
helpmeeh

join:2013-01-14

PPTP VPN Actiontec MI424WR Port Forwarding Help Me

I have a domain in the Los Angeles office and am trying to join the San Francisco office to the Los Angeles domain by using a VPN.

On the Server 2008 R2 I added the role remote access and routing and added the user and set everything up.

Now I just need to learn how to port forward properly because locally I can connect to the VPN (Los Angeles office) but I cannot connect to the VPN in the San Francisco office. I need to learn how to port forward. I'm new to this port forwarding. What is GRE, and what is all this stuff on the Actiontec MI424WR router? Can anyone teach me step by step? Thanks so much.


More Fiber
Premium,MVM
join:2005-09-26
West Chester, PA
kudos:31
»Verizon Online FiOS FAQ »Port Forwarding Instructions for the FiOS MI424 Router

GRE = Generic Routing Encapsulation
--
There are 10 kinds of people in the world; those who understand binary and those who don't.

McBane

join:2008-08-22
Plano, TX
reply to helpmeeh
While I doubt we can explain every feature on this router in an online forum, for PPTP clients it should just work with default settings, unless you are trying to set up a PPTP server at your local location behind NAT.

Which location are you at, San Francisco or Los Angeles?

Why use PPTP when
1) it's already compromised and no longer secure and
2) L2TP/IPSec on the routers/firewalls would be a much better and clean option for joining your LANs/domains than piping everything through your domain controllers with GRE

GRE is not encrypted so I doubt you'd want to use that.

helpmeeh

join:2013-01-14
Hi guys, thanks for the reply. I'm at the Los Angeles office. Let me tell you what I'm trying to do. I'm trying to join the domains to use e-mail and file sharing. What do you recommend, sir?

McBane

join:2008-08-22
Plano, TX
Never mind, I guess the Actiontecs don't support L2TP/IPSec... So yeah, you're stuck tunneling directly between the servers unless you buy another decent firewall to replace the Actiontec.

You need to find out what ports your Windows Server 2008 is using to serve VPN/Remote access and port forward those with the instructions More Fiber posted above.

This would all be MUCH easier and cleaner using a device that supports L2TP/IPSec at each end though since that will essentially join both location LANs together as if they were on the same network.

helpmeeh

join:2013-01-14
I saw a picture in a different forum that has L2TP/IPSec
Does this mean it will work or it won't?

McBane

join:2008-08-22
Plano, TX
In your case L2TP/IPSec would not work unless you bought another firewall to replace your Actiontec.

helpmeeh

join:2013-01-14
Type this in Google:
actiontec mi424wr L2TP/IPSec
And click the second forum link. It has a picture about L2TP/IPSec. Doesn't that mean I can do it?

McBane

join:2008-08-22
Plano, TX
Yeah it says Passthrough only, it doesn't say it actually supports it.

I have one myself and I see no place in the GUI to configure L2TP/IPsec

helpmeeh

join:2013-01-14
Oh so I need to buy a new fios router? So what is passthrough exactly. I know I can look it up but you can probably give a better example. So this modem is a no-go right? No VPN capabilities it can't do what I want it to do right? Thanks for helping me by the way.

McBane

join:2008-08-22
Plano, TX
You can kind of hack it into working by using port forwarding and using the Windows Servers as the tunneling endpoints. What passthrough means is it's configured to recognize those specific types of VPN and pass them through with no extra configuration.

I won't lie, what you're trying to do took me years to figure out completely. Most network engineers I also deal with don't get VPNs fully and completely. Maybe 25% of them do, and helping you do a full setup is not something I'm going to be able to guide you through doing over a forum, and especially not for free.

It really requires someone who is good with VPNs having access to one or both locations, or having someone good at VPNs at each location to work together to configure.

helpmeeh

join:2013-01-14
So the ultimate answer is, this Actiontec needs to be replaced, right?

McBane

join:2008-08-22
Plano, TX

Not necessarily. As stated previously, you can use VPN on the servers themselves and just port forward on the Actiontecs.

It would be a much easier and cleaner and MUCH less complex setup, though, if you replaced the Actiontec with some device that supports L2TP/IPSec at each location you want to join.

helpmeeh

join:2013-01-14
reply to McBane
Doesn't the picture in this forum mean you can do L2TP/IPSec? I just don't know how to do it.

»forums.verizon.com/t5/FiOS-Inter···p/239526

helpmeeh

join:2013-01-14
reply to McBane
Can I buy a VPN switch and plug that into the Actiontec router? Or will that complicate things even more?

McBane

join:2008-08-22
Plano, TX
I've never heard of a VPN switch, so I'm not sure what you're referring to. The term itself is kind of an oxymoron in network speak.

helpmeeh

join:2013-01-14
A switch with VPN, like a Netgear. You know what I mean.

McBane

join:2008-08-22
Plano, TX
If by that you mean a firewall/router that supports L2TP/IPSec, yes, but it's not going to work very well behind the Actiontec since they both serve the same purpose, and yes, using both of them together would be totally redundant and unnecessarily complicate things, but it can be done if that's what you're trying to achieve.

helpmeeh

join:2013-01-14
I appreciate your help.

rlstarry
Premium
join:2002-05-22
California
helpmeeh,
You can use the Actiontec to forward your L2TP/IPSec VPN to a remote Windows server running the VPN. It took me a bit to get it working but now I have no issues. In the Actiontec router go to the Advanced page, then click on port forwarding rules near the bottom of the page. Here is where you can add the "advanced" forwarding rules like GRE and IPSec. I added a rule for L2TP for UDP any -> 1701 and IPSec UDP 500->500 ESP and AH.

If you're using a Windows machine you'll need to add a key to the registry since Microsoft doesn't think you should be connecting to an L2TP VPN through a NAT.

Here's how to do that:
In the Start menu search box, type "regedit" and press ENTER
You will be prompted to allow Administrator rights, click Yes.
Locate and click the registry subkey named HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
On the Edit menu, point to New, and click DWORD Value
In the New Value #1 box, type "AssumeUDPEncapsulationContextOnSendRule" (this is case-sensitive and contains no spaces), and press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and select Modify.
In the Value data box, type "2" and click OK
You'll probably need to reboot.

I'm using a preshared key on the Windows 2008 server so I didn't have to worry about installing certificates.

Hope that offers some help to you.
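
The registry steps in rlstarry's post above, scripted in PowerShell as an added example (not part of the original post). It assumes an elevated prompt on the Windows machine being changed; the function names are hypothetical.

```powershell
# Added example, not from the original post.
# Key path, value name and data are the ones given in the steps above.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$desired   = 2

function Test-IsAdmin {
    # Explicit check so the script also works on older PowerShell versions.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NatTPolicy {
    # Returns the current data, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$valueName }
    return $null
}

function Set-NatTPolicy {
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated prompt.' }
    if (-not (Test-Path $keyPath)) { throw "Key not found: $keyPath" }

    $current = Get-NatTPolicy
    if ($current -eq $desired) {
        Write-Output "$valueName is already $desired; nothing changed."
        return
    }
    if ($null -ne $current) {
        # Keep a record of the old data so the change can be rolled back.
        Write-Output "Previous value was $current."
    }

    # -Force overwrites an existing value and guarantees the DWORD type.
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType DWord -Value $desired -Force | Out-Null

    # Read back to confirm the write before reporting success.
    if ((Get-NatTPolicy) -ne $desired) { throw 'Write did not take effect.' }
    Write-Output "$valueName set to $desired. A reboot is probably needed."
}

Set-NatTPolicy
```

Running it a second time makes no change and reports the existing value, so it can also be used to audit whether a machine already carries this setting.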