VPN 'end point'

Hi all,

Along the same lines as my other recent post re a weird VPN thing
which may or may not be to do with a Vigor 2800 I was wondering if it
was to do with the VPN 'end point'.

So, a mate is trying to establish a 'connection' to the shares on a
remote PC.

He creates a M$ XPPro VPN connection from one machine, out though a
Netgear router, over the INet into a Draytek Vigor 2800 and to the
remote PC. There seems to be the incoming end VPN bit configured on
the remote PC.

The above was working for ages with a D-Link router at the remote end
and similarly with an iffy Belkin before the Vigor arrived.

If you configure the Vigor to accept incoming VPN clients (username
and password) I can connect from home and 'see' the shares. If I don't
configure the VPN thing I can't complete the connection (but feel I
should be able to .. the remote PC being the real 'end point') ?

I have forwarded (and opened?) TCP port 1723 as it was with the other
routers. I understand with the Vigor we may also have to set other
stuff elsewhere?

With no info set in the router you can dial, connect it starts to
authenticate and (currently) comes back with a "Can't connect with
that username and password' (even though I can log in locally with
same and they show in the allowed users box in the incoming VPB bit).

It's all very confusing ... ;-(

All the best ..

T i m

p.s. It currently fails with an error 734 but I've checked all the
suggestions and they are all ok? It all seems to revolve around this
new Draytek router ...

On 05/08/2007 10:49, T i m wrote:

> I have forwarded (and opened?) TCP port 1723 as it was with the other
> routers. I understand with the Vigor we may also have to set other
> stuff elsewhere?

Assuming your VPN is PPTP you need TCP port 1723 and GRE protocol (i.e.
protocol 47, not TCP or UDP port 47)

If you were using IPSEC VPN you'd need UDP port 500 and ESP and AH
protocols (i.e. protocols 50 and 51, not TCP or UDP port numbers 50 and 51)

On Sun, 05 Aug 2007 11:02:43 +0100, Andy Burns
<(E-Mail Removed)> wrote:

>On 05/08/2007 10:49, T i m wrote:
>
>> I have forwarded (and opened?) TCP port 1723 as it was with the other
>> routers. I understand with the Vigor we may also have to set other
>> stuff elsewhere?
>
>Assuming your VPN is PPTP you need TCP port 1723 and GRE protocol (i.e.
>protocol 47, not TCP or UDP port 47)

Ah, I saw that mentioned somewhere Andy but when I went to set / check
it I couldn't see it? Do you know the Vigor and if so where would I
find / set it please?

All the best ..

T i m

In message <(E-Mail Removed)>, T i m
<(E-Mail Removed)> writes
>Hi all,
>
>Along the same lines as my other recent post re a weird VPN thing
>which may or may not be to do with a Vigor 2800 I was wondering if it
>was to do with the VPN 'end point'.
>
>So, a mate is trying to establish a 'connection' to the shares on a
>remote PC.
>
>He creates a M$ XPPro VPN connection from one machine, out though a
>Netgear router, over the INet into a Draytek Vigor 2800 and to the
>remote PC. There seems to be the incoming end VPN bit configured on
>the remote PC.
>
>The above was working for ages with a D-Link router at the remote end
>and similarly with an iffy Belkin before the Vigor arrived.
>
>If you configure the Vigor to accept incoming VPN clients (username
>and password) I can connect from home and 'see' the shares. If I don't
>configure the VPN thing I can't complete the connection (but feel I
>should be able to .. the remote PC being the real 'end point') ?
>
>I have forwarded (and opened?) TCP port 1723 as it was with the other
>routers. I understand with the Vigor we may also have to set other
>stuff elsewhere?
>
>With no info set in the router you can dial, connect it starts to
>authenticate and (currently) comes back with a "Can't connect with
>that username and password' (even though I can log in locally with
>same and they show in the allowed users box in the incoming VPB bit).
>
>It's all very confusing ... ;-(
>
>All the best ..
>
>T i m
>
>p.s. It currently fails with an error 734 but I've checked all the
>suggestions and they are all ok? It all seems to revolve around this
>new Draytek router ...
>
10 secs on google found this
http://www.draytek.co.uk/support/kb_...ssthrough.html
If you cannot understand it get a pro in.
--
Devs
"Punchdown Pete the old Kroner"

On 05/08/2007 11:28, T i m wrote:

> Ah, I saw that mentioned somewhere Andy but when I went to set / check
> it I couldn't see it? Do you know the Vigor

Sorry, the only thing I know about Vigor is they have a good reputation,
I use openwrt.org

On Sun, 05 Aug 2007 11:48:16 +0100, Andy Burns
<(E-Mail Removed)> wrote:

>On 05/08/2007 11:28, T i m wrote:
>
>> Ah, I saw that mentioned somewhere Andy but when I went to set / check
>> it I couldn't see it? Do you know the Vigor
>
>Sorry, the only thing I know about Vigor is they have a good reputation,
>I use openwrt.org

Thanks anyway Andy.

I think I'm getting closer and it was after a further look based on
your thoughts I 'found' that the Vigor tries to 'process' VPN PPP
traffic itself by default (hence my thoughts re 'end points' etc).

I turned off all the extra support and it now seems I can connect to
the actual machine rather than to the router ;-)

Now I just need to find out why I 'now' (I could before) see the
shares .. ;-(

All the best ..

T i m

On Sun, 5 Aug 2007 11:38:27 +0100, Devs <(E-Mail Removed)>
wrote:


>>p.s. It currently fails with an error 734 but I've checked all the
>>suggestions and they are all ok? It all seems to revolve around this
>>new Draytek router ...
>>
>10 secs on google found this

What was your search criteria Devs? If it included 'passthrough' there
would be the assumption that I would know of that term (as my 30 mins
gogling hadn't found anything directly useful).

>http://www.draytek.co.uk/support/kb_...ssthrough.html

Yep, and as I've just replied to Andy the 'Remote Access Control
setup' boxes I had just noticed were set on by default, I unset them
and am now making progress (I felt there was something 'special /
different' about what the Vigor was doing over say a basic D-Link /
Belkin router but couldn't put my finger on it. Especially as I had
got PCAW / CCTV side working ok).

The rest of the fields might actually be screen shots from our router
as I had already set it.

>If you cannot understand it get a pro in.

I (he) might still need to if I can't get back to seeing the shares ..
like I *was* doing yesterday .... <sigh>.

All the best ..

T i m

In message <(E-Mail Removed)>, T i m
<(E-Mail Removed)> writes
>On Sun, 5 Aug 2007 11:38:27 +0100, Devs <(E-Mail Removed)>
>wrote:
>
>
>>>p.s. It currently fails with an error 734 but I've checked all the
>>>suggestions and they are all ok? It all seems to revolve around this
>>>new Draytek router ...
>>>
>>10 secs on google found this
>
>What was your search criteria Devs? If it included 'passthrough' there
>would be the assumption that I would know of that term (as my 30 mins
>gogling hadn't found anything directly useful).

Indeed it was "passthrough" but surely a search for vpn and router would
reveal this term? It's how I found out how to do in when I was in your
situation way back when! :O)
>
>>http://www.draytek.co.uk/support/kb_...ssthrough.html
>
>Yep, and as I've just replied to Andy the 'Remote Access Control
>setup' boxes I had just noticed were set on by default, I unset them
>and am now making progress (I felt there was something 'special /
>different' about what the Vigor was doing over say a basic D-Link /
>Belkin router but couldn't put my finger on it. Especially as I had
>got PCAW / CCTV side working ok).
>
>The rest of the fields might actually be screen shots from our router
>as I had already set it.

Good good.

>
>>If you cannot understand it get a pro in.
>
>I (he) might still need to if I can't get back to seeing the shares ..
>like I *was* doing yesterday .... <sigh>.
>
I presume you are networking using the IP no rather than comp names? E.g
go to run and type \\192.168.0.5\ and hopefully the shares should show
up.
--
Devs
"Punchdown Pete the old Kroner"

On Sun, 5 Aug 2007 13:54:39 +0100, Devs <(E-Mail Removed)>
wrote:

>In message <(E-Mail Removed)>, T i m
><(E-Mail Removed)> writes
>>On Sun, 5 Aug 2007 11:38:27 +0100, Devs <(E-Mail Removed)>
>>wrote:
>>
>>
>>>>p.s. It currently fails with an error 734 but I've checked all the
>>>>suggestions and they are all ok? It all seems to revolve around this
>>>>new Draytek router ...
>>>>
>>>10 secs on google found this
>>
>>What was your search criteria Devs? If it included 'passthrough' there
>>would be the assumption that I would know of that term (as my 30 mins
>>gogling hadn't found anything directly useful).
>
>Indeed it was "passthrough" but surely a search for vpn and router would
>reveal this term? It's how I found out how to do in when I was in your
>situation way back when! :O)

Maybe you are quicker than me .. I'm just an old hardware engineer
trying his best ... <weg> "My legs are grey, my ears are nulled, my
eyes are old, and bent" ...
>>
>>>http://www.draytek.co.uk/support/kb_...ssthrough.html
>>
>>Yep, and as I've just replied to Andy the 'Remote Access Control
>>setup' boxes I had just noticed were set on by default, I unset them
>>and am now making progress (I felt there was something 'special /
>>different' about what the Vigor was doing over say a basic D-Link /
>>Belkin router but couldn't put my finger on it. Especially as I had
>>got PCAW / CCTV side working ok).
>>
>
>The rest of the fields might actually be screen shots from our router
>>as I had already set it.
>
>Good good.

Hey, I have my moments! ;-)
>>
>>>If you cannot understand it get a pro in.
>>
>>I (he) might still need to if I can't get back to seeing the shares ..
>>like I *was* doing yesterday .... <sigh>.
>>
>I presume you are networking using the IP no rather than comp names? E.g
>go to run and type \\192.168.0.5\ and hopefully the shares should show
>up.

Ah, well, it would appear that once I had removed the VPN support from
the Draytek and was actually talking to the remote PC I was actually
there. Just that a couple of things were stopping me seeing what I
should .. namely pinging 192.168.1.11 (ip of remote box) came back
with nothing as did \\192.168.1.11 because it appears it's actually on
10.10.10.1 (as assigned by the remote i/c vpn thingy (that I didn't
set up)) ?

Browsing the remote share was also possible, once I had put the 10
network in as a trusted zone in my ZA... (so wasn't an issue from my
mates HQ as I have just tested) ;-)

What I think threw me (further) was when the Draytek was dealing with
the VPN itself the dial-in component was allocating the 192.168.1.20
address so I could browse it ok (as I'd previously set that in my FW).

Oh well, we live and learn (and at my age only to forget it all again
tomorrow) and thanks to the prompts here (and elsewhere) we can stand
the 'Pro' down for another day. ;-)

All the best ..

T i m

(E-Mail Removed) declared for all the world to hear...
> If you configure the Vigor to accept incoming VPN clients (username
> and password) I can connect from home and 'see' the shares. If I don't
> configure the VPN thing I can't complete the connection (but feel I
> should be able to .. the remote PC being the real 'end point') ?

If you want the PC being the vigor to be the endpoint then you will need
to forward the correct ports for VPN to the LAN IP of the PC concerned.

> p.s. It currently fails with an error 734 but I've checked all the
> suggestions and they are all ok? It all seems to revolve around this
> new Draytek router ...

The Draytek range have LAN > LAN functionality, can you make use of this
to effectively create a permanent VPN from B and C back to A, and
therefore have them all on the same subnet?
--
Regards
Jon