Topic: Problems with setting up a VPN

[phxtech]

I am trying to set up a VPN for an office that is behind an SME server that acts as the Gateway for the building (building has multiple offices from different companies). I had heard that you can not have a vpn server insided of a network that has an sme server as the gateway. Is this true? If so then is there a work around? If not then how to I set up port forwarding for the outside clients to vpn into the vpn server?

[janet]

phxtech

http://wiki.contribs.org/VPN_practical_tips

[phxtech]

Does "You cannot establish a VPN passthrough connection through an SME server to a local machine due to problems with the sme server supporting the passthrough of protocol 47 (GRE)." mean that I cannot run a vpn server behind the sme server?

If so then I can use the SME server as a vpn server and map a share (ibay) to the server that the user needs to connect to?

I am not familiar with linux based servers at all... sorry for all the questions.

[phxtech]

Here is the network set up.

WAN > Cisco 2620 > SME server (is not setup for DHCP) / Linksys DHCP router > Private office w/ Linksys DHCP Server > WinXP VPN server.

The setup is strange but this is how it was setup. This is a building that has many different offices for rent so they are all on the same network under the SME server (it is mainly acting as a Gateway) but have their own private setups inside the office space.

Do I have to port forward on the cisco to the sme to the linksys in the office to the VPN server? Even to get RDP to work I would have to port forward on all these devices? Can anyone help guide me through this?

[zatnikatel]

well the SME server would have to be doing what the cisco router does then you could use SME VPN how is the cisco router setup
does the SME server have a public IpAddress
with any VPN server it needs to be at the front of the network it would be messy to setup a VPN server on a internal network
the way you have explained it if the SME server is the gateway the cisco router must be in bridge mode is this correct what type of link is in the building ADSL ATM ISDN etc
even if the SME server was not in the network is would still be messy to port forward though 3 router way to much problems
but if the SME server has a public IpAddress then you should be able to use it as a VPN server

[phxtech]

The SME server has an internal ip address. The Cisco has the WAN ip of say 206.25.26.3 and then the SME server has on it's external NIC 192.168.31.1 and it's internal nic 192.168.41.1. Then they have a seperate DHCP router (linksys) and then a switch going to the offices. In the office I am working on he has a Linksys router and then his WinXP VPN server.

[mercyh]

Whew, Your network is confusing

If so then I can use the SME server as a vpn server and map a share (ibay) to the server that the user needs to connect to?

If i understand correctly all you are trying to achieve is allow the user in the private office to access a share on the SME. If this is correct all we have to worry about is the part of the network pictured below:

SME internal NIC
V
V
V
INTO WAN PORT
Router 1 (Public DHCP Server)
LAN PORTS
V
V
>>>>>>>Other Private offices
V
INTO WAN PORT
Router 2 (Private office DHCP SERVER)
LAN PORTS
V
V
YOUR USER WINXP

Does it work to add your user's IP address range to the SME's Local networks without a VPN? Can you directly PING the SME's ip address without any special settings from the WINXP?

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Local_networks

If you are trying to VPN to a remote site (outside of the building). I would suggest simplifying the network if at all possible. It looks like the Cisco is routing as the SME's external IP is in the private network range.  You could either set the Cisco in Bridge mode and let SME have the Public address or DMZ the SME. Another option would be to build the VPN on the Cisco but that will open it to all offices.

[mercyh]

You cannot establish a VPN passthrough connection through an SME server to a local machine due to problems with the sme server supporting the passthrough of protocol 47 (GRE)

This is also a problem with some Linksys routers

[phxtech]

I was confused about ibays.. the share he needs to connect to is on a linux server inside his office. He wants to be able to vpn to his office from home etc. So he would go to the cisco router first > then the sme server> then the DHCP router > then the router in his office > and finally to his box in his office..  I know it is a mess and I don't have any right to reconfigure the network beyond software configurations..   If I can't get vpn to work for him I have thought about Remote Desktop but I would still have to do port forwarding.

[janet]

phxtech

Does "You cannot establish a VPN passthrough connection through an SME server to a local machine... mean that I cannot run a vpn server behind the sme server?

Yes

[zatnikatel]

mercyh is correct
putting the cisco router in to bridge mode then the sme server would have a public IP or putting the the SME in to a DMZ would also work
linksys routers have a gre setting in them but it is grayed out i know i have one i use DMZ with my SME box and it works well
SME server is the best i have used it since 4. something never been hacked 

[phxtech]

Thanks for all your help. I am just going to set him up with logmein pro. Think he will like that better and it uses port 80.