VPN Server/connection issues with VPN

I've got a few issues, so I'll just rattle them all off in hopes for some help.

Running a Win 2K Server as a domain MEMBER of an NT4 domain.  Active Directory is NOT running.  The 2K Server has ONE NIC.  Our firewall is configured to allow PPTP packets (GRE AND PPTP packets) through to the Win 2K machine.  The 2K box is running RAS and it is configured (I think) properly according to all the white papers I've read.  On the NT4 PDC, I give the user account dial-in privileges.

When I try to connect from the internet, I get an "Error 721" message.  From what I've read, this is probably caused by the server not being able to assign the client an IP address.  I did set up a static address pool.  I can ping the public IP address from the internet.  The VPN client connection finds the server and asks for a user name and password.  Once those are entered, I get the error after about 20 seconds.  I know this is a relatively common problem, but I haven't found any sites with an actual solution.

Maybe I'm not configured correctly considering my situation with one NIC, no Active Directory and an NT 4 network.  My IP address pool is a group of addresses on my company's LOCAL subnet.  Is that wrong?  Should I make the VPN address pool its own subnet?  I don't even know if that's the problem.  This configuration is a first for me, so any help is appreciated.

MelvinSE (Author) Commented:
As a continuation...

I have read that the "721" error could be caused by the router not forwarding GRE packets properly.  However, in the router log, it says it saw and accepted the GRE protocol packets and forwarded them to the proper address (from the router IP to the VPN public IP).  The router correctly caught them when they hit the router and forwarded them to the VPN server's public address.  But, the router is running NAT, so I'm thinking that maybe the packets don't get translated properly to the INTERNAL address of the VPN server and remain unforwarded.  Is this a correct assumption?
Yes.  721 is a very generic error response you get with VPN connectivity.

You are correct, most likely, that the problem is the packet forwarding issue.

The easiest way to test this out is to establish an INTERNAL VPN from one of the internal machines to the internal IP of the VPN server.  Once it connects and does not give you a problem, then you have your confirmation that it is a firewall issue.

Make sure that port 1721 is forwarded to the correct internal IP address, and that GRE is supported.  But it does not end there.  Sometimes the problem could be coming from the client side.  If your client is also behind a firewall that does not allow PPTP passthrough, you will get the same problem.  In this case, the problem isn't that you cannot get the server to authenticate, but that the server's packets cannot find their way back to the client machine.

If your client is an XP machine, make sure that the ICF (Internet Connection Firewall) feature is turned off.

- Info
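The test described above (internal VPN first, then the forwarded port plus GRE) can be narrowed down with a probe of the PPTP control channel. The script below is an added example, not code from this thread or from Microsoft RRAS: it performs the RFC 2637 Start-Control-Connection exchange on TCP 1723 (the PPTP control port, as Tim Holman notes further down) and parses the server's reply. A valid SCCRP from outside the NAT proves the TCP 1723 forward reaches the RRAS box; the tunnel data itself travels over GRE (IP protocol 47), which a TCP probe cannot exercise, so a good SCCRP followed by a 721 at "verifying username and password" points at GRE not being translated by the NAT. The host name and vendor strings in the request are arbitrary.

```python
"""PPTP control-channel probe (RFC 2637) for narrowing down Error 721.

Added example, not code from the original thread. It opens the PPTP
control connection on TCP 1723, sends a Start-Control-Connection-Request
(SCCRQ) and parses the Start-Control-Connection-Reply (SCCRP). A good
SCCRP proves the TCP side of the port-forward reaches RRAS; it does NOT
exercise GRE (IP protocol 47), which is the usual culprit when the client
gets as far as "verifying username and password" and then fails with 721.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP message type: control message
SCCRQ = 1                 # control message type: Start-Control-Connection-Request
SCCRP = 2                 # control message type: Start-Control-Connection-Reply
SCCRP_RESULT = {1: "OK", 2: "general error", 3: "command channel already exists",
                4: "not authorised", 5: "unsupported protocol version"}

# Field layout shared by SCCRQ and SCCRP (156 bytes, network byte order).
# SCCRQ has a 2-byte reserved field where SCCRP carries result + error codes.
HEADER = ">HHIHH"          # length, msg type, magic cookie, ctrl msg type, reserved0
BODY = ">HBBIIHH64s64s"    # proto ver, result, error, framing, bearer, max chan, fw rev, host, vendor


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Build a 156-byte SCCRQ as a PPTP client would send it (strings are arbitrary)."""
    header = struct.pack(HEADER, 156, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack(BODY,
                       0x0100,   # protocol version 1.0
                       0, 0,     # reserved1 (SCCRQ carries no result/error codes)
                       0x3,      # framing capabilities: async + sync
                       0x3,      # bearer capabilities: analog + digital
                       1,        # maximum channels this client will open
                       0,        # firmware revision
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return header + body


def parse_sccrp(data):
    """Validate a reply and return its fields; raise ValueError if it is not a sane SCCRP."""
    if len(data) < 156:
        raise ValueError("short reply (%d bytes), expected 156" % len(data))
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(HEADER, data[:12])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x: not a PPTP control message" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("unexpected message type %d / control type %d" % (msg_type, ctrl_type))
    (proto, result, error, framing, bearer, max_chan,
     fw_rev, host, vendor) = struct.unpack(BODY, data[12:156])
    return {
        "length": length,
        "protocol_version": "%d.%d" % (proto >> 8, proto & 0xFF),
        "result": SCCRP_RESULT.get(result, "unknown(%d)" % result),
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": fw_rev,
        "hostname": host.rstrip(b"\0").decode("latin-1"),
        "vendor": vendor.rstrip(b"\0").decode("latin-1"),
    }


def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Connect to host:port, exchange SCCRQ/SCCRP and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                raise ValueError("server closed the control connection after %d bytes" % len(buf))
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        reply = probe_pptp(target)
        print("SCCRP from %s: %s, host=%r vendor=%r" % (
            target, reply["result"], reply["hostname"], reply["vendor"]))
        print("TCP 1723 reaches RRAS; if the client still fails with 721 at "
              "'verifying username and password', GRE (IP protocol 47) is not passing the NAT.")
    except (OSError, ValueError) as exc:
        print("PPTP control channel failed: %s" % exc)
```

Run it once from outside the firewall against the public address and once from the LAN against the server's private address; if only the inside run returns an SCCRP, the port-forward or one-to-one NAT for TCP 1723 is the problem, and if both return an SCCRP but the real client still fails with 721, the GRE (protocol 47) leg is what the NAT is dropping.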

MelvinSE (Author) Commented:
Would setting up a L2TP VPN work in this scenario?  The documentation on the FlowPoint firewall doesn't mention PPTP, but it does say L2TP.
Yes...  If you are using RRAS on Win2K / 2k3 server, then L2TP is also supported.  It is a little bit harder to configure, which is why I mentioned PPTP instead.

- Info
MelvinSE (Author) Commented:
As I start reading up on L2TP installs, I'm reading that using L2TP with NAT (L2TP/IPSec NAT-T) is NOT supported on Win 2K Server.  At least, that's what one of the Microsoft white papers said.

Now, there is an update from Microsoft regarding L2TP/IPSec NAT-T, but it only mentions "Windows 2000" as a target operating system.  Should I assume they mean Server versions as well, or is it just for the workstation versions?  I'm thinking it's only for workstations.  Which, of course, is a problem.
Tim Holman Commented:
PPTP or IPSec is the way to go here.
You are correct in using a pool from the LOCAL subnet, otherwise clients wouldn't know where to route to.
Do the event logs shed any light?
Also, what firewall do you use, as most come with VPN functionality these days so we could hammer out a solution based around that maybe?
MelvinSE (Author) Commented:
I'm using CheckPoint VPN-1/Firewall-1, which indicates it supports IPSec/IKE.  As long as that L2TP/IPSec NAT-T update works on Windows 2000 Server, then I think I'll be able to get it working.

When testing the PPTP/GRE VPN, I would get one inbound PPTP and one inbound GRE packet that was passed from the router interface to the external IP interface of the VPN server.  I'm pretty sure that's where it got stuck (when NAT took over to translate the packet and send it to the internal network) because there were no other PPTP packets after that.
Tim Holman Commented:
Has one-to-one NAT been set up on the firewall for your VPN server?
You mention IPSec NAT-T, which uses UDP port 4500.  This is completely different from PPTP (TCP port 1723 and GRE).
A diagram would help here - does this look right?

Public IP address
Check Point firewall
Default gateway for LAN
VPN Server (private address)


An alternative would be to set up SecuRemote on the Check Point VPN box.
MelvinSE (Author) Commented:
Yeah, that's right.  I'm leaning towards not setting up an IPSec VPN, though.  While it may be secure and possible through our current hardware, it needs some serious configuration time (certificate servers and the like).  Plus, the fact that I'm not running AD on the Win2K Server box that is serving the VPN may be a problem (although I'm not sure).  The PDC is still NT4 SP6.

I looked at the SecuRemote software for the CheckPoint box, but a) the software I have to work with is old (v4.1), b) I can't find the original CD since the previous IT director left and c) to get all the probable upgrades to the software, CheckPoint charges an overabundance of money.  Not something the higher-ups will enjoy hearing.  I'm having such a fun time with this, can't you tell?

I'm thinking about just giving up and going with OWA at this point.  It's my third option and even though it's limited, at least it will be simple for the end users, and all they really want at this point is to read and send their mail.
Tim Holman Commented:
You don't need certs for IPSec - you can use pre-shared secrets!

If users only need email, then OWA is fine.  No need to overdo it.. and besides, opening up your network to VPN clients means that VPN clients can back-infect or hack your core networks if they become compromised.

Only give users what they need!

MelvinSE (Author) Commented:
Of course, this means taking on the different headaches of installing IIS on the server.  Did I mention I love Microsoft?
Here's a link for you:

According to this Microsoft article, Microsoft does not openly "support" L2TP because they think IPSec is the way to go.  HOWEVER, you can do it using a preshared key for L2TP if you follow their instructions.

- Info
MelvinSE (Author) Commented:
I'm calling in the ISP consultant, but both of you guys helped.  I know quite a bit about VPNs, but with the equipment and software being so much older, it's time to get some outside help.  I split the points as evenly as possible, giving the extra to Tim for the pretty diagram.  ;-)

Thanks guys!
Any chance you got this resolved? I am having the same problem, and have spent days searching the internet for any clues.

At home I have my test Windows 2003 server box hosting remote access services

At home I have an ADSL connection, connected via a D-Link 504 router which supports IPSec and PPTP passthrough.

The router has ports
  3389 for terminal services
  1723 for PPTP
  21 for FTP
  110 for POP
  25 for SMTP
UPnP is enabled

Establishing a VPN connection via PPTP on the internal LAN works fine, as does connecting from the outside with the DMZ configured and pointing to my server

However, when I remove the DMZ the VPN connection only gets as far as "verifying username and password" the connection then times out

I am testing this connection from a Windows XP Pro laptop from another site, the laptop connects via a Belkin router. No ports are forwarded on the Belkin router and UPnP is enabled. enabling DMZ on the Belkin router makes no difference, it still hangs at the same place.

All of this leads me to believe it's something to do with packet routing on my home router, the router to which the Windows 2003 box is connected.

I am connecting from
isaacdoku (Systems Administrator) Commented:
I am also experiencing the same problem with a D-Link DI-604 broadband router.  Error 721 is returned after I get "verifying username and password".  I have no problem at all if I use Remote Desktop to that same RRAS server.  A VPN can be established to the internal IP of the RRAS server easily.  I have been seeing "permit ip 47 gre".  How do you permit or enable it on the broadband router?