VPN - 721 error - SMC8013

[Guest]

I would appreciate anyone's suggestions on this one...
On a fairly well operating LAN with a W2K3 DC and 35 machines and an SMC8013
Cable Modem/Router life was good. But I decided to make it better. I
configured another W2K3 member server for RRAS with the intention of allowing
select users remote access from home over their broadband connection. But so
far I have only gotten the dreaded Error 721 when trying to connect from a
remote machine. I have enabled PPTP passthrough (port 1723) and IP protocol
47 on the router.
The new VPN server has 2 NICS but putting this server behind the router,
puts both NICS on the same subnet. Could this be my problem?
No Def G'way set in either NIC; can resolve machine names; can ping
everything; just can't let a remote machine in...

 

[Bill Grant]

If you are behind a router, you do not need two NICs in the RRAS server.
The router is your public interface.

Configure the RRAS server with one NIC as a remote access server. Set
its default route to be the router. Forward tcp 1723 (pptp) from the router
to the RRAS server's LAN IP. The client will connect to the router's public
IP, but the VPN connection will be established between the client and server
because of the port forwarding. Return traffic to the client will be
encrypted and encapsulated by the server, then sent to the router (by
default routing) for delivery across the Internet.

Port 47 doesn't come into this at all. What usually causes error 721 is
GRE being blocked. The VPN data has a GRE (Generic Routing Encapsulation)
header. If the router (or anything else in the path) blocks GRE, no data is
transmitted and the connection closes.

Check the router for GRE by name or by number (IP protocol 47). It may
be called PPTP passthrough mode.

 

[Guest]

Great explanation Bill. All of the KB's & White Papers don't completely
explain a "simple" RRAS application like this. Even Manasi's bibles plod past
this kind of config. I'll try your suggestion this week and post the results.
P.S. I didn't fall for the port 47 thing. I configured the SMC router to
allow proto 47. It seems you've answered that one a million times...I got it.

 

[Guest]

One question, Bill...You refer to a "default route". How do I set this?

 

[Bill Grant]

Just set the router to be the default gateway for the server. (IE put the
router's IP address in the DG box of the server NIC IP properties.)

 

[Guest]

I was afraid you were going to say that...I set it up that way and still get
the 721 error. I see log file activity like RTM.log adding destinations and
route addresses, notifying CN 0 and CN 1. But, IPRouterManager.log shows an
Error adding route, Stack bit == 0 and ProcessDefaultRouteChanges: Not
Default Route. What else should I be looking for in log files or any other
place to figure out what's gone wrong.

To summarize: VPN server set for Remote Access, one NIC used since behind
NAT/Router, GW set to IP of router, router passes PPTP and IP protocol 47.

 

[Bill Grant]

Can't think of anything else apart from a firmware upgrade of the SMC!

Does it have a straight-through port (sometimes called a DMZ port)?
If the VPN works plugged into that, it is definitely the router filters
which are killing the connection.

 

[Guest]

After questioning the server side of the VPN conncetion to the void, I
decided to look at the remote user end. It seems I did not have all of the
details on the client side. When I visited the remote site I found the client
connected through a Linksys router to a cable modem. This router does not
pass PPTP by default. I enabled PPTP and the VPN connection work fine.

It seems you can never ask enough questions when troubleshooting something
like this...

Thanks for your help...

 

[Bill Grant]

Glad you found the cause. It is easy to overlook what happens at the
client end. Even a personal firewall on the client can be a problem for VPN
connections.