change firewall routing for pptp after 2k sp4 ?

  • Thread starter: scott

Hi,

After installing SP4 for 2k I cannot connect into my 2k VPN server from 98SE
or 2k client. In addition, network clients cannot connect out to external VPN
server.

Does sp4 for win2k change the way pptp works so firewall routing must be
amended ?

If so how ?

Thanks
Scott.
 
Hi Scott,

Grab pptpsrv.exe from the Windows 2000 Support tools folder on the Windows
2000 CD and run on the PPTP server and get pptpclnt.exe and run on the
client. These will verify TCP 1723 and GRE connectivity.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks, that's a handy wee tool.

When listening on server nothing was detected.

PPTP on port 1723 has always been enabled from external to internal VPN
server.
GRE 0 (protocol 47) is allowed to filter via firewall.

Can't understand what has changed, was working fine last week.

Scott.
 
Thanks for the response.

When running PPTPSRV on ras host the following is displayed:

--------------------------------------------------------------------
error 10048 binding socket
WAEADDRINUSE: address allready in use

Created Socket for GRE protocol test
Listening on PROTOCOL 47 for incoming GRE packets
--------------------------------------------------------------------

Like when testing the incoming PPTP connections, this test displays the same
results, i.e. sometimes it works, sometimes it does not. More often it works in
the morning first thing until a Windows 98 PPTP connection is established.

Testing today has shown that 2000 PPTP connect, disconnect, connect works
until 98 connects and disconnects. At this point no connections can be made.

Any ideas welcome ?

Thanks
Scott.
 
FIREWALL REPORTING GRE FORWARD.........

----------------------------------------------------------------------------

No. Time Source IP Destination IP Note

1|02/10/2004 12:05:43 99.99.99.99:27511 |192.168.1.199:1723 |ACCESS FORWARD

Firewall rule match: TCP (Wan to Lan, rule:2)
 
Got a better test:

NET
v
ROUTER
v
ROUTER > win2k client (WS012)
v
FIREWALL
v
RAS SERVER

- The win2k client (WS012) on the middle router (DMZ) can ALWAYS establish a
PPTP connection to RAS SERVER.
- This connection passes through the FIREWALL.
- Once this connection has been made all other external PPTP WIN2k clients
can connect.
- After WS012 disconnects and after several mins all external WIN2k that
attempt connection get error 721.

What the heck is going on ?

Thanks for any information at all.
Scott.
 
Further testing showed:

Win98 on external IP connect OK (firewall report PPTP 1723 + GRE)

Win98 manually disconnect, reconnect (firewall report PPTP 1723 only)

It's like GRE was lost during the second connection, i.e. second time GRE did
not make it as far as the FIREWALL.

I'm checking middle ROUTER.
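
The "PPTP 1723 only" pattern described in the last post can be picked out of a firewall forward log automatically. The following is an added example, not part of the original thread: it pairs each TCP 1723 forward with a GRE forward from the same source and lists the control connections that had none. The GRE entry layout, the day/month date order, the 30-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Entry layout follows the single log line quoted in the thread; the GRE
# entry layout (no ports, "GRE" in the rule-match line) is an assumption.
ENTRY = re.compile(
    r"^\d+\|(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s*\|(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"\s*\|ACCESS FORWARD")
RULE = re.compile(r"^Firewall rule match: (?P<proto>\w+)")

# Constructed sample: entry 1 is the line from the thread, 2 and 3 are made up.
SAMPLE_LOG = """\
1|02/10/2004 12:05:43 99.99.99.99:27511 |192.168.1.199:1723 |ACCESS FORWARD
Firewall rule match: TCP (Wan to Lan, rule:2)
2|02/10/2004 12:05:44 99.99.99.99 |192.168.1.199 |ACCESS FORWARD
Firewall rule match: GRE (Wan to Lan, rule:3)
3|02/10/2004 12:09:10 99.99.99.99:27590 |192.168.1.199:1723 |ACCESS FORWARD
Firewall rule match: TCP (Wan to Lan, rule:2)
"""

def parse(log):
    """Yield (time, protocol, source IP, destination port) per forwarded entry."""
    pending = None
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pending = m          # wait for the rule-match line that follows
            continue
        r = RULE.match(line.strip())
        if r and pending:
            ts = datetime.strptime(pending["ts"], "%d/%m/%Y %H:%M:%S")
            yield ts, r["proto"].upper(), pending["src"], pending["dport"]
            pending = None

def control_without_gre(log, window=timedelta(seconds=30)):
    """Return (time, source) for TCP 1723 forwards with no GRE from that source."""
    events = list(parse(log))
    gre = [(ts, src) for ts, proto, src, _ in events if proto == "GRE"]
    missing = []
    for ts, proto, src, dport in events:
        if proto == "TCP" and dport == "1723":
            if not any(s == src and abs(g - ts) <= window for g, s in gre):
                missing.append((ts.strftime("%H:%M:%S"), src))
    return missing

if __name__ == "__main__":
    for when, src in control_without_gre(SAMPLE_LOG):
        print(f"{when} {src}: TCP 1723 forwarded, no GRE seen")
```

A hit only shows that GRE never reached this firewall for that attempt, so the next place to look is the device upstream of it.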
 