JayC
just joined
Topic Author
Posts: 6
Joined: Sat Jun 21, 2008 5:36 pm

Dude and multiple VPN

Wed Dec 09, 2009 2:52 pm

I am starting a new project, and anticipate some problems with getting multiple VPNs set up on my server.

What I want to do is put dude (& PRTG - Possibly another package as well) on my Windows 2003 server.

I then want to be able to poll multiple remote networks, each on a separate VPN gateway.

I also want to provide remote access to the Dude (and other packages) through a public IP on the server.

I have a single DSL link to the internet running over a DSL.

Running a single VPN on my workstation screws up my internet connectivity on the workstation, so multiple VPNs are going to screw things up even more.

I would not mind putting in more NIC cards on the server, ideally a multiple port NIC card. Equally I would not mind putting a routerboard between the server and my DSL gateway.

I have several spare public IP's and can get more if that is going to be required.

At this point I am experimenting with the Dude on single VPN connections, but as soon as I have that worked out I will need to try to get into production with at least 3 VPNs as well as password restricted access to the server over a single public IP.

Not looking for someone to wave a magick wand and make all my problems go away, however I would appreciate it very much if someone could give me some guidance on the general approach I should take (Multiple NIC's ? External Router? some magick box that is intended to provide connectivity to multiple remote locations using PPTP? A service of some kind or other)

I am really clueless about how to tackle this issue.

Thanks in advance

jayc@vegas-wireless.com
 
lebowski
Forum Guru
Posts: 1619
Joined: Wed Aug 27, 2008 5:17 pm

Re: Dude and multiple VPN

Wed Dec 09, 2009 6:57 pm

On your VPN adapter, in the TCP/IP settings under Advanced, remove the check box for "default gateway". This will stop the VPN connection from breaking your internet connection.

Next you will want to create your own routing setup and use a batch job to connect the VPN.

Here is a batch job that looks for "MY VPN" and updates the routing table; you use this batch job to connect "MY VPN":
:start batch
@Echo Off
: Dials "MY VPN" connection and adds static route.
: Check to see if we're already connected by searching RASPHONE output for "MY VPN"
: FINDSTR sets ErrorLevel=1 if the string isn't found which means we must connect.
: Display routing table and put MY VPN default route into a temp file.
: Then use the FOR /F command to read the temp file and create the new route.
: Modify the addresses to match your environment.
: This batch job finds the route to address 172.31.0.0 which came from connecting VPN.
: Then it adds a single route for 192.168.0.0/16 to go out the 172.31.x.x connection.

RASDial | FindStr /i "MY VPN" > nul 2>&1
If ErrorLevel 1 RASPhone -d "MY VPN"
Route Print | FindStr "172.31.0.0" > $VPN$.txt
For /f "tokens=3" %%i in ($VPN$.txt) do Route Add 192.168.0.0 Mask 255.255.0.0 %%i metric 1
: If needed, comment out the delete and examine $VPN$.txt to see which token is being picked up.
Del $VPN$.txt
: Uncomment Route Print to examine the routing table.
:Route Print
: Uncomment pause to see what happened.
:pause

: NETWORK DRIVE MAPPINGS
Net use G: \\computer\stuff
:end batch
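
The batch job above generalized to several VPNs at once, as an added example that is not part of the thread: it parses `route print` output, emits one `route add` per tunnel, and flags a tunnel that still holds a default route (the "default gateway" check box), a tunnel that is not connected, and remote LANs that overlap. The sample output, the tunnel networks and the LAN prefixes are constructed assumptions.

```python
import ipaddress

# Constructed sample of `route print` rows after dialing two VPNs.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
          0.0.0.0          0.0.0.0      172.30.0.10     172.30.0.10       1
       172.31.0.0      255.255.0.0      172.31.0.10     172.31.0.10       1
       172.30.0.0      255.255.0.0      172.30.0.10     172.30.0.10       1
"""

def parse_routes(text):
    """Return (network, gateway) pairs from the IPv4 rows of `route print`."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header or other non-route line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            gw = ipaddress.ip_address(f[2])
        except ValueError:
            continue  # e.g. "On-link" gateways on newer Windows
        routes.append((net, gw))
    return routes

def plan_routes(text, vpns):
    """vpns maps tunnel network -> remote LAN reached through that tunnel."""
    routes = parse_routes(text)
    commands, problems = [], []
    lans = [ipaddress.ip_network(v) for v in vpns.values()]
    for i, a in enumerate(lans):
        for b in lans[i + 1:]:
            if a.overlaps(b):  # two sites cannot share one destination prefix
                problems.append(f"remote LANs {a} and {b} overlap")
    for tunnel, lan in vpns.items():
        tunnel, lan = ipaddress.ip_network(tunnel), ipaddress.ip_network(lan)
        gw = next((g for n, g in routes if n == tunnel), None)
        if gw is None:
            problems.append(f"{tunnel}: VPN not connected")
            continue
        # A 0.0.0.0/0 route via the tunnel means all traffic leaves via the VPN.
        if any(n.prefixlen == 0 and g in tunnel for n, g in routes):
            problems.append(f"{tunnel}: VPN holds a default route")
        commands.append(
            f"route add {lan.network_address} mask {lan.netmask} {gw} metric 1")
    return commands, problems
```
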
 
JayC
just joined
Topic Author
Posts: 6
Joined: Sat Jun 21, 2008 5:36 pm

Re: Dude and multiple VPN

Thu Dec 10, 2009 3:23 pm

Thanks for the reply, but I am really clueless so I need to ask a couple of questions.

From your reference to the VPN adapter, it sounds like I need to at least add new NIC cards for each VPN I want to connect to.

Is this something that I do on the 2003 server ? It kinda sounds like that from your reference to the RASDial command in the batch file.

I am attempting to connect to remote RB493AH that are set up for PPTP, I don't have much control over their settings because of existing access by others.

This pretty much says that I have to establish a client connection from my server to the individual RB's.

In going over the MS documentation the focus is on setting up the server to accept in bound connections.

Overall (at present) my goal is to run dude against three remote networks connecting to them using PPTP. Once dude is working I may be adding both PRTG and PRIZM to the server.

Once this is working I will be granting remote access to dude clients over the internet pipe.

It may be that using the 2003 Server is a bad choice, I can put up a XP workstation with the same hardware if that is going to be a better choice.

I can also put up a routerboard and let the server connect via that, if that is a better choice.

At this point I am simply looking for some advice as to the best way to proceed.

Thanks in advance

JayR
 
lebowski
Forum Guru
Posts: 1619
Joined: Wed Aug 27, 2008 5:17 pm

Re: Dude and multiple VPN

Mon Dec 14, 2009 5:00 pm

You will not need a new network card for each VPN, but you will want 2 cards (one for inside and one for outside) if the 2k3 server is going to run "routing and remote access" to serve up the VPN connections. I was thinking you were going to originate the connections from your 2k3 server where it would be the client; only use the rasdial script for that. What's the best or easiest I don't know; it depends how much you know RB or 2k3.

You can setup RAS on a 2k3 server and then RB clients(pptp) should be able to connect to it but I would get it working between an XP Client and a 2k3 server first. If you have done a VPN with a RB then I would go that way.

If you have never created a VPN server and then connected clients to it you have got some reading to do... and ask more questions as you start to figure it out. I could offer up some steps to setup RAS on 2k3 if that would help.
 
lebowski
Forum Guru
Posts: 1619
Joined: Wed Aug 27, 2008 5:17 pm

Re: Dude and multiple VPN

Mon Dec 14, 2009 5:07 pm

"Running a single VPN on my workstation screws up my internet connectivity on the workstation, so multiple VPN's are going to screw things up even more."

The script in my first post is meant to solve this problem. That is only if your workstation is a Microsoft built in VPN client, which I assumed...
 
JayC
just joined
Topic Author
Posts: 6
Joined: Sat Jun 21, 2008 5:36 pm

Re: Dude and multiple VPN

Tue Dec 15, 2009 5:59 pm

Ok, am always amazed to find out just how much I don't know about this stuff.

I am still struggling with getting RRAS installed on my server, main problem so far is that in order to install it I have to first kill my IP connection from the workstation to the server, meaning I had to run out and get a new monitor, keyboard and mouse so I can talk to the server during the process.

Just for the S&G I ran RASDial from the command prompt on the workstation (Vista) as well as ROUTE and to my surprise they are installed on the workstation already.

More surprising is the discovery that they are also installed on the server, does this mean that I don't need to install RRAS on the server? Or should I go ahead and do that anyways ?

jayr
 
lebowski
Forum Guru
Posts: 1619
Joined: Wed Aug 27, 2008 5:17 pm

Re: Dude and multiple VPN

Wed Dec 16, 2009 12:54 am

It just depends on how you installed the server; it might be already installed. Click on start, all programs, administrative tools, routing and remote access... It will be there if it is already installed.
 
JayC
just joined
Topic Author
Posts: 6
Joined: Sat Jun 21, 2008 5:36 pm

Re: Dude and multiple VPN

Wed Dec 16, 2009 2:28 pm

Checked and it is running as an automatic service.

Something I should mention, when I first set up this server it could not find the on-board NIC port on the mother board. Because I was fighting a different customer facing issue at the time I simply installed a PCI NIC card and moved on.

When I was attempting to set up a VPN before the system seemed to want to connect to the on-board NIC port for the service.

While I was out buying the stuff for a wired connection to the server I tossed a new NIC card into the shopping basket as well.

At this point in time do I need to fall back and try to get the on board port working again, or should I simply install the new NIC card and attempt to get the VPN connection working on it.

Noted in passing that the route print command on the vista workstation gave me some really interesting and strange stuff to look at.

Thanks for your pointers, apologize if this is starting to look like leading a newbie by the hand. I am beginning to regret walking away from Linux about ten years ago, seemed to be a good idea at the time.

jayr
 
lebowski
Forum Guru
Posts: 1619
Joined: Wed Aug 27, 2008 5:17 pm

Re: Dude and multiple VPN

Wed Dec 16, 2009 7:24 pm

No problem, it took me a few days to configure VPN on 2k3, so put your patience cap on and read the Microsoft RAS setup.
I'd say look in device manager and see if the driver is installed for the onboard NIC; if not, try to get the driver installed.

Do you have a firewall or are you going to make 2k3 a firewall as well?

I don't know your network so it would be easiest to just take a basic stab at what a good setup would be.

One network card will be connected to the internet and one network card will be connected to your inside network.
It would be best if you had a more complex setup with a DMZ/Firewall. So your server would not be exposed directly to the internet.

Internet - firewall - dmz nat translate - VPN network - 2k3 server - inside network.

I don't have enough time to do a step by step today though so...