VPN with both lan to lan and lan to Host.


This topic contains 7 replies, has 0 voices, and was last updated by kenadak 12 years, 7 months ago.

    #40497

    kenadak
    Member

    Thanks for putting up the Forums!

    I have a question about VPN.

    Here is how I have my test setup:

    network 1 Local client 1-> Zeroshell router-> nat box with DMZ set to Zeroshell router

    network 2 Local client 2 -> Zeroshell router-> linux firewall with nat enabled… (I have a little less control over this router)

    the network 1 router is the Server for the VPN.

    Both ZeroShell routers have 2 NICs in them: one is set to the internet and NAT'ed, and the other is the internal network and bridged to the VPN.

    When I try to connect with XP's VPN client I get error 800,

    and when I try to telnet to the port I get this:

    $ telnet XX.XX.XX.XX 1723
    Trying XX.XX.XX.XX...
    telnet: Unable to connect to remote host: Connection refused

    Any idea what I need to fix?

    Thanks

    Thanks for a nice packaged solution! I hope to use it soon.

    #44955

    imported_fulvio
    Participant

    The TCP port 1723 is used by the PPTP VPN protocol, but I had some problems and I removed it from ZeroShell. I will try to support it as soon as possible. At the moment the only supported host-to-LAN VPN is L2TP/IPsec, which is much more secure than the PPTP protocol. Windows XP has a built-in client for L2TP/IPsec and you could use that. The only problem is that you have to generate a host X.509 certificate and install it in the computer account. This certificate with its private key is used to authenticate both IPsec endpoints (client and server). To create the host certificate you could use the ZeroShell Certification Authority. The user is then authenticated with MS-CHAPv2 with the same username and password used on the Kerberos 5 KDC.
    Your LAN-to-LAN VPN setup is very interesting. Could you describe it in PDF or HTML format?
    If you want, I will link it from the ZeroShell documentation page.

    Bye
    Fulvio

    #44956

    kenadak
    Member

    I'll help with the documentation, but I'm no expert.

    I'll post a how-to for LAN-to-LAN VPN the way I have it set up.

    How do I create the pre-shared key for L2TP? Or, if there is some other way to get the certificate over to XP, I'd appreciate knowing how to do it.

    #44957

    imported_fulvio
    Participant

    You should not use a pre-shared key to establish an IPsec tunnel, because X.509 authentication is more secure. ZeroShell manages X.509 certificates with its CA. You just have to add your Windows XP client into the Host LDAP database of ZeroShell, and a related certificate with its private key will be created automatically. Then you must export it in PKCS#12 format and import it into the Computer Account of XP. To do it you have to use the mmc console as an administrator user.

    Regards
    Fulvio

    #44958

    I, too, am working on "HowTo" documents for host-to-LAN and LAN-to-LAN VPN networking. For now, I would like to add an important step. I had an issue where the VPN would suddenly stop working during high-speed transfers. I am using Windows XP on a public network to connect to a private network behind Zeroshell:

    Windows XP <---> Zeroshell <---> private network

    Here are two important registry entries:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "EnablePMTUDiscovery"=dword:00000001
    "EnablePMTUBHDetect"=dword:00000001

    These settings are discussed at
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58752.mspx?mfr=true

    and
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58751.mspx?mfr=true

    respectively.

    Regards,
    Daniel Barnes

    #44959

    kenadak
    Member

    I wanted to point out that in the Network section of the forum I posted a mini diagram of what the LAN-LAN VPN looks like.

    #44960

    greyman
    Member

    What ports need to be opened to allow host-to-LAN VPN connections? Also, since I have ppp0 bound to ETH00 for PPPoE, what interface should my rules be set for (ppp0 or ETH00)?

    TIA

    #44961

    imported_fulvio
    Participant

    You don't need to permit traffic on TCP or UDP to enable the host-to-LAN VPNs. You just need to allow IPsec clients on ppp0 to be able to communicate with the L2TP server. In other words, you have to add in the INPUT chain a rule with Protocol Matching set to ESP (Encapsulating Security Payload) and the input interface set to ppp0.
    Notice that AH (Authentication Header) is not involved in the L2TP/IPsec VPNs.

    Regards
    Fulvio

    #44962

    floaty
    Member

    It's important to use the certificate import tool from -> Start -> Settings -> System Settings -> Internet Options -> Content -> Certificates.

    A direct import of the client certificate will save the certificate in the User certificate store, and a manual copy from there to the Machine certificate store results in an auth error (no certificate found for this computer) in the L2TP client.

    Maybe you can spare some time with this information … (it could be measured in hours for me 🙄)
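    The two posts above (Fulvio's note that the PKCS#12 bundle must land in the Computer Account store, and floaty's warning that an import into the User store followed by a manual copy leaves the L2TP client without a usable certificate) can be checked in a scriptable way. The following is an added example, not code from this thread or from ZeroShell: it assumes a modern Windows with the PKI module (Import-PfxCertificate, available from Windows 8 / Server 2012 onward, so not the XP mmc procedure described in the thread), an elevated PowerShell session, and a placeholder path for the PKCS#12 file exported from ZeroShell's CA. It imports directly into LocalMachine\My and then verifies that the certificate is present there with its private key and that its chain validates.

```powershell
# Added example (not from the thread or ZeroShell): import the host's PKCS#12
# bundle into the machine certificate store, where the built-in L2TP/IPsec
# client looks for it, and verify the result. Assumes the PKI module
# (Import-PfxCertificate, Windows 8 / Server 2012 and later); run elevated.

$PfxPath = 'C:\certs\xp-client.p12'   # placeholder: the file exported from ZeroShell's CA

# Prompt for the export password rather than hard-coding it in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 export password'

# Import into LocalMachine\My (the "Computer account" store in mmc). Importing
# into CurrentUser\My and copying the certificate across is what produces the
# "no certificate found for this computer" failure described above, because the
# copy does not carry the private key with it.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword

# Verify the certificate landed in the machine store together with its private key.
$inStore = Get-ChildItem 'Cert:\LocalMachine\My' |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if (-not $inStore) {
    throw "Certificate $($cert.Thumbprint) not found in LocalMachine\My"
}
if (-not $inStore.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is in the machine store but has no private key"
}

# The IPsec endpoint also has to trust the issuing CA: check that the chain
# builds, which requires ZeroShell's CA certificate in Cert:\LocalMachine\Root.
if (-not $inStore.Verify()) {
    Write-Warning 'Chain does not validate; import the ZeroShell CA certificate into Cert:\LocalMachine\Root'
}

"Imported {0} (expires {1}) into the machine store with private key" -f $inStore.Subject, $inStore.NotAfter
```

    Running the import elevated is what makes LocalMachine\My writable; the same Import-PfxCertificate call against Cert:\CurrentUser\My would reproduce the User-store mistake the thread warns about, and the HasPrivateKey check is the quickest way to confirm that a certificate copied between stores did not lose its key.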
