VPN and Network Browsing Problem


MikeS

MikeS,

I tried downloading the user manual for the D-Link DFL-200 from D-Link's site, and did not find it. You'll have to make sure PPTP is enabled to use the Microsoft Client. (IPSec may be an option, but I don't know offhand how to configure it.)

I'm using XP Pro, so your steps may be a little different. If so, please post.

To set your Windows XP Client up, go to Start, All Programs, Accessories, Communications, New Connection Wizard.

post-1455-1104846564_thumb.jpg

Click Next, and under Network Connection Type, click the radio button next to Connect to the network at my workplace.

post-1455-1104846794_thumb.jpg

Click Next again, and under Network Connection, click Virtual Private Network Connection.

post-1455-1104847248_thumb.jpg

Click Next and create a Connection Name (This name is descriptive only).

Click Next and under Public Network, click the Do not dial the initial connection radio button.

post-1455-1104848857_thumb.jpg

Click Next and under VPN Server Selection, type the external Internet IP of your VPN Server (the router's outside IP).

post-1455-1104848983_thumb.jpg

Under Connection Availability, select either Anyone's use, or My use only, and click Next. In the Completing the New Connection Wizard window, check the box for Add shortcut to this connection to my desktop if you desire, and click Next.

post-1455-1104849261_thumb.jpg

You should now be able to connect using the VPN Connection you just created provided you have enabled incoming PPTP connections on the D-Link DFL-200.

Using this procedure, you'll connect to the ISP via dial-up and once it's connected, double click the VPN Connection you created and enter the authentication information.

post-1455-1104849684_thumb.jpg

Sorry if it's silly to ask, but I've had customers become confused over this. Your network doesn't sound big enough to have its own Remote Access Services (RAS) Server, so when you say you're dialing to your ISP, you mean you're dialing a connection to a service provider like AOL, or Earthlink, not into a server on your LAN, right?

Hope this helps!

Sincerely,

Link to comment
Share on other sites

homecomputeraid,

I've already spent some time experimenting with an XP VPN client, which I set up using the procedure you described. It appears to connect through to the router OK, but fails to establish a VPN tunnel. On the router's log there's an IPSEC message that says "Cannot get QM policy for ipv4 ......" & quoting the source IP address of the remote PC. I've tried researching what this message means, but without success so far.

Do I need to have an appropriate IPSEC policy on the client PC? I've spent a lot of time experimenting with this (using MMC), but again without any apparent success. This is the area I'm finding particularly complex.

The DFL-200 manual can be found at ftp://ftp.dlink.co.uk/dfl_firewall/dfl-200. The device does not have an explicit configuration option to enable PPTP. It requires specific VPN tunnels to be defined for fixed IP addresses, or a generic 'roaming' tunnel for dynamic IP addresses (e.g. dial-in users).

Finally, you're right in thinking I dial-in via a third-party ISP.

Thanks again for your interest & assistance.

MikeS

Link to comment
Share on other sites

MikeS,

I was unable to connect to the FTP Server in your link.

Perhaps the dfl-200 only allows IPSec connections? There is an IPSec Settings button in the Security tab of the properties for that VPN connection, but the options shown there are extremely limited. You can only use shared password authentication.

post-1455-1104860241_thumb.jpg

post-1455-1104860253_thumb.jpg

For vendor clients, there are usually many more options for IPSec. Is the dfl-200 manual large? Is it something you could zip and e-mail me?

Link to comment
Share on other sites

You're following the instructions on Page 43 for Roaming User VPN, right?

It looks to me like the device will only allow IPSec VPN Connections. Please make sure your pre-shared key is exactly the same, including case on both the router and the client (Page 43, Step 4).

Also, if you haven't enabled NAT Traversal, you might want to turn it on (Page 44 of the manual).

I do recommend using the D-Link client, and keeping all settings but the ones discussed above at their defaults.

According to the Routing Table on Page 19, the default IP that should be assigned to the VPN Adapter when connected should be in the 192.168.2.0 range, but you said yours was 192.168.254.2, didn't you? Can you please check the Routing settings by going to System, Routing in the Admin browser, and make sure you have a VPN subnet identified? Please post it here.

I'm not too clear on what you're authenticating to to gain access to your network. Did you create an account on the D-Link for the VPN User?

Link to comment
Share on other sites

Yes, I've followed the procedure for creating a roaming users tunnel. For NAT, I have configured the 'only if needed & supported' option.

The IP address of the remote PC seems to be controlled by the VPN client software. I do not know where the value of 192.168.254.2 is coming from. There is no manually-configured IP address on this machine.

Here's the routing table on the firewall:

post-1970-1104918608_thumb.jpg

The manual does not specify that a VPN subnet needs to be defined in the routing table. However, there is a 'global firewall policy' setting that allows VPN traffic to pass:

post-1970-1104918958_thumb.jpg

There is no authentication to gain access to the network, other than when the VPN tunnel is established. It's a peer-to-peer network & there's no domain controller.

Link to comment
Share on other sites

MikeS,

On all other devices I've worked on, the subnet assigned to incoming VPN computers is given out either by the device where the VPN is terminating (your firewall), or a DHCP Server with a scope set aside for VPN traffic. Since you don't have a DHCP Server (other than your Router), the Router should be set up to give out the IPs for incoming VPN connections.

I don't see one defined in the graphic you posted. I think you have to click add, and put in a subnet for VPN users. It should look like the shot in the manual on Page 19. I would make the scope 192.168.2.0 with a mask of 255.255.255.0. Your usable IPs within that subnet will be 192.168.2.1 through 192.168.2.254.

[edit] Adding that will also notify the router of the new subnet, and let it know how to handle VPN traffic.

Link to comment
Share on other sites

Added a route for the VPN tunnel, but this made no apparent difference. Tried to get the client to obtain IP address from router, but without success.

Due to time constraints I'll have to suspend further effort on this issue for now. I can manually add shared drives/folders to My Network Places using IP addresses & I can map network drives the same way. It would be far more desirable to be able to browse the network, but I'll have to live with this for the time being. We'll probably be adding a Windows Server to the network in the next 6-12 months, so I'll probably re-visit this issue then.

Thanks to everyone who contributed, especially homecomputeraid.

MikeS

Link to comment
Share on other sites
