Windows 2K server VPN setup help needed

Michael

Help! I'm completely stumped on getting a Win 2K server
set up with VPN behind a firewall/router (Belkin if it
matters). What I am trying to do is properly configure a
Win2k server that sits behind a firewall/router to accept
incoming VPN requests. I've done alot of research but so
far I can't get it to even be recognized by an external
VPN client. Here's a quick overview:

I have a DSL modem which connects to a Belkin router. The
router has the static IP address and the internal network
uses the router's DHCP for internal addresses. The router
is set up to port forward TCP 1723 to the VPN server (as
well as trying UDP 1723, since there was some confusion in
various as to whether port 1723 was needing UDP or TCP).
The server has two network cards, one for the VPN and one
for internal network. The server has been configured for
VPN and in RRAS admin it is green to go. An account has
been created for the VPN client with dialin permissions
set correctly. The client machine is set up correctly for
a VPN connection, but whenever it tries to connect it says
it cannot find the VPN server. (A ping test is positive)

Does anyone have any pointers on how to troubleshoot
this? Any help would be greatly appreciated!
thanks.
 
jazz

you sure vpn doesn't use 3128 for the port? i thought that was pretty much
universal but i could be wrong
 
Marc Reynolds [MSFT]

Hi,

PPTP requires TCP port 1723 and IP Protocol 47 (GRE).

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Trislam

Hello Michael,

Double check my thoughts . . .

What error are you receiving when attempting to connect to your internal VPN
server? Is the error something to the effect "server not responding?" Are
you running a software firewall along with the HD firewall (NAT)?

1. Belkin Router may need DMZ, not port forwarding. I came across an
account that wanted the same. I tried port forwarding on a Belkin Router in
the past and could only get an incoming VPN to connect using DMZ.

2. Also, port 1723 is for outgoing VPN. Port 1724 is for incoming VPN!

Hope this was helpful.

Trislam
 
Trislam

Forgot to mention, using DMZ (or Belkin named equivalent) will cause said
computer to be wide open to the net.
 
Steven L Umbach

Since you are behind a nat router you don't need two nics in the rras
server - mine works fine with one on the same network as the lan. Be sure to
forward port 1723 TCP for pptp to the rras router and that you are allowing
protocol 47 GRE which may be referred to as "pptp passthrough". If you can
disable SPI on the router [assuming it has it] try that also as some
implementations have problems allowing vpn connections. I also suggest you
try to connect to your vpn server from the lan first [enter lan ip address
of rras server in client connectoid], to make sure it is indeed configured
correctly before trying to troubleshoot the wan connection. Sometimes it
also seems to help to configure the rras server to hand out ip addresses via
"static address pool" of at least a dozen addresses to make sure ip
addresses are available for vpn clients. When trying to connect from the
wan, be sure you are using the correct current ip address assigned from your
ISP to access your router's wan side. --- Steve
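
An added example, not part of the thread: a Python check of the PPTP control channel on TCP 1723 that sends the RFC 2637 Start-Control-Connection-Request and parses the reply, to be run first against the server's LAN address and then against the router's WAN address. It assumes Python 3 on the test client; the function names and the `vpn-check` host name are made up for illustration, and it does not exercise GRE (IP protocol 47).

```python
import socket
import struct
import sys

MAGIC = 0x1A2B3C4D                  # PPTP magic cookie (RFC 2637)
REQ_FMT = ">HHIHHHHIIHH64s64s"      # Start-Control-Connection-Request layout
REP_FMT = ">HHIHHHBBIIHH64s64s"     # Start-Control-Connection-Reply layout
MSG_LEN = struct.calcsize(REQ_FMT)  # both messages are 156 bytes


def build_sccrq(host_name=b"vpn-check"):
    """Build the first message a PPTP client sends on TCP 1723."""
    # length, message type 1 (control), cookie, control type 1, reserved,
    # protocol version 1.0, reserved, framing caps, bearer caps,
    # max channels, firmware revision, host name, vendor string
    return struct.pack(REQ_FMT, MSG_LEN, 1, MAGIC, 1, 0, 0x0100, 0,
                       3, 3, 0, 0, host_name, b"")


def parse_sccrp(data):
    """Return a dict describing the server's reply, or raise ValueError."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_, msg_type, magic, ctrl, _, version, result, error,
     _, _, _, _, host, vendor) = struct.unpack(REP_FMT, data[:MSG_LEN])
    if magic != MAGIC or msg_type != 1 or ctrl != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {"ok": result == 1, "result": result, "error": error,
            "version": version,
            "host": host.rstrip(b"\x00").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace")}


def check_control_channel(addr, port=1723, timeout=5.0):
    """Connect to addr:port and perform only the PPTP start handshake."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python pptp_check.py <LAN or WAN address of the VPN server>
    print(check_control_channel(sys.argv[1]))
```

A timeout or refused connection means TCP 1723 is not reaching the RRAS server; a successful reply while the real client still fails to connect leaves GRE ("pptp passthrough") as the part still to check.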
 
