RE: VPN connection not passing the password auth' stage.

Dear Mark:
Thank you for posting here.

>From your description, I understand that when you try to establish a VPN
connection, the connection fails in the process of verifying the
username/password. If I am off base, please feel free to let me know.

Generally speaking, we need to enable TCP port 1723, as well as an
additional IP port 47 (GRE protocol) on all routers and firewalls between a
PPTP client and a PPTP server. The router must be able to pass Generic
Route Encapsulation (GRE) protocol 47 for PPTP traffic to connect correctly
to use VPN. When a cable/DSL router cannot map GRE protocol 47 to the
Routing and Remote Access server, you cannot connect to the server from the
Internet. To verify whether the router is the root cause, please do the
following steps:

a. Please temporarily place a client directly connected to the external NIC
of the SBS Server. You can connect the external network adapter of the SBS
Server to a simple hub and connect the client to the same hub.

b. Manually configure the TCP/IP settings on the client computer to be on
the same subnet as the external network adapter of the SBS Server.

c. Turn off the Firewall Client on the client computer.

d. Configure the VPN connection on the client and do a VPN test.

Does this problem persist?

Note: Please double check if your router has an outdated firmware. See:

319108 Error Message: VPN Connection Error 800: Unable to Establish
Connection
http://support.microsoft.com/?id=319108

If the VPN connection works, you may need to enable GRE port 47 on your
hardware router. Otherwise, we may need to make a further analysis. Please
do me a favor and collect the following information:
1. Do you have ISA installed on your SBS box? If so, ISA2k or ISA2k4?

2. Does your VPN account have the available permission to connect in?
Please try using a domain administrator account and establish the VPN
connection again, does this problem persist?

3. How do you create your VPN connection? Did you configure the SBS Server
by the Configure Remote Access in Server Management Console\Internet and
E-Mail node?

4. Please logon to an internal client computer, manually create a VPN
Connection from the Network Connections folder, and then connect to the SBS
Server to see if it works.

5. Could you tell me the detailed error information when the VPN connection
fails?

6. Please help me gather the RAS log file.

Go to SBS Server, go to command prompt and type the following command
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue and then, compress and email me with the C:\windows\debug
folder.

In addition: You can use PPTP Ping to test if 1723 port and GRE protocol
are allowed to pass through. To do so:
a. Please run Pptpsrv.exe on the server side.
b. Run Pptpclnt.exe [ServerName or IPaddress] on remote client.
c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
and then click Enter.
d. You will see the text received at the host running Pptpsrv.exe. Then you
will see five GRE packets sent from Pptpclnt.exe and received at
Pptpsrv.exe.
Provide me with the output for reference.
NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
tools. For your convenience, I have attached the file within this reply.
NOTE: You should stop the Routing and Remote Access service on the RRAS
(VPN) server so that PPTPSRV can bind to port 1723
Basically, we will use PPTP Ping utility to determine whether any hardware
router or firewall is blocking GRE Protocol 47. The router must be able to
pass Generic Route Encapsulation (GRE) protocol 47 for PPTP traffic to
connect correctly to use VPN. When a cable/DSL router cannot map GRE
protocol 47 to the Routing and Remote Access server, you cannot connect to
the server from the Internet.

Hope it helps. I appreciate you taking time to perform the test. I look
forward to hearing from you. If you have anything unclear, please feel free
to let me know, I am glad to be of assistance.

Have a nice day, Mark! :)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| User-Agent: Microsoft-Entourage/10.1.6.040913.0
| Date: Sat, 13 Aug 2005 08:53:40 -0400
| Subject: VPN connection not passing the password auth' stage.
| From: Mark Foster <mfoster1@xxxxxxxxxx>
| Message-ID: <BF236594.D8B%mfoster1@xxxxxxxxxx>
| Mime-version: 1.0
| Content-type: text/plain; charset="US-ASCII"
| Content-transfer-encoding: 7bit
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 68.33.188.115
| Lines: 1
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:143932
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I have finally set up the VPN to work with 2 NIC in the server, and the
SBS
| network connect is connecting, but it is not getting any further than the
| password verification stage (taking 30+ secs) and then the connection
fails.
| I have set up the Linksys router manually, so I am not sure if there are
| ports that need to be open in addition?
|
| Many thanks,
|
| Mark
|
|

Attachment:
PPTP-Ping.zip

Description: Binary data