I am supposed to help a friend of a friend set up SMB filesharing between two LANs in distand locations, through the internet. The only way I can think of to do this, is through a VPN. The problem is that both of his DSL routers that act as internet gateways for each LAN have no integrated VPN client/server. My initial thought, was to use a VPN server behind the first router (port-forwarding it to the outside), and use multiple VPN tunnels (one for each host of the remote LAN) to connect. However, because NAT modifies header information that VPN technologies (IPSEC/PPTP) rely on, this won't work unless the routers support a special capability for NATing IPSec/PPtP data. Even this way, I suspect only one client in LAN1 will be able to connect to a VPN server in LAN2. There is a windows update that appears to be related to the issue (described here
), but I don't know of how much help it will be -if at any. I realize of course that this whole plan is not optimal or scalable, I only need a viable solution for a couple of windows machines.
I have no details about the routers, other than that they are typical Linksys DSL routers (those in the range of 100$ - 150$). Unfortunately to find out more I would have to visit the place, which is quite far.
Any comment would be welcome -either pointing some alternative way to implement the needed functionality (filesharing) on the above scenario, suggesting how likely it is that those "typical 100$ linksys DSL routers" have a feature that will make possible implementing a VPN through NAT in both sides, indicating an incorrect speculation of mine or anything else.
I'm just a newbie when comes to this kind off stuff, but why dont you try to get a Linksys vpn routers and try to do a gateway to gateway VPN. That means you can specify whether you'll connect the whole subnet or range of computers IP address.
Here is a link at Linksys website that covers VPN to thier firewall router(note make sure that you have the 1.50.9 firmware loaded if your having internet connection prblems on the pre-loaded firmware.)
As far as I'm familiar with VPN technology, I would say that connections based on PPTP only require you to open port 1723 and GRE (protocol 47) on your firewall to pass through. If you are using a Microsoft VPN server you have the option to use either PPTP or L2TP/IPSEC connections.
When you use IPSEC as the transport protocol you should also open ESP (protocol 50) and/or AH (protocol 51). When you have a device (or more then on device) between you VPN client and your VPN server that performs NAT, then ESP is a problem because the encapsulation includes the IP header. One solution (security workaround) is using a VPN server that accepst NAT-T (NAT Traversal) connections e.g. ISA 2004, Windows 2000 and 2003 VPN server.
This brings us to the patch that MS has published and you referenced to in you post. My experience is that the pacth works fine BUT:
- As of XP SP2 you need a registry hack to make it work (see same MS article)
- It only works up to 2 NAT devices. So if you have 3 or more NAT devices, it won't work.
- When you view it from a security standpoint, NAT-T (nat traversal) is a bypass of IPSEC.
- Your NAT box should do 1-1 NAT no dynamic or multiple to one NAT.
- NAT-T requires several ports to be opened, see the same MS post.
I hope this makes it a bit clear,
I'm no expert at this stuff so don't rely soly on this post
Thanks both -great explanation Stefke, it sure let me understand the odds! I'll give it a try and see how it works in practice.
After browsing through the various entry-level adsl modem/routers, I realized that actually "vpn pass-through" is a standard feature, though it is differently deployed/interpreted from manufacturer to manufacturer. So characteristics like protocol support and maximum simultaneous connections varie (I would need 6 for this case).
If I can't manage to make it work, I'll recommend him to get two routers with vpn end-point support, like geng_001 said -it is the right way to implement this anyway.
The microsoft article specifically refers to L2TP/IPSec. I am wondering ... would PPTP work without having the problems you've described? Since PPTP is a less secure connection when compared with the above, and has not ESP header, it might just work for you.
I'd suggest you try setting up a simple PPTP tunnel and see what the results are.
The other alternative is for your friend to get some static IP addresses - that will surely help resolve the problem but at an additional cost.
Keep us upto date on how you go and the VPN technologies you try out to resolve the problem.