dwieczor

Mar 19, 2009
I would like to set up a VPN on a Windows 2003 server. My problem is that we have a Cisco 2611xm router that our internet comes through. Is there a way to port forward through the router to the server? Being new at this, I'll take any advice. I have looked over the internet and found stuff and even put VPN on one of my computers at home and that works, but when I do the same at the office it does not. I figure it must be the Cisco router. Any suggestions?

I am using Hamachi right now to get to our system when I am at home, but I would rather use the VPN that would work with Windows 2003.
 

JustAGuy51

Oct 1, 2008
For standard IPSec VPN, ports are UDP 500 and UDP 4500 (for NAT Traversal). Some vendors use different ports that you have to find out. For Cisco, either TCP 10000 or UDP 10000. You only need to port-forward the actual port being used.

In addition, for standard IPSec, if you don't use NAT traversal, you also have to accept protocol ESP connections at the firewall. ESP does not have ports.
 

dwieczor

Mar 19, 2009

So I just put in something like this in the Cisco and then let the Windows 2003 server accept incoming VPN? Or is there another way?

ip nat inside source static tcp 192.168.2.245 10000 69.65.229.97 10000 extendable
ip nat inside source static udp 192.168.2.245 10000 69.65.229.97 10000 extendable
 

JustAGuy51

Oct 1, 2008

I didn't read carefully in 1st post that you intend to make Windows VPN server. My first answer applies to IPSec VPN and TCP/UDP 10000 are for Cisco concentrators.

For Windows, you have 2 options: PPTP VPN and IPSec/L2TP VPN.

If you are enabling PPTP, you need to port-forward PPTP (1723) and the GRE protocol. PPTP uses GRE to carry internal traffic. I looked around on the net for forwarding GRE on Cisco routers and had a hard time. Here is what I found:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_q_and_a_item09186a00800946ef.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

So on your 2611xm,
ip nat inside source static tcp 192.168.2.245 1723 69.65.229.97 1723 extendable
<whatever IOS commands you need to issue to forward GRE>

If you are enabling L2TP, you just need to forward the IPSec since IPSec *contains* L2TP traffic. So on your 2611xm,
ip nat inside source static udp 192.168.2.245 500 69.65.229.97 500 extendable
ip nat inside source static udp 192.168.2.245 4500 69.65.229.97 4500 extendable

In both cases, 2611xm ACLs should allow appropriate ports/protocols.

Do me a favor and let me know how it works out (or does not work out). I'd like to know your solution.
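Written out as an added example (not any poster's configuration): the L2TP/IPsec mappings from the reply above together with the inbound ACL entries the reply says the 2611xm must also allow. The addresses are the ones dwieczor posted; the interface names, the /29 mask and the ACL name are assumptions. Because the server is behind the router's NAT, the client and server will negotiate NAT-Traversal, so ESP travels inside UDP 4500 and no protocol-50 (ESP) mapping is needed. The PPTP lines are included only as comments, since GRE has no ports and a port-level static entry cannot carry it.

```cisco
! Added example for this thread (not from the original posts).
! Windows 2003 RRAS server 192.168.2.245 published on 69.65.229.97.
! Interface names, the /29 mask and the ACL name are assumptions.
!
! --- L2TP/IPsec: IKE (UDP 500) and NAT-Traversal (UDP 4500).
! "extendable" lets several port mappings share the one global address.
ip nat inside source static udp 192.168.2.245 500 69.65.229.97 500 extendable
ip nat inside source static udp 192.168.2.245 4500 69.65.229.97 4500 extendable
!
! --- PPTP alternative (left commented out). TCP 1723 maps the same way,
! but GRE (IP protocol 47) has no ports, so there is no port-level static
! entry for it; it only rides along with a full 1:1 static NAT of a spare
! public address to the server, which also exposes every other service
! on that server. Not an option when 69.65.229.97 is the router's own
! interface address.
! ip nat inside source static tcp 192.168.2.245 1723 69.65.229.97 1723 extendable
! ip nat inside source static 192.168.2.245 <spare-public-address>
!
! --- Inbound filter on the outside interface. For outside-to-inside
! traffic IOS evaluates the ACL before NAT, so match the public address.
! If an ACL is already applied inbound there, merge these permits into it
! (its implicit deny must keep allowing the LAN's own return traffic);
! if no ACL is applied, NAT alone is enough and nothing else is needed.
ip access-list extended OUTSIDE-IN
 remark L2TP/IPsec: IKE and NAT-T (isakmp = 500, non500-isakmp = 4500)
 permit udp any host 69.65.229.97 eq isakmp
 permit udp any host 69.65.229.97 eq non500-isakmp
 remark PPTP, only if the PPTP mappings above are enabled
 permit tcp any host 69.65.229.97 eq 1723
 permit gre any host 69.65.229.97
!
interface FastEthernet0/0
 description Internet
 ip address 69.65.229.97 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
```

To confirm the router side is doing its part while a client connects, `show ip nat translations` should list entries for 69.65.229.97:500 and :4500 translating to 192.168.2.245, and `show access-lists OUTSIDE-IN` should show hit counts climbing on the isakmp and non500-isakmp lines. If both are true and the client still fails, the router can be taken out of the picture.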
 

dwieczor

Mar 19, 2009

Well I put the

ip nat inside source static udp 192.168.2.245 500 69.65.229.97 500 extendable
ip nat inside source static udp 192.168.2.245 4500 69.65.229.97 4500 extendable

into the Cisco router and tried to connect to my server at work from home, and now I get an error message 781 saying the connection requires a certificate, and no valid certificate was found.

Does that mean I am at least getting through the Cisco router to the Windows 2003 server? If so, where do I get the certificate?

Thank you for all your help so far.
 

JustAGuy51

Oct 1, 2008
Yes, you are set up properly in Cisco router for IPSec/L2TP. The certificate is asked by your Windows server. Two routes for certificates:

1st route:
- You need one root CA certificate that is privately generated (self-signed) and install it in 2k3 server and *every* client
- generate a server cert and have it signed by the CA cert. You install this only on 2k3 server
- generate a cert for *every* client that needs remote access. Each cert also needs to be signed by the CA cert. Install each unique cert on the corresponding unique client

2nd route:
- generate one or more self-signed certs
I am unclear on how Windows uses or requires for these certs. Your research!

Windows servers require a few special attributes in certificates. I don't know them. It is your research. Authentication and encryption are carried out in both directions between server and clients.

PPTP is easier if you can get around GRE problem on the Cisco router. IPSec route is a lot more secure but you'll likely bump into troubleshooting related to certs.
 

JustAGuy51

Oct 1, 2008
A little terminology clarification:
"generate a cert and have it signed by CA cert" should be "generate a certificate signing request (CSR) and have it signed by CA cert".

After signed by CA, it is called certificate.
 

JustAGuy51

Oct 1, 2008
Another thought:

Instead of certificates, you might be able to work it out with "pre-shared keys". You just install pre-shared keys on 2k3 server and every client. Don't know if 2k3 server VPN will support it.
 

dwieczor

Mar 19, 2009

Just to give you an update.

VPN still not working.

I can go to the internet and get a certificate from the server. But it then just times out.
Also tried the pre-shared key on both the server and client; it still times out.

I am trying to use L2TP/IPSec.


Thanks again for your help
 

JustAGuy51

Oct 1, 2008
To eliminate the possibility that 2600 is not acting as VPN, can you download WinDump (and WinPcap) and run it on the 2003 Server? Like this:

windump.exe -D => shows you a list of interfaces as registry keys; take note of the number for the desired interface

windump.exe -n -e -ttt -i 3 udp and dst port 500
=> instead of typing in the entire registry key, just its number is good enough


Go and initiate the client connection. If windump shows any line besides initial "listening ..." line, then router is not the problem and you can completely take it out from the picture.

++++++++

Here is one link I found for IPSec/L2TP. I know it is with a Linux VPN concentrator (Openswan) but you can ignore the non-relevant stuff. It does have some good info on L2TP.

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

Possible problems (take them with a grain of salt):

1) MTU size problem. IPSec contains L2TP, L2TP uses PPP, each adding some bytes to the packet.
2) Hotfix required? See http://forums.techarena.in/server-networking/967204.htm
3) Filtering is enabled on your 2003 server (not the router), blocking some connections

I have not set up IPSec/L2TP tunnels before. You should rely on what logs say, in *both* server log (IPSec log, L2TP log, PPP log) and client logs. Then google on specific log errors. Can you also post when you are successful?
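The windump check above tells you whether anything reaches the server on UDP 500, but not what the client is doing once it does. As an added example (not code from this thread), the following Python classifies datagrams seen on 500 and 4500 as IKE, UDP-encapsulated ESP or NAT-T keepalive, decodes the ISAKMP header, and reports whether the negotiation moved to 4500, which it must when the server sits behind the 2611xm's NAT (IKE that stays on 500 means NAT-T was not agreed and ESP would have to arrive as IP protocol 50, which a port mapping cannot forward). The packets at the bottom are constructed by hand to look like a Windows L2TP/IPsec client's side of IKEv1 main mode; they are not a real capture. One caveat that applies to exactly this setup: Windows XP SP2 and later clients refuse by default to complete NAT-T with a server that is itself behind a NAT; Microsoft KB 885407 describes the AssumeUDPEncapsulationContextOnSendRule registry value (2 = server and client may both be behind NAT) that enables it.

```python
"""Classify what arrives on UDP 500/4500 during an L2TP/IPsec connection
attempt and decode the ISAKMP (IKE) header. Added example for this thread,
not code from any poster; every packet below is constructed by hand, not
captured from a real session."""
import struct
from dataclasses import dataclass

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1: 28-byte header
NON_ESP_MARKER = b"\x00\x00\x00\x00"         # RFC 3948: IKE on 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                       # RFC 3948 section 2.3: one-byte keepalive

# Exchange-type names, keyed by IKE major version (RFC 2409 / RFC 4306).
EXCHANGE_NAMES = {
    1: {1: "Base", 2: "Identity Protection (Main Mode)", 4: "Aggressive",
        5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}


@dataclass(frozen=True)
class IsakmpHeader:
    init_spi: bytes
    resp_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_NAMES.get(self.major, {}).get(self.exchange, f"unknown({self.exchange})")

    @property
    def is_initial_request(self) -> bool:
        # The responder SPI (cookie) is zero only in the very first message.
        return self.resp_spi == bytes(8)


def parse_isakmp(data: bytes) -> IsakmpHeader:
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    init, resp, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"ISAKMP length {length} != datagram length {len(data)}")
    return IsakmpHeader(init, resp, nxt, ver >> 4, ver & 0xF, exch, flags, msgid, length)


def classify(udp_dst_port: int, payload: bytes):
    """Return (kind, detail) for one UDP datagram addressed to the VPN server."""
    if udp_dst_port == 500:
        return "ike", parse_isakmp(payload)
    if udp_dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload.startswith(NON_ESP_MARKER):
            return "ike", parse_isakmp(payload[4:])
        if len(payload) >= 8:
            # UDP-encapsulated ESP: SPI (never zero, hence distinguishable) then sequence number.
            spi, seq = struct.unpack_from("!II", payload)
            return "esp-in-udp", (spi, seq)
        raise ValueError("unrecognised datagram on 4500")
    raise ValueError(f"port {udp_dst_port} is not an IKE/NAT-T port")


def build_isakmp(init_spi, resp_spi, exchange, *, next_payload=1, major=1,
                 flags=0, message_id=0, body=b"") -> bytes:
    """Constructed packet: a well-formed header over a dummy body, not a real negotiation."""
    hdr = ISAKMP_HDR.pack(init_spi, resp_spi, next_payload, major << 4,
                          exchange, flags, message_id, ISAKMP_HDR.size + len(body))
    return hdr + body


def nat_t_negotiated(datagrams) -> bool:
    """True once IKE itself is seen on UDP 4500, i.e. both sides agreed on NAT-T."""
    return any(port == 4500 and classify(port, p)[0] == "ike" for port, p in datagrams)


def describe(datagrams):
    lines = []
    for port, payload in datagrams:
        kind, detail = classify(port, payload)
        if kind == "ike":
            stage = "first request" if detail.is_initial_request else f"msgid={detail.message_id:#x}"
            lines.append(f"udp/{port} IKEv{detail.major} {detail.exchange_name} {stage}")
        elif kind == "esp-in-udp":
            lines.append(f"udp/{port} ESP spi={detail[0]:#010x} seq={detail[1]}")
        else:
            lines.append(f"udp/{port} {kind}")
    return lines


# Constructed sample (client-to-server direction only): the sequence a Windows
# L2TP/IPsec client behind NAT should produce once the router forwards 500/4500.
CI, CR = b"\x11" * 8, b"\xa5" * 8
SAMPLE = [
    (500, build_isakmp(CI, bytes(8), 2, body=b"\x00" * 24)),   # MM1: SA proposal
    (500, build_isakmp(CI, CR, 2, body=b"\x00" * 24)),         # MM3: KE, nonce, NAT-D
    (4500, NON_ESP_MARKER + build_isakmp(CI, CR, 2, flags=1, body=b"\x00" * 16)),   # MM5 moves to 4500
    (4500, NON_ESP_MARKER + build_isakmp(CI, CR, 32, flags=1, message_id=0x1A2B3C4D, body=b"\x00" * 16)),
    (4500, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16),  # first L2TP packet, inside ESP
    (4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
    print("NAT-T negotiated:", nat_t_negotiated(SAMPLE))
```

To use it on a real session, read the UDP payloads out of a windump/WinPcap capture with any pcap library and pass (destination port, payload) pairs to describe(). Seeing main mode on 500 but never any IKE on 4500 points at NAT-T not being negotiated (the client-side registry caveat above) rather than at the 2611xm; seeing nothing at all still points at the router.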
 

JustAGuy51

Oct 1, 2008
Here is troubleshooting *thinking*. The way it works in OSI model sense:


==========Roadwarrior Side=================================================== Intranet Side

data (upper layers) --> L2TP --> IPSec | <--------------Internet--------------> | decrypt IPSec --> forward L2TP --> destination host


The problem can lie in IPSec level, L2TP level, or local intranet hosts

IPSec level:
- the IPSec, in your case, is terminated/decrypted by 2003 server. After decryption, resultant L2TP traffic is *just like* L2TP traffic generated within local intranet
- always use pre-shared keys initially, eliminating problems arising from certificates. Once pre-shared keys are working, you can upgrade

L2TP level:
- Ensure L2TP is working without involving VPN. I.e. does one local L2TP client see and communicate with another local L2TP client?
- L2TP uses PPP for authentication (and other?) purposes. So it can be PPP causing problems

Local Intranet Hosts level:
- Remember that the 2003 server is the one forwarding L2TP traffic on behalf of the roadwarrior client. But when other local hosts see the packet, they may not see the packet coming from the 2003 server but rather from an IP address they have no knowledge of (not in their host routing table). So they send it to the default gateway, your 2600 router (which also won't know how to respond, so it will trash it)
- MTU size problem also applies here
- To *not* have to deal with these problems during initial setup phase, always use 2003 server itself as L2TP peer. Set up L2TP on 2003 server if need to. Once working, you can deal with this problem by configuring 2600 or entering static routes in local clients