VPN setup - is there a standard way to do this?

Mike

Splendid
Apr 1, 2004
3,865
0
22,780
Archived from groups: comp.dcom.vpn

First...I'm not a full-blown network engineer...I just kind of inherited
a network and am being looked to for supporting it. Small 25-person
office, we have a NetScreen firewall/VPN and a W2K domain. I'm being
asked to get the VPN working on the NetScreen (for remote users
working from home). Going into the config, I'm blown away by the
number of different ways to set the VPN up: IKE, XAuth, AU, L2TP,
DES, Triple DES, hash algorithms, pre-shared keys, etc. It's a little
overwhelming. Is there some kind of standard people use? Any good
website suggestions? Do I stick with the NetScreen-Remote clients or
set up the Microsoft 2000/XP PPTP/L2TP client? Any help would be
greatly appreciated.
 
Guest

https://www.juniper.net/customers/support/
This is NetScreen's support page. There are several articles, including screen
shots, about setting up the VPN on the NetScreen firewall. I used L2TP and
it works great. The only thing to remember, though, is that on the client machines
you'll have to set up the following.
The following registry entry is required on the client machines before they
can connect via L2TP:

To add the ProhibitIpSec registry value to your Windows 2000-based computer,
use Registry Editor (Regedt32.exe) to locate the following key in the
registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

Note that you must restart your Windows 2000-based computer for the changes
to take effect.



I thought it was fairly straight forward on setting it up. You set up an
L2TP pool (under Objects on the firewall), configure the default settings,
configure the tunnel (both under VPN L2TP on the firewall), create your
users (under objects) and of course allow VPN in your Policies.

Again, there are a bunch of articles with screen shots of how to do this; just
go to the above link and search the knowledge base. My info above is a
basic overview, though.

Hope this helps and good luck.



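The registry change in the reply above, scripted so it can be audited and reverted. This is an added example, not code from the original post or from Juniper; the computer names it takes are hypothetical, and it assumes an account with administrative (and, for the report, PowerShell remoting) rights on the clients. Windows 2000 itself has no PowerShell; the equivalent there is the `reg.exe` line shown in the comment.

```powershell
# Added example (not from the original post): audit, set and revert the
# ProhibitIpSec DWORD the reply above says the L2TP clients need.
# Hypothetical: the computer names passed to Get-ProhibitIpSecReport.
#
# Windows 2000 / pre-PowerShell equivalent of Set-ProhibitIpSec -Value 1:
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\Rasman\Parameters ^
#       /v ProhibitIpSec /t REG_DWORD /d 1 /f

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$ValueName = 'ProhibitIpSec'

function Get-ProhibitIpSec {
    # Returns the current value, or $null when it has never been created
    # (the Windows default: the automatic IPsec policy for L2TP is used).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ProhibitIpSec {
    # 1 = Windows does NOT build its IPsec policy for L2TP (plain L2TP, as in the reply)
    # 0 = back to L2TP/IPsec. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $current = Get-ProhibitIpSec
    if ($current -eq $Value) {
        Write-Verbose "$ValueName is already $Value; nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set to $Value")) {
        if ($null -eq $current) {
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
        } else {
            Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
        }
        # RASMAN reads the value at service start, hence the restart in the KB text.
        Write-Warning 'Restart the computer (or at least the Remote Access service) for the change to take effect.'
    }
}

function Get-ProhibitIpSecReport {
    # Which clients are configured for plain L2TP? One row per computer.
    param([Parameter(Mandatory)][string[]]$ComputerName)   # hypothetical names
    foreach ($c in $ComputerName) {
        $v = Invoke-Command -ComputerName $c -ArgumentList $KeyPath, $ValueName -ScriptBlock {
            param($k, $n)
            (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n
        }
        [pscustomobject]@{
            Computer      = $c
            ProhibitIpSec = $v
            PlainL2TP     = ($v -eq 1)
        }
    }
}

# Usage (interactive):
#   Get-ProhibitIpSec
#   Set-ProhibitIpSec -Value 1 -WhatIf
#   Set-ProhibitIpSec -Value 1
#   Get-ProhibitIpSecReport -ComputerName 'laptop01', 'laptop02' | Format-Table
```

The caveat a practitioner wants here: `ProhibitIpSec = 1` stops Windows from creating its automatic IPsec policy for L2TP, so unless something else is protecting the traffic the tunnel is L2TP over UDP 1701 with no IPsec, and the PPP authentication exchange and all user data cross the Internet in the clear. That is why the report function flags `PlainL2TP`; the alternative on this platform is L2TP-over-IPsec or the IKE VPN with the NetScreen-Remote client that Mike already has working.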
 

Mike

On Tue, 5 Apr 2005 10:02:44 -0400, "MF" <nothankyou@nospam.com> wrote:
Thanks for the reply...I did manage to set up IKE VPN connections
using the NetScreen-Remote client. What I don't understand...is
basically how to log someone in over the VPN connection directly to
the network. In other words, while testing this IKE connection, I
noticed that every mapped drive, opening Outlook, etc. requires the
user to enter a username/password. Also, there's no way to change
your password when it expires (at least I don't see a way)...so I'm
guessing I need a way to log into the domain when first connecting.
Is this what L2TP does?

 
Guest

Well, with L2TP, the way it is set up is basically that to establish the
connection you log on using the NetScreen's user name and password (this
was set up under Objects -> Users on the NetScreen). Again, this just
creates the tunnel between point A and point B. After it is connected, your computer
is now a computer on that network.
After that, if you want to, say, Remote into a server or computer on that side,
you'd launch Remote Desktop to that private IP and then use your domain user
name and password to get in (of course, this is also provided you have access
under that user name and password on the domain). Same for mapping drives:
you need to use a user name and password from the domain that you just
VPN'd into.
This is actually a nice feature, because even if someone was able to make a
VPN connection and you didn't want them to, they'd still need to be a user in
your domain to get to any of the machines on the domain.
I would have thought that the IKE VPN was set up similarly. Again, the
knowledge base articles are an excellent source for finding info too, but I
hope this at least helps or points you in the correct direction.


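The two credential layers the reply above describes (tunnel login on the NetScreen, then a separate domain logon for shares), as a client-side script. This is an added example and not code from the original thread or from Juniper. `Office-L2TP` is a hypothetical RAS phonebook entry for the NetScreen, `\\fs1\users` a hypothetical file server behind it, and the script assumes Windows PowerShell 3.0 or later on the remote user's machine.

```powershell
# Added example (not from the original post). Hypothetical: the 'Office-L2TP'
# phonebook entry and the \\fs1\users share.

function Connect-OfficeVpn {
    # Layer 1: bring up the tunnel with the NetScreen-local user
    # (Objects -> Users on the firewall). This is not a domain logon.
    param(
        [string]$EntryName = 'Office-L2TP',
        [Parameter(Mandatory)][string]$TunnelUserName
    )
    # Pass '*' so rasdial prompts for the password itself; that keeps the
    # tunnel password off the process command line, where any local user
    # could read it.
    & rasdial.exe $EntryName $TunnelUserName '*'
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial failed for '$EntryName' (exit code $LASTEXITCODE)"
    }
}

function Connect-DomainShare {
    # Layer 2: map a share with explicit domain credentials. Because the tunnel
    # login did not log the user on to the domain, each share would otherwise
    # prompt separately, which is exactly what Mike saw.
    param(
        [string]$DriveLetter = 'H',
        [string]$UncPath = '\\fs1\users',
        [Parameter(Mandatory)][pscredential]$DomainCredential   # DOMAIN\user
    )
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath `
        -Credential $DomainCredential -Persist -Scope Global -ErrorAction Stop | Out-Null
    return "${DriveLetter}:"
}

function Disconnect-OfficeVpn {
    param([string]$EntryName = 'Office-L2TP')
    & rasdial.exe $EntryName /disconnect | Out-Null
}

# Usage (interactive):
Connect-OfficeVpn -TunnelUserName 'mike'                     # prompts for the NetScreen password
$domain = Get-Credential -Message 'Domain account for file servers (DOMAIN\user)'
try {
    $drive = Connect-DomainShare -DomainCredential $domain
    Write-Host "Mapped $drive with domain credentials"
} catch {
    # An expired domain password fails here, with the tunnel already up:
    # the NetScreen accepted the tunnel login, the domain rejected the logon.
    Write-Warning "Domain logon over the tunnel failed: $($_.Exception.Message)"
}
```

Two design points. Keeping the tunnel password out of the command line matters because `rasdial` will happily take it as a third argument, and anything in a process's command line is readable by other local users. And the "nice feature" in the reply holds only for resources that actually demand domain authentication: once the tunnel is up the client is a host on the office LAN, so anything reachable anonymously, or any unpatched service listening on that subnet, is reachable by whoever holds a NetScreen tunnel account, domain member or not. The firewall policy that allows the tunnel traffic should be scoped to the hosts and ports remote users need, not "Any".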
 
Guest

Anyone have any follow-up to this? I'm basically concerned about
changing domain passwords when they expire. I'm using a NetScreen-25
with IKE/XAuth/IAS. It seems that if the domain password has expired,
the user is locked out of everything until they manually hit
Ctrl+Alt+Delete to change their password and log back in again. This
could be really confusing.