[vpn] microsoft vpn and network address translation

Ryan Malayter rmalayter at bai.org
Tue Feb 19 14:20:36 EST 2002


When you say "turn on sharing"... You mean internet connection sharing,
right? If so, any box on the ICS network should support outbound PPTP
connections. See Microsoft KnowledgeBase article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q310563.

Now, if you want the ICS host to route packets from all machines over the
VPN connection, that's a bit different. I think you need to set up ICS to
share the PPTP connection, not standard internet connection. I'm not sure if
this can be done in XP.

You can make sure you're using PPTP by checking out the connection
properties box. Set the VPN server type to PPTP, not "Automatic".

The way I would set up your network: 
1) buy an inexpensive NAT/firewall box, like the NETGEAR FR314 Cable/DSL
Firewall Router for about $175
2) set up the firewall/router to do NAT, and act as a DHCP server
3) plug all home network machines into the firewall/router
4) Set up PPTP VPN connections independently on each client machine. You
won't have to deal with ICS at all.

HTH,
	-ryan-

-----Original Message-----
From: Paul Fletcher [mailto:Paul.Fletcher at newcastle.ac.uk] 
Sent: Monday, February 18, 2002 5:59 PM
To: vpn at securityfocus.com
Subject: FW: [vpn] microsoft vpn and network address translation


Thanks for input on this: but I'm still stuck.
I am trying to get the ICS host to connect over vpn.  That is the box 
with the connection to the outside world, which I want to share. It is very
clear where the problem is; I connect very quickly on the vpn if I disable
sharing, as soon as I enable it the vpn connection is dropped.

I seem to be using PPTP.  If I look at the network traffic, when I start
sharing the machine starts listening on ports in the 3000+ range, these seem
to be different each time I do it, as well as on 2234.  I don't have much
understanding of this stuff, sorry.

Do I need the server to be listening on other ports than it currently is?
Any ideas what else I can look at to identify the problem?

Or is this just a non-starter?

Paul

> -----Original Message-----
> From: Ryan Malayter [mailto:rmalayter at bai.org]
> Sent: 13 February 2002 06:00 PM
> To: 'Paul Fletcher'
> Subject: RE: [vpn] microsoft vpn and network address translation
> 
> 
> L2TP/IPsec does not work over NATed networks, due to choices
> made during its design. The only way you can get around this 
> with your setup is to fall back to Microsoft's PPTP protocol, 
> which is less secure but works over NAT.
> 
> Of course, ICS is not really that flexible or powerful as a
> NAT device, and you might not even be able to make PPTP work 
> over it. In which case, you'll need to redesign things, using 
> a hardware NAT device/firewall.
> 
> 
> -----Original Message-----
> From: Paul Fletcher [mailto:Paul.Fletcher at newcastle.ac.uk]
> Sent: Tuesday, February 12, 2002 4:46 PM
> To: vpn at securityfocus.com
> Subject: [vpn] microsoft vpn and network address translation
> 
> 
> Hello vpn experts
> 
> I wish to connect to a microsoft vpn server from a home
> lan using windows xp internet connection sharing.  I don't
> know the details of the vpn set up except that it is MS win 
> 2k 'out of the box'.  It works fine until I switch on 
> internet connection sharing, at which point I can't 
> authenticate. I guess this is because of network address 
> translation although I don't quite understand why it does not 
> work on the ICS host machine, as well as not working on the 
> ICS clients.
> 
> Is there a solution?  Any experience of this?  Even a better
> understanding of why it is impossible would help !
> 
> Thanks
> 
> Paul
> 
> VPN is sponsored by SecurityFocus.com
> 

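Paul asks what else he can look at to identify the problem, and Ryan's earlier reply explains that L2TP/IPsec breaks behind NAT while PPTP survives it. The script below is an added example for this thread, not code from either poster: it takes flow summaries of the kind you would read off a packet capture on the ICS host, names each flow as a PPTP or L2TP/IPsec channel, and says whether a plain NAT (one without a protocol helper) can translate it. The line format, the sample addresses and the function names are assumptions of the example; the port and protocol numbers are the IANA-assigned ones.

```python
"""Added example: tell PPTP from L2TP/IPsec in a flow summary and flag what a plain NAT cannot carry."""
import re
from typing import Dict, List, Optional, Set, Tuple

# IANA-assigned ports for the two VPN types discussed in the thread.
PPTP_CONTROL_PORT = 1723   # TCP: PPTP control connection
IKE_PORT = 500             # UDP: IKE negotiation that precedes L2TP/IPsec
# GRE (IP protocol 47) carries PPTP data; ESP (IP protocol 50) carries IPsec data.
# Neither has port numbers, which is what makes them awkward for NAT.

# Constructed flow summaries, "PROTO src[:port] -> dst[:port]"; not a real capture.
SAMPLE_FLOWS = [
    "TCP 192.168.0.2:1045 -> 203.0.113.5:1723",   # PPTP control from an ICS client
    "GRE 192.168.0.2 -> 203.0.113.5",             # PPTP data (PPP inside GRE)
    "UDP 192.168.0.3:500 -> 203.0.113.5:500",     # IKE from a second client
    "ESP 192.168.0.3 -> 203.0.113.5",             # IPsec data carrying L2TP
    "TCP 192.168.0.2:3021 -> 198.51.100.9:80",    # ordinary web traffic
]

FLOW_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)$")

Flow = Dict[str, object]
Verdict = Tuple[str, str, str]   # (label, nat_status, reason)


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.2:1723' -> ('10.0.0.2', 1723); a bare address gets port None."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_flow(line: str) -> Flow:
    """Parse one summary line into its protocol and endpoints."""
    match = FLOW_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unrecognised flow line: {line!r}")
    src, sport = _split_endpoint(match.group("src"))
    dst, dport = _split_endpoint(match.group("dst"))
    return {"proto": match.group("proto"), "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def classify_flow(flow: Flow) -> Verdict:
    """Name the VPN channel and say whether a plain NAT (no protocol helper) can carry it."""
    proto, dport = flow["proto"], flow["dport"]
    if proto == "TCP" and dport == PPTP_CONTROL_PORT:
        return ("PPTP control", "ok", "ordinary TCP, any NAT translates it")
    if proto == "GRE":
        return ("PPTP data (GRE)", "helper",
                "GRE has no ports; the NAT needs a PPTP helper that tracks call IDs")
    if proto == "UDP" and dport == IKE_PORT:
        return ("IKE (L2TP/IPsec setup)", "ok", "UDP/500 translates like any UDP flow")
    if proto == "ESP":
        return ("IPsec ESP (L2TP/IPsec data)", "fails",
                "ESP has no ports and the inner UDP checksum covers the pre-NAT address")
    return ("not VPN", "n/a", "")


def detect_vpn_types(lines: List[str]) -> Set[str]:
    """Which VPN protocol(s) are actually on the wire."""
    found: Set[str] = set()
    for line in lines:
        label, _, _ = classify_flow(parse_flow(line))
        if label.startswith("PPTP"):
            found.add("PPTP")
        elif label.startswith(("IKE", "IPsec")):
            found.add("L2TP/IPsec")
    return found


def nat_problems(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flows a plain NAT cannot translate on its own: (line, label, reason)."""
    problems = []
    for line in lines:
        label, status, reason = classify_flow(parse_flow(line))
        if status in ("helper", "fails"):
            problems.append((line, label, reason))
    return problems


if __name__ == "__main__":
    print("VPN types seen:", ", ".join(sorted(detect_vpn_types(SAMPLE_FLOWS))) or "none")
    for line, label, reason in nat_problems(SAMPLE_FLOWS):
        print(f"{line}\n    {label}: {reason}")
```

Run against a real capture summary, the interesting output is the `nat_problems` list: a GRE flow means the ICS host must be doing PPTP passthrough for the data channel, and an ESP flow means the client is negotiating L2TP/IPsec, which a 2002-era ICS box cannot translate at all, so the "Automatic" server type should be pinned to PPTP as Ryan suggests.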