VPN through a router that has a dynamic IP; problem?


Guest

Hi...

I have:

Windows XP Pro SP2 wired via ethernet to BTVOYAGER 2100 ADSL modem/router
and Windows XP Pro SP2 laptop wirelessly connected to the same router.

I am trying to set up a VPN from the desktop to a secure server at work.

In the BTVOYAGER 2100 configuration manager at Virtual Server -> Port
Forwarding - Add new rule, I have:

1) In IP address box I have added the IP of the work server & set the ports
to 1723 (TCP)
2) I have made an exception for port 1723 in the Windows Firewall

The problem I am trying to solve is that the server at work needs to know
which IP the connection is coming from in order for authentication to succeed;
however, I am told that my ISP, which is BT Broadband creates a new IP
address for my router every time I connect to the internet, which is about
once a day. I have ADSL 1MB/s connection.
The server will only accept an IP address and not a resolved DNS, which I
could have created at www.dyndns.org; is there any way to resolve a dynamic
IP address into a static one, so that I can give the IT guys at work an IP
address that will identify my router.

Thanks...

Charlie
 

Robin Walker [MVP]

Charles Robertson said:
> Windows XP Pro SP2 wired via ethernet to BTVOYAGER 2100 ADSL
> modem/router and Windows XP Pro SP2 laptop wirelessly connected to
> the same router.
>
> I am trying to set up a VPN from the desktop to a secure server at
> work.
>
> In the BTVOYAGER 2100 configuration manager at Virtual Server -> Port
> Forwarding - Add new rule, I have:
>
> 1) In IP address box I have added the IP of the work server & set the
> ports to 1723 (TCP)

Wrong. It is always wrong to forward a port to an IP address that is not on
your LAN. But anyway, since your connection is an outward, not an inward
one, then you do not need to make any port-forward configuration in your
router to support outward VPN calls.

> 2) I have made an exception for port 1723 in the Windows Firewall

Unnecessary. You are making outward VPN connections, not inward ones, so
there is no need to open any inward port.

> The problem I am trying to solve is that the server at work needs to
> know which IP the connection is coming from in order for
> authentication to succeed; however, I am told that my ISP, which is
> BT Broadband creates a new IP address for my router every time I
> connect to the internet, which is about once a day. I have ADSL 1MB/s
> connection.
> The server will only accept an IP address and not a resolved DNS,
> which I could have created at www.dyndns.org;

I find the restriction to bare IP address rather than DNS name to be
extraordinary. Are you really quite sure about this? If this is the case,
how does anyone at your place of work ever get a VPN connection into work?

> is there any way to
> resolve a dynamic IP address into a static one, so that I can give
> the IT guys at work an IP address that will identify my router.

You can't resolve one IP address into another. The only way you can get a
static IP address is to pay your ISP extra to get one, e.g. a business
account rather than a domestic one.
 

Guest

Thanks again Robin...

I now understand that for outward VPN connections I do not need to make any
Port Forwarding Rules or firewall exceptions.

I will double check to see if DNS names can be used as well as IP addresses;
I suppose the people at work, use static IPs as a reference (that is not so
unusual, is it??).

One last question; am I (home computer) allowed to use the same private LAN
IP address (192.168.1.3) as my office computer or does this have to have a
different private LAN IP address?

We have found that when we make a connection to our office server using
SonicWall Global VPN Client, when viewing the log, the connection gets
past the 1st phase and behind the office server's firewall and sometimes
gets past the 2nd phase.
When we try and make a remote desktop connection, a dialog box comes up
about 30 seconds after the connection, saying the remote computer cannot be
accessed.

Do you have any comments to add to the above?

Thanks again for all your help; I find it a very interesting subject and it
is great to learn about these things off an expert...

Charlie
 

Robin Walker [MVP]

Charles Robertson said:
> One last question; am I (home computer) allowed to use the same
> private LAN IP address (192.168.1.3) as my office computer or does
> this have to have a different private LAN IP address?

Not only may you not use the same IP address, you may not use the same IP
sub-net at each end of the VPN link.

If your office network uses 192.168.1.xxx addresses, then you may not use
any 192.168.1.xxx addresses in your home LAN: if necessary you must
reconfigure your router so that it and its dependent LAN use a different IP
sub-net.
 

Guest

Thanks Robin...

That is very useful information; I will change the relevant IPs and subnet,
so that they do not clash and then send you the results...

However, I do not understand why this is the case?

Surely if the IP I access the server with is an external IP (public), the
server's computers will never see my LAN IP; I do not understand why there
should be a clash...

Thanks...

Charlie
 

Robin Walker [MVP]

Charles Robertson said:
> That is very useful information; I will change the relevant IPs and
> subnet, so that they do not clash and then send you the results...
>
> However, I do not understand why this is the case?
>
> Surely if the IP I access the server with is an external IP (public),
> the server's computers will never see my LAN IP; I do not understand
> why there should be a clash...

You said you were setting up a VPN. The effect of the VPN is to set up a
virtual link directly between your LAN addresses and the LAN addresses
behind the office's router: both ends are ignorant of the public IPs of the
router(s) by which you create the VPN connection.

For IP routing to work properly on the virtual link, the IP sub-net at the
far end must be distinct from the IP sub-net at the local end. One sub-net
is accessed by broadcasting ARPs on the local LAN, the other sub-net is
routed via the VPN gateway.
 

Guest

Thanks Robin...

I now totally understand what a VPN is.

We have changed our LAN IP and subnet, so that:

Router: 192.168.0.41
Desktop: 192.168.0.43
Laptop: 192.168.0.42
Subnet: 255.255.255.128

The server we are connecting to:

Server: 192.168.1.0
Computer: 192.168.1.193
Subnet: 255.255.255.0

In the log view of the Sonicwall Global VPN Client, the connection gets to
and completes phase 2, which in the help file indicates a successful
connection; so the connection has got behind the server's firewall!
However, when I type in 192.168.1.193 into the Remote Desktop Connection,
after about 30 seconds, I get a message saying that it could not connect with
remote computer.

Do you know why this would be?

Thanks...

Charlie
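Robin's point about distinct sub-nets at each end of the tunnel, and Charlie's re-addressing above, can be checked mechanically. The following Python is an added example and is not code from the thread or from SonicWall: it takes the home LAN and the office subnet as posted (192.168.1.3 on 192.168.1.x at first, then 192.168.0.41/.42/.43 with mask 255.255.255.128, against the office's 192.168.1.0/24), reports whether the two ranges overlap, and says for a destination such as 192.168.1.193 whether the host would treat it as on-link (ARP on the local LAN) or send it towards the VPN gateway. The function names are my own.

```python
import ipaddress

# Added example (not from the thread): does a home LAN clash with the office
# subnet reached over the VPN, and where does a packet for a given destination go?
# Addresses in the __main__ block are the ones Charlie posted.


def subnets_overlap(local_cidr: str, remote_cidr: str) -> bool:
    """True if some address is claimed by both the local LAN and the VPN-side subnet."""
    local = ipaddress.ip_network(local_cidr, strict=False)   # strict=False accepts host/prefix
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)


def next_hop(destination: str, local_cidr: str, remote_cidr: str) -> str:
    """Classify how a host on `local_cidr` would reach `destination`.

    'local-lan'       : on-link, resolved by ARP broadcast on the home LAN
    'vpn-tunnel'      : routed to the VPN gateway (the virtual link)
    'default-gateway' : neither; goes out the normal internet route
    'ambiguous'       : both subnets claim the address, so the host cannot tell
                        on-link traffic from tunnel traffic apart
    """
    dst = ipaddress.ip_address(destination)
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    in_local, in_remote = dst in local, dst in remote
    if in_local and in_remote:
        return "ambiguous"
    if in_local:
        return "local-lan"
    if in_remote:
        return "vpn-tunnel"
    return "default-gateway"


def check_plan(home_hosts, home_prefix_len: int, office_cidr: str, target: str) -> dict:
    """Per-host report for an addressing plan: does the host's LAN clash with the
    office subnet, and how would it reach `target`?"""
    report = {}
    for host in home_hosts:
        cidr = f"{host}/{home_prefix_len}"
        report[host] = {
            "clash": subnets_overlap(cidr, office_cidr),
            "route_to_target": next_hop(target, cidr, office_cidr),
        }
    return report


if __name__ == "__main__":
    OFFICE = "192.168.1.0/24"     # subnet named in the phase 2 line of the posted log
    TARGET = "192.168.1.193"      # the office computer Charlie tries to reach

    # Original home addressing: same 192.168.1.x range as the office (mask 255.255.255.0).
    print("before:", check_plan(["192.168.1.3"], 24, OFFICE, TARGET))
    # Revised addressing: router .41, laptop .42, desktop .43, mask 255.255.255.128 (/25).
    print("after: ", check_plan(["192.168.0.41", "192.168.0.42", "192.168.0.43"], 25, OFFICE, TARGET))
```

With the old addressing every home host reports a clash and 192.168.1.193 comes out as "ambiguous"; with the revised /25 plan there is no clash and the target is classified "vpn-tunnel", while the other home hosts remain "local-lan".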
 

Guest

Robin I forgot to add that when I generate a report for the VPN connection,
the following lines may be of interest to you; these lines are generated,
when I start the Remote Desktop Connection:


2005/02/03 17:07:07:785
Information 195.152.75.254
calling NetUserGetInfo: Server: \\D289LZ0J, User: charles robertson, level: 3

2005/02/03 17:07:07:786
Information 195.152.75.254
NetUserGetInfo returned: home dir: , remote dir: , logon script:

2005/02/03 17:07:11:502
Information 195.152.75.254
Sending dead peer detection request.

2005/02/03 17:07:11:518
Information 195.152.75.254
Received dead peer detection acknowledgement.

2005/02/03 17:07:28:940
Information 195.152.75.254
Received dead peer detection request.

2005/02/03 17:07:28:941
Information 195.152.75.254
Sending dead peer detection acknowledgement.

2005/02/03 17:15:41:518
Information 195.152.75.254
Sending phase 2 delete for 192.168.1.0/255.255.255.0.

2005/02/03 17:15:41:519
Information 195.152.75.254
Sending phase 1 delete.

2005/02/03 17:15:41:846
Information 195.152.75.254
Starting ISAKMP phase 1 negotiation.

2005/02/03 17:15:42:018
Information 195.152.75.254
Starting aggressive mode phase 1 exchange.

2005/02/03 17:15:42:019
Information 195.152.75.254
NAT Detected: Local host is behind a NAT device.

2005/02/03 17:15:42:020
Information 195.152.75.254
The SA lifetime for phase 1 is 28800 seconds.

2005/02/03 17:15:42:021
Information 195.152.75.254
Phase 1 has completed.

2005/02/03 17:15:42:034
Information 195.152.75.254
Received request for policy version.

2005/02/03 17:15:42:035
Information 195.152.75.254
Sending policy version reply.

2005/02/03 17:15:42:065
Information 195.152.75.254
Received policy change is not required.

2005/02/03 17:15:42:066
Information 195.152.75.254
Sending policy acknowledgement.

2005/02/03 17:15:42:067
Information 195.152.75.254
The configuration for the connection is up to date.

2005/02/03 17:15:49:502
Information 195.152.75.254
Starting ISAKMP phase 2 negotiation with 192.168.1.0/255.255.255.0:*:*:*.

2005/02/03 17:15:49:503
Information 195.152.75.254
Starting quick mode phase 2 exchange.

2005/02/03 17:15:49:534
Information 195.152.75.254
The SA lifetime for phase 2 is 28800 seconds.

2005/02/03 17:15:49:535
Information 195.152.75.254
Phase 2 with 192.168.1.0/255.255.255.0:*:*:* has completed.

2005/02/03 17:15:49:536
Information 195.152.75.254
NetWkstaUserGetInfo returned: user: charles robertson, logon domain: D289LZ0J

2005/02/03 17:15:51:784
Information 195.152.75.254
NetGetDCName failed: Could not find domain controller for this domain.


Could this be something to do with why the Remote Desktop Connection is
failing? I refer to the last 2 entries...

Thanks...

Charlie
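The log Charlie posted is a sequence of three-line records (timestamp, level plus peer address, message). The Python below is an added example, not code from the thread or from SonicWall, that parses that layout, summarises the facts a troubleshooter wants from it (aggressive-mode phase 1, NAT detection, phase 1 completion, the subnets for which a phase 2 SA completed, and any "failed" messages), and then checks whether a given host falls inside a negotiated phase 2 subnet. The sample input is a constructed subset of the records shown above; the function names are my own.

```python
import ipaddress
import re

# Added example (not from the thread): parser for the SonicWall Global VPN Client
# log format shown in the post. SAMPLE_LOG is a constructed subset of those records.
SAMPLE_LOG = """\
2005/02/03 17:15:42:018
Information 195.152.75.254
Starting aggressive mode phase 1 exchange.

2005/02/03 17:15:42:019
Information 195.152.75.254
NAT Detected: Local host is behind a NAT device.

2005/02/03 17:15:42:021
Information 195.152.75.254
Phase 1 has completed.

2005/02/03 17:15:49:535
Information 195.152.75.254
Phase 2 with 192.168.1.0/255.255.255.0:*:*:* has completed.

2005/02/03 17:15:51:784
Information 195.152.75.254
NetGetDCName failed: Could not find domain controller for this domain.
"""

# "Phase 2 with <network>/<netmask>:*:*:* has completed."
PHASE2_DONE = re.compile(r"Phase 2 with ([\d.]+)/([\d.]+)\S* has completed")


def parse_records(text: str) -> list:
    """Split the log into records: blank-line separated, three lines each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue  # skip anything that is not a complete record
        level, _, peer = lines[1].partition(" ")
        records.append({"time": lines[0], "level": level, "peer": peer,
                        "msg": " ".join(lines[2:])})
    return records


def summarize(records: list) -> dict:
    """Reduce the records to the handful of facts that matter for troubleshooting."""
    summary = {"peer": None, "aggressive_mode": False, "nat_detected": False,
               "phase1_completed": False, "phase2_networks": [], "failures": []}
    for rec in records:
        summary["peer"] = rec["peer"]
        msg = rec["msg"]
        if "aggressive mode" in msg:
            summary["aggressive_mode"] = True
        elif msg.startswith("NAT Detected"):
            summary["nat_detected"] = True
        elif msg == "Phase 1 has completed.":
            summary["phase1_completed"] = True
        elif PHASE2_DONE.search(msg):
            net, mask = PHASE2_DONE.search(msg).groups()
            # ip_network accepts dotted netmasks, so 192.168.1.0/255.255.255.0 -> 192.168.1.0/24
            summary["phase2_networks"].append(str(ipaddress.ip_network(f"{net}/{mask}")))
        elif " failed" in msg:
            summary["failures"].append(msg)
    return summary


def tunnel_covers(summary: dict, host: str) -> bool:
    """Is `host` inside a subnet for which a phase 2 SA completed?"""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n) for n in summary["phase2_networks"])


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE_LOG))
    print(s)
    print("192.168.1.193 covered by tunnel:", tunnel_covers(s, "192.168.1.193"))
```

On the posted records the summary shows phase 1 and phase 2 both completed with the peer 195.152.75.254, the phase 2 subnet is 192.168.1.0/24 (which contains 192.168.1.193), and the only failure recorded is the NetGetDCName domain controller lookup, which is a Windows domain query rather than an IPsec negotiation step.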
 
