
Netopia PPTP Setup to an NT Server

NQG_027

This Netopia Quick Guide details configuration of a Netopia router as a PPTP client, or PPTP Access Concentrator (PAC), to a Windows NT or Windows 2000 PPTP Network Server (PNS). Strong data encryption, or Microsoft's 128-bit encryption, is supported in firmware version 4.6 or later. You should be running Windows NT Server 4.0 with the 40-bit encryption version of Service Pack 5 or Windows 2000 Server with Service Pack 1 and the 128-bit encryption upgrade.

Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote is not applicable to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware by purchasing an upgrade key.

Firmware References:

  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7   (and up) - 4000 Series
  • v4.8.2   (and up) - R-Series

Before You Start

PLEASE READ our Notice on Configuring VPN Tunnels with Netopia Routers.

Telnet into the Netopia router's Main Menu at 192.168.1.1 (if using the default IP setting). If your network has a different IP addressing scheme, modify this accordingly. Separate instructions are available for using telnet and HyperTerminal (serial connection).

Login with the user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.

Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.


The Netopia Main Menu Interface

Notice:

This document is provided to you as an added service by Netopia Technical Support. Although the configurations described below have proven successful in many instances for doing Microsoft Networking across a WAN or VPN connection, we cannot guarantee success in all circumstances due to the many variables and unpredictable behavior common to Windows OS. If the following suggestions do not provide the results you desire, please contact your MIS Department, or Microsoft Technical Support directly as Netopia cannot further support the features of Windows OS.

Network Example

The following network diagram is the configuration that is referenced in this technote. Please note the IP addresses used below are examples only. Your own IP addresses will be different. Please substitute your own information for the values used below. The Local WAN IP addresses used in the configuration are for illustrative purposes only.

(Note: The Ethernet IP addresses used in this example can be reused in other, similar configurations. However, the Local WAN IP addresses will differ for each individual configuration. The router configurations that follow are based on this example network. Please substitute your own IP information when configuring your routers. In any case, both routers must be configured for different Ethernet IP subnets, as the example configuration illustrates.)

Your NT/2000 Server does not necessarily have to match this scenario. Your NT/2000 Server may also have a Dial Up Networking connection to the Internet, or it could have a single NIC and be behind a router, either with a legal, routable address or with a private address behind Network Address Translation (NAT). If your NT/2000 Server is behind a router or firewall, make sure incoming IP traffic using TCP port 1723 and IP protocol type 47 (GRE) is allowed.
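The firewall requirement above can be checked against a ruleset before the tunnel is tested: a ruleset that passes TCP 1723 but not GRE lets the PPTP control connection through while the tunnelled data is dropped. The following is an added example, not part of the Netopia technote; the rule format, the first-match evaluation order and the address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ruleset for a firewall in front of the NT/2000 Server.
# Assumed semantics: rules are read top to bottom, first match wins,
# and anything unmatched is denied.
SERVER = "203.0.113.10"  # documentation address standing in for the server
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.10/32", "dport": 1723},
    {"action": "allow", "proto": "tcp", "dst": "203.0.113.0/24", "dport": 80},
    {"action": "deny", "proto": "any", "dst": "0.0.0.0/0", "dport": None},
]
# Same ruleset with GRE (IP protocol 47) allowed to the server.
FIXED_RULES = [
    {"action": "allow", "proto": "gre", "dst": "203.0.113.10/32", "dport": None},
] + RULES


def verdict(rules, proto, dst, dport=None):
    """Return 'allow' or 'deny' for one inbound packet (first match wins)."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(rule["dst"]):
            continue
        # GRE carries no ports, so a rule that names a port cannot match it.
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["action"]
    return "deny"


def pptp_readiness(rules, server):
    """Check both flows PPTP needs: TCP 1723 (control) and GRE (tunnel data)."""
    control = verdict(rules, "tcp", server, 1723) == "allow"
    data = verdict(rules, "gre", server) == "allow"
    if control and data:
        status = "ok"
    elif control:
        status = "control only: GRE (protocol 47) is blocked"
    elif data:
        status = "GRE only: TCP 1723 is blocked"
    else:
        status = "blocked"
    return {"tcp_1723": control, "gre_47": data, "status": status}


if __name__ == "__main__":
    print(pptp_readiness(RULES, SERVER))
    print(pptp_readiness(FIXED_RULES, SERVER))
```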

Configuration Method A

Netopia Router Configuration connecting to the NT/2000 Server with RAS (Remote Access) enabled:

  1. From the Main Menu of router console screens, go to Quick Menus, and select Add Connection Profile.
  2. Under Profile Name, type a name of your choice.
  3. Change Data Link Encapsulation to PPTP and select Data Link Options. The Add Connection Profile screen should appear as follows once configured:
  4. Enter the PPTP Partner IP Address. (Note: This is the public IP address of your NT/2000 Server. In our example, this is the WAN Ethernet NIC.)
  5. Next, select MS-CHAP for Authentication. If you set the NT/2000 Server to Require data encryption, select MPPE for Data Encryption.
  6. For Send Host Name, enter the user name you entered for the Dial-In Credentials on the NT/2000 Server and enter the password as the Send Secret.
  7. Note: If you have multiple trusted domains on your NT/2000 Server, you will need to specify the domain with which you are authenticating. This is accomplished by adding the domain name in front of the Send Host Name, separated by a backslash (e.g., domain name\username).

  8. Set Initiate Connections to Yes.
  9. If you want the Netopia to initiate a PPTP connection to the NT/2000 Server whenever there is a demand for resources on the NT/2000 network, as opposed to manually establishing a connection from the router every time, set On Demand to Yes.
  10. Idle Timeout is the amount of time the router will maintain the PPTP connection to the NT/2000 Server when there is no traffic. It is 300 seconds or 5 minutes by default. A value of zero disables the idle timer so the PPTP connection will never time out. The PPTP Tunnel Options screen should appear as follows once configured:
  11. Escape once back to the Add Connection Profile screen.
  12. IP Enabled should be set to Yes. Next, select IP Profile Parameters.
  13. Set Address Translation Enabled to Yes. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes).
  14. Set the Remote IP Address to 10.0.0.0 and the Remote IP Mask to 255.255.255.0. (Note: If the NT/2000 Server has different TCP/IP settings than those used in this example, please substitute your own information.)
  15. DO NOT select a Filter Set. If one is active, hit enter on Remove Filter Set to deactivate it. (Note: You can filter over a PPTP connection; however, none of the pre-set filters are suitable for this purpose. If you wish to filter traffic on your PPTP tunnel, please read Netopia Technote NIR_052: Netopia Firewall Features and Configuration.)
  16. Choose RIP Profile Options and set Receive RIP to Off unless you have multiple RIP-enabled routers on either network.
  17. Escape once to IP Profile Parameters. The IP Profile Parameters screen should appear as follows once configured:
  18. Escape once to return to the Add Connection Profile screen and select Add Profile Now or Commit (depending on firmware version).
  19. Escape twice out to the Main Menu and go to Utilities and Diagnostics.
  20. Select Restart System. This concludes the setup for your Netopia router.

Please be aware that connecting the Netopia to the NT/2000 Server with RAS will only allow traffic to flow from the Netopia to the network behind the NT/2000 Server. Workstations behind the NT/2000 Server will not be able to reach workstations behind the Netopia with this particular configuration.

Configuration Method B

Netopia Router Configuration connecting to an NT/2000 Server with RRAS (Routing and Remote Access Service, where the computer is enabled as a Router):

Use the same configuration as above, with the exception of the Address Translation Enabled and Remote IP Address steps, which are set as follows:

  1. Set Address Translation Enabled to No. (Note: Use the tab key to toggle this option between Yes and No. Hit enter to save your changes.)
  2. Set the Remote IP Address to 10.0.0.0 and the Remote IP Mask to 255.255.255.0. (Note: If your NT/2000 Server has different TCP/IP information, modify these values accordingly).

Conclusion

You should have now successfully configured your Netopia router as a PPTP client. You are now ready to initiate a VPN connection between your Netopia router and your NT/2000 Server.

Note: Since NAT is enabled in your Netopia router's Connection Profile to the NT/2000 Server, the limitations of NAT apply when trying to forward TCP and UDP applications (service ports) into your private network. This limited access applies to Windows Networking as well, since NetBIOS is a UDP protocol used to facilitate Windows browsing. Once you configure your Netopia router to forward UDP ports 137, 138, and 139 to a private host on your private network, that private host will be able to facilitate Windows Networking. For instructions on how to configure TCP and UDP port forwarding to a private host on your Netopia router's network, please see the following technote: NQG_025: Port Forwarding (Server List)

© 2009 Netopia, Inc., a Motorola Company. All rights reserved.