VPN Access through router

Discussion in 'Microsoft Windows 2000 RAS Routing' started by Graham Greenway, Aug 5, 2003.

  1. I have static ADSL service and am currently connecting to
    a cheap D-link Router to provide NAT conversion for my 25
    internal clients. I am trying to set up VPN access to the
    server, but keep getting stuck at verifying user name and
    password.
    I have forworded ports 1723 and 47 to the server. I have
    One Windows 2000 server, currently using one NIC assigned
    an address of 192.168.1.2. The Router uses 192.168.1.1.

    It looks like my requests are reaching the server but
    timing out. I have gone through every setting in Routing
    and remote access. I have tried no encryption, no
    authentication, setting up a RADIUS server, allowing
    unrestricted access throught the remote accress policy.
    And still I can not connect.

    Everything I read seems to point to using 2 NICs in the
    server. How would I set this up? Do I need 2 cards? Is my
    cheap router causeing the problem? How secure would W2K be
    if I connected on card directly to the modem>? and the
    other to the internal network?> I have a few more public
    IP addresses to use.

    Any help would be great.
    Thanks
    Graham
     
    Graham Greenway, Aug 5, 2003
    #1
    1. Advertisements

  2. Graham Greenway

    Bill Grant Guest

    The port 47 thing is an urban myth. It is widely believed (you will even
    see it in documents from router manufacturers), but it has nothing to do
    with VPN.

    What is required is GRE, which is IP protocol 47. The encrypted data (ie
    the tunnelled traffic) comes across the link as the payload of packets with
    GRE headers. If the router blocks GRE, no VPN traffic.

    On simple SOHO routers, allowing GRE is sometimes referred to as PPTP
    pass-through mode or VPN pass-through mode.

    "Graham Greenway" <> wrote in message
    news:085f01c35af6$8dd05040$...
    > I have static ADSL service and am currently connecting to
    > a cheap D-link Router to provide NAT conversion for my 25
    > internal clients. I am trying to set up VPN access to the
    > server, but keep getting stuck at verifying user name and
    > password.
    > I have forworded ports 1723 and 47 to the server. I have
    > One Windows 2000 server, currently using one NIC assigned
    > an address of 192.168.1.2. The Router uses 192.168.1.1.
    >
    > It looks like my requests are reaching the server but
    > timing out. I have gone through every setting in Routing
    > and remote access. I have tried no encryption, no
    > authentication, setting up a RADIUS server, allowing
    > unrestricted access throught the remote accress policy.
    > And still I can not connect.
    >
    > Everything I read seems to point to using 2 NICs in the
    > server. How would I set this up? Do I need 2 cards? Is my
    > cheap router causeing the problem? How secure would W2K be
    > if I connected on card directly to the modem>? and the
    > other to the internal network?> I have a few more public
    > IP addresses to use.
    >
    > Any help would be great.
    > Thanks
    > Graham
     
    Bill Grant, Aug 5, 2003
    #2
    1. Advertisements

  3. Hi,

    Bill is right on target here. You need to close TCP port 47 and allow IP
    Protocol 47 (GRE).

    Thanks,
    Marc Reynolds
    Microsoft Technical Support
     
    Marc Reynolds [MSFT], Aug 5, 2003
    #3
  4. Graham Greenway

    Graham Guest

    Thanks for the tips,

    I disabled port forwarding on port 47 and made sure PPTP
    pass through was enabled on my router but still get stuck
    at Verifying user name and password. Any other ideas>>??
    Thanks
    >
     
    Graham, Aug 5, 2003
    #4
  5. Hi Graham,

    Getting stuck at verify username and password is a sign that GRE (IP
    Protocol 47) is being blocked. You'll need to make sure your router is
    passing GRE traffic.

    Thanks,
    Marc Reynolds
    Microsoft Technical Support
     
    Marc Reynolds [MSFT], Aug 5, 2003
    #5

  6. >-----Original Message-----
    >Hi Graham,
    >
    >Getting stuck at verify username and password is a sign

    that GRE (IP
    >Protocol 47) is being blocked. You'll need to make sure

    your router is
    >passing GRE traffic.


    Add me to the list of people with this problem. The
    router is a linksys befrs41. I have both pptp and l2tp
    passthrough enabled, port forwarding for 1723 and 500, and
    port triggering, per linksys kb instructions. This should
    insure that GRE is not being blocked. Moreover, the
    problem persists when I put the win2k vpn server in a
    DMZ. So I cannot but assume that there is another problem
    here besides GRE being blocked.

    -Basil
     
    Basil Copeland, Aug 6, 2003
    #6
  7. "Moreover, the problem persists when I put the win2k vpn server in a DMZ.
    So I cannot but assume that there is another problem here besides GRE being
    blocked."

    You cannot make that assumption since the VPN traffic still needs to go
    through routers. It could be a server side router blocking GRE or a client
    side router blocking GRE.

    A better test would be to try to connect to your VPN server from another
    client in the DMZ or even from the client session on the VPN server itself.


    Thanks,
    Marc Reynolds
    Microsoft Technical Support
     
    Marc Reynolds [MSFT], Aug 6, 2003
    #7

  8. >You cannot make that assumption since the VPN traffic

    still needs to go
    >through routers. It could be a server side router

    blocking GRE or a client
    >side router blocking GRE.
    >


    Thanks for the reply. One "common denominator" that
    I found in doing a general google search on "vpn error
    721" is that a lot of the reports of the problems made
    some attribution to ADSL. Is there any reason to believe
    that the gateway routers used by telcos could be blocking
    GRE on outgoing traffic? FWIW, my DSL service is not
    PPPoE, but the older PPP DSL technology.

    Do you know of any way I could test whether I can
    send Port 47 traffic outbound from the LAN? I really
    don't think the problem is with the passthrough inbound.

    >A better test would be to try to connect to your VPN

    server from another
    >client in the DMZ or even from the client session on the

    VPN server itself.

    Well, there is no problem connecting from a client
    session on the VPN server itself, nor from other clients
    on the LAN. The problem is connecting from outside the
    LAN, which is the whole idea of a vpn.
    >
    >
    >Thanks,


    And thanks to you.

    -Basil
     
    Basil Copeland, Aug 6, 2003
    #8
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. karl

    Network browsing across W2K router-to-router VPN doesn't work!

    karl, Sep 8, 2003, in forum: Microsoft Windows 2000 RAS Routing
    Replies:
    1
    Views:
    565
    Bill Grant
    Sep 9, 2003
  2. Guest

    unable to go VPN router to router.

    Guest, Jan 28, 2004, in forum: Microsoft Windows 2000 RAS Routing
    Replies:
    2
    Views:
    201
    Bill Grant
    Jan 28, 2004
  3. Guest

    router-to-router VPN problem

    Guest, Mar 24, 2004, in forum: Microsoft Windows 2000 RAS Routing
    Replies:
    2
    Views:
    198
    Bill Grant
    Mar 25, 2004
  4. lill

    router-to-router VPN

    lill, Mar 30, 2004, in forum: Microsoft Windows 2000 RAS Routing
    Replies:
    3
    Views:
    232
    Bill Grant
    Apr 1, 2004
  5. scott

    authenticate clients over router to router VPN ?

    scott, Apr 20, 2004, in forum: Microsoft Windows 2000 RAS Routing
    Replies:
    3
    Views:
    502
    Bill Grant
    Apr 22, 2004
Loading...

Share This Page