IPSec/PPtP with 2 BEFVP41 routers

bluepointx asked
Medium Priority
Last Modified: 2008-01-09
Hello folks.

I will start by telling you what I have and what I want. I have installed two BEFVP41 V2 VPN routers on two branches of our company. I've configured an IPSec tunnel between them and the connection works fine. However, the ability to connect to one office or another is a must for administration purposes. The problem is that I cannot connect from outside. The most convenient way to do this would be to use PPtP. But the PPtP server would have to stay behind the router, as this one doesn't have native support for this protocol. I've forwarded ports 47 and 1723 to the local machine that was configured to accept PPtP connections. Let's call that Location 2.

If I try to connect from Location 1 (where I am) to Location 2 (where the PPtP server is), everything goes fine. It connects in an instant, and when I check my public IP it shows the public IP from Location 2; in other words, it works just fine.

However, the problem is that I cannot connect from outside my ISP metro network. I have used my mobile phone data service as a data carrier. After I get online, when I try to dial the PPtP connection to Location 2, it hangs at "Verifying user name and password" (it's obvious that the packets reach the BEFVP41 at Location 2 and are then forwarded to the machine hosting the PPtP service); then, after 20 sec, it ends up saying:

"Error 721: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number."

Would it be possible that this situation might happen because the machine hosting the PPtP service is actually behind a NAT? Would it be possible to make it work if I were to buy a budget machine and have my ISP assign it a public IP? I don't have any problem with buying a second machine that will only serve for PPtP; I just want to be sure that this will solve the problem.

Another option would be to work with IPSec and create a tunnel on one of the routers, but I can't seem to find a decent IPSec client for Windows (that should also be free). I've read about SSH Sentinel, which was supposed to be freeware for personal use, but SafeNet is buying SSH's business and the download link is gone.

Top Expert 2013

You mention this will not work outside of your ISP's network, and that you checked this using your mobile phone data service. Can you try using an ISP service? There is a very good chance that the VPN will not work with the mobile service, as there is probably too much of an end-to-end propagation delay. VPNs, for example, will not work, as a rule, with satellite services.
If, for test purposes, you were to enable ICMP (ping) requests on the router (may be called "Block WAN request") and then try pinging it using your data service, you could see what the delays are. You should have a result of 125ms or less for respectable VPN functionality, but it is probably far greater.
It is also possible the data service, or any remote location, may not support PPTP/VPN traffic. I find this is the case in about 30% of public locations.


The firewall is at the lowest security level; in other terms, it doesn't filter anything, it allows ICMP requests and so on. I've tried from a different ISP, same thing: the connection stays for like 20 sec with the "Verifying user name and password" status, then Error 721 pops up.
Top Expert 2013

The reason I was recommending enabling ICMP requests was to do a ping from the location from which you were connecting, such as the mobile device, to see if the response time was sufficient to support the tunnel.

A 721 error usually means the GRE (protocol 47) packets are not reaching the PPTP server device. This could be due to a slow link, the router or service from which you are connecting not supporting it, or possibly the BEFVP41 router is blocking GRE? You mentioned you enabled port forwarding for port 47; actually, it is protocol 47. On your router this is allowed by enabling "PPTP pass-through" on the VPN page.
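
The port-versus-protocol distinction in the answer above can be checked on a packet capture taken at the PPTP server. The following is an added example, not part of the original thread: it classifies raw IPv4 packets as PPTP control (TCP port 1723), PPTP data (GRE, IP protocol 47) or traffic to TCP/UDP port 47, which is all a "port 47" forwarding rule would match. The sample packets, addresses and function names are constructed for illustration.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47  # 47 is an IP protocol number
PPTP_TCP_PORT = 1723   # PPTP control channel
GRE_PPP = 0x880B       # protocol type carried by PPTP's enhanced GRE (RFC 2637)

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured on the PPTP server's interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_GRE:
        # first = flags + version, second = protocol type; PPTP uses version 1
        return "pptp-gre" if first & 0x7 == 1 and second == GRE_PPP else "other-gre"
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # first = source port, second = destination port
        if proto == IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
            return "pptp-control"
        if 47 in (first, second):
            return "port-47-not-gre"      # what a "port 47" forward matches
    return "other"

def diagnose(packets) -> str:
    kinds = {classify(p) for p in packets}
    if "pptp-control" not in kinds:
        return "no PPTP control traffic seen"
    if "pptp-gre" not in kinds:
        return "control channel up, no GRE arriving"
    return "control and GRE both arriving"

def _ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed 20-byte header: documentation addresses, checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + payload

# Constructed sample packets (not taken from the thread).
CONTROL = _ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
GRE = _ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0))
PORT47 = _ipv4(IPPROTO_TCP, struct.pack("!HH", 49153, 47) + bytes(16))

if __name__ == "__main__":
    print(diagnose([CONTROL, PORT47]))   # control connects, GRE never shows up
    print(diagnose([CONTROL, GRE]))
```
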


All passthroughs enabled.
Top Expert 2013

Did you ever get this to work?
I stumbled on an article the other day saying, contrary to the manual, the BEFVP41 does not support PPTP pass-through, i.e. no GRE support. I laughed it off and then I stumbled on this today. Wondering if it might be the case, although in this one they talk about enabling PPTP Pass-through using port 47, which is incorrect.
PAQed with no points refunded (of 500)

Community Support Moderator
