Re: VPN/Remote Access




Sestratton wrote:
Joe:

I'd say you are certainly on the right track. The event log on the vpn server shows the connection being established but cannot be completed and suggests the same GRE issue.

I updated the firmware on the hardware firewall to the latest version but that didn't help. I shut down the firewall on the external side of the server, and that didn't do anything.

So it certainly looks like the GRE is not making it through something along the way.

Is there any way I can determine what that is? That is, I don't want to go buy a new firewall only to learn it was something on the offsite client network that wasn't passing the GRE. The offsite client network is completely out of my control.

In fact, I don't want to buy a new firewall at all because I think I'm going to be able to go back to ISA in a few months.


None of the firewalls or routers I've dealt with need any configuration
to allow GRE out of the client site, but it's possible some do. It looks
as if you might have that happening here. Those that claim 'stateful
packet filtering' should not.

Does your firewall log show anything useful? The DG834 log shows two
separate event types, the first being the PPTP connection being passed
on TCP/IP 1723, then a number of subsequent events showing PPTP data
on GRE. If you enable logging on the PPTP service, do you see any GRE
entries at all? If not, that would suggest a problem at the client end.
Unfortunately, it's not proof unless it appears on a router known to
pass VPN correctly. There could still be a firmware problem at the
server end router.

Any Windows machine can initiate a PPTP VPN, and as I say, routers
generally do not need configuration at the client end. Are you able
to try setting up the VPN from a different site, preferably through
a different ISP? If not, it still looks like a firmware problem.
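The check described in the reply above (PPTP control on TCP 1723 first, then data on GRE) can also be run against a packet capture taken at either end instead of a router log. This is an added example, not part of the original thread: the addresses, sample packets and function names are constructed, and it assumes raw IPv4 packets and PPTP's enhanced GRE header as defined in RFC 2637 (IP protocol 47, version 1, protocol type 0x880B).

```python
import struct
from ipaddress import IPv4Address

PPTP_TCP_PORT = 1723              # PPTP control channel
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # IP protocol numbers
GRE_PPP = 0x880B                  # protocol type in PPTP's enhanced GRE header

def classify(pkt: bytes):
    """Return (kind, src, dst) for a raw IPv4 packet; kind is 'control', 'gre' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None, None
    ihl = (pkt[0] & 0x0F) * 4     # header length, so IP options are skipped
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if pkt[9] == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_TCP_PORT in (sport, dport):
            return "control", src, dst
    if pkt[9] == IPPROTO_GRE and len(body) >= 4:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x7 == 1 and ptype == GRE_PPP:   # version 1 = enhanced GRE
            return "gre", src, dst
    return None, src, dst

def diagnose(packets, server_ip):
    """Summarise which PPTP traffic was seen, by direction relative to the VPN server."""
    seen = set()
    for p in packets:
        kind, src, _ = classify(p)
        if kind:
            seen.add((kind, "from_server" if src == server_ip else "to_server"))
    if not any(k == "control" for k, _ in seen):
        return "no PPTP control traffic: TCP 1723 is not reaching this point"
    missing = [d for d in ("to_server", "from_server") if ("gre", d) not in seen]
    if missing:
        return "control channel seen, GRE missing " + " and ".join(missing)
    return "control and GRE seen in both directions"

def ip(proto, src, dst, body):
    """Build a minimal IPv4 packet for the constructed sample (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + body

CLIENT, SERVER = "198.51.100.10", "203.0.113.5"   # constructed documentation addresses
SAMPLE = [  # constructed capture at the server's external interface
    ip(6, CLIENT, SERVER, struct.pack("!HH", 49152, 1723) + bytes(16)),
    ip(6, SERVER, CLIENT, struct.pack("!HH", 1723, 49152) + bytes(16)),
    ip(47, SERVER, CLIENT, bytes.fromhex("3081880b") + bytes(8)),
]
```

For the constructed sample, `diagnose(SAMPLE, SERVER)` reports the control channel plus GRE leaving the server but none arriving from the client, which is the pattern that points at the client side of the path.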


