Solved

Windows XP PRO VPN Server behind Linksys BEFSR41

Posted on 2003-11-13
Last Modified: 2012-06-21
Hello,

I'm having trouble setting up a VPN Server on a Windows XP Pro machine.  I have the machine that is set up to act as the VPN server with a static IP address of 192.168.1.99.  I also have 192.168.1.99 set as a DMZ in the Linksys browser configuration tab.  I also have tried to use port triggering on the Linksys BEFSR41 router using the trigger port range of 47 to 47 and the incoming port range of 1723 to 1723.  I also have another trigger port range of 50 to 50 and the incoming port range of 500 to 500.  I also have the VPN server on the Windows XP Pro machine set to give static IPs from 192.168.1.2 to 192.168.1.10.  If I connect locally to the VPN server within the network behind the router everything works fine and I am assigned the proper IP within the range of 192.168.1.2 to 10.  However, if I try to connect to the VPN server outside of my network I get an 800 error when I try to connect to the VPN server.  On the client machines trying to connect to the VPN server I have them set up to connect to 192.168.1.99 and set up a user account for VPN clients to use.  Once again this works fine on machines behind the router, but it doesn't work on machines outside of the router.  ANY help at all would be greatly appreciated.

-Matt
Question by:Impulse0022
17 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9744399
You have to setup the clients to connect to the public IP of the linksys, not the private IP of 192.168.1.99
0
 

Author Comment

by:Impulse0022
ID: 9744586
Thanks for the help.  However, it's still not working correctly.  Now I'm getting error 628 instead of 800 though.  Just so you know I'm not using DHCP with the Linksys router.  I have all client machines set up with static IPs.  Once again any help is greatly appreciated.

-Matt
0
 

Author Comment

by:Impulse0022
ID: 9744720
In addition to the above I should mention that I get error 628 if I try to connect internally and error 721 if I try to connect outside the router.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9744806
Internal clients still connect to 192.168.1.99 ?
Only external clients connect to the public IP
What are the clients behind? Broadband router? dialup?
0
 

Author Comment

by:Impulse0022
ID: 9744935
The internal network is sitting behind a Linksys BEFSR41 using a Static Broadband IP.  The computers that I'm trying to connect from outside the network are sitting behind no firewall or router using a broadband connection, not dialup.  I now understand that the internal connections use the static IP of 192.168.1.99 to connect to the VPN server.   I also understand that the clients outside the network connect to the static IP of my router.  This is where I get the error 721 when I try to connect.  It connects and everything then it hangs for 10 seconds or so on "validating user name and password" and pops up error 721.  Is this an issue of my router not being set up correctly?  If so what am I missing?  Thanks for sticking in there with me lrmoore.

-Matt  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9744956
If your router is setup with 192.168.1.99 as the DMZ host, then it is setup right.
What kind of client are you using?
How do you have the XPPro system set up as a VPN server?

Is it a DSL connection using a PPPoE dialer?
0
 

Author Comment

by:Impulse0022
ID: 9745023
Yes, I have the router set up with 192.168.1.99 as the DMZ host.  I also have the latest and greatest firmware for the router.  I'm also using the Windows XP Pro system as the VPN server.  The computer that I'm trying to connect on outside the network is also a Windows XP Pro system.  I have it currently set up as "Automatic"; should I specify? If so, which one?  Also, if I have the router set up with the DMZ host do I still need to worry about port forwarding, etc.?  I know using the DMZ way isn't the most secure, but at this moment I just want it to work.  Thanks.

-Matt
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9745097
If you set a DMZ host, ALL ports are forwarded to that host, so there is nothing else to set up on the router.

I still don't know how you are setting up the client.
Looks like you might be out of luck setting up XP as a VPN server. It simply does not work behind NAT with a private IP address.
http://www.wown.com/j_helmig/xpvpnsrv.htm

0

 

Author Comment

by:Impulse0022
ID: 9745114
Ok, I was coming to the same conclusion.  Thanks for giving it a shot though.

-Matt
0
 

Expert Comment

by:Yince
ID: 10413238
I have the same setup and I was able to do it without DMZ.
You need 3 things:
1. Static IP for the VPN server
2. IP forwarding in the router for the port 1723 to the static IP (not port triggering)
3. Enable PPTP for protocol 47 in the router (VPN passthrough)

-Vince
0
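The distinction in Yince's list between TCP port 1723 and IP protocol 47, as an added example that is not part of the thread or written by any poster: PPTP's data channel is GRE, which carries no port numbers, so a rule keyed on "port 47" can never match it. The router model, addresses, and function names below are constructed for illustration; real firmware behaviour varies.

```python
import struct

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

def ipv4(proto, payload, src="203.0.113.10", dst="198.51.100.5"):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def tcp_syn(dport, sport=40000):
    """Minimal 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def gre_pptp(call_id=1):
    """Enhanced GRE header as used by PPTP (RFC 2637): K and S bits, version 1,
    protocol type 0x880B, payload length 0, call ID, sequence number 0."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, call_id, 0)

def classify(packet):
    """Return (ip_protocol, destination_port), port is None if the protocol has none."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (TCP, UDP):
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None

def forwarded(packet, port_forwards, pptp_passthrough):
    """Toy inbound NAT decision (assumed model): GRE is governed only by the
    passthrough switch; TCP/UDP need a matching (protocol, port) forward."""
    proto, dport = classify(packet)
    if proto == GRE:
        return pptp_passthrough
    return (proto, dport) in port_forwards

def pptp_reachable(port_forwards, pptp_passthrough):
    """Check both halves of a PPTP session: TCP 1723 control and GRE data."""
    control = forwarded(ipv4(TCP, tcp_syn(1723)), port_forwards, pptp_passthrough)
    data = forwarded(ipv4(GRE, gre_pptp()), port_forwards, pptp_passthrough)
    return {"control": control, "data": data}

if __name__ == "__main__":
    # Constructed rule sets: rules keyed on "port 47" vs. Yince's steps 2 and 3.
    print("port-47 rules :", pptp_reachable({(TCP, 47), (UDP, 47), (TCP, 1723)}, False))
    print("fwd + passthru:", pptp_reachable({(TCP, 1723)}, True))
```
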
 

Expert Comment

by:samcadby
ID: 10616037
In addition to Yince's comments you might be able to solve your problem with a registry alteration on the client.

You may need to configure the XP PPTP client to allow responses from non validated PPTP servers.

When the PPTP server sends PPTP clients packets, it calculates a checksum and includes this checksum in the packet. If the server is behind NAT, the server thinks it is communicating with the IP of the router and responds to the router's address (rather than 'knowing' it is communicating with the public internet IP of the PPTP client). As the checksum is calculated on the whole packet, the IP header affects the checksum. The NAT gateway then alters the IP header of these outbound packets (as it should!) and forwards them to the client's IP. The client receives the packet, calculates the checksum (again, on the whole packet, including the IP header) and compares it with what the server said the checksum should be. As the NAT gateway has altered the packet (by altering the IP header) the checksums differ. So the client rejects the packet!

You can alter a DWORD in the registry to allow connections from non-validated IPs (bypassing the checksumming).

see: http://support.microsoft.com/default.aspx?scid=kb;en-us;271731

Hope this helps

0
 

Expert Comment

by:Scouser007
ID: 10942471
Did you ever get this working?  I am having the same problem.  You must be able to use a VPN server behind a router.  I am going to try the above suggestion tonight, I tried it on my local network and used the WAN IP but it still timed out with a 721 error
0
 

Expert Comment

by:thirdroute
ID: 11103425
Yes, I got it to work.  What Vince described above should be enough to get you going.  Please note I had to allow TCP 1723 on my firewall which was installed on the Windows XP Pro version. I missed that and it drove me insane for a few days.  
0
 

Expert Comment

by:amlockwood
ID: 11105705
As far as I can tell, I have got our server configured correctly.  But is it possible to make a VPN connection using a Windows XP Home client?  What is the public internet IP address of my XP Home client if it is connected to the internet via a dial up connection?  I realise it has one, but presumably it is assigned dynamically, so there is no way of telling the server what the internet IP address will be.
0
 

Expert Comment

by:slmhc
ID: 12174353
start-->Run-->Type "cmd"-->Type ipconfig /all

This will show you your IP address.
0
 

Expert Comment

by:zero_kid
ID: 13660131
I use Win XP Pro SP1 and set up an Incoming Connection to allow VPN connections from others. But when I make a connection to the server, it responds that "the client does not have permission to dial-in" or something like that, I don't remember exactly. With Windows 2003 Server, I can fix it in Remote Access Policy in RRAS, but in Windows XP, I don't know where it is.
0
 

Expert Comment

by:himistu22
ID: 13797305
I will just add this tidbit... I had everything matching this, but when I right-clicked on the VPN network account, went to the network tab, and set the VPN type to PPTP, it worked.
0
