Setting up a VPN from the command line (CMD)
1. Prerequisites
The Windows Firewall service must be stopped (or, with more trouble, left running with the routing protocol and port 1723 allowed through)
The Remote Registry service must be running
The Server service must be running
The routing service (Routing and Remote Access) must be running
On Win2000 with two or more network cards, setting up a VPN is very convenient: after the NAT protocol is added, a client that dials in can use the remote network to reach the Internet. This can improve network speed for some clients and lets the server act as a proxy.
On WinXP or Win2003 with a single network card, a similar VPN is still easy to set up: after adding the NAT protocol, add two interfaces, one for Local Area Connection and one for Internal. Set Local Area Connection to full forwarding and Internal to private mode, and users with permission can dial in.
On Win2000 with a single network card, a similar VPN is less convenient: after the NAT protocol is added, the graphical interface only lets you add Local Area Connection as an interface and does not allow the Internal interface to be added. After looking at the output of netsh dump >c:\1.txt, I tried adding the Internal interface with a netsh command, and it worked. The command is:
netsh routing ip nat add interface internal private
Here are some common commands:
rem Grant dial-in permission to a user; the user cannot be TsInternetUser, support_388945a0, etc.
netsh ras set user username permit
rem Use static address pool mode
netsh ras ip set addrassign pool
rem Set the static pool range; use a standard LAN address range to avoid address forwarding errors later when accessing the Internet
netsh ras ip add range 10.0.0.1 10.0.0.100
rem Add the NAT protocol
netsh routing ip nat install
rem Add Local Area Connection as a NAT interface with full forwarding
netsh routing ip nat add interface "Local Area Connection" full
rem Add Internal as a NAT interface in private mode
netsh routing ip nat add interface internal private
IGMP can also be configured in netsh with a long command line:
netsh routing ip igmp install
netsh routing ip igmp add interface internal igmpprototype=igmprtrv2 ifenabled=enable robustvar=2 startupquerycount=2 startupqueryinterval=31 genqueryinterval=125 genqueryresptime=10 lastmemquerycount=2 lastmemqueryinterval=1000 accnonrtralertpkts=yes
netsh routing ip igmp add interface name="Local Area Connection" igmpprototype=igmpproxy ifenabled=enable
If the interface already exists before you configure it, you must remove it first:
rem Similarly for other interfaces
netsh routing ip igmp delete interface internal
The Routing and Remote Access service records a lot of information, such as IPSec and logon information, in the System and Security logs.
To avoid this, modify the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"LoggingFlags"=dword:00000000
After this change, apart from logon information, IPSec and RemoteAccess warnings are no longer recorded.
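Because these two values reduce what a server records about its own remote-access activity, they are worth checking for during an audit. The following is an added example, not part of the original page: it parses text in .reg export format and reports when either value is set as shown above. The function name and the sample export are constructed for illustration; a real reg export file is UTF-16 and must be decoded before being passed in.

```python
import re

# Key paths and value names are the ones given on this page (compared case-insensitively).
WATCHED = {
    (r"hkey_local_machine\system\currentcontrolset\services\rasman\parameters",
     "prohibitipsec"): (lambda v: v == 1, "ProhibitIpSec=1"),
    (r"hkey_local_machine\system\currentcontrolset\services\remoteaccess\parameters",
     "loggingflags"): (lambda v: v == 0, "LoggingFlags=0 (RRAS event logging off)"),
}

SECTION = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Key\Path]
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:0000000n


def audit_reg_export(text):
    """Return a sorted list of findings for the watched values in .reg-format text."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()   # remember which key the next values belong to
            continue
        m = DWORD.match(line)
        if m and key:
            rule = WATCHED.get((key, m.group(1).lower()))
            if rule and rule[0](int(m.group(2), 16)):
                findings.append(rule[1])
    return sorted(findings)


# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"LoggingFlags"=dword:00000000
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print("FINDING:", finding)
```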
Also worth mentioning: a VPN set up this way usually uses the PPTP protocol on TCP port 1723. If we add an allow rule for TCP 1723 to the network card's IP policy, clients can basically dial in. Why only "basically"? Because besides TCP 1723, PPTP also uses IP protocol 47, which is neither TCP nor UDP, and this protocol is important for authentication. If a firewall on the network blocks it, the symptom is: dial -> user authentication -> disconnected without passing authentication.
Configuring the VPN also requires the Remote Registry service, which can be turned off once the VPN is established.
The Workstation, Server and RPC services are also required during configuration.
In testing, when the VPN is set up entirely from the command line, rrasmgmt.msc does not show the specific configuration information. In other words, the only thing visible is a dial-in connection in the Network Connections folder.