Koozali.org: home of the SME Server

VPN+router

afranc

VPN+router
« on: September 21, 2005, 11:34:55 PM »
Hi
I'm stuck configuring my router to access the e-smith server via VPN.

My configuration is
Server E-smith : 192.168.0.100 (internal)
USR9003 (ADSL router): 192.168.1.1 (internal)
USR9003 (ADSL router): reserved public ip (external)
USR9003 (ADSL router): connection using RFC1483 routed, NAT on, DHCP off

In order to configure the server and the client I followed the instructions provided by Randall Perry (http://domain-logic.com/support/secure_tunnel.htm).

For the USR9003, on http://www.homepagez.com/usr9003/pptp.htm I found a possible configuration, but it doesn't work, maybe because my DSL connection is RFC1483 routed (the proposed configuration is for PPPoE) or because I couldn't turn on DHCP as requested in the WAN setup chapter.

So I tried again with the router following the tech-geeks instructions (http://www.tech-geeks.org/geeklog/article.php?story=20040223114208788&query=vpn), but it doesn't work.

I'm new to e-smith / router problems. Could someone help me?

Where am I going wrong?

thanks in advance

RobRoye

VPN+router
« Reply #1 on: September 22, 2005, 07:55:46 AM »
Problem: Your server is not on the same internal subnet as your router. The router is on the 192.168.0.x subnet and the server is on 192.168.1.x - this does not work. You need them to be on the same subnet to communicate.

A VPN passthrough router is only really for accessing someone else's VPN from the router's internal network. It's not meant for accessing a VPN server from the internet. An easy fix is to put the server on the DMZ, which directs all inbound traffic to the server. A better fix is basically to use the server as intended and make it the gateway itself. It would actually replace the router. Setting this up is quite easy and requires two network cards, but can easily be done. If the USR router is used for wireless access to the network, that can also continue, but the router would go into AP mode and only be connected via the LAN port to the internal network. I have a USR router that I use as an access point for my home network in this manner.

afranc

VPN+router
« Reply #2 on: September 22, 2005, 02:35:08 PM »
RobRoye,
thanks for your help. I understood part of my problem:
The NAT configuration of the router was pointing at the internal LAN card (192.168.0.100); in fact my e-smith server has 2 cards, the second one connected to the router (192.168.1.2). After replacing the IP in the NAT config, I have now taken a step ahead! Thanks

Launching the VPN connection from the client, I saw the verification of user name and password, but then error 619 "The specified port is not connected". Where is the problem?

Could it be the router firewall? Its configuration is:
Precedence  Interface  Direction  Src IP Addr/Netmask  Dest IP Addr/Netmask   Src Port  Dest Port  Protocol  Tcp Flags  FW Action
10000       atm1       Any        0.0.0.0/32           0.0.0.0/32             0         80         TCP       None       Allow
30001       atm1       In         0.0.0.0/32           external public ip/32  0         0          ICMP      None       Allow
30000       eth1       In         192.168.1.0/24       0.0.0.0/32             0         0          ANY       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             0         67         UDP       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             520       520        UDP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         1723       TCP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         0          GRE       None       Allow

The 5000 entries are related to the VPN port.

Thanks a lot in advance!

RobRoye

VPN+router
« Reply #3 on: September 22, 2005, 08:48:37 PM »
What works best is to place the VPN server on the DMZ. This will ensure that any needed port is available for that server. There are so many ports and protocols used for a VPN that this is the easiest way by far. With SME Server it is also pretty safe, as it is designed to be exposed like that.

afranc

VPN+router
« Reply #4 on: September 23, 2005, 09:04:01 AM »
OK, how could I do that: "place the VPN server on the DMZ"?
I really don't know how to configure the router and the SME server to work as a DMZ.

Could you give me some hints?

Thanks

RobRoye

VPN+router
« Reply #5 on: September 24, 2005, 07:03:04 AM »
A US Robotics router has a tab for Access along the top, and then a button (under the big graphic) that says DMZ. Set that address to the IP of your SME and make sure to click the Enabled option. Click Apply and after a reset (which it does automatically) you're all set.

afranc

VPN+router
« Reply #6 on: September 25, 2005, 03:14:01 PM »
My router USR9003 doesn't have the DMZ option where you said; maybe the configuration is under another command.
Could you please tell me the right steps and path to configure the DMZ on the router?
Thanks a lot

micropitt

VPN+router
« Reply #7 on: September 25, 2005, 04:53:41 PM »
...

micropitt

VPN+router
« Reply #8 on: September 25, 2005, 05:03:57 PM »
The USR9003 has ALG (Advanced Level Gateway) which will open certain known ports as needed (pptp and ipsec as example) by itself.
The USR9003 does not have a DMZ.
...

rmarshall

VPN+router
« Reply #9 on: September 25, 2005, 09:51:29 PM »
Can you give a little more info please? How is your server set up: server/gateway or server only? What VPN are you using, PPTP on the server or OpenVPN? Have you created a static route in the router for the 0.100 subnet?

afranc

VPN+router
« Reply #10 on: September 26, 2005, 12:40:20 PM »
rmarshall,
here is more detailed info about the configuration of the SME server:

Server Mode   servergateway
Local IP address / subnet mask   192.168.0.100/255.255.255.0
External IP address / subnet mask   192.168.1.2/255.255.255.0 (connected to router)
Gateway   192.168.1.1 (that is the router)
Additional local networks   192.168.0.0/255.255.255.0
DHCP server   enabled
DNS server   192.168.0.100

I'm using PPTP VPN on the server, set up as described by Randall Perry (http://domain-logic.com/support/secure_tunnel.htm).

The router configuration is:
Precedence  Interface  Direction  Src IP Addr/Netmask  Dest IP Addr/Netmask   Src Port  Dest Port  Protocol  Tcp Flags  FW Action
10000       atm1       Any        0.0.0.0/32           0.0.0.0/32             0         80         TCP       None       Allow
30001       atm1       In         0.0.0.0/32           external public ip/32  0         0          ICMP      None       Allow
30000       eth1       In         192.168.1.0/24       0.0.0.0/32             0         0          ANY       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             0         67         UDP       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             520       520        UDP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         1723       TCP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         0          GRE       None       Allow

The 5000 entries are related to the VPN port.
I also configured a NAT policy in order to connect the external public IP to the SME server on 192.168.1.2.

...

thanks in advance

rmarshall

VPN+router
« Reply #11 on: September 26, 2005, 02:11:03 PM »
As I see it you should only have to forward the VPN ports (47 and 1723) from the router (192.168.1.1) to the server (192.168.1.2) and your VPN should work. Routing beyond the server should then be simple and a function of the server and not your router.
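
A way to split the problem in two, added here as an example and not part of anyone's post in this thread: PPTP uses a TCP control connection on port 1723 plus a GRE data channel (GRE is IP protocol 47, a protocol number rather than a TCP or UDP port, so a router has to pass the protocol, not forward a port). The script below opens the control connection, sends a Start-Control-Connection-Request (SCCRQ) as laid out in RFC 2637 and decodes the Start-Control-Connection-Reply (SCCRP). If a reply comes back, TCP 1723 is being forwarded to the SME server and an error 619 that follows points at the GRE path instead; if the connection is refused or times out, the 1723 forward itself is not working. The default target 192.168.1.2 is the server's router-side address from this thread; the hostname and vendor strings, and the sample reply produced by build_sccrp(), are constructed for the example.

```python
"""PPTP control-channel probe (RFC 2637), added as an example.

Sends one SCCRQ to tcp/1723 and decodes the SCCRP so you can tell a
broken TCP 1723 forward apart from a blocked GRE data channel.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D          # fixed value in every PPTP control message
PPTP_CONTROL_MESSAGE = 1           # PPTP Message Type: control message
SCCRQ = 1                          # Start-Control-Connection-Request
SCCRP = 2                          # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100          # PPTP 1.0
FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2

# SCCRQ: len, msgtype, magic, ctrltype, reserved0, version, reserved1,
#        framing, bearer, max channels, firmware rev, hostname, vendor
SCCRQ_FMT = struct.Struct("!HHIHHHHIIHH64s64s")
# SCCRP: same, except reserved1 becomes result code + error code (1 byte each)
SCCRP_FMT = struct.Struct("!HHIHHHBBIIHH64s64s")
assert SCCRQ_FMT.size == SCCRP_FMT.size == 156

SCCRP_RESULTS = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester is not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname=b"pptp-probe", vendor=b"constructed-probe"):
    """Encode a Start-Control-Connection-Request (RFC 2637 section 2.1)."""
    return SCCRQ_FMT.pack(
        SCCRQ_FMT.size, PPTP_CONTROL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
        PROTOCOL_VERSION, 0,
        FRAMING_ASYNC | FRAMING_SYNC, BEARER_ANALOG | BEARER_DIGITAL,
        0, 0, hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def build_sccrp(result_code=1, error_code=0, hostname=b"sme", vendor=b"pptpd"):
    """Encode an SCCRP. Only used to construct a sample server answer for
    offline testing; a real server produces this message, not the client."""
    return SCCRP_FMT.pack(
        SCCRP_FMT.size, PPTP_CONTROL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
        PROTOCOL_VERSION, result_code, error_code,
        FRAMING_SYNC, BEARER_DIGITAL, 0, 0,
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not a PPTP reply
    (e.g. the forward landed on a web server that answered with HTTP)."""
    if len(data) < SCCRP_FMT.size:
        raise ValueError(f"short read: {len(data)} bytes, expected {SCCRP_FMT.size}")
    (length, msg_type, magic, ctrl_type, _reserved, version, result, error,
     framing, bearer, _max_channels, _firmware,
     hostname, vendor) = SCCRP_FMT.unpack(data[:SCCRP_FMT.size])
    if magic != MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{magic:08x}: peer is not speaking PPTP")
    if msg_type != PPTP_CONTROL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError(f"unexpected message type {msg_type}/{ctrl_type}")
    return {
        "length": length,
        "version": version,
        "result_code": result,
        "result": SCCRP_RESULTS.get(result, "unknown"),
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "hostname": hostname.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection, send one SCCRQ and classify the outcome.

    'stage' is one of:
      tcp_unreachable  - nothing is forwarding tcp/1723 to the PPTP server
      no_sccrp         - tcp/1723 is open but the peer did not answer as PPTP
      control_refused  - SCCRP received with a non-success result code
      control_ok       - control channel works; a later error 619 then
                         points at the GRE (IP protocol 47) data channel
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_sccrq())
            data = b""
            while len(data) < SCCRP_FMT.size:
                chunk = s.recv(SCCRP_FMT.size - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"stage": "tcp_unreachable", "detail": str(exc)}
    try:
        reply = parse_sccrp(data)
    except ValueError as exc:
        return {"stage": "no_sccrp", "detail": str(exc)}
    stage = "control_ok" if reply["result_code"] == 1 else "control_refused"
    return {"stage": stage, **reply}


if __name__ == "__main__":
    import sys
    # Default is the server's router-side address from the thread; from the
    # internet you would give the router's public IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.2"
    print(probe_pptp(target))
```

Run it from outside the router (the VPN client's side of the internet, against the public IP) rather than from the 192.168.1.x network, otherwise it only proves the server is listening. The probe can only exercise the TCP half of PPTP; there is no way to test GRE over a plain TCP socket, which is exactly why a clean SCCRP followed by error 619 is such a strong hint that the router is not passing protocol 47.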

afranc

VPN+router
« Reply #12 on: September 26, 2005, 02:41:50 PM »
Maybe the routing setup of the router could be enough to configure the VPN?

In fact I could configure:
Destination Network ID:   192.168.1.2 (SME server side of router)
Destination Subnet Mask:   255.255.255.0
Next Hop IP 82.90.11.40

And delete the other entries:

Network ID          Subnet Mask      Next Hop IP
0.0.0.0             0.0.0.0          external public ip
external public ip  255.255.255.0    external public ip
192.168.1.0         255.255.255.0    192.168.1.1

What do you think?

rmarshall

VPN+router
« Reply #13 on: September 26, 2005, 03:32:27 PM »
I looked over the config on the homepagez link and, other than the WAN setup, the NAT and pass-through setups look correct. That should allow you to connect out via PPTP to a server. You should also set up port forwarding on the router to pass the ports directly from outside in to the server.

afranc

VPN+router
« Reply #14 on: September 28, 2005, 12:25:44 PM »
Hi,
the config on homepagez doesn't work!

Launching the VPN connection from the client, I saw the verification of user name and password, but then error 619 "The specified port is not connected".

What is wrong?

Help