Re: Error 720 connecting to server via VPN



Hi Joe,

I think I understand.

I've checked the system log and found the following...

A connection between the VPN server and the VPN client XXX.110.88.173 has
been established, but the VPN connection cannot be completed. The most common
cause for this is that a firewall or router between the VPN server and the
VPN client is not configured to allow Generic Routing Encapsulation (GRE)
packets (protocol 47). Verify that the firewalls and routers between your VPN
server and the Internet allow GRE packets. Make sure the firewalls and
routers on the user's network are also configured to allow GRE packets. If
the problem persists, have the user contact the Internet service provider
(ISP) to determine whether the ISP might be blocking GRE packets.

So that clearly suggests the GRE is being blocked.

The problem is I don't know how to enable a protocol. The PPTP port is
open. Should I set up a firewall rule to allow port 47? But I think from
your last message, that's not the answer.

Thanks,

Craig

"Joe" wrote:

> Craig Hughes wrote:
> Hi Russ,
>
> Port 1723 (PPTP) is allowed in my router for any WAN users to the server.
>
> I've not got a rule for GRE (Port 43 I think) as I read it was an IP protocol
> rather than TCP or UDP. My router only allows TCP, UDP or TCP/UDP. Should
> I create a rule for port 43 as TCP/UDP?
>
> My router is Netgear. I can't see any existing rule I can select for GRE or
> port 43.


It's 47, it is a protocol and therefore has no connection with TCP or
UDP ports (most protocols don't use ports) and if you selected 'PPTP
Service' or similar on a Netgear machine then TCP/1723 and GRE are both
included. If you enable logging on that rule, you'll see (when the
system finally works) an initial TCP/1723 handshake followed by numerous
GRE packets, which carry the encrypted data.

> The Client I'm trying to connect is on the same subnet as the server,
> 255.255.255.0.

No, that's the netmask. That may or may not be the same, but the network
address, which is the IP address ANDed with the netmask (in this case
the first three octets of the IP address) must be different. This is
the most common cause of your particular problem. Your SBS has one of
the most common private network addresses (192.168.0.) and there's a
fair chance that the remote router also uses it. If so, one or the other
must change, and I'd recommend using the Change IP Address wizard on the
SBS to alter the LAN network address to something much higher, like
192.168.55. so it is unlikely to conflict with any default anywhere else.

Do you get any entry in the System event log on the SBS? If the TCP
connection works but GRE is blocked, then there will be a message to
that effect. Using the same network address at both ends produces
unpredictable errors, as there is confusion in routing, and some
messages will get through, some won't. Sometimes you'll get the System
message, sometimes not. Usually the process will fail during
authentication, when several pieces of data need to be exchanged and
some get dropped.
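
Added example, not part of the original thread: a Python sketch of why a TCP/UDP "port 47" rule can never match PPTP data traffic, which is IP protocol 47 (GRE) and has no port field. The packets, addresses, rule table and function names are constructed for illustration and do not model any specific router.

```python
import struct

TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers (IPv4 header byte 9)
PPTP_PORT = 1723               # TCP port of the PPTP control channel
GRE_PPP = 0x880B               # protocol type in PPTP's enhanced GRE header

def ipv4(proto, payload):
    """Constructed minimal IPv4 packet (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([203, 0, 113, 10]),
                       bytes([198, 51, 100, 2])) + payload

def classify(packet):
    """Return (ip_protocol, dest_port_or_None, kind) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]
    if proto in (TCP, UDP) and len(body) >= 4:
        dport = struct.unpack("!H", body[2:4])[0]
        kind = "pptp-control" if (proto, dport) == (TCP, PPTP_PORT) else "other"
        return proto, dport, kind
    if proto == GRE and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        # GRE has no port fields; PPTP data is GRE version 1 carrying PPP.
        is_pptp = (flags_ver & 0x7) == 1 and ptype == GRE_PPP
        return proto, None, "pptp-data" if is_pptp else "other-gre"
    return proto, None, "other"

def port_rules_allow(rules, packet):
    """Model a router whose inbound rules can only name TCP/UDP ports."""
    proto, dport, _ = classify(packet)
    name = {TCP: "tcp", UDP: "udp"}.get(proto)
    if name is None:
        return False           # no port to match, so no port rule can apply
    return any(name in r_proto.split("/") and dport == r_port
               for r_proto, r_port in rules)

# Constructed samples: one control-channel TCP segment, one PPTP data packet.
control = ipv4(TCP, struct.pack("!HH", 50000, PPTP_PORT) + bytes(16))
data = ipv4(GRE, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0))
rules = [("tcp", 1723), ("tcp/udp", 47)]   # second rule is the "port 47" idea

if __name__ == "__main__":
    for label, pkt in (("control", control), ("data", data)):
        print(label, classify(pkt), "allowed:", port_rules_allow(rules, pkt))
```

The control packet matches the TCP/1723 rule, while the GRE packet is refused even with the TCP/UDP 47 rule present, which is the "connection established but cannot be completed" pattern in the event log message above.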

