Windows XP PRO VPN Server behind Linksys BEFSR41


I'm having trouble setting up a VPN server on a Windows XP Pro machine.  I have the machine that is set up to act as the VPN server with a static IP address of  I also have set as a DMZ in the Linksys browser configuration tab.  I also have tried to use port triggering on the Linksys BEFSR41 router using the trigger port range of 47 to 47 and the incoming port range of 1723 to 1723.  I also have another trigger port range of 50 to 50 and the incoming port range of 500 to 500.  I also have the VPN server on the Windows XP Pro machine set to give static IPs from to  If I connect locally to the VPN server within the network behind the router everything works fine and I am assigned the proper IP within the range of to 10.  However, if I try to connect to the VPN server outside of my network I get an 800 error when I try to connect to the VPN server.  On the client machines trying to connect to the VPN server I have them set up to connect to and set up a user account for VPN clients to use.  Once again this works fine on machines behind the router, but it doesn't work on machines outside of the router.  ANY help at all would be greatly appreciated.


You have to set up the clients to connect to the public IP of the Linksys, not the private IP of
Impulse0022 (Author) Commented:
Thanks for the help.  However, it's still not working correctly.  Now I'm getting error 628 instead of 800 though.  Just so you know I'm not using DHCP with the Linksys router.  I have all client machines set up with static IPs.  Once again any help is greatly appreciated.

Impulse0022 (Author) Commented:
In addition to the above I should mention that I get error 628 if I try to connect internally and error 721 if I try to connect outside the router.

Internal clients still connect to ?
Only external clients connect to the public IP
What are the clients behind? Broadband router? dialup?
Impulse0022 (Author) Commented:
The internal network is sitting behind a Linksys BEFSR41 using a Static Broadband IP.  On the computers that I'm trying to connect to outside the network they are sitting behind no firewall or router using a broadband connection, not dialup.  I now understand that the internal connections use the static IP of to connect to the VPN server.   I also understand that the clients outside the network connect to the static IP of my router.  This is where I get the error 721 when I try to connect.  It connects and everything then it hangs for 10 seconds or so on "validating user name and password" and pops up error 721.  Is this an issue of my router not being set up correctly?  If so what am I missing?  Thanks for sticking in there with me Irmoore.

If your router is set up with as the DMZ host, then it is set up right.
What kind of client are you using?
How do you have the XPPro system set up as a VPN server?

Is it a DSL connection using a PPPoE dialer?
Impulse0022 (Author) Commented:
Yes, I have the router set up with as the DMZ host.  I also have the latest and greatest firmware for the router.  I'm also using the Windows XP Pro system as the VPN server.  The computer that I'm trying to connect on outside the network is also a Windows XP Pro system.  I have it currently set up as "Automatic"; should I specify? If so, which one?  Also, if I have the router set up with the DMZ host do I still need to worry about port forwarding, etc.?  I know using the DMZ way isn't the most secure, but at this moment I just want it to work.  Thanks.

If you set a DMZ host, ALL ports are forwarded to that host, so there is nothing else to set up on the router.

I still don't know how you are setting up the client.
Looks like you might be out of luck setting up XP as a VPN server. It simply does not work behind NAT with a private IP address.

Impulse0022 (Author) Commented:
Ok, I was coming to the same conclusion.  Thanks for giving it a shot though.

I have the same setup and I was able to do it without DMZ.
You need 3 things:
1. Static IP for the VPN server
2. IP forwarding in the router for the port 1723 to the static IP (not port triggering)
3. Enable PPTP for protocol 47 in the router (VPN passthrough)

In addition to Yince's comments you might be able to solve your problem with a registry alteration on the client.

You may need to configure the XP PPTP client to allow responses from non validated PPTP servers.

When the PPTP server sends PPTP clients packets, it calculates a checksum and includes this checksum in the packet. If the server is behind NAT, the server thinks it is communicating with the IP of the router and responds to the router's address (rather than 'knowing' it is communicating with the public internet IP of the PPTP client). As the checksum is calculated on the whole packet, the IP header affects the checksum. The NAT gateway then alters the IP header of these outbound packets (as it should!) and forwards them to the client's IP. The client receives the packet, calculates the checksum (again, on the whole packet, including the IP header) and compares it with what the server said the checksum should be. As the NAT gateway has altered the packet (by altering the IP header) the checksums differ. So the client rejects the packet!

You can alter a Dword in the reg to allow connections from non-validated IPs (bypassing the checksumming).


Hope this helps

Did you ever get this working?  I am having the same problem.  You must be able to use a VPN server behind a router.  I am going to try the above suggestion tonight. I tried it on my local network and used the WAN IP but it still timed out with a 721 error.
Yes, I got it to work.  What Vince described above should be enough to get you going.  Please note I had to allow TCP 1723 on my firewall which was installed on the Windows XP Pro version. I missed that and it drove me insane for a few days.  
As far as I can tell, I have got our server configured correctly.  But is it possible to make a VPN connection using a Windows XP Home client?  What is the public internet IP address of my XP Home client if it is connected to the internet via a dial up connection?  I realise it has one, but presumably it is assigned dynamically, so there is no way of telling the server what the internet IP address will be.
start-->Run-->Type "cmd"-->Type ipconfig /all

This will show you your IP address.
I use Win XP Pro SP1, set up an Incoming Connection to allow VPN connections from others. But when I make a connection to the server, it responds that "the client do not have permission to dial-in" or something like that, I don't remember exactly. With Windows 2003 Server, I can fix it in Remote Access Policy in RRAS, but in Windows XP, I don't know where it is.
I will just add this tidbit... I had everything matching this but if I right clicked on the VPN network account then go to the network tab. I set the VPN type to PPTP and it worked.