Vex Star

Computers and Programming


A couple of VPN questions.

1. Does anyone know, or know of a good explanation of, how to set up a L2TP VPN based on a Windows Server 2003 machine? I’m tired of dicking around with little metal boxes running proprietary OSes that are impossible to configure without a special training class offered by the manufacturer.

2. Why do IPSEC VPNs cost money per user, while SSL VPNs are free? What’s so special about IPSEC that every VPN manufacturer charges extra for user licenses, on top of the cost of the box itself?

You set it up the same way as a PPTP VPN Server (actually you do it at the same time). The wizards are dead simple to follow – you only need to ensure that you forward port 1723 on the router to the server and allow pass through tunneling.
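The port-1723 advice above covers only the PPTP control channel: PPTP also needs GRE (IP protocol 47) to pass, and L2TP/IPsec, which the original question asked about, uses UDP 500/4500 and ESP (IP protocol 50) instead. The script below is an added example, not anything posted in this thread; it checks the part that a plain TCP socket can check by sending a Start-Control-Connection-Request to TCP/1723 and decoding the server's reply according to RFC 2637. The hostname and vendor strings and the canned reply used for the offline run are constructed here; a live run takes the server as a command-line argument.

```python
"""PPTP control-channel probe: build an SCCRQ, parse the SCCRP reply.

Added example (not from the original thread).  Wire layouts follow
RFC 2637; the hostname/vendor strings and the canned server reply used
for the offline check are constructed placeholders.
"""
import socket
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP Message Type: control message
SCCRQ = 1                 # Start-Control-Connection-Request
SCCRP = 2                 # Start-Control-Connection-Reply
PPTP_VERSION = 0x0100
PPTP_PORT = 1723

SCCRQ_FMT = ">HHIHHHHIIHH64s64s"   # 156 bytes on the wire
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # 156 bytes on the wire
MSG_LEN = struct.calcsize(SCCRP_FMT)

RESULT_CODES = {
    1: "OK: control connection established",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Encode a Start-Control-Connection-Request (RFC 2637 section 2.1)."""
    return struct.pack(
        SCCRQ_FMT,
        struct.calcsize(SCCRQ_FMT),  # Length
        CTRL_MESSAGE,                # PPTP Message Type
        MAGIC_COOKIE,
        SCCRQ,                       # Control Message Type
        0,                           # Reserved0
        PPTP_VERSION,
        0,                           # Reserved1
        0x3,                         # Framing capabilities: async + sync
        0x3,                         # Bearer capabilities: analog + digital
        1,                           # Maximum channels
        0,                           # Firmware revision
        hostname.ljust(64, b"\0"),
        vendor.ljust(64, b"\0"),
    )


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise on anything else."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, _fw, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:MSG_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x: not PPTP" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got %d/%d" % (msg_type, ctrl_type))
    return {
        "version": version,
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Live check: connect to TCP/1723, send SCCRQ, decode the SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ValueError("server closed after %d bytes" % len(buf))
            buf += chunk
    return parse_sccrp(buf)


def fake_sccrp(result=1, hostname=b"vpnsrv", vendor=b"Microsoft"):
    """Constructed server reply used for the offline run below."""
    return struct.pack(SCCRP_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP,
                       0, PPTP_VERSION, result, 0, 0x3, 0x3, 255, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))        # python pptp_probe.py vpn.example.net
    else:
        print(parse_sccrp(fake_sccrp()))  # offline demonstration
```

A result code of 1 only proves that TCP/1723 reaches the RRAS box and that it speaks PPTP; if a client then stalls right after authentication, the usual suspect is GRE being dropped somewhere on the path, which this probe cannot see.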

Well, I set up a policy on the firewall that allows ALL ports to communicate, but I didn’t enable NAT. Unless I need NAT enabled, that should be enough, even if it’s not as secure as I’d like.

The problem I have, specifically, is that encryption and domain logins keep failing. The VPN server relays DHCP requests to the domain controller, which is also the DHCP server for that network, but it’s not processing domain logins when I try to connect from a non-domain machine. Even if I use a domain machine, it still craps out when negotiating encryption, even though I’ve set up a certificate authority and all machines involved have certificates from it.

It’s really bugging the shit out of me.

EDIT: I should add that I’m not trying to use the VPN server as a gateway, so I just have one ethernet connection on it, which (theoretically) should be all I need.

Not yet. I was kinda scared of transmitting unencrypted data to my office network. I suppose I should give it a shot, though.

Just what I read online. As far as I could tell, you had to add IPSEC to the PPTP connection before it would be encrypted, either through a preshared key or a PKI certificate. Are you saying this is incorrect?

PPTP uses PPP encryption. This is an old doc, but it still applies:

Damn, and I thought I’d already read everything VPN-related on TechNet. I’ll give this a look.

In any event, is there anything special I have to do to run the VPN through a single ethernet port? Since I don’t need it to be a gateway, that’s how I’m trying to set it up, but the wizard forces me to use custom mode if I don’t have two ethernet ports connected to different subnets. Of course, as soon as I choose custom mode, it throws me to the proverbial wolves and gives me no further guidance whatsoever. In fact, ALL of the documentation I’ve seen abandons me when it comes to setting up the VPN server as anything but a gateway, despite the fact that it’s obviously a valid option.

Hmm, I don’t remember – my server at home only has one ethernet port, but I installed it years ago. I thought it just warned you about it, but it’s been a long time – I don’t remember.

Think about OpenVPN – we’ve used it across many OSes across many continents – often with shit net access – and it is totally painless, really reliable – and utterly FREE.

I’m sure it has its merits, but nothing beats something that’s already built into the OS for ease of use. It has the added advantage of being able to log into the network with the same credentials at the same time, thus being able to apply policies prior to logging into the computer.

Sure – we use them between servers to create one big seamless network – so there are no sessions/logins to worry about.

We just use hardware IPSEC boxes to connect offices. Expensive little buggers, but they do alright.

There’s something to be said for a hardware solution, but I really like OpenVPN. I’ve used it on Windows, OS X, Linux and Solaris. Whenever the computer boots/user logs in, it just connects and works. The VPN connection is a virtual network device. Wherever I go on the MacBook (or any notebook… even a Windows notebook) I am just on the company network. We have a central OpenVPN server at a colo, and everyone connects to that, as do the offices. It works out pretty well. To the point that I actually forget that I have OpenVPN running for long periods.

To me, it doesn’t get any more convenient than that. But I don’t do much windows networking.

I actually looked at OpenVPN at one point, but I need something that users can configure in five minutes or less, without having a single goddamned clue what they’re doing.

Any chance you can post a list of what the settings are on your VPN server? If I could just get any functional configuration, then I could modify it as needed.

There are GUIs that achieve that. However, it’s just a single config file and a key or two. You can easily script the setup, then it’s right click to connect.
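Scripting that single config file, as an added example that is not code from this thread: the script bundles the CA certificate, the client certificate and key, and a tls-crypt key inline into one .ovpn (the OpenVPN GUI on Windows connects from the tray icon once the file sits in its config directory), then lints the result for the settings that are easiest to leave out. The server name, port and PEM blobs are constructed placeholders; real ones come from your own CA.

```python
"""Build a single-file OpenVPN client profile and lint it before hand-out.

Added example, not code from this thread.  Host, port and the PEM blobs
are constructed placeholders; real ones come from your own CA.
"""
import re

# Constructed stand-ins for the CA cert, client cert, client key and the
# tls-crypt key.  Only the BEGIN/END markers matter to this script.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...client...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...client...\n-----END PRIVATE KEY-----\n"
TC_PEM = ("-----BEGIN OpenVPN Static key V1-----\n0123abcd\n"
          "-----END OpenVPN Static key V1-----\n")

# 64-bit block ciphers (BF-CBC was OpenVPN's pre-2.4 default).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}


def build_profile(server, port=1194, proto="udp",
                  ca=CA_PEM, cert=CERT_PEM, key=KEY_PEM, tls_crypt=TC_PEM):
    """One .ovpn with everything inline: nothing else to ship to the user."""
    lines = [
        "client",
        "dev tun",
        "proto " + proto,
        "remote %s %d" % (server, port),
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        # Require the peer's cert to carry the server EKU; without this any
        # certificate the CA issued (another user's client cert included)
        # would be accepted as the server.
        "remote-cert-tls server",
        "cipher AES-256-GCM",
        "auth SHA256",
        "verb 3",
        "<ca>\n%s</ca>" % ca,
        "<cert>\n%s</cert>" % cert,
        "<key>\n%s</key>" % key,
        "<tls-crypt>\n%s</tls-crypt>" % tls_crypt,
    ]
    return "\n".join(lines) + "\n"


def directives(text):
    """Yield (name, args) per directive line, skipping inline <tag> bodies."""
    block = None
    for raw in text.splitlines():
        ln = raw.strip()
        if block:
            if ln == "</%s>" % block:
                block = None
            continue
        m = re.match(r"^<([\w-]+)>$", ln)
        if m:
            block = m.group(1)
            yield "<%s>" % block, ""
            continue
        if not ln or ln[0] in "#;":
            continue
        name, _, args = ln.partition(" ")
        yield name, args.strip()


def lint_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    found = dict(directives(text))
    findings = []
    if "client" not in found:
        findings.append("missing 'client' (tls-client + pull)")
    if "remote" not in found:
        findings.append("missing 'remote <host> <port>'")
    if found.get("remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server': any CA-issued cert, "
                        "including another user's, would be accepted as the server")
    if not ({"ca", "<ca>"} & found.keys()):
        findings.append("no CA certificate: server identity cannot be verified")
    if not ({"tls-crypt", "<tls-crypt>", "tls-auth", "<tls-auth>"} & found.keys()):
        findings.append("no tls-crypt/tls-auth: control channel accepts packets from anyone")
    if found.get("cipher", "").upper() in WEAK_CIPHERS:
        findings.append("weak 64-bit block cipher '%s'; use AES-GCM" % found["cipher"])
    return findings


if __name__ == "__main__":
    profile = build_profile("vpn.example.net")  # placeholder host
    print(profile)
    print("findings:", lint_profile(profile))
```

The check most worth keeping is the one for `remote-cert-tls server`: OpenVPN's CA check on its own accepts any certificate the CA issued, so without that line one user's client certificate passes as "the server" to every other user on a hostile network.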

Damn dude, that’s awesome. Thanks.

- – -

Okay, in this screenshot:

My "internal" connection isn’t configured, and it’s screwing up everything else that uses the "internal" connection. What is yours connected to? What is that "192.168.1.59" IP address for? I assume the "Local Area Connection" goes to your router, right?

.254 is the static IP address of the server. .59 was created when I created RRAS – it resolves to the same address. The only thing in the properties checked off is the first item.
