Solved

Error 721 - VPN from XP desktop to Win2k/SBS Server

Posted on 2004-08-23
7
6,652 Views
Last Modified: 2007-12-19
Hi,
I just tried to set up remote access (VPN) to my server, but have not been successful. Here are the details:

I had my ISP (Megapath) open ports 1723 and 47 on my router (Netopia R7200T with all latest firmware).

From the client side, I created VPN connection to public IP of my router with all default settings.

When I try to connect, it looks like they begin to handshake, but when authenication ("Verifying Userid & Password") it times out ("Error 721 - The remote computer did not respond").

Any suggestions?

Thanks
Steve
0
Comment
Question by:smokysteve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11875392
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524


References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp

VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

0
 

Author Comment

by:smokysteve
ID: 11876714
Wow, thanks. Does this mean I'm S.O.L for VPN with my current setup?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11877114
Only for PPTP VPN. You can still use L2TP/IPSEC...
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:smokysteve
ID: 11877423
Thanks -
The server is showing a bunch of available L2TP ports, and I created an L2TP connection on the client side, but it immediately comes back with an error 781 (The connection requires a certificate, and no valid certificate was found...)

Does this mean I need to set up a certificate autority on the server, and if so, will this impact the way I use my network (aside from providing VPN)?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11887799
You don't need certificate server. Setup a IPSEC policy on the client to connect to the server..
Here's a good 3-part article that explains how to set it up..

http://www.securityfocus.com/infocus/1519

0
 

Author Comment

by:smokysteve
ID: 11893331
Wow - thanks very much.

Two last questions and I'll leave you alone:
- WOuld doing a one-to-one address mapping through the current low-end router to my VPN server allow PPTP to work?
and
- Would upgrading to SBS 2003 provide PPTP access?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893472
I'm not sure if you can do a 1-1 address mapping on your current router, but if you can, that would certainly work, but will open up the server so that you would need a software firewall on it.

It's not a restriction of the server, but a restriction of the router, so upgrading the server won't solve the problem.
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question