This topic contains 7 replies, has 0 voices, and was last updated by 
-
Posts
-
Thanks for putting up the Forums!
I have a question about VPN.
Here is how I have my test setup:
network 1 Local client 1-> Zeroshell router-> nat box with DMZ set to Zeroshell router
network 2 Local client 2 -> Zeroshell router-> linux firewall with nat enabled… (I have a little less control over this router)
the network 1 router is the Server for the VPN.
Both Zerosell routers have 2 nic’s in them one is set to the internet and NAT’ed and the other is the internal network and bridged to the VPN.
when I try to connect with XP’s VPN client I get error 800
and when I try and telnet to the port I get this:
$ telnet XX.XX.XX.XX 1723
Trying XX.XX.XX.XX…
telnet: Unable to connect to remote host: Connection refusedany idea what I need to fix?
Thanks
thanks for a nice packaged solution! I hope to use it soon.
The tcp port 1723 is used by PPTP VPN protocol but I had some problems and I removed it from ZeroShell. I will try to support it as soon as possible. At moment the only supported VPN host-to-lan is L2TP/IPSec which is much more secure than PPTP protocol. Windows XP has a builtin client for L2TP/IP and you could use that. The only problem is that you have to generate a host X.509 certificate and install it in the computer account. This Certificate with its private key are used to authenticate both IPSec endpoint (client and server). To create the host certificate you could use the ZeroShell Certification Authority. The user is then authenticated with MSChapv2 with the same username and password used on Kerberos 5 KDC.
Your LAN-to-LAN VPN setup is very interesting. Could you describe it using pdf or html format?
If you want I will link it from the ZeroShell documentation page.Bye
FulvioI’ll help with the documentation but I’m no expert.
I’ll post a how-to for Lan to Lan VPN the way I have it set up.
how do I create the Pre-shared key for L2TP or is there some other way to get the certificate over to XP I’d appreciate how to do it.
You should not use preshared key to establish an IPSec tunnel because X.509 authentication is more secure. ZeroShell manages X.509 certificates with its CA. You have just to add your Windows XP Client into Host LDAP database of ZeroShell and automatically a related certificate with private key will be created. Then you must export it in pkcs12 format and import it in the Account Computer of XP. To do it you have to use mmc console using administrator user.
Regards
FulvioI, too, am working on “HowTo” documents for host-LAN and LAN-LAN VPN networking. For now, I would like to add an important step. I had an issue where the VPN would suddenly stop working during high-speed transfers. I am using Windows XP on a public network to connect to a private network behind Zeroshell:
Windows XP < ---> Zeroshell < --> private network
Here are two important registry entries:
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters]
“EnablePMTUDiscovery”=dword:00000001
“EnablePMTUBHDetect”=dword:00000001These settings are discussed at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58752.mspx?mfr=trueand
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58751.mspx?mfr=truerespectively.
Regards,
Daniel BarnesI wanted to point out that in the Network section of the forum I posted a mini diagram of what the LAN-LAN VPN looks like.
What ports are needed to be opened to allow host-to-lan VPN connections. Also since I have ppp0 bound to ETH00 for PPPoE what interface should my rules be set for. (ppp0 or ETH00).
TIA
You don’t need to permit traffic on TCP or UDP to enable the host-to-LAN VPNs. You just need to allow IPsec clients on ppp0 to be able to comunicate with the L2TP server. In other words, you have to add in the INPUT Chain a rule with Protocol Matching set to ESP (Encap Security Payload) and input interface set to ppp0.
Notice that AH (Authentication Header) is not involved in the L2TP/IPSec VPNs.Regards
Fulvioits important to use the certificate-import tool from ->start ->settings ->systemsettings ->internetoptions ->content ->certificates
direct import of the client-certificate will save the certificate in User-Certificate-Store and a manual copy from there to the Machine-Certificate-Store results in an auth-error (no certificate found for this computer) of the l2tp-client
maybe you can spare some time with this information … (could be measured in hours for me 🙄 )
You must be logged in to reply to this topic.