Question : VPN with LinkSys BEFSR11-CA ver.2
A network that I support has a number of Windows XP Pro clients connecting to a Windows 2000 Server using a VPN connection and running Terminal Services. The server has 2 network cards. One for the LAN and the 2nd to connect to the Internet and provide the external IP for the remote connections. It uses ICS to share the external connection for the LAN. I want to replace the 2nd card with a router and I have a single port LinkSys BEFSR11-CA router. I cloned the MAC address of the 2nd network card and moved the modem cable from the 2nd NIC to the router. I was able to do a release and renew and get an IP address and internet connection for the LAN PCs through the router, but I can't get a connection coming in. Also I can send email but can't receive any (server not found error). The router configuration changes were: I forwarded port 3387 to the Terminal Server IP, disabled 'Block WAN requests', enabled 'PPTP Pass Through', then forwarded ports 1723 and 47 for the VPN connection.
What else do I need to do to get the external clients to connect into the server through the existing Microsoft VPN and then run the Terminal Server (RDT) software?
Any help would be greatly appreciated.
Answer : VPN with LinkSys BEFSR11-CA ver.2
Most cheap routers support PPTP and IPSEC pass-through only for outgoing connections. What this means is that you will be able to create an outgoing VPN connection from inside your LAN, but won't be able to connect to your server from outside in the way you are trying. You may be able to if you declare your server as the DMZ, though this does mean that you are losing the benefit of the firewall, etc. on the router.
One of the problems with incoming VPN is the random assignment of the port after the initial negotiation. The ports you have forwarded are correct, but are only used for establishing the VPN. If you look on the server when a VPN is established, you would see it is actually using a completely different port. The cheaper routers just aren't designed to cope with this.
Pretty much the only options available are the DMZ (as described above), or the purchase of a new router that fully supports VPN.
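As an added illustration (not part of the original thread), here is a small Python model of how a consumer NAT router handles unsolicited inbound traffic. PPTP's control connection is TCP 1723, but its data tunnel is GRE (IP protocol 47), which carries no port numbers, so a port-forward rule written as "port 47" never matches it; only a DMZ host receives it, at the cost of every other unmatched packet reaching that host too. The LAN address and rule table are constructed values, not the poster's configuration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PPTP_CONTROL_PORT = 1723   # TCP control connection of PPTP
GRE_PROTOCOL = 47          # IP protocol number of the PPTP data tunnel; GRE has no ports
SERVER = "192.168.1.10"    # constructed LAN address of the VPN / Terminal Server


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "gre"
    dst_port: Optional[int]     # None for GRE: there is no port field to match on


class Router:
    """Constructed model of a single-WAN NAT router's inbound handling (no vendor firmware)."""

    def __init__(self, forwards: Dict[Tuple[str, int], str], dmz_host: Optional[str] = None):
        self.forwards = forwards    # (proto, port) -> LAN host, as on a Forwarding page
        self.dmz_host = dmz_host    # host that receives everything not matched by a rule

    def route_inbound(self, pkt: Packet) -> Optional[str]:
        """Return the LAN host that receives an unsolicited WAN packet, or None if dropped."""
        if pkt.dst_port is not None:
            target = self.forwards.get((pkt.proto, pkt.dst_port))
            if target:
                return target
        # No port rule can describe a GRE packet, so it reaches the LAN only via the DMZ host.
        return self.dmz_host


def pptp_session_reaches_server(router: Router, server_ip: str) -> Dict[str, bool]:
    """Check both halves of an inbound PPTP session: TCP control and GRE data."""
    control = router.route_inbound(Packet("tcp", PPTP_CONTROL_PORT)) == server_ip
    data = router.route_inbound(Packet("gre", None)) == server_ip
    return {"control": control, "data": data, "vpn_works": control and data}


# Rules as the question describes them: 1723 and "47" forwarded as if 47 were a port.
FORWARD_ONLY = Router({("tcp", PPTP_CONTROL_PORT): SERVER, ("tcp", 47): SERVER})
# The workaround from the answer: declare the server as the DMZ host.
DMZ = Router({}, dmz_host=SERVER)

if __name__ == "__main__":
    print("forwards only:", pptp_session_reaches_server(FORWARD_ONLY, SERVER))
    print("DMZ host:     ", pptp_session_reaches_server(DMZ, SERVER))
    # The price of the DMZ: an unrelated inbound packet also lands on the server.
    print("TCP 445 with DMZ reaches:", DMZ.route_inbound(Packet("tcp", 445)))
```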