#1
Hi

We have an employee that is trying to connect to our office server via a VPN connection from home across their NTL cable broadband connection.

The VPN connection works when the cable modem is plugged directly into the back of the laptop (including access to a shared drive on the server) however he has several PCs at home and wishes to share the broadband connection with them all.

We have tried both a Linksys and Netgear router and have set up port forwarding on them both. The connection almost works - it connects to the server - however when a router is placed between the cable modem and the laptop the VPN connection doesn't work properly as the server cannot be accessed.

I have tried changing the MTU so that it matches the router at our office but that didn't work either.

Does anyone have any suggestions what could be causing the problem?

Many thanks
Graham

Graham Waller

#2
Hello Graham,

Perhaps with port forwarding you are complicating matters.

I just connected a Linksys WRT54GS to my NTL modem and have 4 PCs and 3 wireless devices all accessing the internet via NTL without difficulty, and one of the PCs connected to a work VPN extensively.

David

#3
<(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> Hello Graham,
>
> Perhaps with port forwarding you are complicating matters.
>
> I just connected a Linksys WRT54GS to my NTL modem and have 4 PCs and
> 3 wireless devices all accessing the internet via NTL without
> difficulty, and one of the PCs connected to a work VPN extensively.
>
> David
>

I'm on NTL and have a firewalled router at home and do not have any port forwarding set up on it and I can use Cisco VPN software to connect to my work with no problems.

Simon

#4
"Graham Waller" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi
>
> We have an employee that is trying to connect to our office server via a
> VPN connection from home across their NTL cable broadband connection.
>
> The VPN connection works when the cable modem is plugged directly into the
> back of the laptop (including access to a shared drive on the server)
> however he has several PCs at home and wishes to share the broadband
> connection with them all.
>
> We have tried both a Linksys and Netgear router and have set up port
> forwarding on them both. The connection almost works - it connects to the
> server - however when a router is placed between the cable modem and the
> laptop the VPN connection doesn't work properly as the server cannot be
> accessed.
>
> I have tried changing the MTU so that it matches the router at our office
> but that didn't work either.
>
> Does anyone have any suggestions what could be causing the problem?
>
> Many thanks
> Graham

I work at Barclays where we have VPN, one of our second line support agents talked at length with NTL who say they do not support VPN at all. We were informed that it was more than likely that you wouldn't get VPN to work with Cable.

#5
On Mon, 16 Oct 2006 16:07:43 +0100, "Graham Waller" <(E-Mail Removed)> wrote:
>Hi
>
>We have an employee that is trying to connect to our office server via a VPN
>connection from home across their NTL cable broadband connection.
>
>The VPN connection works when the cable modem is plugged directly into the
>back of the laptop (including access to a shared drive on the server)
>however he has several PCs at home and wishes to share the broadband
>connection with them all.
>
>We have tried both a Linksys and Netgear router and have set up port
>forwarding on them both. The connection almost works - it connects to the
>server - however when a router is placed between the cable modem and the
>laptop the VPN connection doesn't work properly as the server cannot be
>accessed.
>
>I have tried changing the MTU so that it matches the router at our office
>but that didn't work either.
>
>Does anyone have any suggestions what could be causing the problem?

....try using an encapsulation mode on the client:
http://www.practicallynetworked.com/...t/VPN_help.htm

#6
"Graham Waller" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi
>
> We have an employee that is trying to connect to our office server via a
> VPN connection from home across their NTL cable broadband connection.
>
> The VPN connection works when the cable modem is plugged directly into the
> back of the laptop (including access to a shared drive on the server)
> however he has several PCs at home and wishes to share the broadband
> connection with them all.
>
> We have tried both a Linksys and Netgear router and have set up port
> forwarding on them both. The connection almost works - it connects to the
> server - however when a router is placed between the cable modem and the
> laptop the VPN connection doesn't work properly as the server cannot be
> accessed.
>
> I have tried changing the MTU so that it matches the router at our office
> but that didn't work either.
>
> Does anyone have any suggestions what could be causing the problem?

When the cable modem is plugged into the laptop, the laptop takes the IP address issued to it by the cable supplier. You say the VPN works, so the cable company is doing nothing to prevent VPN traffic.

When you connect the router to the cable modem, the external port on the router acquires its IP address from the cable supplier. The PCs now acquire their IP addresses from the router. The router passes traffic from the internal network to the external network - that is what the name "router" implies. By virtue of NAT (Network Address Translation) packets entering the router from a local PC are translated and sent to the cable modem - and they appear at this point to come from the external IP address of the router - the router is pretending to be a single computer. These outgoing packets travel to their destination on the internet, and the replies are sent back to the external port of the router. Now the router matches the returned packets with the outgoing ones and translates them, then sends them to the PC that made the original request.

This is how the router achieves security - incoming packets are discarded unless they are replies solicited by outgoing packets.

A PC which runs a VPN client should behave correctly when connected to the router. As far as the router is concerned, it simply translates these packets. There is absolutely no need for any port forwarding.

The purpose of port forwarding is to allow unsolicited packets from the internet to enter your local network. This is inherently unsafe so you do it only if you add the necessary security, and understand what you are doing. Domestically, you might consider port forwarding for a webcam so you can watch the house while away.

So, remove all port forwarding. Prove that users on the local PCs can browse websites successfully, then try the VPN.

It's possible I have misunderstood your question. If you in the office require to initiate the VPN connection to the user at home, perhaps to manage the PC for him; then you will require a different configuration. If this is the case, please ask.

--
Graham (not the same Graham, obviously!)

#7
Thanks everyone for your help on this. You're right about the port forwarding - it wasn't necessary.

I'm not sure about the encapsulation though - we are using a PPTP connection from Windows XP to Windows Server 2003 and there doesn't seem to be any setting for that (unless I am missing something).

Regards
Graham

"Graham" <(E-Mail Removed)> wrote in message news:eh0uov$ktr$1$(E-Mail Removed)...
>
> "Graham Waller" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi
>>
>> We have an employee that is trying to connect to our office server via a
>> VPN connection from home across their NTL cable broadband connection.
>>
>> The VPN connection works when the cable modem is plugged directly into
>> the back of the laptop (including access to a shared drive on the server)
>> however he has several PCs at home and wishes to share the broadband
>> connection with them all.
>>
>> We have tried both a Linksys and Netgear router and have set up port
>> forwarding on them both. The connection almost works - it connects to
>> the server - however when a router is placed between the cable modem and
>> the laptop the VPN connection doesn't work properly as the server cannot
>> be accessed.
>>
>> I have tried changing the MTU so that it matches the router at our office
>> but that didn't work either.
>>
>> Does anyone have any suggestions what could be causing the problem?
>
> When the cable modem is plugged into the laptop, the laptop takes the IP
> address issued to it by the cable supplier. You say the VPN works, so the
> cable company is doing nothing to prevent VPN traffic.
>
> When you connect the router to the cable modem, the external port on the
> router acquires its IP address from the cable supplier. The PCs now
> acquire their IP addresses from the router. The router passes traffic
> from the internal network to the external network - that is what the name
> "router" implies. By virtue of NAT (Network Address Translation) packets
> entering the router from a local PC are translated and sent to the cable
> modem - and they appear at this point to come from the external IP address
> of the router - the router is pretending to be a single computer. These
> outgoing packets travel to their destination on the internet, and the
> replies are sent back to the external port of the router. Now the router
> matches the returned packets with the outgoing ones and translates them,
> then sends them to the PC that made the original request.
>
> This is how the router achieves security - incoming packets are discarded
> unless they are replies solicited by outgoing packets.
>
> A PC which runs a VPN client should behave correctly when connected to the
> router. As far as the router is concerned, it simply translates these
> packets. There is absolutely no need for any port forwarding.
>
> The purpose of port forwarding is to allow unsolicited packets from the
> internet to enter your local network. This is inherently unsafe so you do
> it only if you add the necessary security, and understand what you are
> doing. Domestically, you might consider port forwarding for a webcam so
> you can watch the house while away.
>
> So, remove all port forwarding. Prove that users on the local PCs can
> browse websites successfully, then try the VPN.
>
> It's possible I have misunderstood your question. If you in the office
> require to initiate the VPN connection to the user at home, perhaps to
> manage the PC for him; then you will require a different configuration.
> If this is the case, please ask.
>
> --
> Graham (not the same Graham, obviously!)

#8
"Graham Waller" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Thanks everyone for your help on this. You're right about the port
> forwarding - it wasn't necessary.
>
> I'm not sure about the encapsulation though - we are using a PPTP
> connection from Windows XP to Windows Server 2003 and there doesn't seem
> to be any setting for that (unless I am missing something).

I use PPTP through a Vigor router to connect to a VPN managed by another Vigor router at the server site. This allows me to connect to anything on the server site. Typically I connect to Server2003 or SBS2003. Note that the VPN is not managed by the server, it is managed by the router at the server site.

I have used the M$ PPTP client to connect in this way via a variety of routers and it's never been a problem. I'm not specifically aware of having used Linksys or Netgear.

Encapsulation may be a problem because the protocol uses a dynamically assigned port - however:
http://www.microsoft.com/technet/com...uy/cg0103.mspx
includes:

"The use of a separate mechanism for PPTP data encapsulation has an interesting side effect for network address translators (NATs). For more information about NATs, see Windows 2000 Network Address Translator (NAT) (the March 2001 Cable Guy article). Most NATs can translate TCP-based traffic for PPTP tunnel maintenance. However, PPTP data packets with the GRE header are not typically translated without using either a static address mapping or a PPTP NAT editor."

In practice this means that the router understands the VPN protocol and looks at the outgoing packet with the dynamic port number defined in it, then opens that port for incoming traffic. FTP is another protocol that uses dynamic ports, and routers seem to handle this OK.

Some very old (10 years plus) routers certainly do not understand common protocols. So it's worth checking that the router specification says that it carries VPN traffic.

At one time some ISPs did not carry VPN traffic on "home" services, because they regarded VPN as a business requirement - but your experience suggests that is not your problem.

Another issue may be the configuration of the VPN service on your Windows Server 2003 - it may know that it should only accept traffic from the IP address of the PC which was directly connected to the cable modem. When the router is present, the start point IP address of the PPTP client will be the IP address of the PC on the LAN managed by the router, so you may need to edit your VPN settings accordingly.

My recommendation would be to use routers to manage the VPN. The user then does not have to know anything about invoking the VPN client before using the connection - it is all done in the router. Several computers at the "home" location can share the VPN. Further, you can configure the routers to bring up the VPN from either end, so you could manage the "home" router itself from the office - and help the user via VNC, as necessary.

--
Graham

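An added illustration, not written by any poster in this thread: a simplified Python model of the Microsoft passage quoted in the post above, showing a NAT that tracks the PPTP control connection (TCP 1723) by port but has no port to key GRE data packets on unless a PPTP NAT editor records the Call ID. The class, addresses, ports and Call ID values are all constructed assumptions, and a real editor also rewrites Call IDs, which this model omits.

```python
TCP, GRE = 6, 47              # IP protocol numbers: PPTP control is TCP/1723, data is GRE
WAN_IP = "203.0.113.10"       # constructed addresses from documentation ranges
LAPTOP, SERVER = "192.168.1.20", "198.51.100.5"

class Nat:
    def __init__(self, pptp_editor=False):
        self.pptp_editor = pptp_editor
        self.tcp_out = {}     # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.tcp_in = {}      # (wan_port, remote_ip, remote_port) -> lan_ip
        self.gre_in = {}      # (remote_ip, call_id) -> lan_ip, filled by the editor
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate a LAN packet and record state so solicited replies can return."""
        if pkt["proto"] != TCP:
            return {**pkt, "src": WAN_IP}          # GRE: no port field to key on
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in self.tcp_out:
            self.tcp_out[flow] = self.next_port
            self.tcp_in[(self.next_port, pkt["dst"], pkt["dport"])] = pkt["src"]
            self.next_port += 1
        # The editor reads the client's Call ID from the PPTP control channel.
        if self.pptp_editor and pkt["dport"] == 1723 and "call_id" in pkt:
            self.gre_in[(pkt["dst"], pkt["call_id"])] = pkt["src"]
        return {**pkt, "src": WAN_IP, "sport": self.tcp_out[flow]}

    def inbound(self, pkt):
        """Return the LAN host a WAN packet is delivered to, or None if dropped."""
        if pkt["proto"] == TCP:
            return self.tcp_in.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if pkt["proto"] == GRE:
            return self.gre_in.get((pkt["src"], pkt["call_id"]))
        return None

def pptp_session(nat):
    """Run one control exchange and one data exchange; return (control_ok, data_ok)."""
    ctl = nat.outbound({"proto": TCP, "src": LAPTOP, "sport": 1055,
                        "dst": SERVER, "dport": 1723, "call_id": 7})
    control_ok = nat.inbound({"proto": TCP, "src": SERVER, "sport": 1723,
                              "dst": WAN_IP, "dport": ctl["sport"]}) == LAPTOP
    # Client-to-server GRE carries the server's Call ID (99 here, constructed).
    nat.outbound({"proto": GRE, "src": LAPTOP, "dst": SERVER, "call_id": 99})
    # Server-to-client GRE carries the client's Call ID (7), the editor's key.
    data_ok = nat.inbound({"proto": GRE, "src": SERVER, "dst": WAN_IP,
                           "call_id": 7}) == LAPTOP
    return control_ok, data_ok

if __name__ == "__main__":
    print(pptp_session(Nat()), pptp_session(Nat(pptp_editor=True)))
```

In this model the plain NAT lets the control connection complete while dropping the returning data packets, and the editor-enabled NAT passes both.
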
#9
On Mon, 16 Oct 2006 19:57:51 +0100, in uk.telecom.broadband, "Atropos" <(E-Mail Removed)> wrote:
>I work at Barclays where we have VPN, one of our second line support agents
>talked at length with NTL who say they do not support VPN at all. We were
>informed that it was more than likely that you wouldn't get VPN to work with
>Cable.

While ntl don't offer any support for it, that's not to say their network won't carry the traffic. I work for a different bank and we run both VPN and secure remote desktop happily over most of the UK's ISPs including ntl.

--
Mark McIntyre

#10
On Mon, 16 Oct 2006 16:07:43 +0100, in uk.telecom.broadband, "Graham Waller" <(E-Mail Removed)> wrote:
>We have tried both a Linksys and Netgear router and have set up port
>forwarding on them both.

It's not so much forwarding as opening ports. Your company tech services should be able to tell you which ones exactly. I had to open 500 and 2746 UDP.

>I have tried changing the MTU so that it matches the router at our office
>but that didn't work either.

That's not a factor.

--
Mark McIntyre