Solved

Error 721 - VPN from XP desktop to Win2k/SBS Server

Posted on 2004-08-23
7
6,647 Views
Last Modified: 2007-12-19
Hi,
I just tried to set up remote access (VPN) to my server, but have not been successful. Here are the details:

I had my ISP (Megapath) open ports 1723 and 47 on my router (Netopia R7200T with all latest firmware).

From the client side, I created VPN connection to public IP of my router with all default settings.

When I try to connect, it looks like they begin to handshake, but when authenication ("Verifying Userid & Password") it times out ("Error 721 - The remote computer did not respond").

Any suggestions?

Thanks
Steve
0
Comment
Question by:smokysteve
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11875392
> ports 1723 and 47
It's not port 47, it is protocol #47, GRE that needs to be forwarded. Since GRE has no concept of ports, you can't forward it to an inside host on the low-end routers like the Netopia.

Microsoft VPN Network Server

Microsoft's story:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable

From Cisco documentation:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.


Setting up VPN server behind ICS system:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B309524


References:
http://www.labmice.net/networking/vpn.htm
http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbe_vpn_hidv.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0103.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/tips/15tipsfo.asp

VPN w/ 2003 Server
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

0
 

Author Comment

by:smokysteve
ID: 11876714
Wow, thanks. Does this mean I'm S.O.L for VPN with my current setup?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11877114
Only for PPTP VPN. You can still use L2TP/IPSEC...
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:smokysteve
ID: 11877423
Thanks -
The server is showing a bunch of available L2TP ports, and I created an L2TP connection on the client side, but it immediately comes back with an error 781 (The connection requires a certificate, and no valid certificate was found...)

Does this mean I need to set up a certificate autority on the server, and if so, will this impact the way I use my network (aside from providing VPN)?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11887799
You don't need certificate server. Setup a IPSEC policy on the client to connect to the server..
Here's a good 3-part article that explains how to set it up..

http://www.securityfocus.com/infocus/1519

0
 

Author Comment

by:smokysteve
ID: 11893331
Wow - thanks very much.

Two last questions and I'll leave you alone:
- WOuld doing a one-to-one address mapping through the current low-end router to my VPN server allow PPTP to work?
and
- Would upgrading to SBS 2003 provide PPTP access?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11893472
I'm not sure if you can do a 1-1 address mapping on your current router, but if you can, that would certainly work, but will open up the server so that you would need a software firewall on it.

It's not a restriction of the server, but a restriction of the router, so upgrading the server won't solve the problem.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
VPN Max client Connections 7 71
Selecting a VPN for speed and security 9 35
IOS for 2811 2 68
Who Should Be Radius Clients 6 27
One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now