VPN error 721

ADB S.p.A.

Dear All,

I've read so much literature about "how to create VPN server and client" but
I can't get any connection.
Details are:

ISP does not filter any protocol, so PPTP, GRE and things like that can get
access to the LAN

same story for the router, a CISCO 2621

I have opened port 1723 and the port for the GRE protocol, but just for trying I
have opened all ports, without any results

VPN server is a win2000AS SP4 all fix applied
The server is not a DC but it is a part of a domain where users authorized
to get VPN access, belong to
I supply some static IP in order to give them to clients
I edit policy in order to grant access to users (they have dial-in
permission enabled)

Please, could anyone of you give me an idea to make my VPN up and running?


Regards

Alberto Brivio
 
Alberto

Your problems are not uncommon, in my experience. The most common reason for them is incorrect settings at some point in the chain regarding the filtering of UDP/TCP packets.

PPTP tunnels use BOTH TCP port 1723 and UDP port 47 (for GRE). Often, one of two errors is made at one or more routers in the connection path:

- TCP port 1723 is enabled, BUT UDP port 47 is NOT enabled; and/or
- TCP port 47 is enabled incorrectly instead of the correct UDP port 47.

Either error will cause timeouts and failed connections.

To troubleshoot the problem, I find the following steps useful:
- try establishing a connection using a dial-in to the Windows 2000 server. This allows accounts, passwords, and other settings to be verified.
- try establishing the VPN connection from a client located on the same LAN as the Windows 2000 server (also ensure that the Windows 2000 server does not have any of the internal filtering rules set).
- If that works, try establishing a connection from a point between the ISP and the CISCO. If this fails, the CISCO is set incorrectly.
- If all three of the above (dial-in, local LAN, and outside the CISCO) work, the problem is likely your ISP (or the networks at your client's sites). Many networks have set their filtering rules to block PPTP connections, and it is common for many organizations (including many ISPs) to be very unaware of what their filtering rules are set to.

While I do carry a network analyzer with me, I have rarely found it necessary to resort to decoding the packets (smile). Normally the problem is far easier addressed by these three simple checks.

I hope that the above is helpful.

- Bob Gezelter <[email protected]> http://www.rlgsc.com
 
Hi Bob,

One correction to your post, GRE does not use UDP port 47 or TCP port 47.
GRE is IP Protocol 47. No TCP or UDP port is used for GRE traffic. Routers
and firewalls must be configured to pass IP Protocol 47 for PPTP connections
to succeed.
--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Bob,

I have fixed the problem.
My mistake was:

I had opened port 1723 and the GRE protocol for access from outside
(internet) to inside (LAN), but I had to open the same rules
from inside to outside too.
Thanks for your support.
Regards


Alberto Brivio
 
Marc

My apologies. I mis-spoke when entering the message for the 5th time (I had problems with the web connection failing and losing my typing).

- Bob
 
That is correct. You must allow GRE on the traffic going out as well,
because the encrypted data going in either direction (client to server or
server to client) is inside a packet with a GRE header.
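The two filtering mistakes discussed in this thread (GRE opened as "port 47" on TCP or UDP instead of IP protocol 47, and PPTP opened inbound but not outbound) are easy to spot mechanically. The following checker is an added example, not anything posted in the thread; the `Rule` shape and the three rulesets are constructed for illustration and are not real router configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str      # "tcp", "udp", or "ip" for a raw IP protocol number
    number: int     # TCP/UDP port, or the IP protocol number when proto == "ip"

# A PPTP tunnel needs, in each direction, the TCP/1723 control channel and
# IP protocol 47 (GRE) carrying the tunnelled data. GRE is a protocol, not a port.
PPTP_NEEDS = (("tcp", 1723), ("ip", 47))

def check_pptp_rules(rules):
    """Return findings as strings; an empty list means PPTP can pass both ways."""
    permitted = {(r.direction, r.proto, r.number) for r in rules}
    findings = []
    for direction in ("in", "out"):
        for proto, number in PPTP_NEEDS:
            if (direction, proto, number) in permitted:
                continue
            # The slip from the thread: "port 47" on TCP or UDP instead of IP protocol 47.
            if proto == "ip" and any((direction, p, 47) in permitted for p in ("tcp", "udp")):
                findings.append(f"{direction}: port 47 opened on TCP/UDP, "
                                "but GRE is IP protocol 47, not a port")
            else:
                findings.append(f"{direction}: missing {proto}/{number}")
    return findings

# Constructed rulesets mirroring the thread (not real device configuration).
INBOUND_ONLY = [Rule("in", "tcp", 1723), Rule("in", "ip", 47)]        # LAN -> Internet never opened
PORT_47_MISTAKE = [Rule(d, "tcp", 1723) for d in ("in", "out")] + \
                  [Rule(d, "udp", 47) for d in ("in", "out")]          # GRE treated as a UDP port
CORRECTED = [Rule(d, "tcp", 1723) for d in ("in", "out")] + \
            [Rule(d, "ip", 47) for d in ("in", "out")]

if __name__ == "__main__":
    for name, rules in (("inbound only", INBOUND_ONLY),
                        ("udp port 47", PORT_47_MISTAKE), ("corrected", CORRECTED)):
        print(f"{name}: {check_pptp_rules(rules) or 'ok'}")
```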
 