Microsoft VPN

Posted on 2003-03-23
Medium Priority
Last Modified: 2010-03-19
I have three computers in three different locations each with SDSL, each with one external, static IP address, and each behind a router. One is a fileserver (Windows 2000 Professional), and I'm trying to network the 2 outside computers (both Windows ME) over a PPTP VPN. Before beginning this project, I contacted Microsoft, whose representatives informed me that Windows 2000 Professional could accept up to 10 simultaneous incoming VPN connections. With this information, I created an incoming connection for PPTP VPN on the Windows 2000 Pro machine and forwarded port 1723 to the internal IP address. On each of the other two machines, I created a VPN client connection connecting to the fileserver's external IP (using the Microsoft VPN Adapter) and again configured the port forwarding. Everything worked great except I could only connect one location at a time. On another recommendation, I have since gotten an additional external IP address and an additional network card for the Windows 2000 Pro machine. Each external IP address now goes to each network card. Still no luck... : / What am I doing wrong?
Question by: _forrest_

Accepted Solution

lrmoore earned 300 total points
ID: 8192739
G'day _forrest_
Your problem is not with the server limitation, it is with your router. PPTP depends not only on TCP port 1723, it also depends on GRE, which has no concept of ports, so it can only handle one connection at a time. At the site with the server, you need a router that can handle multiple GRE connections.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
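
The GRE point in lrmoore's answer and the Microsoft/Cisco excerpts, modelled in code. This is an added example, not code from the original thread or from Microsoft or Cisco; the addresses, Call IDs, PPP bytes and the GreNat class are assumptions for illustration. It builds and parses the "enhanced GRE" header PPTP uses (RFC 2637, protocol type 0x880B), then compares a NAT table keyed the way PAT keys it (protocol plus port, and GRE has no port) with one keyed on the GRE Call ID, which is the field a PPTP-aware router (an ALG, often sold as "PPTP passthrough") uses to tell tunnels apart. The scenario is the PAT case the Cisco excerpt describes: two inside hosts behind one public address dialling the same PPTP server.

```python
"""Why PPTP's GRE data channel breaks behind port-based NAT, and what a
PPTP ALG keys on instead. Only the GRE side is modelled; the TCP 1723
control channel translates like any other TCP connection.
Addresses, Call IDs and payloads below are constructed for the demo."""
import struct

GRE = 47                 # IP protocol number for GRE (no ports in the header)
PPTP_GRE_PROTO = 0x880B  # enhanced GRE protocol type carrying PPP (RFC 2637)


def build_pptp_gre(call_id: int, seq: int, payload: bytes) -> bytes:
    """Enhanced GRE header (RFC 2637 4.1): flags/version 0x3001 = K and S set,
    version 1; then protocol type, payload length, Call ID, sequence number."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload


def parse_pptp_gre(pkt: bytes):
    """Return (call_id, seq, payload); reject anything that is not PPTP GRE."""
    flags_ver, proto, length, call_id, seq = struct.unpack_from("!HHHHI", pkt)
    if proto != PPTP_GRE_PROTO or (flags_ver & 0x0007) != 1 or not (flags_ver & 0x2000):
        raise ValueError("not PPTP enhanced GRE (need protocol 0x880B, version 1, K bit)")
    return call_id, seq, pkt[12:12 + length]


class GreNat:
    """Hypothetical minimal NAT for GRE between inside hosts and one PPTP server.

    pptp_alg=False: keys return traffic on (protocol, server) only, because a
                    port-based NAT has no port field in GRE to add to the key.
    pptp_alg=True:  additionally keys on the GRE Call ID, learned from the
                    client's Outgoing-Call-Request on the TCP 1723 channel,
                    which is what a PPTP ALG does.
    """

    def __init__(self, public_ip: str, pptp_alg: bool = False):
        self.public_ip = public_ip
        self.pptp_alg = pptp_alg
        self.table = {}  # outside-facing key -> inside host that owns the tunnel

    def _key(self, server_ip: str, call_id: int):
        return (GRE, server_ip, call_id) if self.pptp_alg else (GRE, server_ip)

    def open_tunnel(self, inside_ip: str, server_ip: str, client_call_id: int):
        """Called when the control channel sets up a call. Returns the inside host
        whose entry this one overwrote, or None. Without an ALG every tunnel to
        the same server collides on the same key."""
        key = self._key(server_ip, client_call_id)
        previous = self.table.get(key)
        self.table[key] = inside_ip
        return previous

    def deliver_inbound(self, server_ip: str, gre_packet: bytes):
        """Per RFC 2637 the Call ID in a GRE packet is the receiver's Call ID,
        so server-to-client packets carry the client's ID: the ALG's demux key."""
        call_id, _, _ = parse_pptp_gre(gre_packet)
        return self.table.get(self._key(server_ip, call_id))


def demo(pptp_alg: bool):
    """Two inside hosts dial the same server; return who receives each reply."""
    nat = GreNat("203.0.113.10", pptp_alg)   # constructed public address
    server = "198.51.100.5"                  # constructed PPTP server address
    nat.open_tunnel("192.168.1.20", server, client_call_id=1)  # host A
    nat.open_tunnel("192.168.1.21", server, client_call_id=2)  # host B
    lcp = b"\xff\x03\xc0\x21"                # PPP address/control + LCP, constructed
    to_a = build_pptp_gre(call_id=1, seq=0, payload=lcp)
    to_b = build_pptp_gre(call_id=2, seq=0, payload=lcp)
    return nat.deliver_inbound(server, to_a), nat.deliver_inbound(server, to_b)


if __name__ == "__main__":
    print("port-based NAT:", demo(False))  # both replies land on the last host
    print("PPTP ALG:      ", demo(True))   # each reply reaches its own host
```

With plain PAT the second tunnel's entry overwrites the first, so host A's return traffic is delivered to host B (or dropped, depending on the router), which is the "one connection at a time" symptom. A real ALG also has to rewrite Call IDs when two inside clients happen to pick the same one, and must track the server's Call ID from the Outgoing-Call-Reply for the outbound direction; neither is modelled here.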



Author Comment

ID: 8196654
NAT is currently turned off on the router. Each external IP address is now going directly to each network card on the PC. Does this still matter? If I get a router that can accept multiple GRE connections, will I still need 2 external IP addresses and 2 network cards, or can I just use one and accept up to 10 connections like Microsoft says?

