IPSec/PPtP with 2 BEFVP41 routers

Hello folks.

I will start by telling you what I have and what I want. I have installed two BEFVP41 V2 VPN routers on two branches of our company. I've configured an IPSec tunnel between them and the connection works fine. However, the ability to connect to one office or another is a must for administration purposes. The problem is that I can not connect from outside. The most convenient way to do this would be to use PPtP. But the PPtP server would have to stay behind the router, as this one doesn't have native support for this protocol. I've forwarded ports 47 and 1723 to the local machine that was configured to accept PPtP connections. Let's call that Location 2.

If I'm trying to connect from Location 1 (where I am) to Location 2 (where the PPtP server is) everything goes fine. It connects in an instant, and when I check my public IP it shows the public IP of Location 2; in other words it works just fine.

However, the problem is that I can not connect from outside my ISP's metro network. I have used my mobile phone data service as a data carrier. After I get online, when I try to dial the PPtP connection to Location 2, it hangs at "Verifying user name and password" (it's obvious that the packets reach the BEFVP41 at Location 2 and are then forwarded to the machine hosting the PPtP service), then, after 20 sec, it ends up saying:

"Error 721: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number."

Would it be possible that this situation happens because the machine hosting the PPtP service is actually behind a NAT? Would it be possible to make it work if I were to buy a budget machine and have my ISP assign it a public IP? I don't have any problem with buying a second machine that will only serve for PPtP, I just want to be sure that this will solve the problem.

Another option would be to work with IPSec and create a tunnel on one of the routers, but I can't seem to find a decent IPSec client for Windows (that should also be free). I've read about SSH Sentinel, which was supposed to be freeware for personal use, but SafeNet is buying SSH's business and the download link is gone.

Rob Williams commented:
You mention this will not work outside of your ISP's network, and that you checked this using your mobile phone data service. Can you try using an ISP service? There is a very good chance that the VPN will not work with the mobile service, as there is probably too much end-to-end propagation delay. VPNs, for example, will not work, as a rule, with satellite services.
If, for test purposes, you were to enable ICMP (ping) requests on the router (may be called "Block WAN request") and then try pinging it using your data service, you could see what the delays are. You should have a result of 125ms or less for respectable VPN functionality, but it is probably far greater.
It is also possible the data service, or any remote location, may not support PPTP/VPN traffic. I find this is the case in about 30% of public locations.
bluepointx (Author) commented:
The firewall is at the lowest security level; in other terms it doesn't filter anything, it allows ICMP requests and so on. I've tried from different ISPs, same thing: the connection stays for about 20 sec with the "Verifying user name and password" status, then Error 721 pops up.
Rob Williams commented:
The reason I was recommending enabling ICMP requests was to do a ping from the location from which you were connecting, such as the mobile device, to see if the response time was sufficient to support the tunnel.

A 721 error usually means the GRE (protocol 47) packets are not reaching the PPTP server device. This could be due to a slow link, the router or service from which you are connecting not supporting it, or possibly the BEFVP41 router blocking GRE. You mentioned you enabled port forwarding for port 47; actually it is protocol 47. On your router this is allowed by enabling "PPTP pass-through" on the VPN page.
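The port-versus-protocol point above is worth making mechanical. The following is an added example, not code from the thread or from Linksys: it flags a forwarding rule set that forwards "port 47" instead of IP protocol 47 (GRE), and classifies a constructed packet summary to see whether the TCP/1723 control channel arrives while GRE never does, which is the pattern behind the 721 symptom. The rule dict format and the `Packet` summary type are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

PPTP_CONTROL_PORT = 1723   # TCP control connection
GRE_PROTOCOL = 47          # IP protocol number that carries the PPP frames


@dataclass(frozen=True)
class Packet:
    """One captured packet, reduced to what the diagnosis needs (constructed)."""
    ip_proto: int                   # 6 = TCP, 17 = UDP, 47 = GRE
    dst_port: Optional[int] = None  # only meaningful for TCP/UDP


def rule_problems(rules: List[dict]) -> List[str]:
    """Check a forwarding rule set for the 'port 47' confusion.

    Each rule is {'proto': 'tcp'|'udp'|'gre', 'port': int} (port only for
    tcp/udp). Forwarding TCP or UDP port 47 does nothing for PPTP, because
    GRE is IP protocol 47, not a port.
    """
    problems = []
    for r in rules:
        if r["proto"] in ("tcp", "udp") and r.get("port") == GRE_PROTOCOL:
            problems.append(f"{r['proto'].upper()} port 47 forwarded: GRE is protocol 47, not a port")
    if not any(r["proto"] == "tcp" and r.get("port") == PPTP_CONTROL_PORT for r in rules):
        problems.append("no TCP/1723 rule for the PPTP control connection")
    if not any(r["proto"] == "gre" for r in rules):
        problems.append("no GRE (protocol 47) pass-through or forward")
    return problems


def diagnose(packets: List[Packet]) -> str:
    """Classify what reached the server side of the NAT."""
    saw_control = any(p.ip_proto == 6 and p.dst_port == PPTP_CONTROL_PORT for p in packets)
    saw_gre = any(p.ip_proto == GRE_PROTOCOL for p in packets)
    if saw_control and saw_gre:
        return "control and GRE both arrive; look elsewhere (authentication, MTU)"
    if saw_control:
        # Handshake completes, then the PPP/GRE leg never arrives: the
        # client waits at 'Verifying user name and password' and reports 721.
        return "TCP/1723 arrives but GRE does not: consistent with Error 721"
    return "no PPTP control traffic seen: check TCP/1723 forwarding first"


if __name__ == "__main__":
    # Constructed rule set mirroring the question: 'port 47' and 1723 forwarded.
    for problem in rule_problems([{"proto": "tcp", "port": 1723}, {"proto": "tcp", "port": 47}]):
        print("rule problem:", problem)
    # Constructed capture: control handshake seen, no GRE afterwards.
    print(diagnose([Packet(6, 1723), Packet(6, 1723), Packet(6, 1723)]))
```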
bluepointx (Author) commented:
All passthroughs enabled.
Rob Williams commented:
Did you ever get this to work?
I stumbled on an article the other day saying that, contrary to the manual, the BEFVP41 does not support PPTP pass-through, i.e. no GRE support. I laughed it off, and then I stumbled on this today. Wondering if it might be the case, although in this one they talk about enabling PPTP pass-through using port 47, which is incorrect.
PAQed with no points refunded (of 500)

Community Support Moderator
