# Best Working VPN practice



## mayer (Feb 26, 2007)

Hi again,

Thanks for your quick help on my previous problem. I thought I would manage by Googling the needed steps for your advice, but it looks like I am not getting there.

So, as per your advice, I am now trying to set up a VPN connection between a remote (XP) workstation and a server (2003 R2 SP2).

I have found so many tutorials, and have kind of tried them all, alas, unsuccessfully.

I have tried setting up VPN on the server by:

- The new connection wizard (via Network Connections) - "set up an advanced connection"
- The RRAS server setup - first option - Remote Access (dial-up or VPN)
- The RRAS server setup - third option - Virtual Private Network (VPN) access and NAT

Each one of those has failed in one way or another. After having read so many tutorials and step-by-step-guides, each one giving their own "best practice", I wondered if someone here could help me get some clarity. I have prepared a whole list of questions. I would appreciate an answer on any of them, even if you can't answer them all.


- By default no user can use VPN unless you allow it in the properties of his (or his group's) account, under the dial-in tab. Is there a way to allow it by default to all users?
- By default the group policies of RRAS do not allow VPN. Tutorials tell you to change this in order to enable VPN. Do you have to EDIT the policies in order to allow it, or could you just DELETE the existing prohibiting policies? Are there any more policies to adjust, besides the two which show up in the RRAS MMC snap-in?
- By default, the RRAS server will only set up VPN if you have a second dedicated NIC (unless you set it up via the custom configuration). Why is this of great importance?
- If you choose the option that the VPN server should assign IPs from a specified range, do you need a DHCP server installed on the same machine, or will the VPN server handle this pool on its own? (I couldn't find anywhere an option to tell the VPN where the DHCP server is)
- How should one set the details in the TCP/IP properties of the VPN NIC on the server?
- The VPN NIC on the server obviously needs a static IP. Does it matter whether you set up this IP in the NIC's properties, or if you reserve an IP on the DHCP server for this NIC?
- How should one set up the TCP/IP properties of the NIC on the client?
- Do you have to specify a DNS server on the client? If yes, do you use the public IP of the DNS server or the internal IP on the server's LAN? If not, where do you set up the server to dynamically assign the DNS to the client?
- What are the different security protocols one can choose from? (please explain the differences rather than just listing them)
- Do you need to issue an authentication certificate for the default security settings? If yes, how?
- I ticked the "Include Windows Logon Domain" option; when connecting, am I to use the format [email protected] for the user, or just user without @domain?
- Am I to put in the domain name using the FQDN or the .local version?
- Am I to open up any ports on the firewall to allow VPN?
- After having tried many different things, I couldn't get the client connecting even once. When the server and client shared the same LAN I could get as far as having the system check the username and password, but it would always time out. Trying it remotely, it wouldn't even manage finding the server to begin with. Any explanation of what I might have done wrong? (I basically set up the VPN with all the default settings on both ends, using a dedicated NIC on the server, opening up the typical VPN ports as predefined in my router, allowing dial-in of the server for the user and allowing remote access in the group policies.)
- Several attempts caused me to lose internet connectivity. This sometimes occurred on the server and sometimes on the client. Any input on that?

Sorry for this extensive list of questions, but I am really stuck here.
Thanks for all,

Mayer


----------



## rhynes (Aug 14, 2006)

IMO, turf the RRAS and get a solid firewall - will save you so much trouble and grey hairs. Cisco ASA is a great option, then you're only having to deal with client connection software that's very easy for people to use. Not hard to set up, there are wizards to follow in the Cisco GUI.


----------



## mayer (Feb 26, 2007)

Thanks Rhynes for your advice. I wish I could just make it so simple, but I am afraid that the budget won't allow such an expense. We are only a very small charity fund and have already invested in the computer and the server software. I am going to have to work it out with built-in Windows tools.


----------



## Squashman (Apr 4, 2003)

I don't often recommend this but if you find it too complicated to set up a VPN in Windows there are a couple of easier free VPN apps that you can download and install. I have posted them on the forums in the past but can't recall the names of them offhand. Search the forums or the Internet.


----------



## Squashman (Apr 4, 2003)

Check out Comodo EasyVPN first.

I usually don't recommend Hamachi but if that works for you then go for it.


----------

