VPN Incoming Connection Help

  • Thread starter Carl Muffoletto

Carl Muffoletto

I'm using both a WinXP and W2K Pro (on separate machines) and set up a
network connection for Incoming Connection VPN according to instructions on
MS knowledge base. I am using W2k (on my laptop via a dialup internet
connection) to VPN to either of the machines set up with incoming
connections.

I am able to connect to either machine but cannot authenticate. I have
identical users (username/password) on all three machines.

I've searched MS Knowledge base and any other source I can think of but
can't seem to find out what's wrong.

Any help or advice is appreciated.

Carl
 

Kurt

If your VPN servers have public IP addresses, you should authenticate if you
selected windows authentication as the method. If you are behind a NAT
(broadband) router, you'll need to open a port and enable GRE. A good way to
troubleshoot is first get the VPN running on the LAN. Otherwise you don't
know whether it's a connection problem or a server setup problem. Once you
can authenticate locally, go for the outside. Repost if it works inside but
not over the web.
 

Carl Muffoletto

Thanks for the advice Kurt. I can authenticate locally, no problem.
I removed my personal firewall software, ZoneAlarm Pro 4, and moved the boxes
with the VPN incoming connection interface to the DMZ of my Linksys router.

I would suspect my ISP (Comcast cable) of blocking VPN traffic, except I am
able to connect, but not authenticate. I can even telnet to port 1723
which I believe is the TCP port used by PPTP.

Any ideas?

Carl
 

Bill Sanderson

On the filters page of the Linksys router, have you enabled PPTP
passthrough?
 

Kurt

I second Bill's question. You may have a TCP connection to port 1723 (thanks
for reminding me of the port), but not passing through unmutilated. Be sure
you have pptp pass-thru (GRE protocol 47) enabled. On some routers it's
enabled by default. On others, you must specify. NAT can interfere with the
AH header, making the authentication checksum of the packet fail, and so the
packet is rejected as non-authentic.
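
Kurt's point that a working TCP connection to port 1723 says nothing about whether GRE (IP protocol 47) is getting through can be checked from a packet capture taken on the VPN server. The following is an added example, not part of the original thread; the addresses, packets and result labels are constructed for illustration.

```python
import socket
import struct

PPTP_TCP_PORT = 1723        # PPTP control channel
PROTO_TCP, PROTO_GRE = 6, 47
GRE_PPP = 0x880B            # protocol type in PPTP's enhanced GRE header (RFC 2637)

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as 'control', 'gre' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    payload = pkt[(pkt[0] & 0x0F) * 4:]     # skip the IPv4 header (IHL words)
    if len(payload) < 4:
        return "other"
    a, b = struct.unpack("!HH", payload[:4])
    if pkt[9] == PROTO_TCP and PPTP_TCP_PORT in (a, b):
        return "control"    # a, b are the TCP source and destination ports
    if pkt[9] == PROTO_GRE and a & 0x7 == 1 and b == GRE_PPP:
        return "gre"        # a is flags/version (version 1), b is protocol type
    return "other"

def diagnose(packets, server_ip: str) -> str:
    """Summarise a capture taken on the VPN server's own interface."""
    srv = socket.inet_aton(server_ip)
    control = gre_in = gre_out = 0
    for pkt in packets:
        kind = classify(pkt)
        control += kind == "control"
        gre_in += kind == "gre" and pkt[16:20] == srv    # destination address
        gre_out += kind == "gre" and pkt[12:16] == srv   # source address
    if not control:
        return "no-pptp-control-traffic"
    if not gre_in:
        return "control-only-inbound-gre-missing"
    if not gre_out:
        return "inbound-gre-only-no-server-reply"
    return "control-and-gre-both-directions"

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0; sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample data: remote client and a VPN server behind a NAT router.
CLIENT, SERVER = "203.0.113.5", "192.168.1.10"
TCP_SYN = struct.pack("!HHIIBBHHH", 1047, PPTP_TCP_PORT, 0, 0, 0x50, 0x02, 8192, 0, 0)
GRE_PKT = struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0)   # K+S flags, version 1
CAPTURE_BROKEN = [ipv4(CLIENT, SERVER, 6, TCP_SYN), ipv4(SERVER, CLIENT, 47, GRE_PKT)]
CAPTURE_OK = CAPTURE_BROKEN + [ipv4(CLIENT, SERVER, 47, GRE_PKT)]
```

A result of `control-only-inbound-gre-missing` means the control channel reaches the server but no GRE-encapsulated PPP frames do, so PPP negotiation has nothing to run over.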
 

Carl Muffoletto

Bill - I hadn't checked until you asked but PPTP Pass Through is enabled
(along with IPSec and Multicast pass through) on my Linksys router.

I can authenticate locally so the setup and ZoneAlarm - both of which are
involved in a local connection - are not the problem.

I have the VPN incoming connection server connected to a Linksys router and
that to a Motorola Surfboard cable modem to Comcast internet. The Linksys
router has PPTP passthru enabled and TCP port forwarding for port 1723
enabled. And for good measure, the machine is in the Linksys DMZ.

So the problem must be with the Linksys router, (something we are not aware
of) the cable modem, or Comcast. I guess the next thing to try is connecting
the computer directly to the cable modem bypassing the Linksys router. Not
something I'm looking forward to since it involves running cable and digging
thru the spaghetti mess under my desk.

Anyone have a suggestion before I'm forced to get down and dirty :)
 

Sooner Al

What Linksys router do you have? You might look at this person's experiences with various firmware
versions for the BEFSR41 and VPN, if that is the router you're using...

http://groups.google.com/[email protected]#link3

By the way, I would move the PC out of the DMZ host mode....I am not sure if port forwarding and DMZ
actually work together at the same time...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 

Carl Muffoletto

Thank you for the info and google group link. I really thought you were on
to something. I do have a BEFSR41 router, but my firmware is 1.43 9/4/02
which according to the poster to the google group is one of the older
firmware versions that support GRE and should work with a PPTP VPN.

Looks like it is under the desk for me.

Carl

Sooner Al said:
What Linksys router do you have? You might look at this person's
experiences with various firmware
 

Sooner Al

If that's the case you might look at another version then. I used the 1.42.7 release on my old
BEFSR41 and incoming PPTP VPN worked for me. It's worth a try...

--
Al Jarvi (MS-MVP Windows Networking)
 

Bill Sanderson

Thought 1 without reading rest of responses:

take it out of the DMZ.

The forwarding really does work, and experience makes me feel that the DMZ
setting can be problematic (as well as insecure.)
 

Bill Sanderson

Incoming PPTP VPN should work with any version of the firmware. We did just
have a user resolve an RD disconnection issue with the very newest firmware
version--so that might be worth a shot, but preserve the ability to go back
to the current version.
 

Carl Muffoletto

I did upgrade to the latest firmware 1.45.7. Also got machine out of the
DMZ. No authentication.

From the Linksys knowledge base I tried port triggering and changing the LAN
ip address. Still no authentication.

I have not tried firmware 1.42.7 which would be a step back from 1.43 that I
had and 1.45.7 that's on there now. I guess I'll give 1.42.7 a try. After that
I am out of options.

BTW the Linksys incoming log shows connections from my dial-up IP address
and port 1723.
 

Carl Muffoletto

Firmware 1.42.7 didn't help. I don't know what to try next. Maybe I'll give
Linksys a call, but their help is pretty helpless. Maybe Cisco improved
things. Cisco's tech support is unparalleled.
 

Bill Sanderson

I don't think it is the Linksys, at this point. The firmware mumbo-jumbo in
my experience resolves RDP disconnects--I haven't seen problems with VPN's
through Linksys boxes, but it seemed worth trying.

Let's all go back and re-read the thread and see what we might have missed.

If you ever had a third-party firewall installed, have you checked that all
services from that firewall manufacturer are, in fact, gone?
 

Sooner Al

With the 1.42.7 firmware make sure "SPI" is *DISABLED* for port forwarding to work correctly.

--
Al Jarvi (MS-MVP Windows Networking)
 

Carl Muffoletto

Bill - The Linksys router is the problem. I move my pc with the incoming
connection to the cable modem (the wan side of the router) and I connect and
authenticate immediately.

Move it back to the lan side, without making any changes to the pc and I get
a connection but no authentication.

I reset the router to all default settings, then enabled PPTP pass thru and
port forwarding 1723. Same problem. BTW I have reloaded firmware 1.45.7.
After trying four different firmware versions, I figured the latest should
be the best choice.

I have nothing left to try, except calling Linksys on Monday. I'm making
sandwiches, a big pot of coffee, and a couple of energy bars in preparation
for a long time on hold and talking to help desk idiots :)
 

Mr Guest

Carl Muffoletto wrote (apparently) in alt.os.windows2000 on Sat 10
Jan 2004 23:49:01:
Bill - The Linksys router is the problem. I move my pc with the
incoming connection to the cable modem (the wan side of the
router) and I connect and authenticate immediately.

Move it back to the lan side, without making any changes to the
pc and I get a connection but no authentication.

I reset the router to all default settings, then enabled PPTP
pass thru and port forwarding 1723. Same problem. BTW I have
reloaded firmware 1.45.7. After trying four different firmware
versions, I figured the latest should be the best choice.

I have nothing left to try, except calling Linksys on Monday. I'm
making sandwiches, a big pot of coffee, and a couple of energy
bars in preparation for a long time on hold and talking to help
desk idiots :)

Have been fiddling with this on my home and work networks, now
forwarding port 43 as well as 1723 and the connections now work where
they didn't before, got them set up both ways as well. Worth a try, I
suppose.
 

Carl Muffoletto

I can't imagine what port 43 (the well known port for Whois) would have to
do with VPN, but I tried it anyway and that didn't help. Thanks for the
reply Mr Guest.
 

Bill Sanderson

Yeah-- that does seem like a fair test!

I've seen an issue on a different Linksys device (a wireless AP) where
resetting to default settings BEFORE updating firmware versions--was
necessary for things to work right in the new firmware version. I can
recall having seen this issue posted with bios updates in PC's before, as
well. Settings get changed from default, update the firmware, and the UI
for that setting is gone, but the setting remains! Hope nothing like that
is involved.
 
