Port 47, I
navigated to the VPN section of the D-Link support page and found out
how to configure the router to pass this protocol...

"In Virtual Server make 1 entry for your PPTP/GRE connection. Use TCP
port 1723 and forward to your MS VPN (PPTP/GRE) server. This has to be
TCP (not UDP or Both). After applying settings, check Firewall section
for a TCP 1723 entry and a PPTP_GRE entry. Now connect to your WAN IP
address using your MS VPN client from the WAN (this will not work from
LAN using the WAN IP to loopback to LAN). "

With this done, I ran the pptpsrv and pptpclnt tools again, and both
the communication on port 1723 and the GRE tests were successful.

On the laptop, I created a new connection, and can now log into the
VPN from home.

I still have to figure out how to map the server shares as network
drives, but that's another post.
Thanks again,

If you're not running a WINS server on your office network then an alternative
is to use an lmhosts file on the VPN clients. Then you can address shares
using the UNC in the form \\ComputerName\ShareName. Here is an example
lmhosts file and the MS guidance...

http://theillustratednetwork.mvps.org/Vista/PPTP/Examplelmhosts.txt

http://support.microsoft.com/kb/314884/en-us

Good luck...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
