Problem with XP VPN server

[eDgE]

I´m running Windows XP as a server at work (only for 3
users). I heard about the inbuilt VPN server and thought
it would be a great thing to use while out traveling, I
could still access my corporate files.

So I used the wizard to setup and allow incoming VPN
connections. I also opend up port 500 & 1723 and
forwarded those to the servers local IP from the Netgear
router. It works perfect to connect from outside the
router, goes fast and smooth.
On the server I have some folders shared where I have
some of the files that would be good to access during my
business trips. This is where the problems start. If I
have understood things the right way I should be able to
browse these folders on the server from my client
computer (also running XP) while having a VPN connection
established? But once I open Windows Explorer or My
Network Places on the client computer it hangs (have
tried this on several computers running XP). I have to
shut down the VPN connection to get Windows back to
normal. I simply can´t browse or access the information
in the shared VPN server folders. I am logged in as Admin
so that shouldnt be the problem.
Could it be that this service needs more ports other than
1723 and 500?

All help appreciated!

 

[Marc Reynolds [MSFT]]

Hi,

You do not need port 500, but you do need IP Protocol 47 (GRE) and TCP port
1723.
--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.


I´m running Windows XP as a server at work (only for 3
users). I heard about the inbuilt VPN server and thought
it would be a great thing to use while out traveling, I
could still access my corporate files.

So I used the wizard to setup and allow incoming VPN
connections. I also opend up port 500 & 1723 and
forwarded those to the servers local IP from the Netgear
router. It works perfect to connect from outside the
router, goes fast and smooth.
On the server I have some folders shared where I have
some of the files that would be good to access during my
business trips. This is where the problems start. If I
have understood things the right way I should be able to
browse these folders on the server from my client
computer (also running XP) while having a VPN connection
established? But once I open Windows Explorer or My
Network Places on the client computer it hangs (have
tried this on several computers running XP). I have to
shut down the VPN connection to get Windows back to
normal. I simply can´t browse or access the information
in the shared VPN server folders. I am logged in as Admin
so that shouldnt be the problem.
Could it be that this service needs more ports other than
1723 and 500?

All help appreciated!

 

[Jeffrey Randow (MVP)]

Also IP Protocol 47 is also called PPTP Passthrough with some
routers/firewalls...

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

 

[Bill Sanderson]

I agree with the other two posts, but don't believe that's your problem:

If you are connecting and getting authenticated, I don't think you have a
port problem--likely GRE protocol 47 is either automatic with 1723, TCP on
your router, or is already open.

What IP address are you getting for the server end of the VPN connection?

Right-click the connection icon down by the clock, and choose status,
details tab.

Try start, run, \\serverIPaddress and see if that shows you stuff shared on
the host machine.

There are some circumstances where the IP address you see can be "wierd
(technical term)--say, identical to the client IP address. If you see this,
go into properties of incoming connections, properties of IP (on the host
machine) and change from DHCP to fixed IP address. Set it to give out a
range of 4 IP addresses which are on the same subnet, but won't conflict
with, those given out by DHCP in the router.

Then retest using start, enter \\serverIPaddress.

I´m running Windows XP as a server at work (only for 3
users). I heard about the inbuilt VPN server and thought
it would be a great thing to use while out traveling, I
could still access my corporate files.

So I used the wizard to setup and allow incoming VPN
connections. I also opend up port 500 & 1723 and
forwarded those to the servers local IP from the Netgear
router. It works perfect to connect from outside the
router, goes fast and smooth.
On the server I have some folders shared where I have
some of the files that would be good to access during my
business trips. This is where the problems start. If I
have understood things the right way I should be able to
browse these folders on the server from my client
computer (also running XP) while having a VPN connection
established? But once I open Windows Explorer or My
Network Places on the client computer it hangs (have
tried this on several computers running XP). I have to
shut down the VPN connection to get Windows back to
normal. I simply can´t browse or access the information
in the shared VPN server folders. I am logged in as Admin
so that shouldnt be the problem.
Could it be that this service needs more ports other than
1723 and 500?

All help appreciated!

 

[eDgE]

Thanks alot for your answers!

I have tried all the above suggested solutions. However,
still no succes.
Bill suggested that it might be the IP addresses assigned
by the VPN, but I have those fixed to 192.168.0.140-145,
while the router uses 192.168.0.1-100.

I also did take a look at netgear.com and found some
interesting facts. We have a few year´s old Netgear RT314
and this is what Netgear says about it:

VPN Passthrough connections: 1
VPN Terminatiors: 0
Types of tunnels supported: IPSec
Port 500 open for ESP: Yes

Note that other more modern routers supports IPSec, L2TP,
PPTP VPN Passthrough according to
http://kbserver.netgear.com/kb_web_files/n101222.asp

Maybe we need to invest in a new router to get this
working?

 

[Matt Coy]

Is there a firmware update available for your model?

--
=============================================
Matt Coy, MCSE
Microsoft Aficionado
Associate Expert
Expert Zone -
=============================================

Thanks alot for your answers!

I have tried all the above suggested solutions. However,
still no succes.
Bill suggested that it might be the IP addresses assigned
by the VPN, but I have those fixed to 192.168.0.140-145,
while the router uses 192.168.0.1-100.

I also did take a look at netgear.com and found some
interesting facts. We have a few year´s old Netgear RT314
and this is what Netgear says about it:

VPN Passthrough connections: 1
VPN Terminatiors: 0
Types of tunnels supported: IPSec
Port 500 open for ESP: Yes

Note that other more modern routers supports IPSec, L2TP,
PPTP VPN Passthrough according to
http://kbserver.netgear.com/kb_web_files/n101222.asp

Maybe we need to invest in a new router to get this
working?

 

[eDgE]

Latest version is 3.25, which we have.

Just thought that since it does not say "VPN Passthrough"
for the RT314, that might be the problem?

Irritating that I can establish the connection but not
brows the server files

 

[eDgE]

Hmm,

I am getting authenticated, and if i click "status" for
the VPN icon it says:
Status: Connected
Device name: WAN miniport (PPTP)
Device type: vpn
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 128
Compression: MPPC
PPP multilink framing: Off
Server IP: 192.168.0.113
Client IP: 192.168.0.115

Does not say anything about Subnet.

When I try "Start -> Run -> \\192.168.0.113" Windows
says "\\192.168.0.113, The network path was not found".

I also forgot to say that the client computer in this
case is behind a D-link DI-614+ router, but this model is
supposed to be VPN passthrough compatible.

Seem like i´m gonna have to rip some hair off before I
get this working

 

[Jeffrey Randow (MVP)]

What IP address scheme do you have on your local LAN? You might have
problems if your home LAN also uses 192.168.0.x IP addresses....

VPN passthrough is all you need to set up the tunnel you describe.
IPSEC does not work well over a NAT router (NAT-T will work, but this
requires some server side commitment).

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

 

[Bill Sanderson]

Yuck.

Can you ping 192.168.0.113?


Hmm,

I am getting authenticated, and if i click "status" for
the VPN icon it says:
Status: Connected
Device name: WAN miniport (PPTP)
Device type: vpn
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 128
Compression: MPPC
PPP multilink framing: Off
Server IP: 192.168.0.113
Client IP: 192.168.0.115

Does not say anything about Subnet.

When I try "Start -> Run -> \\192.168.0.113" Windows
says "\\192.168.0.113, The network path was not found".

I also forgot to say that the client computer in this
case is behind a D-link DI-614+ router, but this model is
supposed to be VPN passthrough compatible.

Seem like i´m gonna have to rip some hair off before I
get this working

 

[eDgE]

Hmm, no. I get "request timed out" when I try to ping the
server, 192.168.0.113 as from the table below. Why can I
establish a connection but not even ping the host? This
is really confusing.

To answer Jeffrey´s question. Yes, the client computer is
on the same IP range (192.168.0.X).

Status: Connected
Device name: WAN miniport (PPTP)
Device type: vpn
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 128
Compression: MPPC
PPP multilink framing: Off
Server IP: 192.168.0.113
Client IP: 192.168.0.115

 

[Bill Sanderson]

If it is easier to change things at home than at the host end, I'd suggest
picking a 10.x.y.z setting for the dhcp range given out at home, and seeing
what happens.


Hmm, no. I get "request timed out" when I try to ping the
server, 192.168.0.113 as from the table below. Why can I
establish a connection but not even ping the host? This
is really confusing.

To answer Jeffrey´s question. Yes, the client computer is
on the same IP range (192.168.0.X).

Status: Connected
Device name: WAN miniport (PPTP)
Device type: vpn
Server type: PPP
Transports: TCP/IP
Authentication: MS CHAP V2
Encryption: MPPE 128
Compression: MPPC
PPP multilink framing: Off
Server IP: 192.168.0.113
Client IP: 192.168.0.115

 

[eDgE]

Hey, that made it all work!

I changed the DHCP at work to 10.160.24.X and rebooted
the server and all workstations. I´m still using
192.168.0.X at home. Now I can connect, ping and browse
the VPN server Thanks alot for your help!!

Still one question remains. What is the maximum speed of
Windows XP VPN? Seems like i´m getting a speed of about
16-17 kb/sec. Both ends are connected with 0,5mbit DSL so
the speed should be about 60 kb/sec. This results in a
few seconds delay every time I browse any of the shared
folders on the server, especially the ones with more than
20 files.
If this is a "speed limit" in XP, would it be better to
run VPN on Windows 2000 at the server side?

 

[Bill Sanderson]

Tell me more about your DSL service--I don't see very much high-speed
symmetric DSL. Most DSL that I've seen (which is very little, actually!) is
the usual Asymmetric, where there is a much slower upload speed and a
high-speed (and highly touted) download speed.

For many applications, the download speed is what matters--for a VPN link,
it is the upload speed at the sending end of the link that will matter.

Hey, that made it all work!

I changed the DHCP at work to 10.160.24.X and rebooted
the server and all workstations. I´m still using
192.168.0.X at home. Now I can connect, ping and browse
the VPN server Thanks alot for your help!!

Still one question remains. What is the maximum speed of
Windows XP VPN? Seems like i´m getting a speed of about
16-17 kb/sec. Both ends are connected with 0,5mbit DSL so
the speed should be about 60 kb/sec. This results in a
few seconds delay every time I browse any of the shared
folders on the server, especially the ones with more than
20 files.
If this is a "speed limit" in XP, would it be better to
run VPN on Windows 2000 at the server side?

 

[eDgE]

Have the same DSL provider at the office and home
(Sweden, Telia). Their specifications is 400 kbit
upstream and 500 kbit downstream. So the VPN should get a
maximum speed of 400 kbit. That´s why I was questioning
the speed at 16-17 kb/s, should be around 40. Would it
help using less encryption, maybe 64 bit instead of 128?
How do I change that? Or prehaps some other settings
would speed things up?

Thanks alot again Bill for taking your time!

 

[Bill Sanderson]

Hmm - your reasoning seems to be correct! The encryption/decryption is a
CPU load on the endpoints--if you run taskmgr, is the CPU maxed out?

This isn't something I have any experience with at all--for comparison, I
guess you could measure throughput on a VPN connection across a 10 or 100
mbs LAN connection.

I tend to think that the performance issue might be something else besides
the VPN--MTU, perhaps--but I really don't have any clear idea.

Have the same DSL provider at the office and home
(Sweden, Telia). Their specifications is 400 kbit
upstream and 500 kbit downstream. So the VPN should get a
maximum speed of 400 kbit. That´s why I was questioning
the speed at 16-17 kb/s, should be around 40. Would it
help using less encryption, maybe 64 bit instead of 128?
How do I change that? Or prehaps some other settings
would speed things up?

Thanks alot again Bill for taking your time!

 

[eDgE]

I guess I could test it all on the local network with 100
mbit, to see if that works better. Maybe w2k as a TS
would make things runing smoother, but I have no
experience at all in TS so that would probably cause alot
of problems.

Any idea on how to change the encryption to less than 128
bit?

I will try the 100 mbit thing on monday.

 

[Jeffrey Randow (MVP)]

Nope.. There is a theoretical limit on it... I use a VPN on my
private network (don't ask - company politics) for the accounting
people to connect to the main network and there is a speed limit. I
haven't measured it to see how much of a hit it is, but it is
noticeable...

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

 

[eDgE]

So this is not official from MS? They don´t mention
anything about a speed limit on the XP VPN server
function. But I suspect you might be right.

Is it the same in Windows 2000?

 

[Jeffrey Randow (MVP)]

There is nothing that I can see...

But it does make sense - the overhead for a VPN transport is much
higher than using a normal TCP/IP network transport due to the
encryption... This is why some network manufacturers offload this to
hardware (see
http://www.broadcom.com/products/product.php?product_id=CryptoNetX+IPS500A&cookiecheck=1
for an example).

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone