VPN Help

sonoma1993

I have two servers set up: Windows Server 2008 Standard Edition, which is the domain controller, and Windows Server 2003 Enterprise Edition, which I'm trying to use as a remote access VPN server. On Server 2003 Enterprise Edition, I set up the Windows Routing and Remote Access service for the VPN connections. When I'm on the local LAN, I can establish a VPN connection to the server with my laptop and desktop. But when I'm trying to connect from outside the LAN, for example from my dad's house on his AT&T DSL connection, I can't establish the VPN connection with my laptop. I get error 800, unable to establish VPN connection. I port forwarded port 1723 to my Server 2003 internal IP address, and also port forwarded port 47 as well. For my router I'm using a Linksys WRT54G with the DD-WRT firmware v24 sp1. I have the IPsec, PPTP and L2TP passthrough enabled. Not too sure why I can't establish

Also, the firewall is disabled on Server 2003. I checked the router logs, and they show port 1723 is being accepted. And I did double check the port forward section, and it's going to the right server IP address.
 

spidey07

You need to forward IP PROTOCOL 47, not a TCP port. This is an IP protocol number meaning it is different than tcp or udp. This is the GRE tunneling that the VPN uses.
 

sonoma1993

Originally posted by: spidey07
You need to forward IP PROTOCOL 47, not a TCP port. This is an IP protocol number meaning it is different than tcp or udp. This is the GRE tunneling that the VPN uses.

How do I forward IP protocol 47?

I ran the Microsoft pptpsrv file on my VPN server and the pptpclnt file on my laptop. The pptpclnt file told me connection refused. I have the PPTP passthrough enabled on my router. I read up on IP protocol 47 and was told that the PPTP passthrough should take care of that. I think I might have to reset my router to the default settings and reconfigure it again.
 

imagoon

It depends on your firewall. In my Juniper I forward prot 47 as "GRE tunnel" to make it work.

To be more technical, I put a policy in from ANY to MIP(%myip%) (mapped IP) for service GRE and PPTP. The MIP is assigned in the interface settings to an internal IP where the VPN server is.

GRE service is defined as:

GRE IP (47) any Generic Routing Encapsulation 60

In my objects configuration. Notice no mention of TCP or UDP there.

PPTP:

PPTP TCP src port 0-65535, dst port:1723

Note the TCP mentioned there.
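The distinction drawn in this thread between TCP port 1723 and IP protocol 47, as an added example that is not part of any poster's reply: a small classifier for raw IPv4 packets, run over constructed sample packets. The function names, the sample addresses (documentation ranges) and the packet contents are assumptions made for illustration.

```python
import socket
import struct

GRE_PROTO = 47    # IP protocol number of GRE (PPTP data channel); not a port
TCP_PROTO = 6
PPTP_PORT = 1723  # TCP port of the PPTP control channel

def classify(packet: bytes) -> str:
    """Return 'pptp-control', 'gre' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20:
        return "other"
    proto = packet[9]                       # protocol field lives in the IP header
    if proto == GRE_PROTO:
        return "gre"                        # GRE carries no port numbers at all
    if proto == TCP_PROTO and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets) -> str:
    """Summarise a capture taken on the VPN server's LAN side."""
    kinds = {classify(p) for p in packets}
    if {"pptp-control", "gre"} <= kinds:
        return "control and GRE both seen"
    if "pptp-control" in kinds:
        return "control seen, GRE missing: check IP protocol 47 forwarding"
    return "no PPTP control traffic seen: check TCP 1723 forwarding"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left at zero) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton("203.0.113.5"),
                      socket.inet_aton("192.0.2.10"))
    return hdr + payload

def tcp_syn(dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

# Constructed samples, not captured traffic.
TCP_1723 = ipv4(TCP_PROTO, tcp_syn(1723))   # PPTP control connection
TCP_47 = ipv4(TCP_PROTO, tcp_syn(47))       # what forwarding "port 47" passes
GRE_PKT = ipv4(GRE_PROTO, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))

if __name__ == "__main__":
    print(diagnose([TCP_1723, TCP_47]))     # router forwards ports only
    print(diagnose([TCP_1723, GRE_PKT]))    # router also passes protocol 47
```
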
 

jlazzaro

Certain versions have trouble forwarding specific IP protocols... Perhaps just run the security DD-WRT version and terminate the PPTP connections on the router?
 

bobdole369

Yup - error 800 indicates that the GRE tunnel couldn't be established. One of your routers at the endpoints is not capable of using GRE (IP Protocol 47). As it isn't TCP or UDP - sometimes really old, or consumer routers will just drop these packets. I know that's the case with a bunch of old Linksys stuff.

What kind of routers do you have?
 

sonoma1993

Originally posted by: bobdole369
Yup - error 800 indicates that the GRE tunnel couldn't be established. One of your routers at the endpoints is not capable of using GRE (IP Protocol 47). As it isn't TCP or UDP - sometimes really old, or consumer routers will just drop these packets. I know that's the case with a bunch of old Linksys stuff.

What kind of routers do you have?

I'm using the Linksys WRT54G with the DD-WRT v24-sp1 VPN firmware. The router used to forward all VPN requests just fine, not sure why it's not doing it anymore. I don't have any of the router's VPN server settings enabled, so that the router won't be the actual VPN server.
 

RebateMonger

Before you get too deep into it, double check making a VPN connection from INSIDE your network to make sure that you don't have a problem with Windows (or other) firewall, and to make sure that everything is working and listening properly.

SOHO routers that aren't specifically designed for VPN can be a pain. Some work, some don't, and a particular model will work with one version of firmware, but won't work with the next release of firmware. They can be a pain.

If I need a reliable and quick VPN connection, I normally either make a direct Internet connection and install ISA Server on my Windows gateway server or I use one of the $50-$100 Netgear metal-box VPN routers, which have worked well for me with Windows PPTP VPNs.
 

sonoma1993

Originally posted by: RebateMonger
Before you get too deep into it, double check making a VPN connection from INSIDE your network to make sure that you don't have a problem with Windows (or other) firewall, and to make sure that everything is working and listening properly.

Yeah, I can make VPN connections from inside my network. Server 2003 Enterprise won't allow you to enable the firewall when Routing and Remote Access is enabled.