VPN setup - is there a standard way to do this?


First...I'm not a full-blown network engineer...just kind of inherited
a network and am being looked to for supporting it. Small 25-person
office, have a Netscreen firewall/VPN and a W2k domain. I'm being
asked to get the VPN working on the Netscreen (for remote users
working from home). Going into the config, I'm blown away by the
number of different ways to set the VPN up. IKE, XAuth, AU, L2TP,
DES, Triple DES, hash algorithms, pre-shared keys...etc...it's a little
overwhelming. Is there some kind of standard people use? Any good
website suggestions? Do I stick with the Netscreen-Remote clients or
set up the Microsoft 2000/XP PPTP/L2TP client? Any help would be
greatly appreciated.
Mike
Netscreen's support page has several articles, including screenshots, about setting up the VPN on the Netscreen firewall. I used L2TP and it works great. The only thing to remember, though, is that on the client machines you'll have to set up the following registry entry before they can connect via L2TP:
To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Add the following registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
Note that you must restart your Windows 2000-based computer for the changes to take effect.
I thought it was fairly straightforward to set up. You set up an L2TP pool (under Objects on the firewall), configure the default settings, configure the tunnel (both under VPN > L2TP on the firewall), create your users (under Objects) and of course allow VPN in your Policies.
Again, there's a bunch of articles with screenshots of how to do this; just go to the above link and search the knowledge base. My info above is a basic overview though.
Hope this helps and good luck.
MF
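As an added example (not MF's or Netscreen's own), this PowerShell script audits the Rasman `ProhibitIpSec` value MF describes and can set it with `-WhatIf` review. One caveat to know before rolling it out: a value of 1 tells the Windows L2TP client to skip its automatic IPsec policy, so the L2TP tunnel carries traffic without IPsec unless a manual IPsec policy is configured; assumes a current Windows client running PowerShell as an administrator.

```powershell
# Added example, not from the thread. Registry path and value are the ones
# MF's post prescribes; function names are this example's own.
$RasmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'

function Get-L2tpIpsecState {
    # Report whether this client will still negotiate the automatic
    # L2TP/IPsec policy (value missing or 0) or skip it (value 1).
    $prop = Get-ItemProperty -Path $RasmanKey -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    $current = if ($null -eq $prop) { $null } else { $prop.ProhibitIpSec }

    $display = if ($null -eq $current) { 'not set' } else { $current }
    $ipsec = if ($current -eq 1) {
        'disabled: L2TP runs without IPsec unless a manual IPsec policy exists'
    } else {
        'automatic IPsec policy active'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ProhibitIpSec = $display
        IpsecForL2tp  = $ipsec
    }
}

function Set-L2tpIpsecProhibited {
    # Create or update the REG_DWORD exactly as the post prescribes.
    # SupportsShouldProcess gives -WhatIf/-Confirm so the change can be
    # reviewed before it touches a client.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    if ($PSCmdlet.ShouldProcess($RasmanKey, "Set ProhibitIpSec = $Value")) {
        if (-not (Test-Path $RasmanKey)) {
            New-Item -Path $RasmanKey -Force | Out-Null
        }
        Set-ItemProperty -Path $RasmanKey -Name 'ProhibitIpSec' -Value $Value -Type DWord
        Write-Warning 'Restart required for the change to take effect, as the post notes.'
    }
}

# Audit first; run Set-L2tpIpsecProhibited -WhatIf to preview the change.
Get-L2tpIpsecState | Format-List
```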
Well, with the L2TP, the way it is set up is basically to establish the connection, you log on using the Netscreen's user name and password (this was set up under Objects -> Users on the Netscreen). Again, this just creates the tunnel between point A and point B. After it is connected, your computer is now a computer on that network. After that, if you want to say Remote into a server or computer on that side, you'd launch Remote Desktop to that private IP and then use your domain user name and password to get in (of course this is also provided you have access under that user name and password on the domain). Same for mapping drives: you need to use a user name and password from that domain that you just VPN'd into. This is actually a nice feature because even if someone was able to make a VPN connection and you didn't want them, they'd still need to be a user in your domain to get to any of the machines on the domain. I would have thought that the IKE VPN was set up similarly. Again, the knowledge base articles are an excellent source for finding info too, but I hope this at least helps or points you in the correct direction.
MF
Thanks for the reply...I did manage to set up IKE VPN connections using the Netscreen-Remote client. What I don't understand...is basically how to log someone in over the VPN connection directly to the network. In other words, while testing this IKE connection, I noticed that every mapped drive, opening Outlook...etc. requires the user to enter a username/password. Also, there's no way to change your password when it expires (at least I don't see a way)...so I'm guessing I need a way to log into the domain when first connecting. Is this what L2TP does?
Mike
Anyone have any follow-up to this? I'm basically concerned about changing domain passwords when they expire. I'm using a NetScreen 25 with IKE/XAuth/IAS. It seems that if the domain password has expired the user is locked out of everything until they manually hit Ctrl+Alt+Delete to change their password and log back in again. This could be really c
> > Thanks for the reply...I did manage to set up IKE VPN connections
serafim
