?
Solved

Error 721 - VPN from XP desktop to Win2k/SBS Server

Posted on 2004-08-23
7
Medium Priority
?
6,659 Views
Last Modified: 2007-12-19
Hi,
I just tried to set up remote access (VPN) to my server, but have not been successful. Here are the details:

I had my ISP (Megapath) open ports 1723 and 47 on my router (Netopia R7200T with all latest firmware).

From the client side, I created VPN connection to public IP of my router with all default settings.

When I try to connect, it looks like they begin to handshake, but when authenication ("Verifying Userid & Password") it times out ("Error 721 - The remote computer did not respond").

Any suggestions?

Thanks
Steve
0
Comment
Question by:smokysteve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 11875392
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524


References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp

VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

0
 

Author Comment

by:smokysteve
ID: 11876714
Wow, thanks. Does this mean I'm S.O.L for VPN with my current setup?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11877114
Only for PPTP VPN. You can still use L2TP/IPSEC...
0
Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

 

Author Comment

by:smokysteve
ID: 11877423
Thanks -
The server is showing a bunch of available L2TP ports, and I created an L2TP connection on the client side, but it immediately comes back with an error 781 (The connection requires a certificate, and no valid certificate was found...)

Does this mean I need to set up a certificate autority on the server, and if so, will this impact the way I use my network (aside from providing VPN)?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11887799
You don't need certificate server. Setup a IPSEC policy on the client to connect to the server..
Here's a good 3-part article that explains how to set it up..

http://www.securityfocus.com/infocus/1519

0
 

Author Comment

by:smokysteve
ID: 11893331
Wow - thanks very much.

Two last questions and I'll leave you alone:
- WOuld doing a one-to-one address mapping through the current low-end router to my VPN server allow PPTP to work?
and
- Would upgrading to SBS 2003 provide PPTP access?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893472
I'm not sure if you can do a 1-1 address mapping on your current router, but if you can, that would certainly work, but will open up the server so that you would need a software firewall on it.

It's not a restriction of the server, but a restriction of the router, so upgrading the server won't solve the problem.
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible. http://www.dd-wrt.com/site/support/router-database http://www.dd-wrt.c…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question