Showing posts with label local network. Show all posts
Showing posts with label local network. Show all posts

Tuesday, August 3, 2010

Windows XP VPN (PPTP)

Windows XP VPN (PPTP)

Setting up the VPN server

To setup the server end of the VPN connection, we need to create a new connection, and then check the firewall/router settings.
Firstly bring up the control panel by clicking on Start -> Control Panel. If the control panel is in Classic View as shown below, then click in Category View to see the simplified panel.
clip_image002
From the Category View click on Network and Internet Connections
clip_image004
Now click on Network Connections from the or pick a control panel icon section
clip_image006
Select the Create a new connection from the menu on the left of the screen
clip_image008
You should now see the New Connection Wizard click next to start.
clip_image010
Select Set up an advanced connection and click next to continue.
clip_image012
Select Accept incoming connections and click next to continue.
clip_image014
Leave the boxes unticked on this next screen and just click next to continue.
clip_image016
Select Allow virtual private connections and click next to continue.
clip_image018
You now need to pick which users are going to be allowed to vpn in. If you created a user earlier, then ensure that just that user is ticked, else pick which user you want to use - remember they need a secure password. Then click next to continue.
clip_image020
You can just click next to continue on this Networking Software screen, as you should already have everything you need installed, as you must already have either a modem or network card in the pc.
clip_image022
In the Incoming TCP/IP Properties dialog box (see below), place a check mark in the Allow Callers To Access My Local Area Network check box. This will allow VPN callers to connect to other computers on the LAN. If this check box isn’t selected, VPN callers will only be able to connect to resources on the Windows XP VPN server itself. Click OK to return to the Networking Software page and then click Next.
clip_image023
Granting LAN access to callers
Congratulations, you've now completed the second step in creating a VPN connection. Click Finish to close the wizard.
clip_image025
You should now see your new incoming connection in the Network ConnectionsWindow.
clip_image027
The last step is to ensure that all incoming connections use encryption (otherwise all this was for nothing !), so right click on the Incoming connections icon and select properties, then go to the second tab Users and tick the Require all users to secure their passwords and data checkbox, and then click the OK button to close the dialog
clip_image029

Setting up the VPN client

Now that the Server end of the VPN is set up, you need to create a vpn connection on your laptop to use whenever you are using an insecure wireless network.
Firstly bring up the control panel by clicking on Start -> Control Panel. If the control panel is in Classic View as shown below, then click in Category View to see the simplified panel.
clip_image002[1]
From the Category View click on Network and Internet Connections
clip_image004[1]
Now click on Network Connections from the or pick a control panel icon section
clip_image006[1]
Select the Create a new connection from the menu on the left of the screen
clip_image008[1]
You should now see the New Connection Wizard click next to start.
clip_image010[1]
Select Connect to the workplace at my work and click next to continue.
clip_image031
Select Virtual Private Network as the connection type and click next to continue.
clip_image033
Give the new VPN connection a name and click next to continue.
clip_image035
If you already have a dialup or VPN connection setup on your laptop you will now be asked if you want to always dial one of these existing connections before you make the VPN connection. Because we are going to be using a wireless link to get internet connectivity select Do not dial the initial connection and click next to continue. If you don't already have a dialup or VPN connection setup then this screen will not appear, and you will go straight to the next screen.
clip_image037
Now enter either the hostname your ISP has given you, or the IP address they've given you and click next to continue. If you don't have a static IP address, then it may be easier to use Dynamic DNS such as from dyndns.com to give you a static hostname for your dynamic address.
clip_image039
Now click finish and your new VPN connection will be ready to use.
clip_image041

Note: If you wish to connect to this VPN server from Internet by going through the router, then you need to enable port forwarding and allowPPTP passthrough options on the router.
Note: Since PPTP VPN uses port TCP-1723, you need to do port forwarding on TCP-1723. If you have problem to do port forwarding, then take a look on this port forwarding how to article. In this example, my VPN server IP is 192.168.1.99, so I do port forwarding to this computer’s port TCP-1723 on router.
clip_image042
Here is how I enabled PPTP Passthrough on Linksys router. Just go to your router management page to locate this option.
clip_image043

Testing the VPN Setup

Now the client and server are setup, we just need to make a few final checks before testing the setup.
If you use a modem on your home pc to share your internet connection, then you should be ready to start testing, as setting up the XP VPN Server will automatically update XP's built-in firewall with the rules necessary to allow incoming VPN connections, also you must already have Internet Connection Sharing setup in order to share your internet access.
If you use a router to access the internet and share your connection between computers then you will need to poke a hole in its firewall to the VPN connection through. You will probably need to look at the manual for your router to see how this is done, but you will most likely need to setup port-forwarding on the router to forward TCP connections on port 1723 to your home computer. This should be enough for most home routers.
Instead of going to the nearest internet cafe to test your vpn connection, the easiest way is to test it from home. Use the modem in your laptop to dial your dialup ISP ( most ISPs offer a dialup service with no monthly fees ) and then dial your VPN connection to connect through to your home PC.
clip_image045
Once successfully connected, you should see the new incoming connection shown in the Network Connections control panel of your home pc
clip_image047
If it has connected ok, you should now be able to surf all your regular sites and check your email from your laptop, all through this secure connection.
Once you are happy that it is working over a dialup link, you need to go to your regular wireless internet cafe and test the connection from there. It should obviously be much faster than over a dialup, while keeping all of your web and email traffic safe from prying eyes.

For other windows versions like windows 7 it should be similiar.
Based On:
http://wireless.gumph.org/content/6/4/011-howto-xp-pptp-vpn-user.html
http://www.zdnetasia.com/configure-windows-xp-professional-to-be-a-vpn-server-39050037.htm
http://www.home-network-help.com/pptp-vpn-server.html
Publicada por em 1 comment:

Tuesday, July 7, 2009

Setting up a dial-up VPN on the Juniper NetScreen Remote (client)

Note: I tried the tutorial on a Juniper SSG350M, with FW 6.0.0r4.0, and it worked althoug it's not the equipement on the tutorial


Note: To see the pictures at full quality just click on them.


This article was graciously contributed by mwdmeyer which was originally posted on his site here.

I've been getting lots of hits to the post about a site to site VPN setup with a netscreen. So I've decided to do one for a dial-up VPN user connecting to a netscreen.

A dial-up user is anyone who needs access into the network and has a dynamic ip address. We don't wish to be able to access them (the dial-up user) from within the network. This is how we setup most connections at work. This allows people to access file shares and outlook (without the need to setup RPC over HTTP).

Background

  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Netscreen Remote 8.7 (The Windows VPN client)
  • Local Network (the one in which the vpn users want to access) of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89

Setting up the Netscreen

1) First we need to create a user. This can be found in Objects -> Users -> Local (Note: Follow the screen shot below, you don't need a password here, you do need the IKE User info though)




















So we have our user, Test.User

2) Create Phase 1 of the VPN tunnel. This can be found in VPNs -> AutoKey Advanced -> Gateway (Note: Security level is set to custom, password for VPN is entered here, Outgoing interface is your untrust interface).














3) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Mode is set to Aggressive)




















Now click return and okay to save your settings.

4) Now we'll create the Phase 2 information. This can be found in VPNs -> AutoKey IKE (Note: Security level is set to custom, Remote Gateway is set to "Test.UserP1")













5) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Replay Protection is on)




















Now click return and okay to save your settings.

6) Now we'll need to create a policy. This will go from untrust to trust. This can be found in Policies.






Click new (Note: Source Address is Any-IPv4 or just Any if IPv6 is disabled, Destination Address is your local subnet, tunnel the connection though the VPN user "Test.UserP2")





















Now the Netscreen has been setup.

Setting up Netscreen Remote

1) Open the policy editor in Netscreen Remote

NetScreen Remote 1

2) Create a new connection (Note: Type in the remote subnet details and set the secure gateway to your netscreens external address)

















3) Now we'll setup the login details (Note: The Certificate is None, The ID Type is Domain Name and the value is "Test.User")

















4) Now click Pre-Shared Key (Note: Type in the password you used when setting up the connection in the netscreen)

















5) Now we'll set the connection to aggressive (Note: Enable PFS, DH is Group 2 and Enable Replay Dection)

















6) Now we'll setup the Phase 1 details (Note: We're using DES and MD5 here. SA Life is 28800 seconds)

















7) Now we'll setup the Phase 2 details (Note: The SA Life here is 3600 Seconds)

















8) Save the settings and Test!

That should be all you need to do.

Notes

  • The VPN may not work behind some NAT routers. You can try turning on NAT-T within the netscreen, although I find it doesn't normally work.
  • Make sure the details in the Netscreen and Netscreen Remote Match (i.e Phase 1 policies etc)
  • You can check the logs from both Netscreen and Netscreen Remote
  • You cannot connect to the VPN while within the local subnet
  • Netscreen Remote should be disabled when you're directly connected to the network
  • Only traffic for the subnet is passed over the VPN.



Taken From: http://www.juniperforum.com/index.php?page=20
Added minor correction in te policy source that has to be "Dial Up"
Publicada por em 10 comments:

Wednesday, July 23, 2008

Backups With Rsync Using SSH and Cron

Sincronize Folders With Rsync Using SSH and Cron

Looking for how to set up RSync over SSH so that you can run it in a cron job, or without entering a password?

It's actually very simple. Just follow these few steps:


Step 1
As the user you are going to be running rsync as, and on the machine you will be running rsync on, type:

  # ssh-keygen -t rsa

Follow the prompts and use the defaults for the filenames it gives you. Don't enter in a passphrase, otherwise you will still be prompted for a password when trying to connect.

You should then have two new files in path_to_user_home/.ssh, id_rsa and id_rsa.pub.


Step 2
Open path_to_user_home/.ssh/id_rsa.pub and copy the text to the end of path_to_user_home/.ssh/authorized_keys file on the host you will be connecting to as the user you will be logging in as.

ex:in bash you can do it like this:
cat id_dsa.pub >> .ssh/authorized_keys

Note: if /.ssh/ or authorized_keys dont exist create them, this hapened to me in cygwin,
where i had to create .ssh/ and inside it i created the authorized_keys


Step 3
Now try it out. Try ssh'ing from the host you created the id_rsa* files on to the one you added a text to the end of the authorized_keys file. You won't be prompted for a password any more.


Step 4
Now you can use, cron (see Configuring a Cron Task below) to schedule rsync tasks using ssh, because you don't need to prompt the password



Configuring a Cron Task

The main configuration file for cron, /etc/crontab, contains the following lines:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/


# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

The first four lines are variables used to configure the environment in which the cron tasks are run. The value of the SHELL variable tells the system which shell environment to use (in this example the bash shell), and the PATH variable defines the path used to execute commands. The output of the cron tasks are emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email will not be sent. The HOME variable can be used to set the home directory to use when executing commands or scripts.

Each line in the /etc/crontab file has the format:

    *minute   *hour    *day    *month    *dayofweek   *command


minute — any integer from 0 to 59
hour — any integer from 0 to 23
day — any integer from 1 to 31 (must be a valid day if a month is specified)
month — any integer from 1 to 12 (or the short name of the month such as jan, feb, and so on)
dayofweek — any integer from 0 to 7 where 0 or 7 represents Sunday (or the short name of the week such as sun, mon, and so on)
command — the command to execute. The command can either be a command such as ls /proc >> /tmp/proc or the commandcustom script that you wrote.

For any of the above values, an asterisk (*) can be used to specify all valid values. For example, an asterisk for the month value means execute the command every month within the constraints of the other values.

A hyphen (-) between integers specifies a range of integers. For example, 1-4 means the integers 1, 2, 3, and 4.

A list of values separated by commas (,) specifies a list. For example, 3, 4, 6, 8 indicates those four specific integers.

The forward slash (/) can be used to specify step values. The value of an integer can be skipped within a range by following the range with /. For example, 0-59/2 can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value */3 can be used in the month field to run the task every third month.

Any lines that begin with a hash mark (#) are comments and are not processed.


crontab
---------------------------------------------------------------

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run custom script the first day of every month at 4:10AM
10 4 1 * * /



your_scripts_dir



/backup.sh


# run-parts
01 * * * * root run-parts /etc/cron.hourly
31 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly










backup.sh
---------------------------------------------------------------

echo "+================================+"  >> /root/.rsync.log
echo "Syncrhonization Attempt Started At:" >> /root/.rsync.log
date >> /your_log_dir/.rsync.log

rsync --delete -avz "/source_dir/"  -e ssh username@remote_machine_ip_or_dns_name:/destination_dir

echo "---------------------------------" >> /root/.rsync.log
echo "Syncrhonization Attempt Ended At" >> /root/.rsync.log



date >> /root/.rsync.log


As you can see from the /etc/crontab file, it uses the run-parts script to execute the scripts in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly files on an hourly, daily, weekly, or monthly basis respectively. The files in these directory should be shell scripts.

If a cron tasks needs to be executed on a schedule other than hourly, daily, weekly, or monthly, it can be added to the /etc/cron.d directory. All files in this directory use the same syntax as /etc/crontab.

The cron daemon checks the etc/crontab file, the etc/cron.d/ directory, and the /var/spool/cron directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed.

Users other than root can configure cron tasks by using the crontab utility. All user-defined crontabs are stored in the /var/spool/cron directory and are executed using the usernames of the users that created them. To create a crontab as a user, login as that user and type the command crontab -e to edit the user's crontab using the editor specified by the VISUAL or EDITOR environment variable. The file uses the same format as /etc/crontab. When the changes to the crontab are saved, the crontab is stored according to username and written to the file /var/spool/cron/username.
Starting and Stopping the Service

To start the cron service, use the command /sbin/service crond start. To stop the service, use the command /sbin/service






Publicada por em 1 comment:
Subscribe to: Posts (Atom)