Re: VPN not working when client behind another firewall
From: Mark Richards (mark.richards_at_expw.co.uk)
Date: 08/06/04
Date: Fri, 6 Aug 2004 00:33:14 -0700
Thanks folks. I'll take a look at the ideas you've
mentioned.
The latest is that we have tested the ports and GRE
protocol using pptpping and it works ok.
>-----Original Message-----
>Got the picture ...mmmhhhm
>
>To be honest, I am not a real help now, but maybe this is something:
>
>[from SBS 2003 Best Practices]
>be advised there is an issue with respect to having VPN connections when you
>place a hardware-based firewall router out in front of SBS 2003 and want to
>tunnel into the SBS network (especially if you're adhering to the best practice
>of a dual firewall). This area is NAT-T over IPSec across the firewall.
>Technically speaking, IPSec NAT Traversal (NAT-T) allows IPSec clients and
>server to work when behind a NAT. To use NAT-T, both the remote access VPN
>client and the remote access server must be IPSec NAT-T-capable. IPSec NAT-T
>provides UDP encapsulation of IPSec packets to enable Internet Key Exchange
>(IKE) and Encapsulating Security Payload (ESP)-protected traffic to pass through
>a NAT. IKE automatically detects that a NAT is present and uses User Datagram
>Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation to enable
>ESP-protected IPSec traffic to pass through the NAT. IPSec NAT-T is supported by
>the Windows Server 2003 family. As such, it's supported in SBS 2003. Your next
>step might be to delve deeper into the issue with the Microsoft Press Windows
>Server 2003 Resource Kit or look up some
>articles on TechNet.
>[thanks Harry]
>
>
>I'll get back if some new ideas hit me.
>Maybe someone of the real "pro's" can jump in.
>
>Bye, Franz
>
>"Mark Richards" <mark.richards@expw.co.uk> wrote in message
>news:0a5001c47af2$e4d560c0$a601280a@phx.gbl...
>> Please excuse my ignorance Franz!
>>
>> We have a Thomson / Speedtouch 510 and a Symantec 200
>> Firewall Appliance. I believe that these are configured
>> correctly as we have used VPN successfully before. The
>> difference now is that we have guys trying to VPN from
>> behind another firewall. However, other guys (not from
>> our company) are able to VPN into their own server from
>> behind this same firewall. So it would seem that the
>> other firewall is also configured correctly.
>>
>> Regards
>> Mark
>>
>> >-----Original Message-----
>> >Mark,
>> >
>> >It's not "port 47". It's "GRE-protocol 47".
>> >Your router needs to pass it through. You can close port 47. Maybe there
>> >is a setting which enables VPN pass-thru in general.
>> >What type of router is it?
>> >
>> >Franz
>> >
>> >
>> >"Mark Richards" <mark.richards@expw.co.uk> wrote in message
>> >news:07bf01c47acd$82f5d5d0$a401280a@phx.gbl...
>> >> Hi Marina,
>> >>
>> >> OK - so our VPN is working fine when the client is NOT
>> >> behind another firewall - and our port 47 is definitely
>> >> open on our firewall.
>> >>
>> >> Do we need to make sure that the other firewall has port
>> >> 47 open too?
>> >>
>> >> Regards
>> >> Mark
>> >>
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >Hi Mark,
>> >> >
>> >> >Error 721 means that the router is not passing through the GRE-protocol 47,
>> >> >which is needed for VPN.
>> >> >Check the documentation of the router/firewall or the website for firmware
>> >> >upgrade or even downgrade.
>> >> >
>> >> >--
>> >> >Regards,
>> >> >
>> >> >Marina
>> >> >Microsoft SBS-MVP
>> >> >
>> >> >"Mark Richards" <mark.richards@expw.co.uk> wrote in message
>> >> >news:c1da01c47a30$9def6fb0$a301280a@phx.gbl...
>> >> >> Hi,
>> >> >>
>> >> >> VPN is not working for our client PCs currently trying to
>> >> >> connect from behind another firewall. The administrators
>> >> >> of the "other" firewall have opened up ports 1721, 1723
>> >> >> and 500, 1701, but our PCs get the following error after
>> >> >> the dialog box says "Checking password":
>> >> >>
>> >> >> "The remote computer did not respond. For further
>> >> >> assistance, click More Info or search Help and Support
>> >> >> Center for this error number. (Error 721) For customized
>> >> >> troubleshooting information for this connection, click
>> >> >> Help.
>> >> >> Pausing before reconnecting (3 seconds)..."
>> >> >>
>> >> >> We've tried opening ALL ports on our firewall but to no
>> >> >> avail. I am also unable to telnet to any of the ports,
>> >> >> although I may be attempting to do this incorrectly.
>> >> >>
>> >> >> Any thoughts / help would be much appreciated.
>> >> >>
>> >> >> Regards
>> >> >>
>> >> >> Mark
>
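
Added example (not part of the original thread): a short Python sketch of the "port 47" versus "GRE protocol 47" distinction discussed above, showing why a filter rule for TCP port 47 never matches PPTP data packets. The packets are constructed samples, and the rule format and function names are hypothetical.

```python
import struct

TCP, GRE = 6, 47  # IP protocol numbers; GRE is a protocol, not a port

def ipv4(proto, payload):
    """Wrap payload in a minimal IPv4 header (constructed sample, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 5])) + payload

def tcp_syn(dport):
    """Minimal 20-byte TCP header with SYN set (constructed sample)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def pptp_gre(call_id, seq, data=b""):
    """Enhanced GRE header used by PPTP: K and S bits, version 1, type 0x880B."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(data), call_id, seq) + data

def classify(packet):
    """Return what a packet filter sees: the IP protocol and, for TCP only, a port."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]  # byte 9 is the IP protocol field
    if proto == TCP:
        return {"ip_proto": TCP, "dport": struct.unpack("!H", body[2:4])[0]}
    if proto == GRE:
        flags, ptype, _, call_id = struct.unpack("!HHHH", body[:8])
        return {"ip_proto": GRE, "dport": None, "gre_version": flags & 0x7,
                "gre_type": ptype, "call_id": call_id}
    return {"ip_proto": proto, "dport": None}

def permits(rule, packet):
    """rule: {'ip_proto': n} with an optional 'dport' (hypothetical rule format)."""
    seen = classify(packet)
    if rule["ip_proto"] != seen["ip_proto"]:
        return False
    return "dport" not in rule or rule["dport"] == seen["dport"]

def pptp_passes(rules):
    """PPTP needs both the TCP 1723 control channel and the GRE data packets."""
    control, data = ipv4(TCP, tcp_syn(1723)), ipv4(GRE, pptp_gre(7, 1))
    return (any(permits(r, control) for r in rules),
            any(permits(r, data) for r in rules))

# "Port 47 open" versus "protocol 47 passed through"
PORT_47_RULES = [{"ip_proto": TCP, "dport": 1723}, {"ip_proto": TCP, "dport": 47}]
PROTO_47_RULES = [{"ip_proto": TCP, "dport": 1723}, {"ip_proto": GRE}]

if __name__ == "__main__":
    print("port 47 opened:    ", pptp_passes(PORT_47_RULES))
    print("protocol 47 passed:", pptp_passes(PROTO_47_RULES))
```

With only TCP ports opened, the control connection succeeds but the GRE data packets are dropped, so the link never comes up.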