A couple of VPN questions.

Discussion in 'OT Technology' started by deusexaethera, Jul 20, 2008.

  1. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    1. Does anyone know, or know of a good explanation of, how to set up a L2TP VPN based on a Windows Server 2003 machine? I'm tired of dicking around with little metal boxes running proprietary OSes that are impossible to configure without a special training class offered by the manufacturer.

    2. Why do IPSEC VPNs cost money per user, while SSL VPNs are free? What's so special about IPSEC that every VPN manufacturer charges extra for user licenses, on top of the cost of the box itself?
     
  2. ormand

    ormand New Member

    Joined:
    May 11, 2005
    Messages:
    43
    Likes Received:
    0
    The joys of Cisco OS :)
     
  3. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    You set it up the same way as a PPTP VPN Server (actually you do it at the same time). The wizards are dead simple to follow - you only need to ensure that you forward port 1723 on the router to the server and allow pass through tunneling.
     
  4. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Well, I set up a policy on the firewall that allows ALL ports to communicate, but I didn't enable NAT. Unless I need NAT enabled, that should be enough, even if it's not as secure as I'd like.

    The problem I have, specifically, is that encryption and domain logins keep failing. The VPN server relays DHCP requests to the domain controller, which is also the DHCP server for that network, but it's not processing domain logins when I try to connect from a non-domain machine. Even if I use a domain machine, it still craps out when negotiating encryption, even though I've set up a certificate authority and all machines involved have certificates from it.

    It's really bugging the shit out of me. :(

    EDIT: I should add that I'm not trying to use the VPN server as a gateway, so I just have one ethernet connection on it, which (theoretically) should be all I need.
     
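The two firewall states described above (post 3's "forward port 1723 and allow passthrough", post 4's "allow ALL ports") can both be checked against what each tunnel type actually needs at the server's edge. The block below is an added example for this thread, not code from any poster or from Microsoft: its "allow tcp 1723" rule-line syntax and its function names are invented for the demonstration, while the requirements it encodes are the standard ones for PPTP (TCP 1723 plus GRE, IP protocol 47) and for L2TP/IPsec (UDP 500 for IKE, UDP 4500 for NAT-T, and ESP, IP protocol 50). It reports both what is missing (the tunnel will not come up) and what is excessive (the least-privilege problem with "allow everything").

```python
"""Least-privilege check for the edge-firewall rules in front of a Windows
RRAS VPN server. Added example for this thread, not any poster's code.
The 'allow <proto> [port]' rule syntax is invented for the example."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "gre", "esp" or "any"
    port: Optional[int]   # None for protocol-level rules (GRE, ESP) and for "any"


ANY = Rule("any", None)

# Inbound traffic the server must accept for each tunnel type.
# GRE (IP proto 47) and ESP (IP proto 50) have no port, so a rule set that
# only forwards TCP/UDP ports (e.g. 1723 alone) is not enough.
REQUIRED = {
    "pptp": {Rule("tcp", 1723), Rule("gre", None)},
    "l2tp-ipsec": {Rule("udp", 500), Rule("udp", 4500), Rule("esp", None)},
}


def parse_policy(text: str) -> Set[Rule]:
    """Parse lines like 'allow udp 500', 'allow gre', 'allow any'.

    Blank lines and '#' comments are ignored; anything else raises ValueError.
    """
    rules: Set[Rule] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "allow" or len(parts) not in (2, 3):
            raise ValueError(f"unparseable rule: {raw!r}")
        proto = parts[1]
        if proto in ("gre", "esp", "any"):
            if len(parts) != 2:
                raise ValueError(f"{proto} takes no port: {raw!r}")
            rules.add(Rule(proto, None))
        elif proto in ("tcp", "udp"):
            if len(parts) != 3 or not parts[2].isdigit():
                raise ValueError(f"{proto} needs a port: {raw!r}")
            rules.add(Rule(proto, int(parts[2])))
        else:
            raise ValueError(f"unknown protocol: {raw!r}")
    return rules


def check_policy(tunnel: str, policy: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (missing, excessive) for a tunnel type.

    missing:   required traffic that no rule admits (the tunnel cannot work)
    excessive: rules admitting more than the tunnel needs ("allow any" or
               unrelated ports), i.e. the least-privilege violations
    """
    needed = REQUIRED[tunnel]
    missing = {r for r in needed if not any(p == ANY or p == r for p in policy)}
    excessive = {p for p in policy if p not in needed}
    return missing, excessive


def minimal_policy(tunnel: str) -> str:
    """Render the least-privilege rule set for a tunnel type in the same syntax."""
    lines = []
    for r in sorted(REQUIRED[tunnel], key=lambda r: (r.proto, r.port or 0)):
        lines.append(f"allow {r.proto}" if r.port is None else f"allow {r.proto} {r.port}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed policies mirroring the two situations in the thread.
    allow_all = parse_policy("allow any        # post 4: 'ALL ports'")
    only_1723 = parse_policy("allow tcp 1723   # post 3: 1723 forwarded, no GRE passthrough")
    for name, tunnel, pol in [("allow-all", "l2tp-ipsec", allow_all),
                              ("1723-only", "pptp", only_1723)]:
        missing, excessive = check_policy(tunnel, pol)
        print(f"{name} for {tunnel}: missing={sorted(map(str, missing))} "
              f"excessive={sorted(map(str, excessive))}")
    print("minimal l2tp-ipsec policy:\n" + minimal_policy("l2tp-ipsec"))
```

Run it as a script to see the two cases: the "allow any" policy is complete but over-broad, and a 1723-only policy is missing GRE, which is the usual reason a PPTP connection authenticates and then hangs. UDP 4500 stays in the L2TP/IPsec set because any client behind a home router will be NAT-traversed, even when the server side (as in post 4) has no NAT of its own.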
  5. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Have you tried PPTP tunneling to see if that works?
     
  6. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Not yet. I was kinda scared of transmitting unencrypted data to my office network. I suppose I should give it a shot, though.
     
  7. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    What makes you think PPTP is not encrypted?
     
  8. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Just what I read online. As far as I could tell, you had to add IPSEC to the PPTP connection before it would be encrypted, either through a preshared key or a PKI certificate. Are you saying this is incorrect?
     
  9. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
  10. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Damn, and I thought I'd already read everything VPN-related on TechNet. I'll give this a look.

    In any event, is there anything special I have to do to run the VPN through a single ethernet port? Since I don't need it to be a gateway, that's how I'm trying to set it up, but the wizard forces me to use custom mode if I don't have two ethernet ports connected to different subnets. Of course, as soon as I choose custom mode, it throws me to the proverbial wolves and gives me no further guidance whatsoever. In fact, ALL of the documentation I've seen abandons me when it comes to setting up the VPN server as anything but a gateway, despite the fact that it's obviously a valid option.
     
  11. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Hmm don't remember - my server at home only has one ethernet port, but I installed it years ago. I thought it just warned you about it, but it's been a long time - I don't remember.
     
  12. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Think about OpenVPN - we've used it across many OSes across many continents - often with shit net access - and it is totally painless, really reliable - and utterly FREE.
     
  13. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    I'm sure it has its merits, but nothing beats something that's already built into the OS for ease of use. It has the added advantage of being able to log into the network with the same credentials at the same time, thus being able to apply policies prior to logging into the computer.
     
  14. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Sure - we use them between servers to create one big seamless network - so there are no sessions/logins to worry about.
     
  15. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    We just use hardware IPSEC boxes to connect offices. Expensive little buggers, but they do alright.
     
  16. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    There's something to be said for a hardware solution, but I really like OpenVPN. I've used it on Windows, OS X, Linux and Solaris. Whenever the computer boots/user logs in, it just connects and works. The VPN connection is a virtual network device. Wherever I go on the macbook (or any notebook... even a windows notebook) I am just on the company network. We have a central OpenVPN server at a colo, and everyone connects to that, as do the offices. It works out pretty well. To the point that I actually forget that I have openvpn running for long periods.

    To me, it doesn't get any more convenient than that. But I don't do much windows networking.
     
  17. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    I actually looked at OpenVPN at one point, but I need something that users can configure in five minutes or less, without having a single goddamned clue what they're doing.
     
  18. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Any chance you can post a list of what the settings are on your VPN server? If I could just get any functional configuration, then I could modify it as needed.
     
  19. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    There are GUIs that achieve that. However, it's just a single config file and a key or two. You can easily script the setup, then it's right-click to connect.

    http://openvpn.se/screenshots.html
     
  20. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    [15 screenshots of the RRAS/VPN server configuration; images not preserved]

    :dunno:
     
  21. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Damn dude, that's awesome. Thanks.

    - - -

    Okay, in this screenshot:

    [screenshot of the RRAS configuration; image not preserved]

    My "internal" connection isn't configured, and it's screwing up everything else that uses the "internal" connection. What is yours connected to? What is that "192.168.1.59" IP address for? I assume the "Local Area Connection" goes to your router, right?
     
  22. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    .254 is the static IP address of the server. .59 was created when I created RRAS - it resolves to the same address. The only thing in the properties checked off is the first item.
     
