Solved

VPN Server/connection issues with VPN

Posted on 2004-04-13
Last Modified: 2007-12-19
I've got a few issues, so I'll just rattle them all off in hopes of some help.

Running a Win 2K Server as a domain MEMBER of an NT4 domain.  Active Directory is NOT running.  The 2K Server has ONE NIC.  Our firewall is configured to allow PPTP packets (GRE AND PPTP) through to the Win 2K machine.  The 2K box is running RAS and it is configured (I think) properly according to all the white papers I've read.  On the NT4 PDC, I give the user account dial-in privileges.

When I try to connect from the internet, I get an "Error 721" message.  From what I've read, this is probably caused by the server not being able to assign the client an IP address.  I did set up a static address pool.  I can ping the public IP address from the internet.  The VPN client connection finds the server and asks for a user name and password.  Once those are entered, I get the error after about 20 seconds.  I know this is a relatively common problem, but I haven't found any sites with an actual solution.

Maybe I'm not configured correctly considering my situation with one NIC, no Active Directory and an NT 4 network.  My IP address pool is a group of addresses on my company's LOCAL subnet.  Is that wrong?  Should I make the VPN address pool its own subnet?  I don't even know if that's the problem.  This configuration is a first for me, so any help is appreciated.
Question by:MelvinSE

15 Comments

Author Comment

by:MelvinSE
ID: 10832747
As a continuation...

I have read that the "721" error could be caused by the router not forwarding GRE packets properly.  However, in the router log, it says it saw and accepted the GRE protocol packets and forwarded them to the proper address (from the router IP to the VPN public IP).  The router correctly caught them when they hit the router and forwarded them to the VPN server's public address.  But, the router is running NAT, so I'm thinking that maybe the packets don't get translated properly to the INTERNAL address of the VPN server and remain unforwarded.  Is this a correct assumption?
LVL 11

Accepted Solution

by:
infotrader earned 62 total points
ID: 10834998
Yes.  721 is a very generic error response you get with VPN connectivity.

You are correct, most likely, that the problem is the packet forwarding issue.

The easiest way to test this out is to establish an INTERNAL VPN from one of the internal machines to the internal IP of the VPN server.  Once it connects and does not give you a problem, then you have your confirmation that it is a firewall issue.

Make sure that port 1721 is forwarded to the correct internal IP address, and that GRE is supported.  But it does not end there.  Sometimes the problem could be coming from the client side.  If your client is also behind a firewall that does not allow PPTP passthrough, you will get the same problem.  In this case, the problem isn't that you cannot get the server to authenticate, but that the server's packets cannot find their way back to the client machine.

If your client is an XP machine, make sure that the ICF (Internet Connection Firewall) feature is turned off.

- Info

Author Comment

by:MelvinSE
ID: 10843734
Would setting up a L2TP VPN work in this scenario?  The documentation on the FlowPoint firewall doesn't mention PPTP, but it does say L2TP.
LVL 11

Expert Comment

by:infotrader
ID: 10843842
Yes...  If you are using RRAS on Win2K / 2k3 server, then L2TP is also supported.  It is a little bit harder to configure, which is why I mentioned PPTP instead.

- Info

Author Comment

by:MelvinSE
ID: 10844787
As I start reading up on L2TP installs, I'm reading that using L2TP with NAT (L2TP/IPSec NAT-T) is NOT supported on Win 2K Server.  At least, that's what one of the Microsoft white papers said.

Now, there is an update from Microsoft regarding L2TP/IPSec NAT-T, but it only mentions "Windows 2000" as a target operating system.  Should I assume they mean Server versions as well, or is it just for the workstation versions?  I'm thinking it's only for workstations.  Which, of course, is a problem.
LVL 23

Expert Comment

by:Tim Holman
ID: 10868634
PPTP or IPSEC is the way to go here.
You are correct in using a pool from the LOCAL subnet, otherwise clients wouldn't know where to route to.
Do the events logs shed any light ?
Also, what firewall do you use, as most come with VPN functionality these days so we could hammer out a solution based around that maybe ?

Author Comment

by:MelvinSE
ID: 10870515
I'm using CheckPoint VPN-1/Firewall-1, which indicates it supports IPSec/IKE.  As long as that L2TP/IPSec NAT-T update works on Windows 2000 Server, then I think I'll be able to get it working.

When testing the PPTP/GRE VPN, I would get one inbound PPTP and one inbound GRE packet that was passed from the router interface to the external IP interface of the VPN server.  I'm pretty sure that's where it got stuck (when NAT took over to translate the packet and send it to the internal network) because there were no other PPTP packets after that.
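The reasoning MelvinSE applies above (control packets arrive, then the session stalls with nothing further) can be automated from a capture taken on the VPN server's NIC. This is an added example, not code from the thread. The log lines are constructed to resemble tcpdump's `pptp` and `GREv1` decoding, and the addresses 203.0.113.5 (client) and 192.168.1.10 (server) are placeholders. It counts control-channel and GRE traffic by direction relative to the server and maps the pattern to the failures discussed in this thread: a server that answers the call and keeps retrying LCP over GRE while no GRE ever arrives from the client is the error 721 signature. Telling a router that does not translate protocol 47 apart from a client-side NAT that drops it still needs the router's own WAN log, which is exactly what the original diagnosis used.

```python
"""Read a capture taken on the VPN server's NIC and say which leg of a PPTP
session is failing.  Added example for this thread, not code from the
original post.  The sample lines are constructed to look like
'tcpdump -ni eth0 tcp port 1723 or proto gre' output; 203.0.113.5 (client)
and 192.168.1.10 (server) are placeholders."""
import re

PPTP_PORT = 1723
LINE = re.compile(r"^\S+ IP (\S+) > (\S+?): (.*)$")
CTRL = re.compile(r"CTRL_MSGTYPE=(\w+)")

# Constructed: control channel completes, server starts LCP over GRE, nothing comes back.
CAPTURE_STALLED = """\
10:00:00.001 IP 203.0.113.5.3412 > 192.168.1.10.1723: Flags [S], seq 1, length 0
10:00:00.002 IP 192.168.1.10.1723 > 203.0.113.5.3412: Flags [S.], seq 2, ack 2, length 0
10:00:00.100 IP 203.0.113.5.3412 > 192.168.1.10.1723: Flags [P.], length 156: pptp CTRL_MSGTYPE=SCCRQ
10:00:00.101 IP 192.168.1.10.1723 > 203.0.113.5.3412: Flags [P.], length 156: pptp CTRL_MSGTYPE=SCCRP
10:00:00.200 IP 203.0.113.5.3412 > 192.168.1.10.1723: Flags [P.], length 168: pptp CTRL_MSGTYPE=OCRQ
10:00:00.201 IP 192.168.1.10.1723 > 203.0.113.5.3412: Flags [P.], length 32: pptp CTRL_MSGTYPE=OCRP
10:00:00.300 IP 192.168.1.10 > 203.0.113.5: GREv1, call 22592, seq 0, length 24: LCP, Conf-Request
10:00:03.300 IP 192.168.1.10 > 203.0.113.5: GREv1, call 22592, seq 1, length 24: LCP, Conf-Request
10:00:06.300 IP 192.168.1.10 > 203.0.113.5: GREv1, call 22592, seq 2, length 24: LCP, Conf-Request
"""

# Constructed: the same session, but the client's GRE reaches the server as well
# (appended out of time order; only the counts matter here).
CAPTURE_OK = CAPTURE_STALLED + """\
10:00:00.310 IP 203.0.113.5 > 192.168.1.10: GREv1, call 3, seq 0, length 24: LCP, Conf-Request
10:00:00.311 IP 192.168.1.10 > 203.0.113.5: GREv1, call 22592, seq 3, length 24: LCP, Conf-Ack
"""


def _endpoint(text):
    """'203.0.113.5.3412' -> ('203.0.113.5', 3412); a bare address -> (addr, None)."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def summarize(capture, server_ip):
    """Count control-channel and GRE packets by direction relative to the server."""
    s = {"tcp_in": 0, "tcp_out": 0, "gre_in": 0, "gre_out": 0, "ctrl": set()}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        src_ip, src_port = _endpoint(src)
        dst_ip, dst_port = _endpoint(dst)
        direction = "in" if dst_ip == server_ip else "out"
        if rest.startswith("GREv1"):
            s["gre_" + direction] += 1
        elif PPTP_PORT in (src_port, dst_port):
            s["tcp_" + direction] += 1
            c = CTRL.search(rest)
            if c:
                s["ctrl"].add(c.group(1))
    return s


VERDICTS = {
    "no-tcp-1723": "Nothing from the client on TCP 1723: the port forward/DNAT to the server is missing.",
    "control-incomplete": "TCP 1723 arrives but SCCRQ/SCCRP or OCRQ/OCRP did not complete: "
                          "the server is not accepting the call (RAS/ports), not a GRE problem yet.",
    "gre-inbound-missing": "Server answers the call and retries LCP over GRE, but no GRE ever arrives "
                           "from the client: inbound protocol 47 is not forwarded/translated to this "
                           "host, or the client's own NAT drops it. This is the error 721 pattern; "
                           "the router's WAN log tells the two apart.",
    "gre-outbound-missing": "Client GRE arrives but the server never sends GRE: look at RAS on the server.",
    "no-gre": "Call set up on TCP 1723 but no GRE in either direction.",
    "transport-ok": "GRE flows both ways: the tunnel transport is fine, so look at PPP authentication "
                    "and the server's event log instead.",
}


def diagnose(capture, server_ip):
    """Map the packet counts to one of the VERDICTS keys."""
    s = summarize(capture, server_ip)
    if s["tcp_in"] == 0:
        return "no-tcp-1723"
    if not {"SCCRP", "OCRP"} <= s["ctrl"]:
        return "control-incomplete"
    if s["gre_out"] and not s["gre_in"]:
        return "gre-inbound-missing"
    if s["gre_in"] and not s["gre_out"]:
        return "gre-outbound-missing"
    if not s["gre_in"]:
        return "no-gre"
    return "transport-ok"


if __name__ == "__main__":
    for name, cap in (("stalled", CAPTURE_STALLED), ("ok", CAPTURE_OK)):
        key = diagnose(cap, "192.168.1.10")
        print("%s: %s\n  %s" % (name, key, VERDICTS[key]))
```

Feed it a real capture by replacing the constructed strings with the text of `tcpdump -ni <if> 'tcp port 1723 or proto gre'` taken on the server during one connection attempt; the line regex only relies on the `IP src > dst:` prefix, the `.1723` port suffix and the `GREv1` decode.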
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 63 total points
ID: 10876330
Has one-to-one NAT been set up on the firewall for your VPN server?
You mention IPSec NAT-T, which uses udp port 4500.  This is completely different to PPTP (tcp port 1723 and GRE).
A diagram would help here - does this look right -

Internet
|
Public IP address
Check Point firewall
Default gateway for LAN
|
VPN Server (private address)

?

An alternative would be to setup SecuRemote on the Check Point VPN box

Author Comment

by:MelvinSE
ID: 10877763
Yeah, that's right.  I'm leaning towards not setting up an IPSec VPN, though.  While it may be secure and possible through our current hardware, it needs some serious configuration time (certificate servers and the like).  Plus, the fact that I'm not running AD on the Win2K Server box that is serving the VPN may be a problem (although I'm not sure).  The PDC is still NT4 SP6.

I looked at the SecuRemote software for the CheckPoint box, but a) the software I have to work with is old (v4.1), b) I can't find the original CD since the previous IT director left and c) to get all the probable upgrades to the software, CheckPoint charges an overabundance of money.  Not something the higher-ups will enjoy hearing.  I'm having such a fun time with this, can't you tell?

I'm thinking about just giving up and going with OWA at this point.  It's my third option and even though it's limited at least it will be simple for the end users and all they really want at this point is to read and send their mail.
LVL 23

Expert Comment

by:Tim Holman
ID: 10879055
You don't need certs for IPSEC - you can use pre-shared secrets!

If users only need email, then OWA is fine.  No need to overdo it... and besides, opening up your network to VPN clients means that VPN clients can back-infect or hack your core networks if they become compromised.

Only give users what they need !


Author Comment

by:MelvinSE
ID: 10880250
Of course, this means taking on the different headaches of installing IIS on the server.  Did I mention I love Microsoft?
LVL 11

Expert Comment

by:infotrader
ID: 10880591
Here's a link for you:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;240262

According to this Microsoft article, Microsoft does not openly "support" L2TP because they think IPSec is the way to go.  HOWEVER, you can do it using a preshared key for L2TP if you follow their instructions.

- Info

Author Comment

by:MelvinSE
ID: 10918348
I'm calling in the ISP consultant, but both of you guys helped.  I know quite a bit about VPNs, but with the equipment and software being so much older, it's time to get some outside help.  I split the points as evenly as possible, giving the extra to Tim for the pretty diagram.  ;-)

Thanks guys!

Expert Comment

by:stueng
ID: 11115153
Any chance you got this resolved? I am having the same problem, and have spent days searching the internet for any clues.

At home I have my test Windows 2003 server box hosting remote access services

At home I have an ADSL connection, connected via a d-link 504 router which supports IPSec and PPTP passthrough.

The router has the following ports open:
  3389 for terminal services
  1723 for PPTP
  21 for FTP
  110 for POP
  25 for SMTP
UPnP is enabled

Establishing a VPN connection via PPTP on the internal LAN works fine, as does connecting from the outside with the DMZ configured and pointing to my server

However, when I remove the DMZ the VPN connection only gets as far as "verifying username and password" the connection then times out

I am testing this connection from a Windows XP Pro laptop from another site; the laptop connects via a Belkin router.  No ports are forwarded on the Belkin router and UPnP is enabled.  Enabling DMZ on the Belkin router makes no difference, it still hangs at the same place.

All of this leads me to believe it's something to do with packet routing on my home router, the router to which the Windows 2003 server is connected.

I am connecting from

Expert Comment

by:isaacdoku
ID: 12326887
I am also experiencing the same problem with a D-Link DI-604 broadband router.  Error 721 is returned after I get "verifying username and password".  I have no problem at all if I use Remote Desktop to that same RRAS server.  A VPN can be established on the internal IP of the RRAS server easily.  I have been seeing "permit ip 47 gre".  How do you permit or enable it on the broadband router?