VPN with both LAN to LAN and LAN to Host
November 3, 2006 at 10:16 pm #40497
kenadak
Member
Thanks for putting up the Forums!
I have a question about VPN.
Here is how I have my test setup:
network 1 Local client 1-> Zeroshell router-> nat box with DMZ set to Zeroshell router
network 2 Local client 2 -> Zeroshell router-> linux firewall with nat enabled… (I have a little less control over this router)
The network 1 router is the server for the VPN.
Both Zeroshell routers have 2 NICs in them: one is set to the internet and NAT'ed, and the other is the internal network and bridged to the VPN.
When I try to connect with XP's VPN client I get error 800, and when I try to telnet to the port I get this:
$ telnet XX.XX.XX.XX 1723
Trying XX.XX.XX.XX…
telnet: Unable to connect to remote host: Connection refused
Any idea what I need to fix?
Thanks
Thanks for a nice packaged solution! I hope to use it soon.

November 4, 2006 at 11:33 am #44955
imported_fulvio
Participant
The TCP port 1723 is used by the PPTP VPN protocol, but I had some problems and I removed it from ZeroShell. I will try to support it as soon as possible. At the moment the only supported host-to-LAN VPN is L2TP/IPSec, which is much more secure than the PPTP protocol. Windows XP has a built-in client for L2TP/IPSec and you could use that. The only problem is that you have to generate a host X.509 certificate and install it in the computer account. This certificate with its private key is used to authenticate both IPSec endpoints (client and server). To create the host certificate you could use the ZeroShell Certification Authority. The user is then authenticated with MSChapv2 with the same username and password used on the Kerberos 5 KDC.
Your LAN-to-LAN VPN setup is very interesting. Could you describe it using pdf or html format?
If you want, I will link it from the ZeroShell documentation page.
Bye
Fulvio

November 7, 2006 at 4:23 pm #44956
kenadak
Member
I'll help with the documentation, but I'm no expert.
I'll post a how-to for LAN to LAN VPN the way I have it set up.
How do I create the pre-shared key for L2TP, or is there some other way to get the certificate over to XP? I'd appreciate knowing how to do it.
November 7, 2006 at 11:00 pm #44957
imported_fulvio
Participant
You should not use a pre-shared key to establish an IPSec tunnel, because X.509 authentication is more secure. ZeroShell manages X.509 certificates with its CA. You just have to add your Windows XP client into the Host LDAP database of ZeroShell, and a related certificate with private key will be created automatically. Then you must export it in PKCS#12 format and import it into the computer account of XP. To do that you have to use the mmc console as the administrator user.
Regards
Fulvio

November 8, 2006 at 9:32 pm #44958
danielibarnes
Member
I, too, am working on "HowTo" documents for host-LAN and LAN-LAN VPN networking. For now, I would like to add an important step. I had an issue where the VPN would suddenly stop working during high-speed transfers. I am using Windows XP on a public network to connect to a private network behind Zeroshell:
Windows XP <---> Zeroshell <--> private network
Here are two important registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnablePMTUDiscovery"=dword:00000001
"EnablePMTUBHDetect"=dword:00000001
These settings are discussed at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58752.mspx?mfr=true
and
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58751.mspx?mfr=true
respectively.
Regards,
Daniel Barnes

December 6, 2006 at 9:40 pm #44959
kenadak
Member
I wanted to point out that in the Network section of the forum I posted a mini diagram of what the LAN-LAN VPN looks like.
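As an added example (not part of this thread), a PowerShell script that audits the two TCP/IP registry values Daniel Barnes recommends above and writes them only if they are missing or wrong. The key path and value names are the ones from his post; the function names and the check-then-set logic are mine, and the script assumes it runs in an elevated PowerShell on the Windows client.

```powershell
# Added example: audit and, if needed, apply the two PMTU-related TCP/IP
# parameters from the thread. Must run elevated (registry write under HKLM).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value name => expected DWORD. EnablePMTUDiscovery lets TCP probe the path MTU
# instead of assuming the local link MTU, which an encapsulated L2TP/IPsec path
# cannot carry; EnablePMTUBHDetect makes TCP fall back to smaller segments when
# a "black hole" router drops DF packets without returning ICMP "fragmentation
# needed", which is the symptom of transfers stalling mid-stream.
$Wanted = [ordered]@{
    'EnablePMTUDiscovery' = 1
    'EnablePMTUBHDetect'  = 1
}

function Test-PmtuSettings {
    # Returns $true only when both values exist and match the wanted DWORD.
    $current = Get-ItemProperty -Path $KeyPath
    $ok = $true
    foreach ($name in $Wanted.Keys) {
        $value = $current.$name
        if ($null -eq $value) {
            Write-Host "$name is not set (Windows default applies)"
            $ok = $false
        } elseif ($value -ne $Wanted[$name]) {
            Write-Host "$name = $value, expected $($Wanted[$name])"
            $ok = $false
        } else {
            Write-Host "$name = $value (OK)"
        }
    }
    return $ok
}

function Set-PmtuSettings {
    foreach ($name in $Wanted.Keys) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $KeyPath -Name $name -Value $Wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    Write-Host 'Values written; a reboot is normally needed for Tcpip to reread them.'
}

if (-not (Test-PmtuSettings)) { Set-PmtuSettings }
```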
January 3, 2007 at 11:10 pm #44960
greyman
Member
What ports need to be opened to allow host-to-LAN VPN connections? Also, since I have ppp0 bound to ETH00 for PPPoE, which interface should my rules be set for (ppp0 or ETH00)?
TIA
January 5, 2007 at 8:55 pm #44961
imported_fulvio
Participant
You don't need to permit traffic on TCP or UDP to enable the host-to-LAN VPNs. You just need to allow IPsec clients on ppp0 to be able to communicate with the L2TP server. In other words, you have to add in the INPUT chain a rule with Protocol Matching set to ESP (Encap Security Payload) and the input interface set to ppp0.
Notice that AH (Authentication Header) is not involved in the L2TP/IPSec VPNs.
Regards
Fulvio

January 15, 2007 at 9:37 pm #44962
floaty
Member
It's important to use the certificate import tool from -> Start -> Settings -> System Settings -> Internet Options -> Content -> Certificates.
A direct import of the client certificate will save the certificate in the User certificate store, and a manual copy from there to the Machine certificate store results in an auth error (no certificate found for this computer) from the L2TP client.
Maybe this information can spare you some time … (it could be measured in hours for me 🙄 )