VPN Stopped functioning: no PPP LCP response when connecting from remote LAN

Thread starter: Sacha

Sacha

Hello,

I have a Windows 2000 SP4 server acting as a VPN server (PPTP) behind a
firewall. Until now, I never had any problem connecting to this server
(Windows 2000/XP clients). Suddenly, I cannot contact it anymore, and
the changes I remember having made on this server are:
- transformed it into an Active Directory master
- applied SP4
- applied all hotfixes

Since then:
- remote clients (behind the FW) cannot connect: error 721 from DUN
- clients on the same LAN *can* connect

I've used a network scanner and what is strange is that when the
remote client tries to connect, after the initial PPTP handshake over
port 1723, the client sends a few PPP LCP requests (GRE) BUT THE
SERVER never sends any packet back i.e. the server NEVER sends any GRE
packet, only TCP-1723 (behaviour scanned from the FW and the server
itself)

I have absolutely no FW or IP filtering rule set on this server. Is it
possible that the change to an Active Directory controller/domain made
it consider non-subnet-local clients as forbidden?

The sequence is as follows:
- Client: Start-Control-Connection-Request (PPTP)
- Server: Start-Control-Connection-Reply (PPTP)
- Client: Outgoing-Call-Request (PPTP)
- Server: Outgoing-Call-Reply (PPTP)
- Client: Outgoing-Call-Request (PPTP) (identical to previous)
- Server: Outgoing-Call-Reply (PPTP)
- Client: Set-Link-Info (PPTP)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: PPP LCP Configuration Request (PPP LCP, 47)
- Client: Call-Clear-Request (PPTP)
- Server: Call-Disconnect-Notify (PPTP)
- Client: Stop-Control-Connection-Request (PPTP)
- Server: Stop-Control-Connection-Reply (PPTP)

ONE THING HOWEVER: when doing TCP communication (PPTP), the Windows
VPN server sees the distant client IP as being the REAL one (public
IP), whereas when it starts the PPP LCP (47) communication, it sees the
masquerade address of the firewall (private IP): is it possible that a
recent MS hotfix for the VPN has made such IP conformity checks
stronger and now refuses to respond to any PPP LCP packet which
originates from an IP address which is different from the one used for
the PPTP negotiation?

Thank you for any help.

Cheers,


sacha
 
OK, I found the solution. It seems that a recent MS patch has changed
the way PPTP is handled: when the PPTP server receives protocol 47
packets that originate from a different IP than the one used for the TCP
communication (1723), the server simply discards them and does not send
any response packet back.

I simply changed the way the protocol forwarder was configured on the
FW so that it rewrites the source IP of the protocol 47 packets and
puts the client IP (and not the FW IP address), and everything works
fine now.
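As an added example (not from the original thread), a small check one can run over a packet trace to confirm the mismatch described above: it correlates the source IP of GRE (protocol 47) packets with the source IP of the PPTP control connection on TCP/1723, once for the broken forwarder setup and once after it preserves the client IP. The server, client and firewall addresses are constructed.

```python
# Added example, not code from the thread: correlate PPTP control sessions
# (TCP/1723) with GRE (IP protocol 47) packets and flag GRE traffic whose
# source IP has no matching control session. That is the condition under
# which the patched server silently drops the PPP LCP requests (error 721).
from collections import defaultdict

# Constructed packet records: (ip_proto, src, dst, dport); dport is None for GRE.
TCP, GRE = 6, 47

def pptp_control_peers(packets, server_ip):
    """Client IPs that opened a PPTP control connection (TCP/1723) to the server."""
    return {src for proto, src, dst, dport in packets
            if proto == TCP and dst == server_ip and dport == 1723}

def find_orphan_gre(packets, server_ip):
    """Map each GRE source IP that has no PPTP control session to its packet count."""
    peers = pptp_control_peers(packets, server_ip)
    orphans = defaultdict(int)
    for proto, src, dst, _ in packets:
        if proto == GRE and dst == server_ip and src not in peers:
            orphans[src] += 1
    return dict(orphans)

def diagnose(packets, server_ip):
    """One-line verdict suitable for reading next to a capture."""
    orphans = find_orphan_gre(packets, server_ip)
    if not orphans:
        return "OK: every GRE packet matches a PPTP control peer"
    return "; ".join(
        f"{n} GRE packets from {ip} have no TCP/1723 session from that IP "
        "(firewall rewriting the GRE source?)" for ip, n in orphans.items())

# Constructed sample capture. Before the fix, TCP/1723 arrives with the
# client's public IP while GRE arrives with the firewall's inside address.
SERVER = "10.0.0.5"          # constructed VPN server address
BEFORE_FIX = [
    (TCP, "203.0.113.10", SERVER, 1723),   # Start-Control-Connection-Request
    (TCP, SERVER, "203.0.113.10", 40000),  # Start-Control-Connection-Reply
    (GRE, "192.168.1.1", SERVER, None),    # PPP LCP Configure-Request via FW IP
    (GRE, "192.168.1.1", SERVER, None),    # retransmitted, never answered
]
AFTER_FIX = [
    (TCP, "203.0.113.10", SERVER, 1723),
    (GRE, "203.0.113.10", SERVER, None),   # forwarder now keeps the client IP
]

if __name__ == "__main__":
    print(diagnose(BEFORE_FIX, SERVER))
    print(diagnose(AFTER_FIX, SERVER))
```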