VPN not working through hardware NAT


Petr Sedlak

Hi,

I have such trouble:

I have a network connected to the internet by an Intel 9515 router with NAT
enabled. There is a server in the LAN which provides internet services such
as email, web based services, terminal access etc. So there are static ports
configured in the router (25, 993, 445, 3398, ...).
I wanted to add VPN server so I built a machine, installed Windows 2000
server and configured the VPN server.
Everything works fine when I connect my notebook with a crossover cable to the
internet interface of the server.
So I opened ports 1723 and 47 in the router and tried to connect from
outside the network and - it didn't work.
I have no packet filters configured on either the router or the server at
the moment.
I used a packet sniffer (eEye Iris) to find out what is going on on the internet
interface of the server.
In both cases (notebook directly connected, connecting with modem from
outside) there is a packet coming in and heading for port 1723; the only
difference is in IPv4 header (IPv4 header - identification: notebook 572,
modem 1291), addresses, TTLs, checksums and TCP header (TCP header - window
size: notebook 16384, modem 8760).
After the first packet when connecting by notebook the next packet is the
reply from server, source port 1723, dest. port 1119 etc. - at that moment
there are still no packets of other type/port/service. When connecting by
modem the next packet is the client pc repeating the first packet and the
server responding nothing.

Does anybody know what causes this behaviour and what to do to fix it?

Thanks for any information

Petr
 
If it works when directly connected, the problem is probably that the
router is blocking GRE. The PPTP traffic is encrypted and then encapsulated.
The "wrapper" uses a GRE (Generic Routing Encapsulation) header. GRE is IP
protocol 47 (not a port).
 
I read the newsgroup and then examined the GRE problem but although I looked
also at RFCs I am still not sure about what it is.
GRE uses IP but it is not a TCP-based protocol, therefore it is not possible to
configure a static TCP port in NAT to let the packets get inside the LAN.
Routers have to have some special functionality in order to let PPTP
work. Correct?
And what is the solution? Do you think that requesting another IP address
from the ISP and using static mapping without port translation just for that one
IP address would work?
 
What you say is correct. GRE is not TCP based, so you cannot use port
forwarding. GRE is a protocol, just as TCP is a protocol. TCP is IP protocol
6, UDP is IP protocol 17, GRE is IP protocol 47.

You do not forward anything. You just need to make sure that your router
does not block it. Look at the router's filter setup and look for GRE by
name or by protocol number. Or check the router manufacturer's site for info
on how to allow GRE. They all seem to do it in a different way.
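The distinction made in this reply (PPTP needs a TCP/1723 control connection plus IP protocol 47, which no port forward can cover) can be checked directly against a sniffer trace. The following is an added example, not code from the thread: it parses raw IPv4 packets taken from the server's internet interface, labels each as PPTP control traffic, GRE, or other, and reports which of the three failure patterns the capture shows. All addresses, ports and packet bytes below are constructed sample data.

```python
import struct
from collections import Counter

PPTP_CTRL_PORT = 1723               # TCP control connection (what port forwarding covers)
IPPROTO_TCP, IPPROTO_GRE = 6, 47    # GRE is an IP protocol number, not a TCP/UDP port

def ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (checksum left zero); constructed sample data only."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header with no payload (flags: 0x02 = SYN, 0x12 = SYN/ACK)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8760, 0, 0)

def classify(pkt):
    """Label one raw IPv4 packet: PPTP control traffic, GRE tunnel data, or other."""
    ver_ihl, proto = pkt[0], pkt[9]          # protocol field sits at byte 9 of the IP header
    if proto == IPPROTO_GRE:
        return "gre"                         # the tunnel itself (IP protocol 47)
    if proto == IPPROTO_TCP:
        ihl = (ver_ihl & 0x0F) * 4           # header length in bytes, skips IP options
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if dport == PPTP_CTRL_PORT:
            return "ctrl-to-server"
        if sport == PPTP_CTRL_PORT:
            return "ctrl-from-server"
    return "other"

def diagnose(packets):
    """Summarise a capture from the VPN server's internet-facing interface."""
    seen = Counter(classify(p) for p in packets)
    if not seen["ctrl-to-server"]:
        return "no-pptp-traffic"
    if not seen["ctrl-from-server"]:
        return "control-unanswered"          # SYN to 1723 arrives, server never replies
    if not seen["gre"]:
        return "gre-missing"                 # control OK, but protocol 47 never shows up
    return "tunnel-complete"

# Constructed captures (addresses, ports and GRE bytes are made up), not from the thread.
CLIENT, SERVER = "203.0.113.10", "192.0.2.5"
NOTEBOOK = [ipv4(CLIENT, SERVER, 6, tcp(1119, 1723, 0x02)),
            ipv4(SERVER, CLIENT, 6, tcp(1723, 1119, 0x12)),
            ipv4(CLIENT, SERVER, 47, b"\x30\x01\x88\x0b"),   # GRE, protocol type 0x880B (PPP)
            ipv4(SERVER, CLIENT, 47, b"\x30\x01\x88\x0b")]
MODEM = [ipv4(CLIENT, SERVER, 6, tcp(1119, 1723, 0x02))] * 2    # SYN repeated, no reply
GRE_FILTERED = NOTEBOOK[:2]                                     # control only, no GRE
```

Run `diagnose()` over a real capture converted to raw IPv4 bytes; "gre-missing" is the signature of a filter dropping protocol 47 somewhere in the path, while "control-unanswered" points at the server or the TCP/1723 forward itself.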
 
Unfortunately the manufacturer doesn't mention anything about GRE, not even
in the router itself.
I don't want to change the router (I need 1 x V.35 and 2 x 10/100 interfaces
and I don't like Cisco so there are not many other choices anyway) so I need
to find some workaround. Maybe I could use it just as a simple router and
add one more box just after it which would do NAT and allow GRE packets.
What do you think about this?
 
That wouldn't really solve much unless you can turn off its firewall
filtering. Anything in the path (router, firewall, even a personal firewall on the
client) which blocks GRE will cause a PPTP connection to fail.
 
Sure, I wouldn't use any of the router's filtering functions (I am not using
them at the moment anyway) and I would use the additional box's filtering
function.
Fine - I hope this will be the solution.
Thanks for help

Petr
 
 