VPN behind Cable/DSL router - why does not work?

Guest

Hi,
I posted this question here some time ago, but my question was ignored by
Microsoft employees. Hope this time I'll have more luck.

I am trying to build VPN between small office and my home. Our setup is like
that:

Office:
Server is Windows 2003 and VPN server enabled.
Router is LinkSys BEFSR41, Firmware version: 1.45.7 (latest)
Router is Linksys with "PPTP Pass Through" enabled and port 1723 is
forwarded to this Windows 2003 server with VPN server.
IP address for local network is : 192.168.1.*, gateway: 192.168.1.1, DNS
server: 192.168.1.100

Client:
Windows XP machine that is placed in DMZ zone (this is initial setup I am
trying to make work).
IP address for local network is : 192.168.0.*, gateway: 192.168.0.1, DNS
from ISP

When I start connection from Client - I am reaching point "Verifying user
name and password" and then that is it. No extra info in logs or traces (I
enabled all logging and tracing). In the file rasman.log I found following
line, not sure if disconnect reason 1 means anything:
[5648] 03-31 22:30:43:135: ***** DisconnectReason=1,pConn=0x0,cbports=0,signaled=0,hEvent=0xffffffff,fRedial=0
I could post here more logs if that would help.
I noticed that server adds client IP address to its routing table, so some
sort of connection is established, but then nothing happens.


I can establish VPN from inside office, but not from home, so I know that
remote access policies are setup properly.
Where should I look next?

Thanks in advance.
 
William Wang[MSFT]

Hi,

If you use a personal firewall or broadband router,
or if there are routers or firewalls between the VPN
client and the VPN server, the following ports and
protocol must be enabled for PPTP on all firewalls
and routers that are between the VPN client and the
VPN server:

Client ports      Server port   Protocol
1024-65535/TCP    1723/TCP      PPTP

Additionally, you must enable IP PROTOCOL 47 (GRE).

Therefore, Linksys router needed to be configured to
forward PPTP port 1723 and GRE 47 traffic to the VPN
server. As far as I know, the latest firmware
revision 1.45.7 did not pass GRE. You may want to
downgrade the firmware on the router to version
1.44.2z to see if this issue can be resolved. Since
this issue appears to be related to the router, I'd
also recommend that you contact LinkSys for further
assistance.

Sincerely,

William Wang
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties,
and confers no rights.
--------------------
From: "NoSpam" <[email protected]>
Subject: VPN behind Cable/DSL router - why does not work?
Date: Wed, 7 Apr 2004 11:32:12 -0400
Lines: 45
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.ras_routing
NNTP-Posting-Host:
hse-montreal-ppp127309.qc.sympatico.ca 64.231.227.254
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13
.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.ras_routing:11842
X-Tomcat-NG: microsoft.public.win2000.ras_routing

 
Guest

William,

Thank you very much for your response. Problem was with LinkSys router - I
downgraded firmware to 1.44.2z and it started to work instantly.

Thanks for your help


 
William Wang[MSFT]

We are glad to help. If you have any questions at any
time, please don't hesitate to let us know.

Sincerely,

William Wang
Microsoft Online Support Engineer

--------------------
Subject: Re: VPN behind Cable/DSL router - why does not work?
Date: Mon, 12 Apr 2004 08:21:52 -0400
Lines: 136
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.ras_routing
NNTP-Posting-Host:
hse-montreal-ppp127151.qc.sympatico.ca 64.231.227.96
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA06.phx.gbl!TK2MSFTNGXA
05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.ras_routing:11903
X-Tomcat-NG: microsoft.public.win2000.ras_routing

 
CKlemm

This fixed my issue as well! You are the best (too bad I can't say the
same for Linksys support...


-
CKlemm
 
MattDo

I have a similar problem - I am trying to connect from a branch office
to my small business' main server.

Mysteriously, the VPN connection did actually originally work, although
I was unable to browse the company network. All I could do was ping the
server. When I browsed the internet (www.whatsmyipaddress.com), the IP
address was indeed the address of our main internet connection, so I
know that the VPN was working (no other way for the IP address to be
correct, right?).

The new mystery is that next time I tried to connect, the VPN
connection failed at the "Verifying username and password..." stage,
finally giving "Error 721: The remote computer did not respond."

While logged in on the server, I used "netstat -a" at a MSDOS prompt
and could see the incoming VPN connection attempt (using PPTP). It
just failed to authenticate. Trouble is I can't find anything useful
in the logs, as per the original post in this thread.

RASMAN.LOG contains the following

[5988] 03-12 12:28:03:015: WorkerThread: Disconnect event signaled on port: VPN4-127
[5988] 03-12 12:28:03:015: OVEVT_DEV_STATECHANGE. pOverlapped = 0x9e44790
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\worker.c, 1908: Disconnecting port 135, connection 0x0, reason 1
[5988] 03-12 12:28:03:015: Disconnecting Port 0xVPN4-127, reason 1
[5988] 03-12 12:28:03:015: DisconnectPort: Saving Bundle stats for port VPN4-127
[5988] 03-12 12:28:03:015: 10. Throwing away handle 0x0!
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c 1992: Disconnected Port 135, reason 1. rc=0x0
[5988] 03-12 12:28:03:015: FreeBundle: freeing pBundle=0x78e5fd8
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c: 2213: port 135 state chg: prev=2, new=3
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c: 2229: port 135 state chg: prev=3, new=4
[5988] 03-12 12:28:03:015: 5. Notifying of disconnect on port 135
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c: 2340: port 135 async reqtype chg: prev=26, new=0
[5988] 03-12 12:28:03:015: ***** DisconnectReason=1,pConn=0x0,cbports=0,signaled=0,hEvent=0xffffffff,fRedial=0
[5988] 03-12 12:28:03:015: DisconnectPort Complete
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\worker.c: 1946: port 135 state chg: prev=4, new=4
[5988] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\worker.c: 1950: port 135 async reqtype chg: prev=0, new=0
[6804] 03-12 12:28:03:015: DeviceListenRequest: Clearing Autoclose flag on port VPN4-127
[6804] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c: 2547: port 135 state chg: prev=4, new=1
[6804] 03-12 12:28:03:015: d:\srv03rtm\net\rras\ras\rasman\rasman\util.c: 2578: port 135 async reqtype chg: prev=0, new=27
[6804] 03-12 12:28:03:015: Listen posted on port: VPN4-127, error code 600


PPP.log shows

[2444] 03-12 12:41:03:890: Recv timeout event received for portid=62,Id=8,Protocol=c021,fAuth=0
[2444] 03-12 12:41:03:890: <PPP packet sent at 03/12/2005 12:41:03:890
[2444] 03-12 12:41:03:890: <Protocol = LCP, Type = Configure-Req, Length = 0x3a, Id = 0x9, Port = 135
[2444] 12:41:03:890: <C0 21 01 09 00 38 01 04 05 78 03 04 C2 27 05 06 |.!...8...x...'..|
[2444] 12:41:03:890: <0B FB 7A 50 07 02 08 02 0D 03 06 11 04 06 4E 13 |..zP..........N.|
[2444] 12:41:03:890: <17 01 92 A6 B2 55 37 ED 45 CE 9A D1 F7 BE 2B 36 |.....U7.E.....+6|
[2444] 12:41:03:890: <2F 2E 00 00 00 00 17 04 00 1F 00 00 00 00 00 00 |/...............|
[2444] 03-12 12:41:03:890:
[2444] 03-12 12:41:03:890: InsertInTimerQ called portid=62,Id=9,Protocol=c021,EventType=0,fAuth=0
[2444] 03-12 12:41:07:890: Recv timeout event received for portid=62,Id=9,Protocol=c021,fAuth=0
[2444] 03-12 12:41:07:890: Request retry exceeded
[2444] 03-12 12:41:07:890: FsmThisLayerFinished called for protocol = c021, port = 135
[2444] 03-12 12:41:07:890: NotifyCaller(hPort=135, dwMsgId=18)
[5988] 03-12 12:41:07:984: PPPEMSG_LineDown recvd, hPort=135

[2444] 03-12 12:41:07:984: Line down event occurred on port 135
[2444] 03-12 12:41:07:984: FsmDown event received for protocol c021 on port 135
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=9,Protocol=c021,EventType=0,fAuth=0
[2444] 03-12 12:41:07:984: FsmReset called for protocol = c021, port = 135
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=0,EventType=3,fAuth=0
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=0,EventType=7,fAuth=0
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=0,EventType=2,fAuth=0
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=0,EventType=1,fAuth=0
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=0,EventType=4,fAuth=0
[2444] 03-12 12:41:07:984: RemoveFromTimerQ called portid=62,Id=0,Protocol=c029,EventType=0,fAuth=0
[2444] 03-12 12:41:07:984: LcpEnd
[2444] 03-12 12:41:07:984: Post line down event occurred on port 135
[2444] 03-12 12:41:07:984: NotifyCaller(hPort=135, dwMsgId=23)

The IP address of my client machine appears correctly in the other
logs; I guess it's just a problem of authentication/negotiation, but I
can't for the life of me figure out what setting needs changing.

Can anyone suggest anything?

Thanks to anyone who knows the answer!

Matt
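
Added example, not part of any post in this thread: a Python triage of PPP.log excerpts in the format shown above. It separates "LCP Configure-Requests sent, nothing received, retries exhausted" (PPP never negotiated; PPTP carries PPP frames in GRE, the IP protocol 47 path from William Wang's answer, so that path is the first thing to check) from "authentication was reached". Both sample logs are constructed, and the `>` prefix on received packets is an assumption mirroring the `<` on sent ones.

```python
import re

# Constructed sample in the format of the PPP.log excerpt above (lines unwrapped).
BLOCKED = """\
[2444] 03-12 12:41:03:890: Recv timeout event received for portid=62,Id=8,Protocol=c021,fAuth=0
[2444] 03-12 12:41:03:890: <Protocol = LCP, Type = Configure-Req, Length = 0x3a, Id = 0x9, Port = 135
[2444] 03-12 12:41:07:890: Recv timeout event received for portid=62,Id=9,Protocol=c021,fAuth=0
[2444] 03-12 12:41:07:890: Request retry exceeded
[2444] 03-12 12:41:07:984: Line down event occurred on port 135
"""
# Constructed sample; assumption: received packets are logged with '>' instead of '<'.
REACHED_AUTH = """\
[2444] 03-12 12:50:01:100: <Protocol = LCP, Type = Configure-Req, Length = 0x3a, Id = 0x1, Port = 135
[2444] 03-12 12:50:01:150: >Protocol = LCP, Type = Configure-Ack, Length = 0x3a, Id = 0x1, Port = 135
[2444] 03-12 12:50:01:200: <Protocol = CHAP, Type = Protocol specific, Length = 0x1b, Id = 0x0, Port = 135
[2444] 03-12 12:50:01:300: >Protocol = CHAP, Type = Protocol specific, Length = 0x3c, Id = 0x0, Port = 135
"""

PACKET = re.compile(r": ([<>])Protocol = (\w+), Type = ([^,]+),")
TIMEOUT = re.compile(r"Recv timeout event received for .*Protocol=([0-9a-fA-F]{4})")
AUTH_PROTOCOLS = {"PAP", "CHAP", "EAP"}


def classify(log_text):
    """Count PPP packets per direction and name the stage the session reached."""
    sent, received, lcp_timeouts, retries_exhausted = [], [], 0, False
    for line in log_text.splitlines():
        m = PACKET.search(line)
        if m:
            bucket = sent if m.group(1) == "<" else received
            bucket.append((m.group(2), m.group(3)))
            continue
        m = TIMEOUT.search(line)
        if m and m.group(1).lower() == "c021":  # 0xc021 is the PPP protocol number of LCP
            lcp_timeouts += 1
        elif "Request retry exceeded" in line:
            retries_exhausted = True
    auth_seen = any(proto in AUTH_PROTOCOLS for proto, _ in sent + received)
    if sent and not received and retries_exhausted:
        verdict = "no-ppp-reply"            # failure precedes authentication: check GRE path
    elif auth_seen:
        verdict = "reached-authentication"  # link negotiated: check credentials and policy
    else:
        verdict = "inconclusive"
    return {"sent": len(sent), "received": len(received),
            "lcp_timeouts": lcp_timeouts, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("blocked", BLOCKED), ("reached auth", REACHED_AUTH)):
        print(name, classify(log))
```
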
 
