Re: Unable to make VPN connection to ISA 2006 Standard



No, I wrote that there may be a problem if there is a NAT device between the
VPN client and the ISA.
The PPTP filter will drop PPTP connections *any time* the PPTP VPN protocol
is violated (as should any *real* firewall).
Make the connection from the other side of the NAT device if possible.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Thomas Hofmann" <ThomasHofmann@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:454D6A2E-55F2-4698-8BB3-C44ADBE1DCD3@xxxxxxxxxxxxxxxx
Hello Mike,
have you any new comments for this problem? I already have the same problem, but no idea how to solve it.

Jim wrote that it is a problem of the firewall rule. But is there any way to configure a rule to accept PPTP connections?

It's very important for me. May be you can help.

Thank you very much.

Thomas Hofmann

"Mike Iles" wrote:

After today's work I conclude this has to be an ISA problem. I removed ISA server and used the same ADSL connection, router, client etc. and was able to make an incoming connection direct to RRAS on this machine with absolutely no problem. When I reinstalled ISA it also worked and I even got site to site working after a fashion - until I had to reboot the machine - after which it exhibited exactly the same problems as before - unable to make an incoming PPTP connection etc.

I now have NET monitor 3.1 installed and will see if this tells me anything, though it would help to know what I'm looking for.

"Jim Harrison (ISA SE)" wrote:

"the ADSL provision is blocking GRE somewhere" - this isn't a guarantee.
If you search through the NG archives, you'll find several instances where a NAT device in the way was playing silly buggers with the PPTP session setup process.
Only a network capture can tell for sure.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Mike Iles" <MikeIles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA713F44-63E6-4BB4-86F6-A4D0B5B6E5BC@xxxxxxxxxxxxxxxx
Many thanks for your reply. I understand about GRE. I don't believe the routers in question are blocking this. In fact I know with the end that works fine that they can't be blocking it. The configs are truly identical at each end, even down to the IOS configs in the routers apart from the IP addresses being used of course, and at the failing end I have even tried another router!

This weekend I am going to remove ISA and see if I can make a PPTP connection direct to RRAS. This will eliminate my only outstanding suspicion - that the ADSL provision is blocking GRE somewhere. I am led to believe by the client that this can't be the case however because the existing system being replaced used to provide VPN access to clients terminating at the router at this site.
What I'm really trying to do here is a site to site VPN. If I can't get this end working then another option open to me is to form an IPSEC tunnel router to router, and that's another thing I'll do this weekend but I had my heart set on ISA-to-ISA. I've used it before for several clients.
Thanks for your pointer about the Automatic client setting trying L2TP - I thought I had set the dial up connection at the clients I have used for testing to be PPTP specifically but perhaps in one instance I didn't.
I'd really appreciate some assistance with where to go next on troubleshooting this. I've looked through the many RRAS logs to try and understand where things are breaking down - but there are so many with so much in them. If it were a GRE problem, for example, where would I see this or do I have to get NETMON running to crunch the packets?

Mike Iles

"Jim Harrison (ISA SE)" wrote:

PPTP is not just "port 1723"; it's also IP:47 (NOT "port 47"), also known as GRE.
If the routers in question don't allow IP:47, then PPTP can never succeed.
If the VPN clients are configured for "automatic" VPN protocol, they'll try IPSec when PPTP fails and that's probably why you see IKE.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html
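Jim's two points in this thread (PPTP is TCP/1723 plus IP protocol 47, and only a capture, ideally taken on both sides of any NAT device, settles where GRE is lost) as an added example that is not code from the thread or from ISA/RRAS: a small Python classifier over constructed packet summaries of the kind Network Monitor or tcpdump prints. The addresses, record layout and function names are assumptions.

```python
# Added example for this thread, not code from it or from ISA/RRAS.
# Records are constructed (src, dst, ip_proto, sport, dport) tuples, the kind of
# summary read off a Network Monitor or tcpdump listing; ports are 0 for non-TCP.
TCP, GRE = 6, 47      # IP protocol numbers: PPTP data rides on IP:47, not a port
PPTP_CTL = 1723       # PPTP control channel, TCP

def _seen(packets, src, dst, proto, port=None):
    """True if any record matches src/dst/proto (and a TCP port, if given)."""
    for s, d, p, sport, dport in packets:
        if (s, d, p) == (src, dst, proto) and (port is None or port in (sport, dport)):
            return True
    return False

def diagnose_pptp(packets, client, server):
    """Verdict for one capture taken at the VPN server's external interface.
    PPTP needs a TCP/1723 control session AND IP protocol 47 (GRE) both ways:
    control but no GRE means the path drops IP:47; GRE one way only is an
    asymmetric drop (a NAT device in the way is a usual suspect)."""
    ctl = _seen(packets, client, server, TCP, PPTP_CTL) and \
          _seen(packets, server, client, TCP, PPTP_CTL)
    if not ctl:
        return "no-control-session"
    c2s = _seen(packets, client, server, GRE)
    s2c = _seen(packets, server, client, GRE)
    if c2s and s2c:
        return "transport-ok"      # GRE flows both ways; look at PPP/auth instead
    if c2s or s2c:
        return "gre-one-way"
    return "gre-blocked"

def gre_lost_in_nat(inside, outside, client, nat_public, server):
    """Compare captures on both sides of a NAT device: inside = client LAN
    (private client address), outside = Internet side, where the client shows
    as nat_public. True when the client sends GRE but none gets past the NAT."""
    return _seen(inside, client, server, GRE) and not _seen(outside, nat_public, server, GRE)

# Constructed sample: control session completes but GRE never reaches the server.
SERVER_SIDE = [("203.0.113.10", "198.51.100.5", TCP, 40000, 1723),
               ("198.51.100.5", "203.0.113.10", TCP, 1723, 40000)]
LAN_SIDE = [("192.168.1.20", "198.51.100.5", TCP, 40000, 1723),
            ("192.168.1.20", "198.51.100.5", GRE, 0, 0)]

if __name__ == "__main__":
    print(diagnose_pptp(SERVER_SIDE, "203.0.113.10", "198.51.100.5"))  # gre-blocked
    print(gre_lost_in_nat(LAN_SIDE, SERVER_SIDE, "192.168.1.20",
                          "203.0.113.10", "198.51.100.5"))              # True
```

A "gre-blocked" verdict at the server with GRE visible on the client LAN points at the device between them, which is why Jim suggests connecting from the other side of the NAT device.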



"Mike Iles" <MikeIles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6EBB2558-67BE-4F9A-8867-CC27D7A28A5A@xxxxxxxxxxxxxxxx
I'm tearing my hair out trying to get VPN client access to work on a particular system. It's Server 2003 R2 with ISA 2006 Standard and I have followed all the guidelines for providing VPN access (and I have done this many times before).
The symptom is that the client times out trying to connect with the error indicating the VPN server didn't respond. Monitoring at the ISA server you see the PPTP connection established and a subsequent disconnection. VPN is set to use DHCP and RRAS has successfully acquired a block of addresses on starting. When the connection is initiated however, it doesn't get as far as assigning an IP address to the internal interface. No events logged and no other problems with ISA.

This is one of a pair of identical systems at two different sites and the other works fine (using the same client PC too). They have the same routers, identically configured to ensure that port 1723 is passed.

Sometimes, but not always, between the PPTP connect and disconnect the ISA log shows a failed access from External to Local Host with the IKE client (port 500). The source IP address is similar, but not the same as the client PC. Adding a rule to pass this traffic still doesn't get a connection.

Any further troubleshooting tips welcome.