RE: VPN woes



Hi Edward,

Thanks for your response. It was very informative.

First of all, I can confirm that you were right in your description of the
problem.

I was able to connect to a VPN from the external side of the server. I
was also able to run the pptpsrv/pptpclnt programs and prove that
the GRE packets were able to be received by the server from a client
immediately next to the server, but not from a client on the other side of
the router. Therefore, I can only assume that the router is the problem.
I have spoken to Linksys and they say that the router should pass the GRE
packets through if port 47 is forwarded for TCP and UDP traffic;
unfortunately, this doesn't appear to be the case.
I am now going to try exposing the 'external network' server adaptor as a
public IP address so that I don't need to use the port forwarding capability
of the router. Do you think this is a good solution? I think it should bypass
the router issue.

"Edward Tian" wrote:

> Hi:
> Thank you for posting here.
>
> From your description, I understand that when you try to establish a VPN
> connection, the connection terminated in the process of verifying the
> password and you received an error 721. If I am off base, please feel free
> to let me know.
>
> Based on my research, error 721 is usually caused by GRE packet not
> properly being allowed on a router.
>
> You receive an "Error 721" error message when you try to establish a VPN
> connection through your Windows Server-based remote access server
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;888201
>
> To verify whether the router is the root cause, please do the following
> steps:
>
> a. Please temporarily place a client directly connected to the external NIC
> of the SBS Server. You can connect the external network adapter of the SBS
> Server to a simple hub and connect the client to the same hub.
>
> b. Manually configure the TCP/IP settings on the client computer to be on
> the same subnet as the external network adapter of the SBS Server.
>
> c. Turn off the Firewall Client on the client computer.
>
> d. Configure the VPN connection on the client and do a VPN test.
>
> Does this problem persist?
>
> If the above test works fine, it reveals that the traffic is blocked by the
> hardware router.
>
> As you mentioned, we can use the PPTP Ping utility to test if 1723 port and
> GRE protocol are allowed to pass through. To do so:
> a. Please run Pptpsrv.exe on the server side.
> b. Run Pptpclnt.exe [ServerName or IPaddress] on remote client.
> c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
> and then click Enter.
> d. You will see the text received at the host running Pptpsrv.exe. Then you
> will see five GRE packets sent from Pptpclnt.exe and received at
> Pptpsrv.exe.
> Provide me with the output for reference.
>
> NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
> tools. For your convenience, I have attached the file within this reply.
> NOTE: You should stop the Routing and Remote Access service on the RRAS
> (VPN) server so that PPTPSRV can bind to port 1723.
>
> Basically, we will use PPTP Ping utility to determine whether any hardware
> router or firewall is blocking GRE Protocol 47. The router must be able to
> pass Generic Route Encapsulation (GRE) protocol 47 for PPTP traffic to
> connect correctly to use VPN. When a cable/DSL router cannot map GRE
> protocol 47 to the Routing and Remote Access server, you cannot connect to
> the server from the Internet.
>
> For your information:
> In some cases, forwarding TCP/UDP port 47 is a workaround for the hardware
> router which is not supporting PPTP connection. Some routers may still not
> work after we perform the port forwarding. GRE was designed to provide a
> simple, general purpose mechanism for encapsulating data sent over IP
> networks. GRE is a client protocol of IP using IP protocol 47. Compared
> with TCP/UDP protocol, the IP protocol is definitely a different layer
> protocol. That is why forwarding TCP/UDP port 47 is just a WORKAROUND in
> some cases.
>
> More information about GRE 47:
> GRE Protocol 47 Packet Description and Use
> http://support.microsoft.com/default.aspx?scid=KB;[LN];241251
>
> Hope the above information helps. I appreciate you taking time to perform
> the test. Please feel free to let me know if you have any questions or
> concerns.
>
> Have a nice day! :)
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> | Thread-Topic: VPN woes
> | From: =?Utf-8?B?cGg3?= <ph7@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | Subject: VPN woes
> | Date: Fri, 23 Sep 2005 00:49:03 -0700
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hello,
> |
> | I am having a problem connecting to my SBS remotely from a VPN client
> | connection created with the SBS connection manager. The error that is
> | displayed is as follows :-
> | "The remote computer did not respond. (Error 721)"
> |
> | Server side as follows :-
> | SBS 2003 Standard - VPN enabled,
> | Connect to Internet via ADSL2 gateway - Linksys AG241
> | Port forwarding of 1723 & 47 (TCP and UDP)
> | (I added 47 after seeing Linksys KB article related to allowing GRE
> | packets thru)
> | PPTP passthrough
> |
> | Client side as follows :-
> | Windows XP SP2 - logged in as a mobile user
> | Connect to Internet via broadband router - Linksys WRT54G
> | PPTP pass through
> |
> | Connection dialog appears to show a connection established but then gets
> | stuck in verifying password.
> | Would the utilities pptpsrv/pptpclnt be useful in diagnosing this problem?
> |
> | Any suggestions about what might be wrong would be appreciated. I tried
> | Linksys support but they were pretty useless
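
Added example (not part of the original thread, and not Microsoft or Linksys code): a small Python model of the point made above, that GRE is IP protocol 47 and carries no ports, so the "1723 & 47 (TCP and UDP)" port forwards can match the PPTP control connection but never the GRE data packets. The packets are constructed samples using documentation-range addresses, and port_forward_matches is a hypothetical model of a router rule, not any vendor's implementation.

```python
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE"}  # IANA IP protocol numbers

def ipv4(proto, payload, src=b"\xc6\x33\x64\x0a", dst=b"\xcb\x00\x71\x05"):
    """Build a minimal IPv4 packet; addresses are documentation-range samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

# Constructed sample packets (not captured traffic).
TCP_1723 = ipv4(6, struct.pack("!HHIIHHHH", 49152, 1723, 0, 0, 0x5002, 8192, 0, 0))
UDP_47 = ipv4(17, struct.pack("!HHHH", 49152, 47, 8, 0))
# Enhanced GRE as used by PPTP (RFC 2637): K and S flags set, version 1,
# protocol type 0x880B, then payload length, call ID and sequence number.
GRE_PPTP = ipv4(47, struct.pack("!HHHHI", 0x3001, 0x880B, 4, 0x1234, 1) + b"\xff\x03\xc0\x21")

def classify(packet):
    """Return (protocol name, destination port or None, PPTP call ID or None)."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]  # byte 9 is the IP protocol field
    name = PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17):                   # TCP and UDP both carry ports
        return name, struct.unpack("!H", body[2:4])[0], None
    if proto == 47 and len(body) >= 8:     # GRE has no port fields at all
        flags, ptype, _length, call_id = struct.unpack("!HHHH", body[:8])
        if flags & 0x0007 == 1 and ptype == 0x880B:
            return name, None, call_id
    return name, None, None

def port_forward_matches(packet, rule_protocols, rule_port):
    """Model a router rule of the form 'forward <protocols> port <n>'."""
    name, dport, _ = classify(packet)
    return name in rule_protocols and dport == rule_port

def report():
    """Check each sample against the two port forwards described in the thread."""
    rules = [({"TCP"}, 1723), ({"TCP", "UDP"}, 47)]
    samples = {"PPTP control": TCP_1723, "UDP to port 47": UDP_47, "PPTP data": GRE_PPTP}
    return {label: any(port_forward_matches(p, protos, port) for protos, port in rules)
            for label, p in samples.items()}

if __name__ == "__main__":
    for label, forwarded in report().items():
        print(f"{label:15} matched by a port-forward rule: {forwarded}")
```
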