VPN Router Newbie, some connection questions

hamzajosh

Programmer
Sep 18, 2002
182
US
I have an NT SBS4.5 server in my office set up for accepting VPN connections. It works fine and accepts and connects VPN connections. Until now, we were using individual users connecting via Cable/DSL/Dial up. Now I need to give access to a remote office which will have at least 3 computers connected at any given time. They have DSL at the remote office with direct connection to internet. If one of the computers has VPN'd into my server, the others cannot connect unless the 1st one disconnects. So I bought a VPN router which I assumed will connect to my server and provide connectivity to all the machines.
My NT server is set up for
* allow Microsoft authentication
* allow packet encryption. These settings are in the RAS setup of networking in NT

What settings for authentication and encryption do I set up in the VPN router at the remote office? Also I want the VPN router to send an incoming request to my server. How do I do that? I assumed there would be a password and username entry somewhere in the router setup but don't see that anywhere. Any help would be appreciated, thanks

Learn everything but implement only what is needed.
 
What protocol are you using for the VPN connections (IPSec, PPTP, L2TP)? Make sure that your VPN router supports the connection you are trying to make.

I'm guessing that your VPN router supports IPSec, but I'm not sure that it supports the others. I also am guessing that you're currently using something other than IPSec for the VPN.

With your current configuration, your remote location with multiple incoming connections may be best off with a Windows server as the router.

Give some more info and I'm sure somebody will be able to help more...

deeno
 
I guess the NT server is configured to use PPTP. Where can I check this protocol?

Learn everything but implement only what is needed.
 
I'm not sure where to look this up on a Windows NT SBS 4.5 system, but that is probably the most likely protocol that your NT server is running unless you specifically set it otherwise.

To make this work, you need to make sure that your VPN router supports being the endpoint for a PPTP VPN. I doubt that it does. The product documentation for the router should say what VPN protocol(s) it supports, and most likely you will find that it only supports being an endpoint for IPSec (I don't know what VPN router you're using so I can't verify this). PPTP Pass Through does not mean that it can be the endpoint for a PPTP VPN connection.

For those reasons, I think the least disruptive thing you could do would be to use a multi-home Windows server at the remote location. One NIC in this computer would connect to the internet, and the other NIC would connect to the local network (into a switch I'm guessing). This server would establish the VPN connection with your computer at the main location. It would also be the gateway for the remote office and would be that location's router.

Alternatively, you could look into giving your main office the ability to accept IPSec connections in addition to the current connections it accepts. I have not configured an IPSec (server) connection like this in Windows so I'm not sure what is involved. I'm only familiar with setting up an IPSec VPN server through hardware specifically designed to act as VPN routers.

Let me know if that makes sense or if you have any questions about it. I hope this helps...

deeno
 
OK, so what I make from your post is VPN routers usually use IPSec protocol for VPN and might not be able to handle PPTP connections, especially as an endpoint. Servers may have the capability to do both. Even if I set up a server at the remote end, multihome it, use it to make a VPN connection to my main office, how would I configure it as a router? How would I configure my other PCs to use this VPN connection to connect to my main office? Is it recommended that I disable my NT RAS for VPN and buy, install and configure a hardware router to support my incoming VPN connections at my main office? Thanks

Learn everything but implement only what is needed.
 
Basically, yes, that is correct. I don't know what VPN router you have so I can't say for sure what protocols you can use with it (either through it or more importantly as an endpoint).

A VPN router can be called a server, so I'm assuming you're talking about a computer-based server (such as a Windows server) in your comment about how servers have the capability to do both. That is also correct, a Windows server can be a PPTP and L2TP VPN server, and also an IPSec VPN server (I have never used Windows as an IPSec VPN server). I'm not saying that VPN Routers don't have the capability to use different protocols, but it is not likely that the one you have supports all these different protocol types.

Anyway, the reason I suggested that you add a Windows server to your remote location was because it would not likely require much change in configuration at your home location or with your other VPN users.

When you have a computer with more than one NIC, and when the packets are allowed and set up to pass from one NIC to the other, you essentially have a router. This is a very simple explanation. Simply having more than one NIC does not mean you have a router, you need to set it up so they communicate information with each other.

If you were to configure a Windows server (or some other server that supports PPTP) at your remote office, I recommend that it would be the endpoint for your VPN connection. It would connect the computers behind it to the remote network (which computers can be configured I believe if you don't want to connect them all to the remote network). It would be the gateway for the computers behind it. Here is a quick example:

HomeOfficeLAN<->VPNServer<->Internet<->VPNServer<->RemoteLAN

In this configuration, the computers on the RemoteLAN would be connected to the HomeOffice and would not have to use client software to physically establish a VPN connection with the VPNServer at the HomeOffice. On both sides, the tunnel ends at the VPNServer. (I didn't show any firewalls in the configuration example to keep it simple.)

I hope I am communicating that information in a manner that is understandable. Sometimes it's difficult to get the thoughts put down like this.

As far as what is recommended, it really depends on your situation. I don't know the setup at your home office (for example, is there only a single internet connection to use), I don't know what kind of VPN Router you have at your remote office, I don't know how many VPN tunnels are required for people to connect to your Home office, I don't know your security requirements, and I don't know your budget, and I don't know your future plans for your network. There are a lot of unknowns.

Personally, I think that a Windows server would be the quickest and simplest solution for your remote network. Is it the best solution? Probably not. The problem still exists if you run into other situations like this. This solution just fixes this problem at hand.

One thing to consider, which I think I mentioned earlier but I don't think I gave enough attention to, is that maybe you can configure your Windows NT SBS 4.5 computer to accept incoming IPSec connections. I just don't know how to do that. I'm sure there has to be a way to do that. If you got that going, then at your remote office you could (probably) use the VPN Router to establish the VPN connection. At that point, the computers behind it would be connected as well (they wouldn't need client software installed).

I need to run. I hope that helps some...

deeno
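
The site-to-site layout described in the post above, as an added example that is not part of the original thread: a small Python model of each node's routing table that traces where a packet goes. The subnets, node names and the `dsl-router` case are constructed assumptions, since the thread gives no addressing.

```python
import ipaddress

# Constructed addressing plan (assumption: the thread gives no subnets).
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Per-node routing tables: (destination network, next hop). Node names are hypothetical.
ROUTES = {
    # Remote PC whose default gateway is the multi-homed VPN server.
    "remote-pc": [(REMOTE_LAN, "on-link"), (DEFAULT, "remote-vpn-server")],
    # Remote PC still pointed at a plain Internet router (misconfiguration).
    "remote-pc-direct": [(REMOTE_LAN, "on-link"), (DEFAULT, "dsl-router")],
    "dsl-router": [(REMOTE_LAN, "on-link"), (DEFAULT, "isp")],
    "remote-vpn-server": [(REMOTE_LAN, "on-link"), (HOME_LAN, "tunnel"), (DEFAULT, "isp")],
    "home-vpn-server": [(HOME_LAN, "on-link"), (REMOTE_LAN, "tunnel"), (DEFAULT, "isp")],
}
PEER = {"remote-vpn-server": "home-vpn-server", "home-vpn-server": "remote-vpn-server"}

def next_hop(node, dst):
    """Longest-prefix match over the node's routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES[node] if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(node, dst, max_hops=8):
    """Return the list of hops a packet from `node` to `dst` takes."""
    path = [node]
    for _ in range(max_hops):
        hop = next_hop(node, dst)
        if hop is None:
            return path + ["unreachable"]
        if hop == "on-link":
            return path + ["deliver:" + dst]
        if hop == "isp":
            return path + ["internet (outside tunnel)"]
        if hop == "tunnel":
            path.append("[tunnel]")
            hop = PEER[node]  # the tunnel ends at the other VPN server
        node = hop
        path.append(node)
    return path + ["hop limit"]

def uses_tunnel(node, dst):
    return "[tunnel]" in trace(node, dst)

if __name__ == "__main__":
    for src, dst in [("remote-pc", "192.168.1.10"), ("remote-pc-direct", "192.168.1.10")]:
        print(src, "->", dst, ":", " > ".join(trace(src, dst)))
```

In this model the PC that uses the VPN server as its gateway reaches the home LAN through the tunnel without any client software, while the PC whose gateway is the plain router sends the same traffic to the Internet outside the tunnel.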
 
Why not set up a VPN router at each location to create a secure connection and then use an LMHOSTS file on your remote machines to authenticate into the domain? An additional VPN box will run you a little over $100 vs the cost of another server and once the tunnel is up it's up.
What exactly will you be using the tunnel for? Will it be fast enough?
 