Setup VPN - HELP!

I been trying to set up my office VPN connection quite some time and till now, i still cannot make it. I need your help to guide me. thank you. My intention is to allow remote user access to my office network via dial-up internet access.
Here is my setup info:
I'm using Linksys befsx41 router (firmware: 1.45.3, Sep 26 2003). My server is Windows 2000 professional. The server is behind the linksys befsx41. Befsx41 is configured with a fixed IP address and the client is using dynamic IP. I already configured the router to forward the port 1723 to my server's IP address.
Then, when the client login to the VPN server, it verify the username and password. After that, a pop-up message said Error 628 the connection was closed.
I already refer to to understand more about VPN setup.  
Can you pls help me to setup my VPN successfully?
thank you.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Did you also setup your router to forward IP protocol 47 (GRE) to your server ?

reading the page at:

It says this towards the bottom:

Which ports need to be opened for running VPN

A: PPTP VPN uses TCP Port 1723, IP Protocol 47 (GRE); L2TP: UDP Port 1701; IPSec: Pass  IP protocol 50 and 51. Note: 47 is a protocol number and not TCP port. The protocol name is GRE. It'll make a big difference when configuring your firewall or router.
william43Author Commented:
Yes, i did setup my linksys router to forward IP protocol 47 to my server. I did it at Forwarding page. I enabled both application:
App   Ext. Port    protocol TCP UDP    IP Address  Enabled
VPN   47 - 47        Yes    Yes            192.168.0.x  Yes
VPNApp  1723 - 1723        Yes    Yes            192.168.0.x  Yes

pls advise.
The problem is that you are using TCP port 47. It is IP protocol 47 you need to forward, which is different to TCP port 47. This is different to TCP & UDP ports altogether.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

william43Author Commented:
Sorry. i do not understand. can you pls explain a bit in details.
Have you turned off DHCP server on the linksys? There is a one-liner in the user manual that states that if you are using port-forwarding, turn off dhcp.
Have you tried with the server IP as the DMZ host?

GRE has no concept of ports, so you can't use it as either a trigger, or forward it.

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

GRE (Generic Routing Encapsulation) is at the same level as UDP & TCP, it is NOT a TCP or UDP port. A packet might be a TCP packet or it might be a GRE packet (or one of many other), but it can't be both a GRE AND TCP packet at the same time.

Some links for reading:

Essentially the header of every IP packet has a field in it to identify what type of packet it is. This is called the "protocol" field. This field will specify whether the packet is ICMP, TCP, UDP, GRE (amongst others).

It's a bit hard to explain without delving into a full explanation of the IP ptotocol and packet headers/etc, maybe someone else can better explain it...
william43Author Commented:
I didn't set the DCHP. I'm using a static LAN IP. and also i have a static public IP. I have tried the DMZ to point to my server IP. it doens't work as well. By the way, do i need to setup a DMZ server? how?

I just found a message in my VPN server(W2k Pro):
Remote Access Event ID: 20049
The user connected to VPN3-1 has been disconnected because the authentication process did not completed within a required amount of time.

I feel that the client able to connect to VPN serverbut failt to verify their username and password.

Do you have any suggestion?
Before you go any further, try to connect to the vpn server from WITHIN the network. Before troubleshooting external connectivity, make sure you're not barking up the wrong tree.

Did you ever get a solution to this problem.  I'm getting the same error.

william43Author Commented:
Hi rforneris,
I still not yet get the solution.  still figure it out!
feel like want to give up!
Simple fact of the matter is there is no solution. You cannot pass GRE traffic from the outside to your network so you cannot authenticate. Linksys removed this capability shortl after they were acquired by Cisco. If you want it to work, return the Linksys and get a Netgear. FYI, D-Link has the same issue.
william43Author Commented:
Hi All,
the Linksys is work actually. I just tested and found a solution to solve my problem!
Upgrade/degrade the linksys befsx41 firmware to Version 1.43.3.

After that, i managed to VPN login via PPTP connection.
I also need to thank linksys technical support to assist me on this.
Try it now guys!
Try this. It worked for me. Download the SSH Sentinel VPN Client from

Then use this forum download and follow it's instructions to the letter. I was up and running in a few minutes.
PAQed, with points refunded (500)

E-E Admin

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Have  you tried setting up the DMZ host your w2k and allow incoming connections to it from the internet?
I am having the exact same problem... but I Have tried everything on this page... and nothing... any ideas?
Try different firmware for your linksys router: like alchemy

Most of them contain have protocol 47 (GRE) openend. and can even function as vpn router.

google search:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.