Re: VPN PPTP problem
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Thu, 06 Dec 2007 01:56:39 GMT
Hello David,
Thank you for the update.
I'm glad you found the root cause of this issue.
For your concern: why do the PPTP and GRE packets reach the SBS but the PPTP
VPN cannot be established? I want to explain that one or two packets reaching
the SBS does not mean you can establish a VPN connection. The connection needs
to establish the 'session'. If the firebox does not support PPTP VPN
pass-through, it will not mark the packets with the proper session mark. The
PPTP VPN connection cannot establish the session on the firebox, so the VPN
connection fails. For example, after the PPTP and GRE packets reach the SBS,
the SBS responds to the request; when the response packets go through the
firebox, the firebox does not know which session the response packets
belong to. The firebox may drop the packets.
Note: In fact, different firewalls have different methods to process
network packets. For the detailed reasons, you still need to contact the
firebox support.
By the way, PPTP Ping is a better way to test the PPTP VPN link
session than Wireshark.
Please do not hesitate to post in SBS newsgroup if you need any assistance
in the future. I look forward to working with you again.
Thank you and have a nice day,
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: david.monticelli@xxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: VPN PPTP problem
| Date: Wed, 5 Dec 2007 04:53:03 -0800 (PST)
|
| On 30 nov, 10:37, v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| wrote:
| > Hello David,
| >
| > Thank you for your email.
| >
| > The ISA Info which I gathered from you before including all ISA
| > configuration. So I had checked your ISA configuration at the beginning. I
| > did not find any issue in your ISA configuration.
| >
| > From your description "But for GRE, I choose protocol IP, level 47 -> and
| > for that there is NOT a "NAT" button, so I just allow the traffic to all
| > destination", I think you did not properly set the GRE 47 on the firebox. I
| > suppose the firebox will show you a PPTP service to publish. The PPTP
| > service will include TCP 1723 and GRE 47. I strongly suggest you contact
| > your firebox support to confirm how to publish internal PPTP service to
| > Internet.
| >
| > To confirm whether the SBS is configured properly for VPN, we can do the
| > following test:
| >
| > a. On one internal XP client, click Start, click Control Panel, click
| > Network and Internet Connections, and then click Network Connections.
| > b. Click Create a new connection, and then click Next.
| > c. Click Connect to the network at my workplace, and then click Next.
| > d. Click Virtual Private Network connection, and then click Next.
| > e. Type a descriptive name for your company, and then click Next.
| > f. Click Do not dial the initial connection, and then click Next.
| > g. Type the SBS internal IP address, and then click Next.
| > h. Use one of the following methods:
| >
| > a) Click Anyone's use if you want to share the connection with all users.
| > b) Click My use only if you do not want to share the connection.
| >
| > i. Click Next, and then click Finish.
| > j. The dial in window will appear after you click Finish. Input the domain
| > user name and password, click Connect button.
| >
| > Does the VPN establish successfully? If yes, the SBS is configured properly.
| >
| > Hope the steps will help you to narrow down this issue.
| >
| > Thanks and have a nice day.
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! -www.microsoft.com/security
| >
| > --------------------
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | From: v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| > | Organization: Microsoft
| > | Date: Fri, 30 Nov 2007 09:36:42 GMT
| > | Subject: Re: VPN PPTP problem
| > |
| > | Email from customer:
| > | ======================
| > |
| > | Hello Terence,
| > |
| > | to answer to your questions of your last forum post,
| > | yes, after turned the PPTP filter OFF, I also tested a VPN connection, and
| > | I received the error message 721.
| > |
| > | And during the "check username and password" step, into ISA 2004 Session
| > | table, I can see a SecureNAT session with the public IP of the client who
| > | tried a VPN connection.
| > |
| > | So for me, packets can reach the server, but there is a problem to "allow"
| > | the connection, or authenticate the user, I don't know...
| > |
| > | In my last post, did you see that GRE packets are still NOT received on the
| > | server, when I make a PPTP ping test.
| > | That's very strange!
| > |
| > | On firebox I created a forward rule to protocol 1723 to 192.168.9.10
| > | (external server nic) -> to do that with firebox parameters, there is a
| > | "NAT" button for that service, which allows me to fill the destination IP
| > | of the forward.
| > |
| > | But for GRE, I choose protocol IP, level 47 -> and for that there is NOT a
| > | "NAT" button, so I just allow the traffic to all destination.
| > |
| > | You will find in attachment an export file of my ISA configuration, maybe
| > | there is something wrong on it.
| > | the password to load it is : "terence1".
| > |
| > | I really want to find a solution for this issue to my own satisfaction and
| > | to learn something, and I really appreciate your help, this makes my
| > | Microsoft opinion better!
| > | But like I said, we already use a lot of time for this problem, so if with
| > | the single NIC solution I can use the firebox VPN, so maybe that's what we
| > | have to do.
| > |
| > |
| > | Thank you for your help,
| > |
| > |
| > | David
| > |
|
| Hello Terence,
|
| A technical consultant came here, and he told us that our firebox was not
| PPTP passthrough.
|
| So we decided to turn back to a single nic server configuration,
| without ISA.
| Like that, we are using the VPN of the firebox and it's at least
| working!
|
| Thanks for your help!
|
| At the end, for me there are still unclear points about this issue:
| even if our firebox seems to not be "PPTP passthrough", I don't
| understand why, when I tested SBS VPN, I was able to see PPTP packets
| and GRE packets on the server's interface when I captured packets with
| the famous Wireshark software.
|
| Regards,
|
| David
|
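
Added example, not part of the original thread: a simplified Python model of the session tracking Terence describes, showing how PPTP and GRE packets can arrive at the server while the server's GRE reply is still dropped. The Firewall class, its rules and the client address 203.0.113.7 are assumptions for illustration, not the Firebox's actual logic; in PPTP (RFC 2637) the GRE packets sent to a peer carry the Call ID that peer announced on the TCP 1723 control connection.

```python
from dataclasses import dataclass, field

TCP, GRE, PPTP_PORT = 6, 47, 1723  # IP protocol numbers, PPTP control port
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0      # TCP only
    dport: int = 0      # TCP only
    call_id: int = 0    # GRE only: Call ID in the enhanced GRE header
    announced: int = 0  # TCP/1723 only: Call ID the sender asks its peer to use

@dataclass
class Firewall:
    """Assumed model of a stateful firewall; address translation is left out."""
    server: str
    pptp_passthrough: bool
    tcp_sessions: set = field(default_factory=set)
    gre_sessions: set = field(default_factory=set)

    def inbound(self, p):
        """Internet -> server: static rules allow TCP 1723 and IP protocol 47."""
        if p.dst == self.server and p.proto == TCP and p.dport == PPTP_PORT:
            self.tcp_sessions.add((p.src, p.sport))
            # Passthrough: learn the Call ID so GRE replies map to a session.
            if self.pptp_passthrough and p.announced:
                self.gre_sessions.add((p.src, p.announced))
            return "pass"
        return "pass" if p.dst == self.server and p.proto == GRE else "drop"

    def outbound(self, p):
        """Server -> Internet: only replies matching a tracked session pass."""
        if p.proto == TCP and p.sport == PPTP_PORT:
            known = (p.dst, p.dport) in self.tcp_sessions
        else:
            known = p.proto == GRE and (p.dst, p.call_id) in self.gre_sessions
        return "pass" if known else "drop"

def run_handshake(passthrough):
    fw = Firewall(server="192.168.9.10", pptp_passthrough=passthrough)
    client = "203.0.113.7"  # constructed client address
    flow = [
        ("in", Packet(client, fw.server, TCP, 49152, PPTP_PORT, announced=0x1234)),
        ("out", Packet(fw.server, client, TCP, PPTP_PORT, 49152)),
        ("in", Packet(client, fw.server, GRE, call_id=0x0042)),
        ("out", Packet(fw.server, client, GRE, call_id=0x1234)),
    ]
    return [fw.inbound(p) if d == "in" else fw.outbound(p) for d, p in flow]
```

With passthrough disabled, the first three packets pass, which matches what a capture on the server shows, and only the server's GRE reply is dropped.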