Solved

Error 721 - VPN from XP desktop to Win2k/SBS Server

Posted on 2004-08-23
7
6,649 Views
Last Modified: 2007-12-19
Hi,
I just tried to set up remote access (VPN) to my server, but have not been successful. Here are the details:

I had my ISP (Megapath) open ports 1723 and 47 on my router (Netopia R7200T with all latest firmware).

From the client side, I created VPN connection to public IP of my router with all default settings.

When I try to connect, it looks like they begin to handshake, but when authenication ("Verifying Userid & Password") it times out ("Error 721 - The remote computer did not respond").

Any suggestions?

Thanks
Steve
0
Comment
Question by:smokysteve
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11875392
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524


References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp

VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

0
 

Author Comment

by:smokysteve
ID: 11876714
Wow, thanks. Does this mean I'm S.O.L for VPN with my current setup?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11877114
Only for PPTP VPN. You can still use L2TP/IPSEC...
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:smokysteve
ID: 11877423
Thanks -
The server is showing a bunch of available L2TP ports, and I created an L2TP connection on the client side, but it immediately comes back with an error 781 (The connection requires a certificate, and no valid certificate was found...)

Does this mean I need to set up a certificate autority on the server, and if so, will this impact the way I use my network (aside from providing VPN)?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11887799
You don't need certificate server. Setup a IPSEC policy on the client to connect to the server..
Here's a good 3-part article that explains how to set it up..

http://www.securityfocus.com/infocus/1519

0
 

Author Comment

by:smokysteve
ID: 11893331
Wow - thanks very much.

Two last questions and I'll leave you alone:
- WOuld doing a one-to-one address mapping through the current low-end router to my VPN server allow PPTP to work?
and
- Would upgrading to SBS 2003 provide PPTP access?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893472
I'm not sure if you can do a 1-1 address mapping on your current router, but if you can, that would certainly work, but will open up the server so that you would need a software firewall on it.

It's not a restriction of the server, but a restriction of the router, so upgrading the server won't solve the problem.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now