• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 925
  • Last Modified:

Windows 2003 VPN Server behind broadband router - what would you suggest?

I am trying to set up our Windows 2003 Standard server as a PPTP VPN server on our small office network.  We have a Linksys WRV54G router as our gateway to the internet, so the VPN server is on our network BEHIND the router.  If I put the server in the DMZ, I can form a PPTP connection with no problems.  Needless to say, DMZ is a totally unacceptable solution.  When port 1723 is forwarded to the VPN server IP the connection does not work.  I get the following INBOUND entries in the router log from the VPN client (with sensitive IPs masked of course!):

RGFW-IN: ACCEPT (TCP 131.xxx.xxx.xxx:1257->192.168.156.10:1723 on ixp1) [200,0]
RGFW-IN: BLOCK-RULES (GRE 131.xxx.xxx.xxx->69.xxx.xxx.xxx on ixp1) [0,0]   <-- this line appears a total of 10 times for each connect attempt before client timeout

The 131 IP is the VPN client, the 192 IP the VPN server and the 69 IP the WAN IP on the router.

It would appear to me that the router is blocking the GRE (47) protocol and therefore preventing a VPN connection.  I have PPTP passthrough enabled (although it's my understanding that this only matters for outbound GRE traffic).

There is a wealth of information available on the internet about how Linksys routers simply DO NOT WORK with VPN servers behind them so I don't hold much hope for a solution that involves not purchasing another router.  So that brings me to my two questions, the second of which I think is more likely to be answered.

1) Has anyone made this setup work with this particular router?  If so, do you have some suggestions for me?

2) Could you recommend another brand and model of router that you KNOW will work for me?  I've seen some threads online stating that people do have such a setup working for them (i.e. VPN server behind router) but I haven't found much information as to which specific models and I don't want to do trial-and-error purchasing.

If someone can solve my problem by answering question 1, then you will be my hero and your cookie will be 500 points.  Otherwise, I'll split the points among those who can provide some guidance in the purchase of a replacement router that will solve this problem.  Thanks everyone, in advance.
0
miketayeb2
Asked:
miketayeb2
1 Solution
 
gpriceee commented:
Hello.  I never would use a Windows server as a VPN server anyway, so my suggestion might be biased.
CISCO sells the pix 501 for less than $500.  It is secure and can be setup as your firewall and VPN.
The setup is fairly quick, and if the WAN side needs DHCP, this one can handle it.
It also accepts the commands that the "big" pix's do.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html
0
 
Leo Alexander commented:
miketayeb2,

Seems like you already know the answer to your first question. There are no surprises there. I agree with the Cisco hardware since it's obviously the best (and I believe it owns Linksys). But then you are not using your win2k3 server like I'm assuming you want to do...
0
 
HiS_SlyneSS commented:
>>>1) Has anyone made this setup work with this particular router?  If so, do you have some suggestions for me?

Not on this particular model.... You said you have port forwarding enabled? Did you enable 47 / 1723, both TCP and UDP port forwarding???


>>>Could you recommend another brand and model of router that you KNOW will work for me?  I've seen some threads online stating that people do have such a setup working for them (i.e. VPN server behind router) but I haven't found much information as to which specific models and I don't want to do trial-and-error purchasing.

Is your internet connection DSL???...

BTW.. is this your router?? http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=681


Sly
0
 
miketayeb2 (Author) commented:
gpriceee, smarturtle - I agree, the Cisco PIX 501 would be a good solution, but at a cost of $600+ tax CDN I would like to explore some cheaper options before I resort to spending that kind of money.  I never like to have to go to the boss with requests for capital purchases if I can solve the problem without one.  However I may have to purchase one in this case.

HiS_SlyneSS - yes, I enabled both 1723 and 47 TCP and UDP, although I don't necessarily agree that port 47 is necessary.  PPTP uses GRE protocol 47 which, to my understanding, is not related to a TCP or UDP port.  There seems to be conflicting information in many places online regarding this though.  In any case, the line in my router logs shows that GRE is being blocked, so I'm 99% sure that this is the problem; that this router simply does not allow GRE inbound.  I'm thinking that the PPTP passthrough is only for GRE outbound.  Also, our internet connection is 5 mbps cable, not DSL.  I've checked with our ISP and they say that they are not blocking any ports or protocols because we are on a business connection.  And yes, the link you provided is the router I am using.
0
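The diagnosis the author reaches above (TCP 1723 accepted, GRE dropped, so PPTP cannot bring the tunnel up) can be checked mechanically from the router log rather than by eye. The script below is an added example written for this page; it is not code from the original thread, from Linksys, or from any of the posters. It parses the RGFW-IN line format quoted in the question and reports, per client address, whether the PPTP control channel (TCP 1723) was accepted while GRE (IP protocol 47, which has no TCP/UDP port) was blocked. The log lines fed to it are constructed in that same format; the second client address and its accepted GRE line are made up to show the healthy case.

```python
"""
Spot a PPTP-behind-NAT failure in Linksys-style RGFW-IN log lines.

PPTP needs two inbound paths to reach a server behind the router:
  1. the control channel, TCP port 1723 (a normal port forward), and
  2. the data channel, GRE (IP protocol 47). GRE is not a TCP/UDP port,
     so "forwarding port 47" does nothing; the firewall must pass protocol 47.
A log that shows TCP 1723 ACCEPTed but every GRE packet BLOCKed is the
signature of case 2 failing.
"""
import re
from collections import defaultdict

# Matches the RGFW-IN lines quoted in the thread, e.g.
#   RGFW-IN: ACCEPT (TCP 131.xxx.xxx.xxx:1257->192.168.156.10:1723 on ixp1) [200,0]
#   RGFW-IN: BLOCK-RULES (GRE 131.xxx.xxx.xxx->69.xxx.xxx.xxx on ixp1) [0,0]
# Masked octets ("xxx") are accepted so pasted logs parse as-is.
LINE_RE = re.compile(
    r"RGFW-IN:\s+(?P<action>[A-Z-]+)\s+\((?P<proto>TCP|UDP|GRE)\s+"
    r"(?P<src>[\d.x]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.x]+)(?::(?P<dport>\d+))?"
    r"\s+on\s+(?P<iface>\S+)\)"
)


def parse_line(line):
    """Return a dict of fields for one RGFW-IN line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def diagnose_pptp(lines):
    """Per source address, count PPTP control accepts and GRE accepts/blocks
    and attach a status: 'gre-blocked', 'ok', 'control-only' or 'no-pptp'."""
    counts = defaultdict(lambda: {"tcp1723_accept": 0, "gre_accept": 0, "gre_block": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = counts[rec["src"]]
        if rec["proto"] == "TCP" and rec["dport"] == 1723 and rec["action"] == "ACCEPT":
            c["tcp1723_accept"] += 1
        elif rec["proto"] == "GRE":
            if rec["action"].startswith("BLOCK"):
                c["gre_block"] += 1
            elif rec["action"] == "ACCEPT":
                c["gre_accept"] += 1

    verdicts = {}
    for src, c in counts.items():
        if c["tcp1723_accept"] and c["gre_block"] and not c["gre_accept"]:
            status = "gre-blocked"      # control channel forwarded, data channel dropped
        elif c["tcp1723_accept"] and c["gre_accept"]:
            status = "ok"
        elif c["tcp1723_accept"]:
            status = "control-only"     # no GRE seen at all; client may not have got that far
        else:
            status = "no-pptp"
        verdicts[src] = {"status": status, **c}
    return verdicts


# Constructed sample log: the first client reproduces the pattern quoted in the
# question (one accepted TCP 1723 hit, then ten GRE blocks); the second client
# address and its accepted GRE line are invented to show the healthy case.
SAMPLE_LOG = (
    ["RGFW-IN: ACCEPT (TCP 131.xxx.xxx.xxx:1257->192.168.156.10:1723 on ixp1) [200,0]"]
    + ["RGFW-IN: BLOCK-RULES (GRE 131.xxx.xxx.xxx->69.xxx.xxx.xxx on ixp1) [0,0]"] * 10
    + [
        "RGFW-IN: ACCEPT (TCP 10.9.8.7:40000->192.168.156.10:1723 on ixp1) [200,0]",
        "RGFW-IN: ACCEPT (GRE 10.9.8.7->69.xxx.xxx.xxx on ixp1) [0,0]",
        "some unrelated syslog line that should be ignored",
    ]
)

if __name__ == "__main__":
    for src, v in diagnose_pptp(SAMPLE_LOG).items():
        print(f"{src:>18}  {v['status']:<13} tcp1723={v['tcp1723_accept']} "
              f"gre_ok={v['gre_accept']} gre_blocked={v['gre_block']}")
```

Run it against a pasted router log (one line per list element) and a `gre-blocked` verdict tells you the problem is the firewall's handling of IP protocol 47, not the port forward, which is exactly the distinction the thread turns on.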
 
miketayeb2 (Author) commented:
Another quick note.....I spoke to a Linksys Technical Representative via online chat last night and s/he sent me a beta-version firmware that is supposed to address this issue.  Of course, I'm not holding my breath on that one.  I will try this firmware tonight; I can't do it while there are people in the office in case it pooches the router.
0
 
miketayeb2 (Author) commented:
Naturally, the new Linksys firmware did nothing to fix the problem.
0
 
gpriceee commented:
I have no problems with my Netgear installations for lower budgets (It's still a very good solution):
http://www.netgear.com/products/details/FR114P.php

Just make sure you enable VPN pass through.
0
 
miketayeb2 (Author) commented:
I managed to solve the problem by purchasing a D-Link DI-524 router to replace the Linksys WRV54G.  The D-Link engineers were smart.  Although you cannot control the permeability of the firewall to GRE directly, they did add some code that automatically allows incoming GRE when you open TCP port 1723 for PPTP.  Now why couldn't the folks at Linksys think of doing that?

This is a short-term solution....maybe for 6 months or so.  At that point, I will purchase a Cisco PIX 501 as gpriceee suggested.
0
