Vista VPN

Guest

PPTP is a perfectly acceptable VPN technology, although IPsec is a more
common technology to use now. Both use encrypted connections (which is
essentially the definition of VPN) and neither needs static addresses.
 
Guest

Well, how is it going to work over the Internet if the Vista PC doesn't have
a static and public IP address?

Thx.
 
Guest

It will work the same way any other packet that goes through a network
address translator works (DHCP is entirely orthogonal to this issue). PPTP,
proposed in RFC 2637, simply encapsulates a TCP or UDP session in a GRE
packet. The surrounding IP packet gets address translated just like any other
traffic, in accordance with RFC 2663.

This is the same way IPsec works, except that IPsec validates the source
address on the encapsulating packet. Therefore you have to use IPsec NAT-T,
per RFCs 3715, 3947, and 3948, and perform the encapsulation inside a UDP
packet instead of GRE. That's all handled automatically by the stack in
Windows.

When you connect you get an address local to the remote network. That
address is link-local to the VPN head-end and it will respond to ARP messages
for that address. When it gets a request for that address it simply
encapsulates the packet and ships it to you across the VPN.

This stuff has worked for 10 years at least, longer if you count precursor
technologies like PPP. It's not exactly new technology.
 
Guest

Hi:

I don't think I've communicated my question right.

Here's what I want to do:
1. Enable incoming connections on my Vista PC at home from Network & Sharing
Center -> Manage Network Connections -> File -> New Incoming Connection.
2. Once I set that up, I would like to connect to this PC from my laptop
over the Internet (how?)

How do I address my Vista PC over the Internet? It either has to have a
static and public IP address or a host name registered in the global DNS
pointing to a static and public IP address or a simulated static and public
IP address (through dynamic DNS).

Please enlighten me.

Thanks.
 
Guest

Aah, no, that was not clear. If you want to turn your workstation into a VPN
server then you need two things:
1. A way to find the system. Dynamic DNS, like what you can get from
DynDNS.org, works well.
2. A way to reach it. If the system is directly on the Internet with a
public address then you already have this. If your system is configured with
a non-routable address behind a NAT router you need to turn on port
forwarding on the NAT router. If you are using PPTP you need the router to
forward protocol 47 and TCP port 1723 to your computer.
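
Why the reply above names two separate forwarding rules, shown as an added example that is not part of the original thread: PPTP runs its control connection over TCP port 1723 and carries the tunnelled data in GRE (IP protocol 47), which has no port numbers and is identified by protocol number and Call ID instead. The packets are constructed samples, and the names `classify` and `ipv4` are hypothetical helpers.

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE (PPTP data channel)
PPTP_TCP_PORT = 1723    # PPTP control channel
PPTP_GRE_TYPE = 0x880B  # GRE protocol type PPTP uses (RFC 2637)

def classify(packet: bytes) -> dict:
    """Say which of the two forwarding rules a raw IPv4 packet needs."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == socket.IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_TCP_PORT in (sport, dport):
            return {"kind": "pptp-control", "rule": "TCP port 1723"}
    elif proto == GRE_PROTO and len(body) >= 8:
        flags, ptype, plen, call_id = struct.unpack("!HHHH", body[:8])
        # Enhanced GRE: version field 1, K bit set, protocol type 0x880B.
        if (flags & 0x0007) == 1 and flags & 0x2000 and ptype == PPTP_GRE_TYPE:
            info = {"kind": "pptp-data", "rule": "IP protocol 47",
                    "call_id": call_id, "payload_len": plen,
                    "seq": None, "ack": None}
            off = 8
            # S bit (0x1000) and A bit (0x0080) each add a 32-bit field.
            for name, bit in (("seq", 0x1000), ("ack", 0x0080)):
                if flags & bit and len(body) >= off + 4:
                    info[name] = struct.unpack("!I", body[off:off + 4])[0]
                    off += 4
            return info
    return {"kind": "other", "rule": None}

def ipv4(proto: int, body: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum left at 0) around body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.7")) + body

# Constructed sample packets (documentation addresses, made-up values).
CONTROL = ipv4(6, struct.pack("!HHIIHHHH", 49152, 1723, 1, 0, 0x5002, 65535, 0, 0))
DATA = ipv4(47, struct.pack("!HHHHII", 0x3081, 0x880B, 4, 0x1234, 7, 3) + b"\xff\x03\xc0\x21")
DNS = ipv4(17, struct.pack("!HHHH", 49153, 53, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA), ("dns", DNS)):
        print(name, classify(pkt))
```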
 
Guest

Great.

However, once I set up Vista this way to function as a VPN server over the
Internet, how do I access it from the client? Can I work with the Vista VPN
server like I could with Remote Desktop?

And are there any inherent security weaknesses in Vista if I set it up to
function as a VPN server over the Internet?

Thanks.
 
Guest

You actually can't work directly with the Vista box serving as the head-end
for the VPN. You can only access services exposed on the network behind it.
The VPN server itself becomes nothing more than a router. If you want to, say,
use Remote Desktop to it from the Internet, you would need to first establish
the VPN from the machine on the Internet, then connect using RDP to a machine
behind the VPN server, and then connect inside that connection to the VPN
server. This is why using Vista as a VPN server is not really a recommended
scenario.

The biggest security issue with VPN is poor user credentials.
 
Guest

Thanks. That answers my question.

I won't set up my Vista PC as a VPN server for exactly the reason that you
mentioned: poor user credentials.

JJ
 
