catcons
21st November 2003, 09:38 PM
Hi,
Just in case anyone else is battling with VPN, here's some of what I've learned. Am still researching and experimenting step by step so will add to this thread as the picture builds.
If your client is a Windows 98 (or even 95!) system then use Dial-Up Networking 1.4 rather than the version that comes with the OS. You can check whether this has been installed already by looking in Add/Remove Programs. If it has not been installed then go to Microsoft Knowledge Base Article 285189 (http://support.microsoft.com/support/kb/articles/q285/1/89.asp) for info and download.
VPN requires an IP connection. That does not have to be through the Internet. I have successfully opened a VPN connection from W98 (plain and SE) clients into a WXPP VPN server on the same network, 10.208.229.0. If you're having trouble and are not sure whether the ADSL router is to blame, it's nice to be able to remove it from the test this way.
There are a lot of different implementations of VPN server. They differ in their protocol and port usage. The best summary I found was this BlackICE FAQ entry (https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=bXSGZWYg&p_lva=&p_faqid=1064&p_created=1023077841&p_sp=cF9zcmNoPTEmcF9ncmlkc29ydD0mcF9yb3dfY250PTQmc F9zZWFyY2hfdGV4dD12cG4mcF9zZWFyY2hfdHlwZT0zJnBfcHJ vZF9sdmwxPTMzJnBfcHJvZF9sdmwyPX5hbnl_JnBfY2F0X2x2b DE9fmFueX4mcF9zb3J0X2J5PWRmbHQmcF9wYWdlPTE*&p_li=) but it gives clues rather than the whole story unless you are familiar with BlackICE protection levels and firewall.ini files.
Diagnostic tools on WXPP:
Security Event Log
Remote Access Service (RAS) tracing. Start with command "netsh ras set tracing * enable". Logs in %SystemRoot%\WINDOWS\tracing. Stop with command "netsh ras set tracing * disable"
Command ipconfig /all
Command route print
Packet sniffing tools
VPN can be implemented using PPTP or L2TP and IPSec. This has a big impact on protocol and port usage.
PPTP normally uses only TCP port 1723 and IP protocol 47. Because IP 47 is not well-exercised and hence not always available some VPN clients and servers can use UDP port 47 instead of IP protocol 47.
L2TP and IPSec based VPN implementations are more secure than PPTP based ones. They assure that the data has not been changed in transit and that it really does come from the source. It's a lot more complex to set up, requiring a certificate infrastructure. Horses for courses. For this type of implementation the protocol and port usage (possibly specific to the Microsoft implementation) is UDP port 500 for Internet Key Exchange, UDP port 1701 for IPSec, and IP protocol 50 for IPSec Encapsulating Security Protocol (ESP).
More later ...
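The post's main practical point is that each VPN flavour needs a specific set of IP protocols and ports to pass through the router or firewall, and that a missing one (typically IP protocol 47 for PPTP, or ESP/IP protocol 50 for L2TP/IPSec) is the usual reason a tunnel fails after the initial TCP or UDP handshake succeeds. The following script is an added example and is not code from the post; it takes the protocol and port numbers exactly as the post lists them, and the rule and packet formats it reads are assumptions made for this illustration (the sample rules and sniffed packets are constructed, not from a real capture). It answers two troubleshooting questions: which requirements a given set of allow-rules fails to cover, and which VPN flavour a sniffed packet belongs to.

```python
"""Added example (not from the original post): check a router/firewall
rule set against the protocol and port needs of PPTP and L2TP/IPSec
VPNs, and classify sniffed packets by VPN flavour.

Rule and packet formats are assumptions for this illustration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers (IANA assigned values)
TCP, UDP, GRE, ESP = 6, 17, 47, 50

PROTO_NAMES = {TCP: "TCP", UDP: "UDP", GRE: "IP protocol 47 (GRE)", ESP: "IP protocol 50 (ESP)"}

# Requirements as (ip_protocol, port) pairs; port is None for protocols
# that have no port concept (GRE and ESP). Values as stated in the post.
VPN_REQUIREMENTS = {
    "PPTP": [(TCP, 1723), (GRE, None)],
    "L2TP/IPSec": [(UDP, 500), (UDP, 1701), (ESP, None)],
}


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule: a protocol, and optionally a single port.
    port=None means the rule admits the whole protocol (assumed format)."""
    protocol: int
    port: Optional[int] = None


def rule_admits(rule: Rule, proto: int, port: Optional[int]) -> bool:
    """True if this rule lets the given (protocol, port) through."""
    if rule.protocol != proto:
        return False
    return rule.port is None or rule.port == port


def missing_for(vpn: str, rules: List[Rule]) -> List[Tuple[int, Optional[int]]]:
    """Return the requirements of `vpn` that no rule in `rules` admits."""
    return [
        req for req in VPN_REQUIREMENTS[vpn]
        if not any(rule_admits(r, *req) for r in rules)
    ]


def describe(req: Tuple[int, Optional[int]]) -> str:
    """Human-readable name for a (protocol, port) requirement."""
    proto, port = req
    name = PROTO_NAMES.get(proto, f"IP protocol {proto}")
    return f"{name} port {port}" if port is not None else name


def diagnose(rules: List[Rule]) -> dict:
    """Map each VPN flavour to the list of requirements the rules block."""
    return {vpn: missing_for(vpn, rules) for vpn in VPN_REQUIREMENTS}


def classify_packet(proto: int, dst_port: Optional[int]) -> Optional[str]:
    """Name the VPN flavour a sniffed packet belongs to, or None if it is
    not one of the flows listed in the post. Useful with a packet sniffer
    to see how far a failing connection attempt actually gets."""
    for vpn, reqs in VPN_REQUIREMENTS.items():
        if (proto, dst_port) in reqs:
            return vpn
    return None


if __name__ == "__main__":
    # Constructed rule set: the router forwards TCP 1723 but nobody
    # remembered GRE, the classic PPTP half-configuration.
    router_rules = [Rule(TCP, 1723), Rule(UDP, 500)]
    for vpn, missing in diagnose(router_rules).items():
        if missing:
            print(f"{vpn}: blocked, missing " + ", ".join(describe(m) for m in missing))
        else:
            print(f"{vpn}: all required protocols/ports admitted")

    # Constructed sniffer output as (ip_protocol, dst_port) tuples
    captured = [(TCP, 1723), (GRE, None), (UDP, 500), (UDP, 53)]
    for proto, port in captured:
        print(describe((proto, port)), "->", classify_packet(proto, port) or "not VPN")
```

With the constructed rule set above, `diagnose` reports PPTP as missing IP protocol 47 and L2TP/IPSec as missing UDP 1701 and ESP, which is exactly the pattern to look for when the client connects and then hangs: the control channel got through but the tunnel carrier did not.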