This "..enabled IP forwarding in the through Registry.." is a bit unclear; 
exactly what registry change(s) did you make?  If you edited anything under 
HKLM\System\CCS\Services\TCPIP, then undo it.  James' instructions gave you all 
you need to enable routing through your RRAS server.

You also have to consider the routing structure in your LAN.
Q1 - what IP assignments did you apply to the VPN clients?
Q2 - what is the routing path between the LAN hosts and the VPN server?
[you need to use a netcap tool (netmon, Wireshark, etc.) for the next two]
Q3 - did the LAN machine even see the ping?
Q4 - If Q3 = 'yes', did the LAN machine respond to the ping?
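To work through Q1 and Q2 concretely, here is an added example (not part of the thread) that models the LAN host's return path: given the 192.168.0.200 RRAS internal address and the 192.168.0.201 LAN host from the thread, a constructed routing table with an assumed firewall gateway at 192.168.0.1, and a VPN client address from the pool, it reports where the host's ping reply would actually go.

```python
# Added example, not from the thread: where does 192.168.0.201's echo reply
# to a VPN client end up? Depends on the pool addresses (Q1) and routes (Q2).
import ipaddress

RRAS_INTERNAL = ipaddress.ip_address("192.168.0.200")  # from the thread
LAN_HOST = ipaddress.ip_address("192.168.0.201")       # from the thread

# Constructed routing table for the LAN host: (destination, next hop).
# next hop None means "directly connected" (the host ARPs for the target).
# 192.168.0.1 is an ASSUMED firewall / default-gateway address.
LAN_HOST_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.0.1")),
]

def next_hop(dest, routes):
    """Longest-prefix match: the next hop the host would use for dest."""
    best = None
    for net, gw in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_path(vpn_client_ip, routes=LAN_HOST_ROUTES):
    """Classify where the LAN host's echo reply to a VPN client goes."""
    hop = next_hop(ipaddress.ip_address(vpn_client_ip), routes)
    if hop is None:
        # Pool is on the LAN subnet: RRAS answers ARP on behalf of its
        # clients, so the reply reaches the RRAS server directly.
        return "direct"
    if hop == RRAS_INTERNAL:
        return "via-rras"
    # Off-subnet pool and no route for it: the reply goes to the firewall,
    # which knows nothing about the VPN clients, so the ping never returns.
    return "via-other-gateway"

def fixed_routes(pool):
    """Route table with a static route for the VPN pool via the RRAS box."""
    return [(ipaddress.ip_network(pool), RRAS_INTERNAL)] + LAN_HOST_ROUTES
```

If the pool is off-subnet, every LAN host (or the firewall) needs a route for that pool pointing at 192.168.0.200; the packet capture in Q3/Q4 shows which of these three cases you are in.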

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai
Sent: Thursday, January 04, 2007 6:48 AM
To: James D. Stallard
Cc: [email protected]
Subject: Re: Secure Remote access - windows 2003

Using the instructions I have successfully set up the L2TP/IPSEC tunnel up till 
the gateway. Now if I want to access the internal network, what else should I do 
on the RRAS server? From the Internet user machine I am able to ping both the 
Internet interface and the internal interface [192.168.0.200] of the RRAS 
server. But I cannot ping any other internal machine [192.168.0.201] connected 
on the same LAN as the internal network interface.

On the RRAS server I have enabled IP forwarding in the through Registry. 
Address pool is configured and is getting allocated to Internet user when he 
connects.

On 1/3/07, James D. Stallard <[EMAIL PROTECTED]> wrote:
> You don't mention the number of users, but the budget suggests small 
> scale :)
>
> Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and 
> with WXP SP2 as your client you have 2048-bit Diffie-Hellman encryption 
> available.
>
> Setting up RRAS to perform this task is done in less than 20 minutes 
> and is easy to get through a firewall inbound (i.e. your firewall). The 
> problems you have to face are:
>
> . If you wish to use pre-shared keys (the "cheapest" way of doing it) 
> you will need to configure the PSK passphrase on each client 
> individually - easy with a small number of clients. Otherwise, you 
> will need to invest in a certificate authority.
>
> . This is only suitable for access by known machines, not for internet 
> café type environments.
>
> . This solution works great for the remote home user, but is less 
> successful for your travelling salesmen using the client's internet 
> connection as they generally have the relevant ports/protocols blocked.
>
> . The locally configured PSK may not be stored in a highly secure 
> manner on the client machines and could possibly become known in the 
> event a machine configured with it is stolen. You may find yourself 
> having to re-deploy a new PSK.
>
> I wrote a quick and dirty step-by-step here:
> http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus
>
> In case one of your configured laptops is stolen and an attempt is 
> made on your RRAS solution, pay attention to your account locking on 
> failed password settings. You want permanent locks on a small number 
> of attempts (say 5), thus forcing administrative intervention and 
> investigation in the event of an account becoming locked.
>
> Cheers
>
> James D. Stallard
>
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai
> Sent: 02 January 2007 04:17
> To: [email protected]
> Subject: Secure Remote access - windows 2003
>
> I am planning to provide remote access from Internet to a windows 2003 
> domain controller. User-ids, NTFS permissions are all configured.
>
> The objective is file sharing and access.
>
> Files will need to be copied. The machine has valid Internet IP 
> address and is sitting behind a Firewall.
>
> I would like to keep the solution independent of the Firewall. This will be 
> accessed by roaming users. I am thinking of something like OpenSSH for 
> windows or maybe just GUI based Secure-FTP.
>
> Challenges I am facing
> ------------------------------------
> Authentication should be strong. Something more than a password. [ No 
> budget for RSA SecurID :-))) ]
>
> Encryption for user-credentials/data access
>
> Options considered
> ----------------------------------
> I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy 
> is not simple and also you require Application Mode license.
>
> The number of remote users - less than 100
>
> Cost-effective, easy to implement and easy to manage solution sought
>
