The Dial-Up Networking Monitor
5.6.2 Connectivity Testing
If your PPTP client is having trouble dialing in, one of the first things to check is connectivity. This includes the PPP connectivity between your client and your ISP, and between your dial- up ISP and the ISP to which the RAS server is connected. Note that connectivity testing will work only for connections where youre dialing into an ISP that doesnt support PPTP. Thats because in the cases where youre dialing into a provider that does support PPTP, youre not really connected until youre authenticated by the RAS server. If that much can happen, theres nothing wrong with the connectivity.5.6.2.1 ping and traceroute
The best way to test connectivity is to run the ping command from the Start Run menu item. After youve connected to the ISP, you can attempt to ping the RAS server with the following command: PING IP address of RAS server In our case, you would attempt to ping 2.1.1.60. If you get a successful return, your connectivity is okay. If you dont, you should try to ping something else on the Internet for which you know the IP address or hostname—an excellent test would be your ISPs DNS servers. If you can ping something else on the other side of your connection, but you cant ping your RAS server, the problem could be one of the following: • Youve been disconnected. Sometimes it happens that a modem will disconnect you, but Dial-Up Networking will still report you as connected. If you have an external 87 modem, you might be able to check the carrier detect to see if youre actually connected. • Your PPP link is incorrectly configured. Double-check the PPP and TCPIP information given to you by your ISP against what you have in your TCPIP properties. Unless you have a fixed IP address, your IP address and gateway should be assigned by the ISPs PPP server. Also, make sure you have your ISPs correct DNS servers listed. • Congestion or backbone routing problems on the greater Internet are preventing you from reaching the corporate network a common occurrence. A good test would be to attempt to ping your corporate Internet gateway routers IP address. If you can reach it across the Internet, then you can probably assume the RAS server is configured incorrectly or not connected. Another good tool for testing connectivity is Traceroute. Traceroute is familiar to Unix users as the traceroute program, which traces the path of packets sent from the starting host to the destination host, listing the hops other gateway routers along the way. On Windows 9598 and Windows NT systems, Traceroute is named TRACERT. The only problem you might have with using Traceroute is that it sends UDP packets on an invalid and high port, and some ISPs or companies block incoming UDP packets for security reasons. If Traceroute doesnt trace past a certain ISPs router and onto their internal network, it doesnt necessarily mean that the network or machine is down.5.7 Using PPTP with Other Security Measures
What weve covered so far are the basic steps for setting up a VPN using PPTP. The viability of VPNs is directly affected by security measures implemented on the destination LAN. PPTP is a protocol like any other, and must be allowed to pass through or bypass a firewall or proxy server in order to work successfully.5.7.1 How to Allow PPTP Through Firewalls
Like most IP-based tunneling protocols, PPTP operates on a specific IP port—in this case, TCP port 1723. On your firewall or filter, youll want to allow IP access to and from that port for your RAS server. If your firewall also filters by protocol, youll need to allow GRE IP protocol 47 to pass through. Its a good idea to block every other port off on your RAS server, especially the nefarious NetBIOS name service, datagram, and session ports of 137, 138, and 139. These ports can be used to browse the NetBIOS names and shares of the machines on your network.5.7.1.1 Fixed IP addresses
Since remote PPTP users will be dialing in through ISPs, they may not always have the same IP address. This eliminates the possibility of host-based filtering and means that a PPTP VPN will rely strictly on its user-based authentication system. A fixed IP address, where a user will be assigned the same IP address every time they dial in, is a way around this problem. Some ISPs offer a fixed IP address as an account add-on for a nominal monthly fee. If available, this is a great way to enhance security by allowing only hosts with one of those IP addresses to pass through port 1723 of the firewall and connect to the RAS server.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more