RRAS + NAT + VPN == 721 error...Yikes!


Dave Roth

The configuration:
I have a win2k server configured with RRAS to use its
routing, NAT and VPN capabilities. Routing works great
between 3 interfaces (one private wired [192.168.1.x],
one private 802.11b wireless [192.168.2.x] and one public
[bound to 5 Internet IP addresses]). VPN is configured to
use remote IAS to my Win2k3 Server AD machine.

The problem:
If one of my machines on the private wired net makes a
VPN connection to the VPN server via IP 192.168.1.1 I
successfully obtain a VPN connection and all is groovy.
If, however, the same machine tries a VPN connection to
one of the public IP addresses (the request would have to
be routed via the Win2k server to its public interface
since it is also acting as a router) then the connection
fails with a 721 error (it never gets past "verifying
username and password").
The same error occurs if I have a machine on the Internet
try a VPN connection to the public interface (in this
case the call is not traversing the win2k box as a
router).

Can someone shed some light on this?? Thanks!

dave roth
 
Error 721 usually indicates that GRE is being blocked. Is your RRAS
server directly connected to the Internet or does it go via a
firewall/router?

A PPTP VPN connection uses packets with GRE headers for its data. If
anything in the path blocks GRE (Generic Routing Encapsulation, IP protocol
47) the connection will fail.
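An added example, not part of the thread: a Python check over captured IPv4 packets that reports whether GRE (IP protocol 47) is travelling in both directions alongside the PPTP control channel. The addresses and packets are constructed sample data, the function names are hypothetical, and TCP port 1723 is the standard PPTP control port, which the thread does not mention.

```python
import socket
import struct

GRE = 47          # IP protocol number for GRE, as given in the reply above
TCP = 6
PPTP_PORT = 1723  # assumption: standard PPTP control port, not stated in the thread

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header; only the ports matter for this check."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)

def classify(packets, client, server):
    """Count PPTP control and GRE packets per direction between two hosts."""
    seen = {"ctrl_out": 0, "ctrl_in": 0, "gre_out": 0, "gre_in": 0}
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # truncated or not IPv4
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src = socket.inet_ntoa(pkt[12:16])
        dst = socket.inet_ntoa(pkt[16:20])
        if (src, dst) not in ((client, server), (server, client)):
            continue  # unrelated traffic
        way = "out" if src == client else "in"
        if proto == GRE:
            seen["gre_" + way] += 1
        elif proto == TCP and len(pkt) >= ihl + 4:
            if PPTP_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4]):
                seen["ctrl_" + way] += 1
    return seen

def diagnose(seen):
    """Turn the per-direction counts into a one-line finding."""
    if not (seen["ctrl_out"] and seen["ctrl_in"]):
        return "no two-way PPTP control channel"
    if seen["gre_out"] and seen["gre_in"]:
        return "GRE flows both ways"
    if seen["gre_out"] or seen["gre_in"]:
        return "GRE seen in one direction only"
    return "no GRE seen: protocol 47 is not getting through"

# Constructed capture, client side: control channel answers, GRE gets no reply.
C, S = "198.51.100.7", "203.0.113.10"
CAPTURE = [ipv4(C, S, TCP, tcp(49152, 1723)), ipv4(S, C, TCP, tcp(1723, 49152)),
           ipv4(C, S, GRE), ipv4(C, S, GRE), ipv4(C, "192.0.2.1", GRE)]
```

Feed it the raw IP packets from a capture taken on the client and again on the RRAS server's public interface; comparing the two findings shows on which side of the path protocol 47 stops.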
 