Complete VPN Fundamentals and VPN Router RV042


Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

So far I have a laptop at home, and I want to connect to
a server in another house and the situation looks like
this:

laptop1---Router1--Internet--VPNRouter---Server

or equivalently:

NETA---Router1--Internet--VPNRouter---NETB

Router1 is Linksys BEFW11S4
The VPNRouter is Linksys RV042
www.linksys.com Their manual is almost worthless.
Their support inane.

The ROUTERS HAVE TOTALLY DIFFERENT INTERNET IPs.
THAT IS, ONE HAS 200.3.34.4, THE OTHER 127.6.32.3
Each provides NAT and private IPs, one to NETA and the
other router to NETB respectively.


Laptop has XP Professional
Laptop and server have PRIVATE IPs

Server is a DOMAIN controller. Has Windows Server 2003 and
VPN is NOT configured, since the VPNrouter will do the
VPN job. Is this thinking correct?

To configure this WHY do we do the following steps? In
other words what are we doing? Can someone explain? One
short paragraph should do wonders.

1. On the laptop with Windows XP I create IPsec Policy
FROM the laptop to the VPNrouter. DO I need another
security policy from the VPNRouter to the laptop?

2. On the laptop Create two Filter Lists for the
connection from the laptop to the VPN router and another
filter list from the connection from the VPN router to
the laptop.

3. On the Laptop create security rules for the filter
lists created on step 2. This is where encryption and
authentication methods are defined.

4. On the laptop create two tunnels for each Filter List
on step 2.

5. Assign the security policy created on step 1.

6. The missing step. WHEN AND HOW THE PREVIOUS STEPS are
used or activated to create the VPN?


7. The router for NETA has vpn passthrough. Is this
correct?

8. The VPNrouter for NETB should it have vpn passthrough
DISABLED? This router has VPN capabilities and can
establish 30 tunnels they say.

9. DO I need to configure the server on NETB just like
the laptop? In other words perform steps 1 through 6 on
the server?

10. When all is working properly and the laptop joins
NETB through VPN, what happens? Does one see a small
window to login into the server? or does the VPN router
do the authentication and how? Or nothing should happen
until one accesses shares on the server?


Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

Hi there Lewis,

You've got a whole bundle of questions going here - and we really need to
get back to basics before working through that lot!

First things first, whilst you may already know this, I'll cover anyway, you
can always skip over - A VPN should be seen as a pipe which runs from one
endpoint to another and the endpoints are very important. The internet
routers you have, I think, should be able to manage the VPN without your XP
system getting involved - and because of the way that the Linksys devices
handle VPN, this is often best.

If you are configuring the NETB router as an endpoint, then you should not
need any further configuration at the server end. You will need to configure
the router at NETB to NOT be VPN passthrough, but to act as a VPN endpoint.

There's the Linksys article here:
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=207

which covers XP/W2k config and the site:

http://routerworld.dyndns.org/

has some excellent configs which cover much of your requirements - including
MS -> Linksys.

I'm sorry I can't give full settings etc here, but hope that this gets you
on the right track.

Reply to the post if you need more info.

Regards,

Jason







There ate


Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

I'm a novice on non-pptp VPN's so take this with a grain of salt:

I'd rather you tested this without router1, if possible. I don't believe
you can do what you are trying to do through the average NAT.
Jeffrey--correct me??

As to what happens when you connect in the end--with other VPN's I've used,
the answer is nothing--just what happens when you plug in an ethernet
connection. You have an open pipe--you may be able to see bytes exchanged
if you've chosen to have the connection visible as a system tray icon--but
you'll need to actually connect to something to "see" something happen.


Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

Thanks Jason:

After repeated calls to Linksys support on your point of
having the vpnrouter of NETB set with VPN
passthrough=DISABLE for the reasons you stated, Linksys
insisted that I should have it set on ENABLE. But could
not give a reason. Later, after looking at manuals of
other routers I found that the VPNrouters have at least
two components. One component is a firewall. If you set
VPN DISABLE you would be setting the vpnrouter firewall
to stop VPN traffic and all VPN would fail. So as a rule
then if you want VPN set all routers to VPN
passthrough=ENABLE. This seems to be correct. Factory
default for this VPN passthrough setting is ENABLE. But
this is the first step only...



Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

Thanks Bill:

I am afraid you may be correct. Linksys support which is
very weak and also are very confused themselves seem to
insist that it is possible. They make you set up the
IPsec configuration (Policy) on the PC w/Windows XP with
two tunnels. Somewhere I read that tunnel mode can do
VPN over NAT. However I don't know whether creating
tunnels in the IPsec policy is the same as Tunnel Mode
IPsec. Nevertheless, a complicating factor is that
Microsoft has a paper that says that this Tunnel
configuration is only for a server with two NICs acting
as a GATEWAY with the other end of the tunnel a
VPNrouter. The single PC with a NAT address connecting
to the VPN router seems in their view hopeless.

Has anybody done a VPN over NAT with a single PC w/winXP
or win2000?

PCw---Router1--Internet--VPNRouter---Server
Router1 and VPNRouter are doing NAT and providing private
IPs.

In this diagram which side of Router1 and VPNRouter are
the VPN end points?? Perhaps the PC Address is one of the
endpoints?



Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

There is a new standard, colloquially known as NAT-T, which allows a client
machine to use an IPSEC VPN through a NAT device to a host. This standard
must be supported by both the client and the host. Linksys should be able
to tell you whether or not the router supports this (as the host) and what
client software you need to be running to support this at the client end.
There's a good chance that making this work well requires the latest firmware
for the router, as well.


Reply to Anonymous
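How NAT-T, as described in the post above, lets two IPsec peers notice a NAT between them and then carry ESP inside UDP port 4500 (RFC 3947 and RFC 3948). This is an added example, not part of the original thread; the addresses, cookies, SHA-1 choice and function names are constructed for illustration.

```python
"""NAT-T in miniature: NAT detection (RFC 3947) and UDP encapsulation (RFC 3948).

All addresses, cookies and function names below are constructed for this example.
"""
import hashlib
import socket
import struct

NAT_T_PORT = 4500                      # UDP port used once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages sent on port 4500


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The real hash is the one negotiated in IKE; SHA-1 here is an assumption."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """What a peer sends: the hash for the remote end first, then for itself."""
    return nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)


def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver's check: recompute the hashes from the IP/UDP header it actually
    received and compare them with what the sender believed the addresses were."""
    sender_view_of_me, sender_view_of_itself = nat_d
    return {
        "sender_behind_nat": sender_view_of_itself != nat_d_hash(cky_i, cky_r, *seen_src),
        "receiver_behind_nat": sender_view_of_me != nat_d_hash(cky_i, cky_r, *seen_dst),
    }


def udp_encapsulate_esp(esp_packet, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Wrap an ESP packet in a UDP header so a port-translating NAT can track it.
    RFC 3948 has the IPv4 UDP checksum sent as zero."""
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 is reserved; it would be read as the non-ESP marker")
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def classify_udp_4500(payload):
    """Demultiplex what arrives on UDP 4500, as a NAT-T endpoint must."""
    if payload == b"\xff":
        return "nat-keepalive"         # one byte, keeps the NAT mapping alive
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return "ike"
    if len(payload) >= 8:              # SPI (non-zero) + sequence number
        return "esp"
    return "malformed"


def demo():
    """The thread's topology: laptop behind Router1 (NAT), VPN router on a public IP."""
    cky_i = bytes.fromhex("1122334455667788")   # initiator cookie (constructed)
    cky_r = bytes.fromhex("99aabbccddeeff00")   # responder cookie (constructed)
    laptop = ("192.168.1.100", 500)        # private address on NETA (constructed)
    router1_wan = ("198.51.100.7", 1024)   # source after Router1's NAT (constructed)
    vpn_router = ("203.0.113.10", 500)     # public address of the VPN endpoint (constructed)

    nat_d = build_nat_d(cky_i, cky_r, local=laptop, remote=vpn_router)
    # The VPN router sees Router1's address as the source, not the laptop's.
    return detect_nat(cky_i, cky_r, nat_d, seen_src=router1_wan, seen_dst=vpn_router)


if __name__ == "__main__":
    print(demo())
    esp = struct.pack("!II", 0x1234, 1) + b"ciphertext"
    print(classify_udp_4500(udp_encapsulate_esp(esp)[8:]))
```

Plain ESP is IP protocol 50 and has no port numbers, which is why a port-translating NAT cannot track it without either special passthrough handling or this UDP wrapping.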

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

The easiest and best option for an end user is to get one of the
WRT54G devices and install one of the 3rd party firmware (SVEASOFT for
one) that provides a PPTP-based VPN server integrated into it...

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Tue, 7 Sep 2004 09:06:14 -0400, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>There is a new standard, colloquially known as NAT-T, which allows a client
>machine to use an IPSEC VPN through a NAT device to a host. This standard
>must be supported by both the client and the host. Linksys should be able
>to tell you whether or not the router supports this (as the host) and what
>client software you need to be running to support this at the client end.
>There's a good chance that making this work well requires the latest firmware
>for the router, as well.

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

 

Interesting--that should save quite a few users who are finding they can't
make use of what they've just spent $ on.

"Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com> wrote
in message news:t5nsj0te6aau6rsmqq05m4ch3jpqfpc8hh@4ax.com...
> The easiest and best option for an end user is to get one of the
> WRT54G devices and install one of the 3rd party firmware (SVEASOFT for
> one) that provides a PPTP-based VPN server integrated into it...
>
> Jeffrey Randow (Windows Networking & Smart Display MVP)
> jeffreyr-support@remotenetworktechnology.com
>
> Please post all responses to the newsgroups for the benefit
> of all USENET users. Messages sent via email may or may not
> be answered depending on time availability....
>
> Remote Networking Technology Support Site -
> http://www.remotenetworktechnology.com
> Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
>
> On Tue, 7 Sep 2004 09:06:14 -0400, "Bill Sanderson"
> <Bill_Sanderson@msn.com.plugh.org> wrote:
>
>>There is a new standard, colloquially known as NAT-T, which allows a
>>client
>>machine to use an IPSEC VPN through a NAT device to a host. This standard
>>must be supported by both the client and the host. Linksys should be able
>>to tell you whether or not the router supports this (as the host) and what
>>client software you need to be running to support this at the client end.
>>Theres a good chance that making this work well requires the latest
>>firmare
>>for the router, as well.
>>
>>
>><anonymous@discussions.microsoft.com> wrote in message
>>news:72ca01c494c1$d376be30$a601280a@phx.gbl...
>>> Thanks Bill:
>>>
>>> I am afraid you may be correct. Linksys support which is
>>> very weak and also are very confused themselves seem to
>>> insist that it is possible. They make you set up the
>>> IPsec configuration (Policy) on the PC w/Windows XP with
>>> two tunnels. Somewhere I read that tunnel mode can do
>>> VPN over NAT. HOwever I dont know whether creating
>>> tunnels in the IPsec policy is the same as Tunnel Mode
>>> IPsec. Nevertheless, a complicating factor is that
>>> Microsoft has a paper that says that this TUnnel
>>> configuration is only for a server with two NICs acting
>>> as a GATEWAY with the other end of the tunnel a
>>> VPNrouter. The single PC with a NAT address connecting
>>> to the VPN router seems in their view hopeless.
>>>
>>> Has anybody done a VPN over NAT with a single PC w/winXP
>>> or win2000?
>>>
>>> PCw---Router1--Internet--VPNRouter---Server
>>> Router1 and VPNRouter are doing NAT and providing private
>>> IPs.
>>>
>>> In this diagram which side of Router1 and VPNRouter are
>>> the VPN end points?? Perhaps the PC Address is one of the
>>> endpoints?
>>>
>>>
>>>>-----Original Message-----
>>>>I'm a novice on non-pptp VPN's so take this with a grain of salt:
>>>>
>>>>I'd rather you tested this without router1, if possible. I don't believe
>>>>you can do what you are trying to do through the average NAT.
>>>>Jeffrey--correct me??
>>>>
>>>>As to what happens when you connect in the end--with other VPN's I've used,
>>>>the answer is nothing--just what happens when you plug in an ethernet
>>>>connection. You have an open pipe--you may be able to see bytes exchanged
>>>>if you've chosen to have the connection visible as a system tray icon--but
>>>>you'll need to actually connect to something to "see" something happen.
>>>>
>>>>
>>>>"Lewis Giana" <anonymous@discussions.microsoft.com> wrote in message
>>>>news:5ca601c49205$2e4f57a0$a601280a@phx.gbl...
>>>>>
>>>>> So far I have a laptop at home, and I want to connect to
>>>>> a server in another house and the situation looks like
>>>>> this:
>>>>>
>>>>> laptop1---Router1--Internet--VPNRouter---Server
>>>>>
>>>>> or equivalently:
>>>>>
>>>>> NETA---Router1--Internet--VPNRouter---NETB
>>>>>
>>>>> Router1 is Linksys BEFW11S4
>>>>> The VPNRouter is Linksys RV042
>>>>> www.linksys.com Their manual is almost worthless.
>>>>> Their support inane.
>>>>>
>>>>> The ROUTERS HAVE TOTALLY DIFFERENT INTERNET ipS.
>>>>> THAT IS, ONE HAS 200.3.34.4, THE OTHER 127.6.32.3
>>>>> Each provides NAT and Private ips, one to NETA and the
>>>>> other router to NETB respectively.
>>>>>
>>>>>
>>>>> Laptop has XP Professional
>>>>> Laptop and server have PRIVATE IPs
>>>>>
>>>>> Server is a DOMAIN controller. Has Windows Server 2003 and
>>>>> VPN is NOT configured, since the VPNrouter will do the
>>>>> VPN job. Is this thinking correct?
>>>>>
>>>>> To configure this WHY do we do the following steps? In
>>>>> other words what are we doing? Can someone explain? One
>>>>> short paragraph should do wonders.
>>>>>
>>>>> 1. On the laptop with Windows XP I create IPsec Policy
>>>>> FROM the laptop to the VPNrouter. DO I need another
>>>>> security policy from the VPNRouter to the laptop?
>>>>>
>>>>> 2. On the laptop Create two Filter Lists for the
>>>>> connection from the laptop to the VPN router and another
>>>>> filter list from the connection from the VPN router to
>>>>> the laptop.
>>>>>
>>>>> 3. On the Laptop create security rules for the filter
>>>>> lists created on step 2. This is where encryption and
>>>>> authentication methods are defined.
>>>>>
>>>>> 4. On the laptop create two tunnels for each Filter List
>>>>> on step 2.
>>>>>
>>>>> 5. Assign the security policy created on step 1.
>>>>>
>>>>> 6. The missing step. WHEN AND HOW THE PREVIOUS STEPS are
>>>>> used or activated to create the VPN?
>>>>>
>>>>>
>>>>> 7. The router for NETA has vpn passthrough. Is this
>>>>> correct?
>>>>>
>>>>> 8. The VPNrouter for NETB should it have vpn passthrough
>>>>> DISABLED? This router has VPN capabilities and can
>>>>> establish 30 tunnels they say.
>>>>>
>>>>> 9. DO I need to configure the server on NETB just like
>>>>> the laptop? In other words perform steps 1 through 6 on
>>>>> the server?
>>>>>
>>>>> 10. When all is working properly and the laptop joins
>>>>> NETB through VPN. what happens? Does one see a small
>>>>> window to login into the server? or does the VPN router
>>>>> do the authentication and how? Or nothing should happen
>>>>> until one accesses shares on the server?
>>>>>
>>>>>
>>>>
>>>>
>>>>.
>>>>
>>
>

Archived from groups: microsoft.public.windowsxp.work_remotely

The third party firmware is excellent. If one doesn't want to do a
PPTP-based VPN, one can easily set up tunnels with SSH (a bit more
difficult in the Windows world, but it can be nice for secure
connection tunnels).

Jeffrey Randow (Windows Networking & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Wed, 8 Sep 2004 00:02:21 -0400, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>Interesting--that should save quite a few users who are finding they can't
>make use of what they've just spent $ on.
>
>"Jeffrey Randow (MVP)" <jeffreyr-support@remotenetworktechnology.com> wrote
>in message news:t5nsj0te6aau6rsmqq05m4ch3jpqfpc8hh@4ax.com...
>> The easiest and best option for an end user is to get one of the
>> WRT54G devices and install one of the 3rd party firmware (SVEASOFT for
>> one) that provides a PPTP-based VPN server integrated into it...
>>
>> Jeffrey Randow (Windows Networking & Smart Display MVP)
>> jeffreyr-support@remotenetworktechnology.com
>>
>> Please post all responses to the newsgroups for the benefit
>> of all USENET users. Messages sent via email may or may not
>> be answered depending on time availability....
>>
>> Remote Networking Technology Support Site -
>> http://www.remotenetworktechnology.com
>> Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
