VPN Help

Quote:
put a VPN endpoint box in a DMZ

Quote:
All routers must support VPN passthrough at the least.

Quote:
I think that genixia was referring to the possible routers people might have on the client side.

Quote:
NAT-T and Firewall Rules
Because the new NAT-T code is designed around the IETF RFC 3193 and draft-02 of the IETF NAT-T specification, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules: • L2TP - User Datagram Protocol (UDP) 500, UDP 1701
• NAT-T - UDP 4500
• ESP - Internet Protocol (IP) protocol 50

Supported Scenarios Using NAT-T
The following scenarios will successfully allow L2TP/IPSec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has the 818043 update installed or is a Windows XP-based computer with SP2 installed. Server is an L2TP/IPSec server that is running Windows Server 2003 and that is using Routing and Remote Access. In the first scenario, for example, Client is behind a NAT router; the connection goes through the Internet and connects to Server. In the second scenario, Server is behind another NAT router.
Client----> NAT ----Internet---->Server
Client---->Internet---- NAT ---->Server
Client----> NAT ----Internet----> NAT ----> Server
In these scenarios, where an L2TP/RRAS server is behind a NAT router, the NAT router must open the required ports and protocols for L2TP/IPSec NAT-T connections. The L2TP/IPSec server may also be a third-party gateway product that supports NAT-T connections.

Note If you apply the 818043 update to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPSec server in these scenarios. It cannot allow connections from L2TP/IPSec clients when one or more NAT routers is involved. This update is a client-side update only. Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.

Quote:
- A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.

Quote:
How about putting terminal services on the server and let people remote into the server to run apps?

Quote:
You could make it a little safer by changing the public port to a different port than 3389.

Quote:
The way that many consumer 'routers' deal with NAT and VPNs prevent more than one tunnel from being open at a time

Quote:
I also cannot resolve names across the VPN link.

Quote:
Try adding domain name of the network you are connecting to the configuration of your VPN connection.

Quote:
Didn't work, but it was worth a try.

Err, yes, sorry, this just avoids having to append domain to hostname... Hmmm.. I was just about to ask whether you checked that your name resolution requests go to remote network's DNS server, but decided to test here. Curious: I dial the local ISP (I am not in my office now), then 'dial' VPN connection. Name resolution works (I can telnet through VPN using hostname), but nslookup does not resolve the name and shows it is using ISP's DNS. Then who and how resolves the name for telnet!? I checked - I did not put those hostnames in my local hosts file.

If you figure this out let us know.

Quote:
if you have a WINS server still, setup the vpn connection to use that.

That's a good idea, too. I tried that, too, didn't work either.

Quote:
I just found Tom's Networking which says the BEFVP41 I was looking at is a VPN endpoint.

Quote:
I don't want to mess with installing linux on a computer, taking two weeks to learnin how to set it up, and then having no support number to call if it doesn't work.

Quote:
But please drop that rubbish comment about no support number to call. Pleeeeaaaassseee!

Quote:
do I have to throw out the current, working configuration and re-configure the DSL router with the first set of numbers if I want to use those static IPs?

Quote:
Customer's IP's or LAN IP's (For routers):
Static IP addresses:
64.197.129.33
64.197.129.34
64.197.129.35
64.197.129.36
64.197.129.37
Gateway:
64.197.129.38
Subnet Mask:
255.255.255.248

WAN Side (For routers):
IP Address:
69.125.107.154
Subnet Mask:
255.255.255.254
Gateway:
69.125.107.153

Quote:
They are what determine if a packet stays on the LAN or is passed to the WAN. Given the list of static addresses earlier the mask should have been 255.255.255.216 216 is 39 after it was converted to binary, had all the digits inverted and then converted back to decimal.

Hope someone else will correct this if wrong.

Quote:
I think it'll be a heck of a lot easier to just put your modem in bridge mode and then plug it into your SonicWall and manage the rest from there (using the same settings you're using now.)

Quote:
Don't worry, the SonicWall will route the traffic between the two subnets and it will work the way you want it to work.

Quote:
One work around would be simply to add 192.168.3.1 as an alternate IP address for the main server.

Quote:
When creating a L2TP IP pool on the SonicWALL device, the IP addresses must be a unique IP subnet – you cannot specify IP addresses from the LAN (or any other) interface subnet on the device.

Quote:
This will, apparently, kill any TCP session that's been open for 15 minutes, no matter if it's being used. Or maybe there's an idle thing. I don't quite remember, but I do remember it turning off legitimate TCP traffic. Anyway, the setting is there as a global setting, but the global setting doesn't actually affect anything. You have to set it in the connection-specific area.

Quote:
Do you happen to remember exactly which screen this is on?

Quote:
Can you ping from a .3.x address to any .2.x address (not just the server) and get a reply? Vice versa?

Quote:
Does the firewall have any log files showing what it's doing with the packets?

Quote:
Do you have any sort of sniffer to see if any .3.0 packets are entering the .2.0 subnet?

Quote:
SonicWall claim not to be consumer grade.

Quote:
SonicWall claim not to be consumer grade.

I really meant the Linksys...

-jk

Quote:
So you've successfully gotten remote clients to connect and get assigned 192.168.3.x addresses, right? And that's a separate pool from the .2 network that your in-office machines are on, right? So your problem at this point is that the routing doesn't work.

Quote:
"route add 192.168.2.0 mask 255.255.255.0 192.168.3.x", where that last IP address is the SonicWall's address on the .3 network (which, hopefully, it has).

Quote:
You entered a range of addresses into the SonicWall to be the ones handed out to VPN clients, right? And the VPN clients are successfully getting those IP addresses, right?

Quote:
Does the SonicWall have an IP address in that range?

Quote:
Get a VPN client going and then post the output from "route print" and "ipconfig /all".