Solved

Error 721 - VPN from XP desktop to Win2k/SBS Server

Posted on 2004-08-23
7
6,653 Views
Last Modified: 2007-12-19
Hi,
I just tried to set up remote access (VPN) to my server, but have not been successful. Here are the details:

I had my ISP (Megapath) open ports 1723 and 47 on my router (Netopia R7200T with all latest firmware).

From the client side, I created VPN connection to public IP of my router with all default settings.

When I try to connect, it looks like they begin to handshake, but when authenication ("Verifying Userid & Password") it times out ("Error 721 - The remote computer did not respond").

Any suggestions?

Thanks
Steve
0
Comment
Question by:smokysteve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11875392
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524


References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp

VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

0
 

Author Comment

by:smokysteve
ID: 11876714
Wow, thanks. Does this mean I'm S.O.L for VPN with my current setup?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11877114
Only for PPTP VPN. You can still use L2TP/IPSEC...
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:smokysteve
ID: 11877423
Thanks -
The server is showing a bunch of available L2TP ports, and I created an L2TP connection on the client side, but it immediately comes back with an error 781 (The connection requires a certificate, and no valid certificate was found...)

Does this mean I need to set up a certificate autority on the server, and if so, will this impact the way I use my network (aside from providing VPN)?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11887799
You don't need certificate server. Setup a IPSEC policy on the client to connect to the server..
Here's a good 3-part article that explains how to set it up..

http://www.securityfocus.com/infocus/1519

0
 

Author Comment

by:smokysteve
ID: 11893331
Wow - thanks very much.

Two last questions and I'll leave you alone:
- WOuld doing a one-to-one address mapping through the current low-end router to my VPN server allow PPTP to work?
and
- Would upgrading to SBS 2003 provide PPTP access?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893472
I'm not sure if you can do a 1-1 address mapping on your current router, but if you can, that would certainly work, but will open up the server so that you would need a software firewall on it.

It's not a restriction of the server, but a restriction of the router, so upgrading the server won't solve the problem.
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question