How to create a VPN client in Windows XP

From OpenFSG



How to create a virtual private network (VPN) in Windows XP

Introduction

It is easy to imagine needing access to FSG resources from anywhere in the world. With a VPN we can safely reach all the resources of our intranet (the FSG) over a public service such as the Internet, working as if we were on the local network.

What does this article address?

Home VPNs. We will see that with Windows 2000 and XP it is possible to quickly create private networks that let us share our resources with other users safely.

What is a VPN?

A VPN (Virtual Private Network) is an extension of a local area network (LAN) that uses a public network (such as the Internet) to link directly into it. (Apart from the Internet, other WAN infrastructures such as Frame Relay, ATM, etc. can also be used.)

  • This method links two or more networks by simulating a single private network, allowing communication between computers as if it were point-to-point. In the case of the FSG, you need one FSG as the VPN server and another FSG as the VPN client.
  • A remote user (with an XP VPN client) can also connect individually to an FSG VPN server and its LAN through a VPN connection, and then use applications and send data safely. This is the VPN connection that this HowTo describes!


Conventionally we have a network connected like this. Computer C1 can "see" FSG folders, the other computers, and print using the shared printer.

FIG 1: Conventional network connections

A VPN is a virtual network created "inside" another network such as the Internet. It lets us work as if we were on the local network; the connection over the Internet is totally transparent to the user. Now the remotely located computer C1 will also be able to "see" FSG folders and the other computers, and print on the shared printer.

FIG 2: VPN connections to a conventional network

Once the connection to the virtual private network is established, the data transferred is encrypted so that only the sender and the receiver are able to read it.

Setting up a VPN requires a server (or host) waiting for incoming connections (in our case, the FSG) and one or more clients that connect to the server to form the private network.

What can we do with a VPN?

By letting us establish secure connections between different locations, a VPN gives us access to the resources of the FSG (printers, documents, database servers, applications, ...) when we are working at a distance over the Internet, in a safe and protected manner.

How does a VPN work?

As mentioned, the process is completely transparent to the user. For most applications it works exactly like any other network connection: within the VPN each computer has an IP address, every IP connection made within the VPN works normally and is encrypted, and the user simply has to use the VPN IP addresses without worrying about anything else; the rest is done by the VPN client (the computer at home) and the VPN server (the FSG at the office).

Background on VPNs

A virtual private network uses a tunnel (tunnelling) through the Internet to transmit data by means of encapsulation (and encryption). That is the important point distinguishing a virtual private network from a private network (a private network simply uses telephone lines or cables to form the network).

FIG 3: The tunnel through the Internet

One of the main advantages of a VPN is its built-in security. Packets are transmitted in encrypted form through a tunnel in the public infrastructure (the Internet) and are unreadable to anyone intercepting them.

This technology is very useful for building networks that extend over large geographical areas, for example between different cities and sometimes between different continents. For a company with many remote offices, implementing a VPN would substantially reduce the cost of inter-office communication: the cost of telephone calls (if using dial-up) would only be short-distance calls to the local ISP, or the offices would simply use their normal DSL connections to reach the Internet; otherwise the company would have to lease dedicated lines, which are very expensive, or cable lines, which would be even more costly.

Before starting to work with VPNs it is good to have some basic knowledge of the world we are getting into. Two technologies are used for creating VPNs; in reality they are two different sets of protocols, PPTP and L2TP.

PPTP: Point to Point Tunnelling Protocol

PPTP is a protocol developed by Microsoft and is available for all Windows platforms. It is simple and easy to implement but offers less security than L2TP. In this article we will implement a VPN connection through PPTP using MS-CHAP v2. It is also possible to use PPTP with EAP-TLS, which carries security certificates.

L2TP: Layer Two Tunnelling Protocol

This is an open standard and is available for most platforms, including Windows, Linux, Mac, etc. It is implemented over IPsec and provides high levels of security. Public-key security certificates can be used to encrypt data and to verify the identity of the VPN users.

Comparison between PPTP and L2TP

With PPTP, data encryption starts after the connection is established (and, of course, after PPP authentication). With L2TP/IPsec, data encryption starts before the PPP connection, by negotiating an IPsec security association. PPTP connections use MPPE, an encryption method based on the Rivest-Shamir-Adleman (RSA) RC4 algorithm, with 40-, 56- or 128-bit keys. L2TP/IPsec connections use the Data Encryption Standard (DES), with a single 56-bit key for DES or three 56-bit keys for 3DES. The data is encrypted in blocks (64-bit blocks in the case of DES). PPTP connections require only a basic level of user authentication through a PPP-based authentication protocol. L2TP/IPsec connections require the same level of user authentication, plus machine-level authentication using digital certificates.

There are other differences, but a more detailed study of them would go beyond the scope of this article, so we stop here, having considered only these three fundamental differences.

Case Study

The best way to understand it is to see how it is implemented, and that is what we now consider.

Scenario: One computer at home, and the FSG at the office. They are far apart and both are connected to the Internet, and you want to share their resources (files, printers, etc.) with each other privately and easily. Software: The computer at home uses Windows XP or 2000. It is also possible to connect computers running Windows 98 and 95 by downloading the updated files from the Microsoft website.

Solution: Set up a VPN over the Internet between these computers. One computer must be established as the server; it will be responsible for authenticating, and the remaining computers will establish the connection with it.

VPN Server: This will be the FSG. Read the article about creating a VPN server.

VPN client: Open the "Network Connections" folder, and in the File menu select "New Connection Wizard". In the New Connection Wizard select "Connect to the network at my workplace" and click Next.

  • Select "Connect virtual private network" or "Connect to the network at my workplace", and click Next.
  • Select "Virtual Private Network connection" and click Next.
  • Give the connection a name (this is an internal name and not important).
  • In the next window, check the option "Do not dial the initial connection" unless we want this VPN to use another of our Internet connections; if we indicate instead that another connection, such as a telephone connection, should be activated before this one, it will connect to the Internet first and then establish the VPN.
    If you have cable or DSL it is not necessary to activate any of these connections. Nor is it necessary if we are already connected to the Internet when we activate the VPN connection, or if we do not want the VPN connection to start an Internet connection by itself. Click Next.
  • Finally we enter the IP address of the VPN server (the public IP of the FSG's Internet connection if it has a fixed IP, or its name through a dynamic DNS service such as no-ip.com or dyndns.org). This is the public IP address, that is, the one on the Internet at the time the connection between client (computer at home) and server (FSG) is established.
  • At the end of the wizard we will be ready for the connection to be activated. Now we must enter the user name and password we have enabled on the FSG VPN server, and we can connect to the server.
  • We now have the VPN connection ready to run.




If we work with slow connections (modem or similar) the VPN will also be slow. Broadband connections are advisable to get good performance from this type of connection.

To communicate over the VPN we must use the VPN IP addresses. In other words, in addition to the IP addresses they already use, the server and clients are assigned additional internal VPN IP addresses, and these are the ones we must use to reach computers through the VPN. They can be looked up as usual, via the icon of the new connection that appears in the notification area (by the clock).

On slow connections Windows Explorer will not be able to show the other computers in the network, or will take a long time; in this case we can reach them by typing "\\ip_at_VPN" or "\\computer_name" of the machine we have access to in the address bar of Windows Explorer. For example, if the VPN IP of the FSG is 169.254.3.117 we type \\169.254.3.117 in the address bar of Windows Explorer, and in this way we have access to the files and printers on the FSG or on the computers of our intranet (the network at the office). To use other resources, such as database servers and so on, simply use the VPN IP of the destination system.

Also, if a computer has incorrect network settings or badly assigned permissions, you may not be able to access its resources. This is not a problem with the VPN; it is a problem of the permissions established on each computer, just as happens in a local area network.

Finally, as a last recommendation, keep your Windows XP computer updated and install patches and service packs. As a network service it is very exposed to attack: if it is not properly updated it can be attacked, or our data may not travel as safely as we hoped.

Troubleshooting

Why did I lose my Internet connection?

One of the things that can happen when you connect to the FSG or another computer remotely is that you lose your current Internet connection. You do not lose the connection to the remote computer, but from your computer you can no longer send mail or open a web page.

This usually happens when the remote computer (FSG) uses a gateway that is not within our range... Do not worry: here we explain what to do if, when the VPN connects to the other computer (FSG), it turns out that your computer (the one from which you created this VPN connection) no longer lets you browse or read mail, and so on.

Look for the connection you created (the VPN connection) and right-click it to display the context menu, where you must select Properties.


Clicking it displays a Properties window, in which we have to select the Networking tab. Then select Internet Protocol Version 4 (TCP/IPv4) if you are on Windows Vista, or Internet Protocol (TCP/IP) if you are on Windows XP, and click the Properties button.

Leave everything here as it is, all automatic, i.e. the VPN IP assigned by the server and so on. Click Advanced.

In the Advanced window, make sure the option "Use default gateway on remote network" is unchecked.

Finally click OK until you close all windows.

In this way you can connect to your remote computer through the VPN and will not lose the Internet connection on your own computer while logged in. Note that with this setting only traffic for the remote network goes through the tunnel; everything else uses your normal Internet route (split tunnelling) and is not protected by the VPN.

Not Open Ports Problem

Sometimes you need to open some ports on the modem/router that sits in front of the FSG:

For PPTP:

TCP port 1723 must be open, and the protocol with ID 47 (GRE) must also be allowed.
(Note: on some routers this protocol opening means opening 47 TCP & UDP. Other routers (like the USR9108) state that they can handle VPN tunnelling: once you set port forwarding (or a virtual server) for 1723 TCP, the router automatically does the GRE forwarding.)


For L2TP:

TCP port 1701 must be open.
If you also want to use IPsec, UDP port 500 and the protocols with IDs 50 (IPsec ESP) and 51 (IPsec AH) must be opened.
(Note: on some routers this protocol opening means opening 50 UDP and 51 UDP.)


NOTE:

- The router where you have to open all this is the one beside the FSG (between the FSG and the Internet).
- The router between the XP VPN client and the Internet does not need these openings.
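As an added example (not from this article or the FSG firmware), the following Python reads raw IPv4 packets captured on the WAN side of the router in front of the FSG and reports which of the rules listed above are still missing for the traffic that is actually arriving; the packet builder, addresses and sample capture are constructed here. The L2TP match accepts both TCP and UDP 1701 (the article lists TCP; standard L2TP uses UDP).

```python
import struct

def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    # Minimal IPv4 header (no options, checksum left at zero) used only to construct samples
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip(src), ip(dst)) + payload

def ports(sport: int, dport: int) -> bytes:  # first 4 bytes of a TCP/UDP header
    return struct.pack("!HH", sport, dport)

def parse_ipv4(packet: bytes) -> dict:
    # Pull out what a forwarding rule keys on: IP protocol, destination address and port
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"proto": proto, "dst": ".".join(str(b) for b in packet[16:20]), "dport": None}
    if proto in (6, 17) and len(packet) >= ihl + 4:  # TCP or UDP
        info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return info

# The article's list: what the router in front of the VPN server must let through
RULES = {
    "pptp-control": lambda p: p["proto"] == 6 and p["dport"] == 1723,
    "pptp-gre":     lambda p: p["proto"] == 47,
    "l2tp":         lambda p: p["proto"] in (6, 17) and p["dport"] == 1701,
    "ipsec-ike":    lambda p: p["proto"] == 17 and p["dport"] == 500,
    "ipsec-esp":    lambda p: p["proto"] == 50,
    "ipsec-ah":     lambda p: p["proto"] == 51,
}

def classify(packet: bytes, server_ip: str) -> str:
    # Name the VPN rule an inbound packet needs, or "other" if no VPN rule should match it
    p = parse_ipv4(packet)
    if p["dst"] != server_ip:
        return "other"  # forward VPN traffic only to the VPN server, not the whole LAN
    return next((name for name, match in RULES.items() if match(p)), "other")

def missing_rules(capture: list, server_ip: str, opened: set) -> set:
    # From a WAN-side capture and the rules already configured, report the VPN traffic
    # classes that are arriving but would still be dropped
    return {classify(pkt, server_ip) for pkt in capture} - opened - {"other"}

# Constructed sample capture: the client at 203.0.113.5 reaches the FSG at 198.51.100.7,
# whose router forwards only TCP 1723 (the usual "PPTP connects but no data" case)
SAMPLE = [
    build_ipv4(6, "203.0.113.5", "198.51.100.7", ports(49152, 1723)),
    build_ipv4(47, "203.0.113.5", "198.51.100.7", b"\x30\x01\x88\x0b"),  # GRE carrying PPP
    build_ipv4(6, "203.0.113.5", "198.51.100.7", ports(49153, 80)),
    build_ipv4(47, "203.0.113.5", "198.51.100.9", b""),
]
```

Running missing_rules(SAMPLE, "198.51.100.7", {"pptp-control"}) reports that the GRE rule is the one still missing, which is exactly the symptom the note above describes.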

FW Release problem

Introduction:

The VPN connection with PPTP works fine with 3.3.14. With 4.2.7 and 4.3.8 it does not: the VPN connects, but you cannot see the FSG folders or anybody "at the other side of the tunnel".

Solution:

Thanks to Toddi, here is the solution. As you can see in this forum, there is an easy solution to get the VPN working in the 4.2.7 and 4.3.8 releases.

  1. Connect to the FSG using SSH via PuTTY.
    1. Log in as Admin.
    2. Log in as root.
  2. Edit the file /etc/ppp/options.pptpd with vi.
    1. Type 'vi /etc/ppp/options.pptpd' and it lists the text.
    2. Scroll down to the last line and to the end of the line.
    3. Type 'i' and hit Return (this enters "insert mode").
  3. Change the last line from:
mppe required
to
mppe required,stateless
(with NO space between "," and "stateless")
  4. Save the file and exit vi.
    1. Hit Escape.
    2. Type :x (this saves the file and exits the vi editor).
  5. There is no need to restart the FSG or the VPN server. This file seems to be read only when a VPN client tries to make the connection.
  6. Now you will see everybody "at the other side of the tunnel". :-)
And the VPN connection is much more stable than with 3.3.14 ... 20:41, 27 January 2008 (CET)

Explanation:

The difference between stateless and stateful refers to the synchronization of the encryption keys.

  • Stateful: the key is re-initialized normally every 256 packets, or on request (for example, if packets are lost).
  • Stateless: the key changes with every packet.

It is a trade-off between stateful and stateless performance. Stateless mode should be used over the Internet or on networks with higher packet loss.
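To make the stateful/stateless difference concrete, here is an added Python simulation (not part of the article or the FSG firmware) of MPPE's two modes over a lossy link: plain RC4 with a simplified SHA-1 key change stands in for the exact RFC 3078 schedule, and the session key and packets are constructed. It shows that after one lost packet a stateful receiver decrypts garbage until a resync (the CCP Reset-Request, left out here), while a stateless receiver just replays the skipped key changes and carries on.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4, the cipher behind MPPE; it XORs a keystream, so the same call decrypts
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

class MppeEndpoint:
    # One direction of an MPPE session; peers stay in step only via the coherency count
    def __init__(self, session_key: bytes, stateless: bool):
        self.session_key = self.key = session_key
        self.stateless, self.seq, self.pos = stateless, 0, 0  # pos: keystream bytes used
    def _rekey(self):  # simplified stand-in for the RFC 3078 SHA-1 key change
        self.key, self.pos = hashlib.sha1(self.session_key + self.key).digest()[:16], 0
    def _xor(self, data: bytes) -> bytes:
        out = rc4(self.key, bytes(self.pos) + data)[self.pos:]  # continue the keystream
        self.pos += len(data)
        return out
    def encrypt(self, plaintext: bytes):
        if self.stateless or (self.seq and self.seq % 256 == 0):
            self._rekey()  # stateless: new key per packet; stateful: every 256 packets
        count, self.seq = self.seq & 0xFFF, self.seq + 1  # 12-bit count goes on the wire
        return count, self._xor(plaintext)
    def decrypt(self, count: int, ciphertext: bytes) -> bytes:
        skipped = (count - self.seq) & 0xFFF  # packets lost on the way
        if self.stateless:
            for _ in range(skipped + 1): self._rekey()  # replay the per-packet key changes
        elif self.seq and self.seq % 256 == 0:
            self._rekey()  # stateful: keystream of the lost bytes is never consumed -> desync
        self.seq += skipped + 1
        return self._xor(ciphertext)

def demo(stateless: bool, lose: int, packets: int = 6) -> list:
    # Send `packets` packets, drop number `lose`, report which of the rest decrypt correctly
    sk = b"\x11" * 16  # constructed session key; MS-CHAPv2 derives the real one
    tx, rx = MppeEndpoint(sk, stateless), MppeEndpoint(sk, stateless)
    sent = [(n, b"FSG packet %d" % n) for n in range(packets)]
    wire = [(n, pt, tx.encrypt(pt)) for n, pt in sent]  # packet `lose` never arrives
    return [rx.decrypt(count, ct) == pt for n, pt, (count, ct) in wire if n != lose]
```

demo(True, 2) decrypts every surviving packet, while demo(False, 2) decrypts only the two packets sent before the loss.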
