RRAS as VPN Server Configuration Questions... New one...


M

Mike B.

Hi all again,

With only one physical Internet connection and one Windows 2000 Advanced
Server (PDC), I need to setup VPN access to a local LAN while keeping
unauthenticated VPN traffic OFF the LAN where Client PC's are located. I
have three Hardware Routers in which to use. I know it's NOT advised to
use a PDC for this, but this is all we have. I also know that it would be
much easier to use just one NIC, but the client wants(needs) to
have unauthenticated VPN traffic OFF the LAN. Previous attempts have
failed,
so I'm wondering if this new setup should/will work?

Thanks for any help,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA

Previous question in newsgroup with old setup:
RE: RRAS as VPN Server Configuration Questions

Subnet Mask 255.255.255.0 for EVERYTHING

Because LAN PC's also VPN out:
IPSec - Passthrough on all Hardware Routers
PPTP - Passthrough on all Hardware Routers
PPPoE - Passthrough on all Hardware Routers

*** Router #1 gets feed from Internet.
*** Router #2 and #3 connect to LAN ports on Router #1.

Router #1
---------
For now, until VPN is setup than client will get static IP.
(External Address: Set by ISP; dns: Set by ISP)
(Internal Address: 192.168.118.1)
External Port 1723 Forwarded to Port 1723 on 192.168.118.2 (Router #2)

Router #2
---------
(External Address: 192.168.118.2 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.119.1)
Static Route: 192.168.120.0 255.255.255.0 192.168.119.2 on LAN
External Port 1723 Forwarded to Port 1723 on 192.168.119.2 (RRAS)

Router #3
---------
(External Address: 192.168.118.3 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.120.1)
Static Route: 192.168.119.0 255.255.255.0 192.168.120.2 on LAN

Windows 2000 Advanced Server
----------------------------
- 2 NICs
Connection Name: WAN (192.168.119.2 dg 192.168.119.1)
Connection Name: LAN (192.168.120.2 dg Blank)
- PDC (domain: abc.local) with Active Directory
- DHCP (Bindings to both NICs 192.168.119.2 and 192.168.120.2)
Scope 192.168.119.0 (pool: 192.168.119.10 - 192.168.119.254)
Scope Options:
(003 Router) 192.168.119.1
(004 Time Server) 192.168.119.2
(005 Name Servers) 192.168.119.2
(006 DNS Server) 192.168.119.2
(007 Log Servers) 192.168.119.2
(042 NTP Servers) 192.168.119.2
(044 WINS/NBNS Servers) 192.168.119.2
(015 DNS Domain Name) is abc.local.
Scope 192.168.120.0 (pool: 192.168.120.10 - 192.168.120.254)
Scope Options:
(003 Router) 192.168.120.1
(004 Time Server) 192.168.120.2
(005 Name Servers) 192.168.120.2
(006 DNS Server) 192.168.120.2
(007 Log Servers) 192.168.120.2
(042 NTP Servers) 192.168.120.2
(044 WINS/NBNS Servers) 192.168.120.2
(015 DNS Domain Name) is abc.local.
- DNS (Listen on Both NICs 192.168.119.2 and 192.168.120.2)
One Forward Lookup Zone
"Name Servers" property page includes one entry with both IP's
Two Reverse Lookup Zones
120.168.192-in-addr.arpa
119.168.192-in-addr.arpa
- WINS
- RRAS
Configured on 192.168.119.2 using DHCP
Router - LAN and demand-dial routing and Remote Access Server
Windows Authentication
Use the following adapter to obtain DHCP, DNS, and WINS addresses
for dial-up clients. Adapter: WAN
Modified Policy to only allow one domain group for Remote Access
DHCP Relay Agent configured for 192.168.119.2
WAN interface only
IGMP
WAN - IGMP Router
LAN - IGMP Router
Need HELP with the rest of RRAS configuration?

==================================================================

Router #1
|
|
Router #2
|
|
Strictly for VPN Clients (dhcp clients 192.168.119.2 *see above)
VPN Clients do NOT "use default gateway on remote network" - which
allows them to access their local LAN and Internet connection?
|
|
192.168.119.2 dg 192.168.119.1
Windows 2000 Advanced Server
192.168.120.2 dg blank
|
|
Clients (dhcp clients 192.168.120.2 *see above)
|
|
Router #3
|
|
Router #1
 
Ad

Advertisements

B

Bill Grant

The first thing to check is whether any of the routers is capable of
acting as a VPN server.

If you must use the W2k server, you can give the VPN clients access to
the server but not the LAN. You put the remote clients in their own IP
subnet (using the static address pool in RRAS). They will be able to access
the server (because it gets an IP address from the pool for its "internal"
interface). They will not be able to access LAN machines if you do not
enable IP routing on the RRAS server.

Having the remotes in their own subnet also avoids most of the problems
you normally have with a DC as remote access server.

You do not need more than one NIC in the server if it is behind a router
which has an Internet connection. The router acts as the public interface
for connection (ie the remote client connects across the Internet to the
public interface of the router). The VPN connection is extended to the
server by forwarding from the router (tcp port 1723 for pptp).
 
M

Mike B.

Hi Bill,

Thanks again for your response. Did you READ my full post???
The first thing to check is whether any of the routers is capable of
acting as a VPN server

One of them has VPN Server capability (D-Link DI-824VUP). However, this
does not allow for Domain User authentication and also has to remain on the
inside LAN as it is used for the Wireless AP on the LAN.
They will be able to access
the server (because it gets an IP address from the pool for its "internal"
interface). They will not be able to access LAN machines if you do not
enable IP routing on the RRAS server.

Please tell me if I'm wrong, but in "ipconfig /all" "IP Routing... Enabled"
and:
- RRAS
Configured on 192.168.119.2 using DHCP
Router - LAN and demand-dial routing and Remote Access Server
Windows Authentication
Use the following adapter to obtain DHCP, DNS, and WINS addresses
for dial-up clients. Adapter: WAN
Modified Policy to only allow one domain group for Remote Access
DHCP Relay Agent configured for 192.168.119.2
WAN interface only
IGMP
WAN - IGMP Router
LAN - IGMP Router

tells me that IP routing is enabled and VPN Clients should have full access
to the network, correct???
You do not need more than one NIC in the server if it is behind a router
which has an Internet connection. The router acts as the public interface
for connection (ie the remote client connects across the Internet to the

This suggestion will NOT work for:
while keeping unauthenticated VPN traffic OFF the LAN where Client
and

public interface of the router). The VPN connection is extended to the
server by forwarding from the router (tcp port 1723 for pptp).

I have on Router #1:
External Port 1723 Forwarded to Port 1723 on 192.168.118.2 (Router #2) and on Router #2:
External Port 1723 Forwarded to Port 1723 on 192.168.119.2 (RRAS)

Thanks,

Mike
 
Ad

Advertisements

B

Bill Grant

I have no idea whether forwarding across two routers will work. I have
never tried it.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top