Configuring VPN from server to Linksys router

Discussion in 'Networking (Hardware & Software)' started by bradhale, 2007/01/09.

  1. 2007/01/09
    bradhale

    bradhale Inactive Thread Starter

    Joined:
    2007/01/09
    Messages:
    10
    Likes Received:
    0
    Hi All,

    I'm hoping to get a consensus on what would be my best approach here.

    My setup is as follows:

    I work on a Dev Machine which is running Server 2003; it and my other machine(s) sit behind a Windows Advanced Server 2K running Zone Alarm Pro and ICS which acts as a router/firewall.

    I want to set up a VPN from my DEV server to a client running a Linksys RV016.

    If I try to create a VPN client on the dev machine using the Windows PPTP client I get a BSOD whenever it connects.

    So I'm thinking I should set up a VPN through my router/firewall since it doesn't barf when it connects. Of course this prevents my other systems from accessing the internet via my DSL...

    What would be the best way to set this up so that my other machines can get out through the DSL and my dev machine can RD via the VPN but otherwise hit the internet via the DSL?

    Thanks,
    Brad
     
  2. 2007/01/09
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hello Brad

    Welcome to the best the WindowsBBS!

    OOOKKKK!

    First I might say that under normal circumstances you should not BSOD here but you should get some kind of recoverable error.

    What did the event logs say after this BSOD?

    Does this machine have other issues?

    Next read the following thread, my post near the bottom:

    http://windowsbbs.com/showthread.php?t=60277

    Give me a little better description of the path through the routers to the other machine. Is it going through 2 routers (1 at each location)?

    Do you know the LAN and WAN IPs of both machines?

    Are they in the same Workgroup and Subnet?

    One has to be the initiator and the other the answerer, tell me about it!

    The 2003 has a native Windows Firewall, the 2k don't not; does it have a software firewall installed or are you relying on a hardware firewall?

    On the 2003, if using a hardware firewall, do you have the Windows Firewall enabled also?

    Give me details?

    Mike
     

  4. 2007/01/09
    mflynn

    don't not:D

    i spel n rite god cyper to, u kno ad n sbtrac

    Mike
     
  5. 2007/01/09
    bradhale

    Hi Mike,

    First off, much thanks for the reply!

    The only thing of note in the event log is a system error of:
    "Error code 1000007e, parameter1 c0000005, parameter2 88d95048, parameter3 f78baca0, parameter4 f78ba99c. "

    Which is what shows up in the BSOD.

    Other than that the machine runs fine. I do get one other issue with it not being able to configure a serial port but that only started when I enabled it thinking it might have had something to do with the BSOD.

    I had run through that thread and it was actually what got me started in this direction.

    Starting from My Dev Machine (which is where I want to RD into my clients server from) I first go to the Win Adv Srvr 2K which has 2 NICs. It connects to my DSL modem. It is running ZA Pro and is using ICS with the NIC connected to the dsl modem set to share the connection.

    After that I want to connect to my client's Linksys RV016 router which has a client to Network VPN setup for a PPTP connection.

    I do know the IPs of all machines.

    Windows Firewall is NOT enabled on the 2k3 machine.


    Basically I want my local router (which is the Win2k Adv Srvr running ZA Pro and ICS) to be able to provide the following:

    1) Connectivity directly to the internet via my DSL for my local network

    AND simultaneously

    2) VPN to my client's Linksys router.

    Not too much to ask... ;-)

    Anyway thanks in advance for any light you can shed on the subject...
     
  6. 2007/01/09
    mflynn

    Sorry so long getting back.

    What did you mean by 2k3? I will assume 2K.

    1st things first, does the Remote desktop work for you?

    mike
     
  7. 2007/01/09
    bradhale

    Hi Mike,

    Thanks for the quick response.

    2k3 is just me being lazy and not typing 2003. So srv 2k3 is Server 2003.

    I can RD from my dev machine out through the non-VPN DSL connection. The problem is that their router (the Linksys RV016) has two WAN ports. One has a static IP and the other is dynamic, and a "raw" connection (non-VPN) can arbitrarily be assigned to either one during communication (i.e. request goes in on one port, response comes back on the other, the connection gets dropped).

    There's two problems I'm having to deal with. The first is that I need to RD to several different machines at their site. So in order to hit them all we have to start port juggling if I go direct.

    The second is that if I VPN I can specify (via configuration on the VPN) to always use the static, but if I'm coming in directly from the internet I get ping-ponged between the two ports (see above) and am constantly losing connection. (BTW, if anyone knows a fix for that we'd be very thankful, it causes major problems for them).

    Hope that sheds some new light on it.

    Thanks again,
    Brad
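
Added example, not part of the original post: a small detector for the "in on one WAN port, back on the other" symptom described above, run over router flow logs. The log format, addresses and function names are assumptions made for illustration; the RV016's real log format is not shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical log format (not the RV016's own):
# time, direction, WAN interface, remote client, internal RDP host.
SAMPLE_LOG = """\
10:00:01 IN  WAN1 198.51.100.7:50312 192.168.1.20:3389
10:00:01 OUT WAN1 198.51.100.7:50312 192.168.1.20:3389
10:00:04 IN  WAN1 198.51.100.7:50312 192.168.1.20:3389
10:00:04 OUT WAN2 198.51.100.7:50312 192.168.1.20:3389
10:00:09 IN  WAN1 198.51.100.9:41000 192.168.1.21:3389
10:00:09 OUT WAN1 198.51.100.9:41000 192.168.1.21:3389
-- log rotated --
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+(?P<iface>WAN\d+)\s+"
    r"(?P<client>\S+:\d+)\s+(?P<server>\S+:\d+)$"
)


def parse(log_text):
    """Yield (ts, direction, iface, flow) tuples; skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["dir"], m["iface"], (m["client"], m["server"])


def find_asymmetric_flows(log_text):
    """Return flows whose replies left on a WAN port the client never came in on.

    The result maps (client, server) to the inbound interfaces, the outbound
    interfaces, and the timestamp of the first mismatched reply.
    """
    seen = defaultdict(lambda: {"IN": set(), "OUT": set(), "first": None})
    for ts, direction, iface, flow in parse(log_text):
        rec = seen[flow]
        rec[direction].add(iface)
        mismatch = direction == "OUT" and rec["IN"] and iface not in rec["IN"]
        if mismatch and rec["first"] is None:
            rec["first"] = ts
    return {
        flow: {
            "in": sorted(rec["IN"]),
            "out": sorted(rec["OUT"]),
            "first_mismatch": rec["first"],
        }
        for flow, rec in seen.items()
        if rec["first"] is not None
    }


if __name__ == "__main__":
    for flow, info in find_asymmetric_flows(SAMPLE_LOG).items():
        print(flow, info)
```
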
     
  8. 2007/01/09
    mflynn

    Nope.

    RD to the server you want and then RD from there to the other station on that LAN. I do this quite often and do not notice any loss of performance.

    Besides if the server is not a terminal server you would be limited to only 2 concurrent connections.

    Or do I understand?

    Yes/no can you now RD to the server you want?

    Mike
     
  9. 2007/01/09
    bradhale

    Hi Mike,

    Thanks again.

    >>Yes/no can you now Rd to the server you want?

    Yes, but because I have no control over which of their two WAN ports the traffic goes through I get disconnected after a few seconds. So a straight RD approach doesn't work for me.

    Thanks,
    Brad
     
  10. 2007/01/09
    mflynn

    Are you their tech/system support?

    Do they (IT) know you well?

    Do they want you in their system?

    Because if they need you, all they need do is port forward/map the router for port 3389 to point to the static "LAN" ip of the server you wish to connect to.

    It is not going to be easy/convenient to connect to a dynamic WAN. Can be done but you will still need some settings on their router.

    Do each of these 2 WAN (1 static 1 dynamic) have a different router?

    And if the Server is not a Terminal Server what you propose will only work 2 times any way. On the other hand one connection to their server will allow you to go out many times or cycle from computer to computer.

    I am not being nosy but trying to understand the limitations to a simple thing!

    With access and permission to the router this is simple! Same with VPN but the router will need to be configured.

    Mike
     
  11. 2007/01/09
    mflynn

    By access to router I mean to configure and setup.

    In case a little birdie wanted to comment! :)

    Mike
     
  12. 2007/01/09
    bradhale

    No Problem. I don't consider it nosy at all! As a matter of fact I appreciate the effort at understanding my problem in detail as well as trying to help me solve it.

    I'm actually their programmer and they are a call center. We have a predictive dialer, an IIS server running asp.net, 3 SQL servers, etc... and I'm programming an app which allows real-time CSR interaction with their customers on both the phone and internet simultaneously. So there's a lot of web services, screen pops, etc... going back and forth.

    The various machines I need to get into all provide terminal services.

    Because I need to be able to "see" multiple desktops at once to properly debug their systems (what is the dialer doing while I'm watching code execute on the IIS instance and looking at what a user's machine is seeing from the IIS browser as well as their screen pop) trying to run nested RD sessions won't work because I run out of screen real estate (I can spread it across two monitors at my house), well I can do it, it's just not a lot of fun... ;-).

    We also have several other users who have to access other machines via RD (fortunately I've been able to get them going on the VPNs).

    Yes, I do have complete access to the router and both WAN ports are on the same router.

    There is some hesitation (I don't know if it's valid or not) to directly exposing the particular server I debug on to the internet since it has a pretty wide security profile due to the need to debug the SQL servers, IIS servers, etc....


    I guess the "proper" fix would be to get the VPN client working on my dev machine anyway, I was just trying to avoid the constant reboot and BSOD until I figure it out... ;-)
     
  13. 2007/01/09
    mflynn

    OK Brad

    This will be my last post for tonight it has been a long day.

    I don't understand running out of screen real estate if you are running multiple screens or not, RD on vpn or direct will still take the same amount of real estate for the same number of screens.

    Of course they do if XP or 2k. But not to be confused with a "Terminal Server".

    RD to XP or 2k comes in on the foreground (takes over the screen/session) and can only be done twice for each XP or 2K computer.

    A Terminal Server (only on Server 2k or 2003 or NT) will allow numerous background sessions that do not involve the main console screen.

    Terminal services costs extra and has to be installed so don't assume since it is a server that it has Terminal Server capability.

    Unless terminal services is installed you are still limited to 2 concurrent logons tho on a server they are in the background unlike 2k pro or XP.

    The above may have no bearing here I just want you to understand.

    So to VPN the router will need to be set to allow VPN passthru. It will also need to be port forwarded (also called port mapped) for port 1723 (VPN port) to be sent to the local LAN IP of the server you wish to connect to.

    That server should have VPN "accept incoming connections" and be configured with proper user access for your login.

    Your computer or router need no special setup other than a VPN connection "Connect to a computer at my workplace" with the WAN IP of the server to connect to. Once connected you are a node as if you were in that office as all permitted shares will be available to you.

    We will need to fix the BSOD before anything else. Tomorrow!

    OK time to stop, I am dragging.

    I will be back in the morn no later than 7:00 EST.

    Mike
     
  14. 2007/01/10
    mflynn

    Morning Brad

    Ok in rereading the entire thread I see I was asking for info you did already post. I was very tired yesterday.

    The issue of port forwarding port 3389 on the Static WAN IP at the remote is not an issue if you use complex passwords and the other security measures of Server.

    This method is used widely in corporate America and the DOD.

    On your end I think you have an unnecessarily complex setup by using the server as a router.

    If you were to purchase an inexpensive basic 4 port Linksys "VPN" router, then the VPN would be handled by hardware (usually the best choice) and no setup at all on either your or remote server would be necessary. All the settings would be in the 2 routers.

    Using VPN routers makes the connection look and feel like a direct connection by CAT5.

    In this case you would remove the VPN connections (Accept incoming on remote and Outgoing on your end) on both ends. Less CPU overhead and faster.

    You could do away with the ICS which is for someone who can do no better.

    Additionally remove the routing setup on the 3k server. Releasing resources and complexity.

    This does the same as mentioned above for the HW VPN on your own small network, it allows a router to handle in hardware what you now have as software. Faster here also and using less resources.

    This would eliminate the BSOD with VPN problem also.

    And finally with the switched ports on the router you could add another PC for viewing the screens you need.

    What do you think of this?

    If you want to proceed without considering above we can, but in the end, in man hours it will cost more.

    Let me know how you wish to proceed.

    Mike
     
  15. 2007/01/11
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Just a quick tidbit:
    Linksys routers have a setting to allow-disallow VPN pass through. Older Linksys routers do NOT allow VPN pass through, thus newer router firmware *may* have VPN features for older routers. This may cure the "ping-pong" effect you speak of. I recently upgraded the firmware on a client's 4 yr old Linksys router to be able to use VPN.
     
  16. 2007/01/11
    mflynn

    Hey TonyT, long time no see! :)

    I am a poet and don't know it! :D

    Good to thread with you again. Hope all the best for you and yours.

    I checked the Model of the router in use at his client's office.

    It happens to be specifically a VPN router and not a standard router with VPN pass thru.

    He is lucky here as all he has to do is get an inexpensive Linksys VPN router switch.

    Once he has a true VPN router on his end (same brand, Linksys, but not the bigger more expensive one they have on the other end), he will be able to do it all in hardware and no Windows settings or resources at all.

    I have found the same brands connect easier and the router setup is easier because it is identical on both ends.

    Since he has no router or switch on his end at all, by spending 120.00 bucks or so he could do away with the routing functions and ICS etc on his 3k server. Not require the other computer to reach the internet. That reminds me, Brad, using the 3k for routing and ICS, of what happens if that computer fails. No internet. A router would eliminate this issue also.

    This would gain him resources performance and less complexity on his end.

    Look it over closer and see if you agree. If you have another way, what he wants is some input/suggestions.

    Good to tread the threads with you again.

    Mike
     
  17. 2007/01/11
    mflynn

    Where are you anyway Brad?:confused:

    Mike
     
  18. 2007/01/11
    TonyT

    Yes, another router would do better than ICS. Meanwhile, I suggest a Google search for ICS & VPN compatibility.
     
  19. 2007/01/11
    mflynn

    Hi Brad and TonyT

    I can tell you for sure VPN with ICS (heck ICS has its own issues) will have issues, much more complexity added to what is already there.

    But Brad I thought of another benefit of a NAT router. Safer. And if the router you decide on has an onboard hardware firewall you could remove the software firewall. Again more free resources, simplify the system.

    We are giving you ammo! Where are you gonna shoot?


    Mike
     
  20. 2007/01/16
    bradhale

    Hi Everyone,

    Sorry for not replying. The email notifications stopped coming so I just assumed the thread had died. It wasn't until I was searching on Google and it turned up that I realized there had been additional replies.

    Anyway.... To get back to things,

    I've got a hardware solution coming (Linksys rv42) so hopefully this'll be the end of it. The problem with a "pure" terminal services solution is that I lose the connection every few seconds. Both myself and their guy have gone through the router/firewall and done everything possible to fix the terminal services problem.

    Essentially it boils down to this, they have a Linksys rv-016 setup for load balancing with WAN1 -> static IP and WAN2 -> dynamic IP. I've read elsewhere that the RV will not properly port bind on a protocol level so I cannot go directly through to the terminal services machine(s) I need to access. It will however bind a VPN to a particular WAN port but the problem is that Win server 2003 barfs when I try to connect it as a VPN client.

    My home network is setup such that while I can create a VPN through my proxy machine (running ICS and ZA Pro) I can't properly share the VPN because both my wife and I need to access the internet outside of the VPN to my clients (and yes I am aware of the dangers).

    What I need to do is to be able to VPN directly from my Dev Machine to my Clients in order to get around the router dropping the Term Srvcs session and yet still be able to get out to the internet via my DSL and cable modem so I can access my other clients when necessary without having to reboot or reconnect.

    I think I might be able to set my local IPs to the same subnet as my clients and be able to connect that way but ICS defaults to a 192.168.0 subnet and I don't know that it'll let me set it up any different.

    This was easy to do with Win 2K adv server and it worked great... but 2003 seems to barf when the VPN tries to assign the subnet to the card. I went into the DMP and it's the NDIS every time....

    Anyway, again I MUCH appreciate everyone's attempts to help with this and should I come up with something I'll let everyone know.

    Thanks again,
    Brad
     
  21. 2007/01/16
    mflynn

    Brad, Brad, Brad

    1. If you install a VPN router to connect to their VPN router you will not need a VPN client. It will all be handled in the routers themselves.

    2. Get rid of the ICS (which you don't need anyway with a router) and the problem with RDP will disappear even on a direct connect (meaning not via VPN). You will also be able to connect RDP via VPN. The problem was never the Router or anything on their end.

    3. Get rid of ICS and you can set your workgroup and subnet to anything you want.

    Come back and let us know!

    Mike
     
