Cannot make VPN through 2 routers


huerew

Hi all,
I have two computers running "Windows 2000 workstation"
One is a laptop, the other one is a desktop connected to my home LAN.
My home LAN is connected to the internet via ADSL line and an Alcatel
SpeedTouch PRO router/NAT.

I want to make a VPN so that I can access my home LAN with the laptop
when I am travelling. I don't seem able to do so.

Note that the client (laptop) is also behind a NAT and, unlike
the server-side NAT, I don't have control over this one (it's an ISP's NAT).

I have configured my desktop computer to accept VPN connections with the
Windows standard thing in My Network Places -> Make New Connections.

Basically I am following these instructions
http://asia.cnet.com/enterprise/netadmin/0,39035505,39050037,00.htm
even though they are for Windows XP: Windows 2000 looks the same.


In the Alcatel router config I am forwarding the TCP port 1723 to the
same port of the desktop computer inside the LAN, as the comments at the
bottom of the page tell to do.

Similarly I am also forwarding protocol 47 (as port I specified
port=0... protocol 47 does not want a port but I had to write something.
Port=0 seemed to be accepted by the router) to the same desktop computer


I have noticed this:
http://asia.cnet.com/enterprise/net...w&ID=20013123&AT=39050037-39035505t-39000223c
which points to this
http://support.microsoft.com/kb/247231/EN-US/
and I tried the workaround (doesn't solve the problem).

I have downloaded this
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
but it does not want to install on my system: it says it has not been
developed for my system??

I have installed this patch
http://support.microsoft.com/?kbid=818043
but again it doesn't solve the problem


The result is the following:

I initiate the VPN connection from the client (doubleclick, insert
username and password, etc)

Client creates a window that reads: "connecting to xxx.yyy.zzz.ttt"

client (laptop) sends the tcp packet on 1723 (I can see this with a
personal firewall)

server (desktop) receives it (I can see this with a firewall again, on
the server computer)

On the client the writing changes to
"Verifying username and password..."

client sends pptp request on port 47

server DOES NOT RECEIVE this request according to the firewall installed
on the server.

After some time the writing in the client window becomes:
"Disconnected
Error 721: The remote computer is not responding."


What should I do?
Is it the NAT on the client side, the one on which I don't have control,
which is making the VPN connection impossible? Maybe the PPTP packet
(protocol 47) does not pass through that one?
Any other idea?

Thanks in advance
 
Normally I would say connect the laptop between the ADSL modem and the
router but it sounds like the router and ADSL modem are the same device.

You will first need to try connecting from within your LAN. This will
make sure the connection works on your PC.

Next you will need to try it from a connection that is not behind any
NAT. Many ISPs who implement NAT on their entire network will not pass
the GRE protocol properly and will block all attempts at PPTP VPN
connections. It is hard to determine this though. I do not know of a
good way to test if an ISP can pass the GRE protocol. You can try to
use telnet to connect to your router on port 1723 to make sure that the
TCP port is open but there is no similar test for GRE. If you can make
it work from some other location but it fails on the ISP that uses NAT
then you can be sure that the ISP is blocking some traffic. If it also
fails on other ISPs that have unfiltered connections then you may have
a problem with your local setup.
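
The symptom reported in this thread (TCP 1723 reaches the server, protocol 47 does not) can be read straight from raw packets captured at the server. The sketch below is an added example, not code from any poster; the packets and addresses are constructed, and the function names are made up for illustration.

```python
import socket
import struct

PPTP_TCP_PORT = 1723               # PPTP control channel (TCP)
IPPROTO_TCP, IPPROTO_GRE = 6, 47   # GRE is IP protocol 47, not a port number
GRE_PPP = 0x880B                   # protocol type used by PPTP's enhanced GRE

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'pptp-data' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "pptp-control"               # source or destination port 1723
    if proto == IPPROTO_GRE and (first & 0x7) == 1 and second == GRE_PPP:
        return "pptp-data"                  # GRE version 1 carrying PPP
    return "other"

def diagnose(packets) -> str:
    """Say which leg of PPTP is missing from a capture taken at the server."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no TCP 1723: check the port forward"
    if "pptp-data" not in seen:
        return "TCP 1723 arrives but no GRE: a NAT on the path drops protocol 47"
    return "both PPTP legs arrive"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20")) + payload

# Constructed packets: a TCP SYN to port 1723 and one enhanced-GRE frame.
TCP_SYN = ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0,
                                        0x50, 0x02, 8192, 0, 0))
GRE_PPP_FRAME = ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0))

AT_CLIENT = [TCP_SYN, GRE_PPP_FRAME]   # what the laptop sends
AT_SERVER = [TCP_SYN]                  # what the desktop's firewall reported

if __name__ == "__main__":
    print("client:", diagnose(AT_CLIENT))
    print("server:", diagnose(AT_SERVER))
```

Comparing the result for a capture taken at the client with one taken at the server shows which side of the path loses the GRE leg.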
 
I found the problem: my Alcatel Speed Touch Pro is not able to forward
protocol 47 correctly, notwithstanding the static route set by hand.

If I use the defserver setting to forward all unknown packets to that
host (VPN server), THEN it works (but then we have decreased security
because that host is open to internet attacks).

Browsing on the internet this seems to be an issue of all Alcatel Speed
Touch Pro modem/routers.

Thanks
 
I guess you should turn off the NAT features if possible and get a
better router. If you can set up the modem to just be a simple bridge
this should work.
 