VPN with W2K client and XP Pro host

Geoff Pigott

I am trying to set up a VPN with a W2K client dialling in via a modem
to a XP Pro host that is connected to the internet via a Solwise
SAR110 router.

I have set up VPN client and Incoming connections host on the
respective machines, with the user accounts properly set up, and using
TCP/IP. The router has been configured to allow TCP and GRE (protocol
47) on port 1723 - for the local IP address I have used the private IP
address of the NIC that is connected to the router, and the global IP
address is the static IP address assigned by my ISP.

However, when I try to connect from the W2K PC I get "Error 721 - the
remote computer is not responding". On the XP the connection icon (2
blue computers) flashes, but that is all.

The result is the same if the XP's firewall is on or off. Also, the XP
has Norton Internet Security, but I get the same result even after
turning Security off.

Any suggestions?
Thank you in advance.
Geoff Pigott
 
Jeffrey Randow (MVP)

Type in "netstat -an" from the command line... Do you see an entry
listening on TCP Port 1723?
---
Jeffrey Randow (Windows Networking MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/centers/networking/default.mspx
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communities/wireless.mspx
 
Geoff Pigott

This is what I get when I type netstat -an on the XP Pro VPN Host :-

C:\Documents and Settings\Geoff>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING
  TCP    192.168.7.2:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1036           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1029         *:*
  UDP    127.0.0.1:1030         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.7.2:123        *:*
  UDP    192.168.7.2:137        *:*
  UDP    192.168.7.2:138        *:*
  UDP    192.168.7.2:1900       *:*

Does this tell you anything?
Thanks for replying.
Geoff
 
Robin Walker

Geoff Pigott said:
This is what I get when I type netstat -an on the XP Pro VPN Host :-

Does this tell you anything?

It tells us that this PC has both PPTP and L2TP VPN servers waiting for
incoming connections, but there are no incoming connections.

Does your router actually support PPTP pass-through? (for the GRE protocol).

What brand and model is the router?
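The check Jeffrey asked for, and Robin's reading of the result, as a small script. This is an added example, not code from the thread: it parses Windows `netstat -an` output and reports which VPN server listeners are bound on a reachable address. Geoff's listing from above is embedded inline so it runs offline, together with a constructed listing for the case where PPTP is bound to loopback only.

```python
"""Parse Windows `netstat -an` output and report which VPN server listeners
are present. Added example, not code from the thread; the first sample is
Geoff's listing copied inline, the second is constructed for the failure case."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Geoff's `netstat -an` listing from the thread, copied inline.
GEOFF_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING
  TCP    192.168.7.2:139        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1036           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1029         *:*
  UDP    127.0.0.1:1030         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.7.2:123        *:*
  UDP    192.168.7.2:137        *:*
  UDP    192.168.7.2:138        *:*
  UDP    192.168.7.2:1900       *:*
"""

# Constructed listing: PPTP bound to loopback only, so a connection
# forwarded in by the router could never reach it.
LOOPBACK_ONLY = """
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1723         0.0.0.0:0              LISTENING
"""

# Well-known listener ports of the Windows VPN server components.
VPN_LISTENERS = {
    ("TCP", 1723): "PPTP control channel",
    ("UDP", 1701): "L2TP",
    ("UDP", 500): "IKE (IPsec key exchange)",
    ("UDP", 4500): "IPsec NAT-T",
}


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    state: str  # "LISTENING" for TCP listeners; "" for UDP, which has no state


_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Turn the textual listing into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            sockets.append(Socket(proto, addr, int(port), state or ""))
    return sockets


def accepts_remote(sock: Socket) -> bool:
    """A socket bound to loopback can only be reached from the same machine."""
    listening = sock.proto == "UDP" or sock.state == "LISTENING"
    return listening and not sock.addr.startswith("127.")


def vpn_listeners(text: str) -> Dict[str, str]:
    """Map each VPN component found to the local address it is bound on."""
    found = {}
    for sock in parse_netstat(text):
        name = VPN_LISTENERS.get((sock.proto, sock.port))
        if name and accepts_remote(sock):
            found[name] = f"{sock.addr}:{sock.port}"
    return found


def pptp_ready(text: str) -> bool:
    """True when TCP 1723 listens on a non-loopback address. GRE (IP protocol
    47) carries the PPTP data and never appears in netstat, so this confirms
    only the control channel; the router must still pass GRE separately."""
    return "PPTP control channel" in vpn_listeners(text)


if __name__ == "__main__":
    for name, addr in sorted(vpn_listeners(GEOFF_NETSTAT).items()):
        print(f"{name:28} {addr}")
```

On Geoff's listing this reports the PPTP control channel on 0.0.0.0:1723 and the L2TP, IKE and NAT-T listeners, which is exactly what Robin read off it; it also makes the point that a listening TCP 1723 says nothing about whether GRE gets through the router.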
 
Geoff Pigott

That is a good question, because I have searched in the router's
configuration for the PPTP Passthrough, to no avail - probably because
I don't know what ports/protocols/interfaces etc. it might be
masquerading as!

The router is a Solwise SAR110, which overall I am very pleased with -
fairly easy to configure, and copious help pages.

Do you know what I should be looking for re PPTP Passthrough?

Thank you for your help.
Geoff Pigott
 
Robin Walker

Geoff Pigott said:
That is a good question, because I have searched in the router's
configuration for the PPTP Passthrough, to no avail - probably because
I don't know what ports/protocols/interfaces etc. it might be
masquerading as!

The router is a Solwise SAR110, which overall I am very pleased with -
fairly easy to configure, and copious help pages.

Do you know what I should be looking for re PPTP Passthrough?

I am not familiar with this model of router. If its configuration does not
explicitly support PPTP, then the possibility is that you will not be able
to use PPTP through it. PPTP does not use TCP or UDP ports, so normal
port-forwarding will not work. PPTP uses a special IP protocol called GRE,
which requires special custom treatment in a NAT router.
 
Sooner Al

I would...

Look at the section starting on page 63, which deals with NAT, in the Quick Start Guide...

http://www.solwise.co.uk/downloads/adsl.htm

Apparently you can manually add a Protocol number in the Protocol field. See page 72 to start the
process.

Otherwise you might post to the Solwise support forums...

http://www.solwiseforum.co.uk/

It's very possible, as Robin mentioned, the device does not support PPTP VPN at all inbound...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 
Geoff Pigott

I looked in the Setup guide for the SAR110, but find very little
relating to PPTP Passthrough.
So I phoned Solwise Tech. Support, who were helpful - they said that the
SAR110 does support PPTP Passthrough - you need to set up the GRE
protocol on port 1723.
However, they feel that the global ip address should be 0.0.0.0,
whereas I had entered the static ip address assigned by PlusNet. Even
so, regardless of which IP address I enter, I still get "Error 721 -
the remote computer is not responding". The connection icon on the XP
server's taskbar flashes during the connection attempt, so something
is getting through.

The GRE NAT Rule in the router is as follows :-
Rule flavor RDR
Interface name ppp-0
Protocol GRE
Local address from 192.168.7.2
Local address to 192.168.7.2
Global address from 0.0.0.0 (or 84.92.64.155)
Global address to 0.0.0.0 (or 84.92.64.155)
Destination port from 1723
Destination port to 1723
Local port 1723

I will also post this on the Solwise forum, but if I can't solve this
problem, can anyone recommend a reasonably priced router that does
support PPTP Passthrough on incoming traffic?

I am grateful for your help.
Geoff Pigott
 
Robin Walker

Geoff Pigott said:
So I phoned Solwise Tech.Support who were helpful - they said that the
SAR110 does support PPTP Passthrough - you need to set up the GRE
protocol on port 1723.

This does not make sense. GRE does not have ports: only TCP and UDP
protocols have ports. GRE is IP protocol number 47.
You need to port-forward both:
a) TCP port 1723 (for PPTP)
b) GRE, which is IP protocol number 47.
They will be separate NAT rules: you will need two rules in all.

Geoff Pigott said:
The GRE NAT Rule in the router is as follows :-
Rule flavor RDR
Interface name ppp-0
Protocol GRE
Local address from 192.168.7.2
Local address to 192.168.7.2
Global address from 0.0.0.0 (or 84.92.64.155)
Global address to 0.0.0.0 (or 84.92.64.155)
Destination port from 1723
Destination port to 1723
Local port 1723

There is something wrong here. GRE does not have ports. This appears to be
a configuration for TCP port 1723 (PPTP). How did you get the text "GRE"
into the field called Protocol? Was it already there as an option, or is it
something you have typed in?

To forward GRE, you must set the Protocol field to 47, unless the text "GRE"
was pre-defined to mean 47. The "ports" fields are meaningless for protocol
47, so they should not really be there.
 
Geoff Pigott

To add the GRE Rule I clicked "Add a NAT Rule", then in the Protocol
field I selected no. 47 from a listbox which contains ANY, TCP, UDP,
ICMP then nos. 1 to 255. Once the Rule has been saved, the Protocol
is then shown as "GRE".

I now have the 2 NAT Rules set-up in the router as you suggested, one
for TCP on Port 1723, with my XP machine's IP address as the Local IP
address, and my external static IP address as the Global IP address.
The second NAT Rule is GRE, where the only non-default entry is the
Local IP address (192.168.7.2). The Global IP address range is 0.0.0.0
to 0.0.0.0 and the ports range is 0 to 65535

However, I am still getting "Error 721 - remote computer is not
responding", even though as soon as I try to connect from the VPN
client, the connection icon on the VPN host flashes (so it is
detecting something!).

I would like to crack this problem, but I am aware that I may need to
seek a different router.

Everything on the PC side is in order - the workgroup name is the
same, the local IP addresses are both in the range 192.168.7.* (but
not the same!), the subnets are 255.255.255.0, the user is defined on
both machines with the same password, the client is trying to connect
to the correct static IP address, and the VPN client/host wizards have
been run (several times!) on the respective machines.

Again, many thanks for your help.
Geoff Pigott
 
Leythos

To add the GRE Rule I clicked "Add a NAT Rule", then in the Protocol
field I selected no. 47 from a listbox which contains ANY, TCP, UDP,
ICMP then nos. 1 to 255. Once the Rule has been saved, the Protocol
is then shown as "GRE".

Some of the NAT routers I've used for PPTP sessions (inbound) require
the user to setup TCP/47 inbound to the server in order for it to work.
I know that 47 is not a port, but some of the NAT devices have to have
TCP/47 mapped for GRE to work.
 
Jeffrey Randow (MVP)

Make two separate rules... One like the one you show below, but with
TCP instead of GRE. Then make a second rule that has IP Protocol 47,
but leave the Destination and Local Ports blank (or 0 if it won't take
it).
---
Jeffrey Randow (Windows Networking MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/centers/networking/default.mspx
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communities/wireless.mspx
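Robin's point that GRE has no ports, and Jeffrey's two-rule layout, as a runnable model. This is an added example, not the SAR110's firmware or anything from the thread: it models a NAT router that applies a rule's port range literally, so a rule with a port range can only ever match packets that carry a port, and checks a rule set against the two requirements (TCP 1723 forwarded, IP protocol 47 forwarded, both to the same host). The Rule fields loosely follow the ones Geoff listed; 192.168.7.2 is the XP host's address from the thread.

```python
"""Model of inbound port-forwarding (NAT) rule matching, showing why PPTP
needs two rules: TCP/1723 for the control channel and IP protocol 47 (GRE),
which has no ports, for the tunnelled data. Added example; assumes a router
that applies a port range literally."""

from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    protocol: int
    local_address: str               # LAN host the packet is redirected to
    port_from: Optional[int] = None  # None (or 0-65535) = no port constraint
    port_to: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: int
    dst_port: Optional[int]          # None for protocols without ports (GRE, ICMP)


def port_constrained(rule: Rule) -> bool:
    """A blank range, or the full 0-65535 range, means 'any port'."""
    return rule.port_from is not None and not (rule.port_from == 0 and rule.port_to == 65535)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != pkt.protocol:
        return False
    if not port_constrained(rule):
        return True
    # A port range can only be tested against a packet that has a port.
    return pkt.dst_port is not None and rule.port_from <= pkt.dst_port <= rule.port_to


def forward(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """LAN address the router redirects the packet to, or None if it is dropped."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.local_address
    return None


def validate_pptp_rules(rules: List[Rule]) -> List[str]:
    """Check a rule set against the two requirements Robin states."""
    problems = []
    for rule in rules:
        if rule.protocol not in (TCP, UDP) and port_constrained(rule):
            problems.append(f"protocol {rule.protocol} has no ports; range "
                            f"{rule.port_from}-{rule.port_to} is meaningless")
    control = forward(rules, Packet(TCP, 1723))
    data = forward(rules, Packet(GRE, None))
    if control is None:
        problems.append("no rule forwards TCP 1723 (PPTP control channel)")
    if data is None:
        problems.append("no rule forwards IP protocol 47 (GRE data channel)")
    if control and data and control != data:
        problems.append(f"TCP 1723 goes to {control} but GRE goes to {data}")
    return problems


PPTP_SERVER = "192.168.7.2"  # the XP host's LAN address from the thread

# The single "GRE on port 1723" rule Geoff posted first.
FIRST_ATTEMPT = [Rule(GRE, PPTP_SERVER, 1723, 1723)]
# The two-rule layout Robin and Jeffrey describe: TCP 1723 plus protocol 47 with no ports.
TWO_RULES = [Rule(TCP, PPTP_SERVER, 1723, 1723), Rule(GRE, PPTP_SERVER)]

if __name__ == "__main__":
    for label, rules in (("first attempt", FIRST_ATTEMPT), ("two rules", TWO_RULES)):
        print(label, "->", validate_pptp_rules(rules) or "ok")
```

Under this model the single GRE-with-ports rule forwards neither the TCP control connection nor the GRE packets, which is consistent with the "remote computer is not responding" symptom, while the two-rule set passes both; a GRE rule whose range is the full 0 to 65535 (the default Geoff ended up with) is treated as unconstrained and also passes.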
 
Robin Walker

Geoff Pigott said:
Everything on the PC side is in order - the workgroup name is the
same, the local IP addresses are both in the range 192.168.7.* (but
not the same!)

Do you mean by this that you are using the same IP subnet range at both ends
of the VPN link? If so, this is an error. You *must* use different
sub-nets at each end of the link. If one end uses 192.168.7.*, the other
end must use something different.
 
Geoff Pigott

I have the NAT Rules set-up as suggested - one for TCP and one for
GRE, but I still get Error 721.

I am now somewhat confused about the IP addresses. Both machines (VPN
server and client) had IP addresses in the 192.168.7.x range, with a
subnet of 255.255.255.0. I have now changed the client to be
192.168.0.1. Please note that although the 2 PCs are currently
side-by-side for set-up purposes, they are NOT connected via a LAN.

However, my confusion stems from which component do the IP addresses
relate to in a VPN connection? On the XP server side is it the NIC
that the router is connected to, or is it Incoming Connections - they
both have TCP/IP Properties. On the W2K client side, is it the VPN
connection or the resident NIC (which is theoretically unused in this
scenario, as I am dialling-in).

Is it better to specify the IP addresses, or to have them assigned
automatically by DHCP? The VPN server has an option in Incoming
Connections to assign TCP/IP Addresses automatically, and similarly on
the VPN client you can opt to "Obtain an IP address automatically".

I feel that I now need to get this part right before worrying any
further about the router.

Many thanks.
Geoff Pigott
 
Robin Walker

Geoff Pigott said:
I am now somewhat confused about the IP addresses. Both machines (VPN
server and client) had IP addresses in the 192.168.7.x range, with a
subnet of 255.255.255.0. I have now changed the client to be
192.168.0.1. Please note that although the 2 PCs are currently
side-by-side for set-up purposes, they are NOT connected via a LAN.

How are they connected, then? This is relevant to the issue in hand.

Geoff Pigott said:
However, my confusion stems from which component do the IP addresses
relate to in a VPN connection? On the XP server side is it the NIC
that the router is connected to, or is it Incoming Connections - they
both have TCP/IP Properties. On the W2K client side, is it the VPN
connection or the resident NIC (which is theoretically unused in this
scenario, as I am dialling-in).

Once the VPN is set up, there will be two new IP addresses in play: one for
the virtual NIC in the client, and one for the server end of the VPN
connection. Give names to the various IP addresses as follows:

SW stands for the WAN IP address of the router in front of the PPTP server.
SL stands for the LAN IP address of the PPTP server in its router's LAN.
SV stands for the IP address of the server end of the VPN link.

CW stands for the WAN IP address of the router in front of the PPTP client.
CL stands for the LAN IP address of the PPTP client in its router's LAN.
CV stands for the IP address of the client end of the VPN link.

You discover SW and CW by inspecting the router status pages.

You discover SL by using ipconfig on the server, and you discover CL by
using ipconfig on the client (or you preset them manually to known addresses
in the relevant router's subnet but outside its DHCP pool range).

You discover SV and CV after the VPN connection has been established by
right-clicking on the VPN connection object, selecting Status, and clicking
tab Details.

When you initially make a VPN call, you specify SW.
The router at SW port-forwards the call to SL.

When the VPN link is up and running:

- In the client, if you wish to make network calls to the server, you use
SL. Astonishing, but true, and verified by me in practice. Using SV does
not work. There is of course, no way you can discover SL at the time of
connection other than by knowing it anyway.

- In the server, if you wish to make network calls to the client, you use
CV, which is logical.

Geoff Pigott said:
Is it better to specify the IP addresses, or to have them assigned
automatically by DHCP? The VPN server has an option in Incoming
Connections to assign TCP/IP Addresses automatically,

This depends on the nature of your local computing environment, whether a
DHCP server is available, and whether it issues addresses which work. In
your case, the server is behind a NAT router, so allowing it to issue DHCP
addresses to the VPN link is viable. Alternatively you may if you wish,
preconfigure static IP addresses to the VPN link: if you do, they must be
within the subnet range of the server's router LAN, but outside its DHCP
allocation pool range.

Geoff Pigott said:
and similarly on
the VPN client you can opt to "Obtain an IP address automatically".

Leave the client like this.
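Robin's two addressing rules, the one in his earlier reply (different subnets at each end) and the one just above (static VPN addresses inside the server's router LAN but outside its DHCP pool), as checks a practitioner can run before touching the router. This is an added example, not from the thread. 192.168.7.0/24 is the server LAN Geoff describes and 192.168.0.x the range he moved the client to; the router address, DHCP pool bounds and candidate VPN ranges are constructed values.

```python
"""Address-plan checks for a PPTP server behind a NAT router. Added example,
not from the thread; the pool bounds and router address are constructed."""

import ipaddress
from typing import List


def subnets_distinct(server_lan: str, client_lan: str) -> bool:
    """Robin's rule: the two ends of the VPN link must not share a subnet,
    otherwise the client cannot tell local hosts from remote ones."""
    s = ipaddress.ip_network(server_lan, strict=False)
    c = ipaddress.ip_network(client_lan, strict=False)
    return not s.overlaps(c)


def check_vpn_pool(server_lan: str, router_ip: str, server_ip: str,
                   dhcp_first: str, dhcp_last: str,
                   vpn_first: str, vpn_last: str) -> List[str]:
    """Problems with a proposed static address range for the VPN link:
    every address must be inside the server's router LAN, outside the
    router's DHCP pool, and not already taken by the router or the server."""
    lan = ipaddress.ip_network(server_lan, strict=False)
    d0, d1 = int(ipaddress.ip_address(dhcp_first)), int(ipaddress.ip_address(dhcp_last))
    v0, v1 = int(ipaddress.ip_address(vpn_first)), int(ipaddress.ip_address(vpn_last))
    if v1 < v0:
        return [f"VPN range {vpn_first}-{vpn_last} is reversed"]
    reserved = {ipaddress.ip_address(router_ip), ipaddress.ip_address(server_ip),
                lan.network_address, lan.broadcast_address}
    problems = []
    for n in range(v0, v1 + 1):
        addr = ipaddress.ip_address(n)
        if addr not in lan:
            problems.append(f"{addr} is outside the server LAN {lan}")
        elif d0 <= n <= d1:
            problems.append(f"{addr} is inside the router's DHCP pool {dhcp_first}-{dhcp_last}")
        elif addr in reserved:
            problems.append(f"{addr} is already used by the router, the server or the network itself")
    return problems


if __name__ == "__main__":
    # Constructed plan: server LAN 192.168.7.0/24, router at .1, server (SL) at .2,
    # DHCP pool .100-.199, VPN link addresses .200-.209.
    print("client on 192.168.7.0/24:", subnets_distinct("192.168.7.0/24", "192.168.7.0/24"))
    print("client on 192.168.0.0/24:", subnets_distinct("192.168.7.0/24", "192.168.0.0/24"))
    print(check_vpn_pool("192.168.7.0/24", "192.168.7.1", "192.168.7.2",
                         "192.168.7.100", "192.168.7.199",
                         "192.168.7.200", "192.168.7.209") or "VPN pool ok")
```

The overlap test uses the network prefix rather than comparing single addresses, so it also catches the case where one side uses a wider mask (say 192.168.0.0/16) that swallows the other side's /24.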
 
Geoff Pigott

Robin Walker said:
How are they connected, then? This is relevant to the issue in hand.

As I am currently in the process of trying to set-up the VPN locally
before using it for real, I have the 2 PC's side-by-side. The XP
server is connected to the Broadband line via the Solwise router, and
the W2K client dials-in using the analog line via a 56K modem.

Thank you for your detailed description of IP addresses etc. I'll work
through these and get back to you.
Thanks again.
Geoff Pigott
 
Robin Walker

Geoff Pigott said:
As I am currently in the process of trying to set-up the VPN locally
before using it for real, I have the 2 PC's side-by-side. The XP
server is connected to the Broadband line via the Solwise router, and
the W2K client dials-in using the analog line via a 56K modem.

That makes all previous replies invalid, as we thought you were trying to
set up a VPN, not a dial-up RAS connection. These are different things.
With dial-up, there is no need to configure the routers to do anything.
 
Geoff Pigott

Sorry for any confusion, but I was (and still am) under the impression
that RAS involves the remote user dialling-in via a modem or ISDN to
an incoming port on a remote server, whereas a VPN involves using the
internet to connect to a remote server. On a VPN the initial client
connection is to your ISP, and this can be via dial-up modem, ISDN or
Broadband. Once connected to your ISP, you then dial-in to your VPN
server, usually using its static IP address.

If the above is true, then a VPN is what I wish to set-up, as I want
my VPN server to be connected to broadband, listening out for incoming
connections from remote clients.

Given the above, should my test VPN scenario of a W2K client
dialling-in (via an ISP) to an XP server on broadband be achievable?

I feel that I am probably not alone in wanting to get to grips with
VPN, not necessarily for financial gain, but to give more people in
more SME's more opportunities to work from home a bit more, resulting
in less miles driven, less pollution and less stress :)

Thank you,
Geoff Pigott
 
geoff

I have finally come to a sort of conclusion on this problem.

I was labouring under the impression that there was a problem with the
modem/router (Solwise SAR110), but I have now determined that the
problem lay in the fact that the VPN client was running W2K Pro. As an
experiment I tried using a WinXP PC as the VPN client, still with a
WinXP Pro PC as the VPN server, and hey presto! - it worked straight
away. The Solwise modem/router (with port 1723 (TCP) and protocol 47
(GRE) configured to pass-through the firewall) works perfectly.

My only question now is :- does anyone know how to set-up a W2K Pro
machine as a VPN client connecting to a VPN server running WinXP Pro?

Thank you in anticipation.
Geoff Pigott


Geoff said:
Sorry for any confusion, but I was (and still am) under the impression
that RAS involves the remote user dialling-in via a modem or ISDN to
an incoming port on a remote server, whereas a VPN involves using the
internet to connect to a remote server. On a VPN the initial client
connection is to your ISP, and this can be via dial-up modem, ISDN or
Broadband. Once connected to your ISP, you then dial-in to your VPN
server, usually using its static IP address.

If the above is true, then a VPN is what I wish to set-up, as I want
my VPN server to be connected to broadband, listening out for incoming
connections from remote clients.

Given the above, should my test VPN scenario of a W2K client
dialling-in (via an ISP) to an XP server on broadband be achievable?

I feel that I am probably not alone in wanting to get to grips with
VPN, not necessarily for financial gain, but to give more people in
more SME's more opportunities to work from home a bit more, resulting
in less miles driven, less pollution and less stress :)

Thank you,
Geoff Pigott



