Error 678 when attempting to VPN through Speedtouch pro ADSL modem/router to SBS2003

Hi all,

I have got a really tight timeframe on getting this resolved (as I'm leaving on a plane this week and must be able to VPN back in!) so any immediate help will be most appreciated!!

PROBLEM: When attempting to VPN from a notebook PC through to a SBS 2003 server I am getting "Error 678: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for the error number".

A brief overview of my setup includes:
SBS Server 2003 with RAS VPN setup using the inbuilt wizards. The server has two network cards. The external card for the internet is set at The default gateway is set to the Alcatel Speed Touch Pro ADSL router which is at The Speed Touch also has an external static IP of The internal network on the other NIC is set to with all local workstations on this subnet who get their IP's and DNS through automatic DHCP assignment. The DNS gets set to

For testing purposes I took a notebook and configured it with a static IP of with a default gateway of and a DNS that points to bigpond (external ISP)'s DNS server. I then plugged it directly into the Speedtouch pro so that it would be "on the external side of the network" just as it would if I was physically remote. I confirmed that I was able to access the internet direct through the speedtouch and not through my SBS 2003 server. I setup a VPN connection on the notebook (Win XP Pro) pointing to and checked the additional box under properties, options for "Include Windows login domain" in accordance with Microsoft's knowledge base (I also tried without this with no difference in result). When attempting to connect I get the Error 678.

My thoughts were that the problem was probably with the Speedtouch ADSL router so I turned my attention and research into that. After researching many threads around the net I realised that I needed to punch a few holes in the router through NAT to be properly setup for VPN.

I telnetted into the speed touch pro (through and did a NAT LIST. I found that neither port 1723 was setup nor protocol 47 for GRE. I added both to the NAT successfully and saved. There was no change to the error however.

I checked the SBS2003 server RAS VPN settings and all looked OK. Three policies were setup as default and I deleted two of them which I don't need. The other one related to users being in the remote security group to gain access via VPN. I checked to make sure that my user was part of that group which it was. Therefore there were no other policies to restrict access so I could rule out a policy causing the problem.

Even though I have SBS 2003 Premium I do not have Internet Security Installed and further have the basic Firewall in SBS turned off for the purpose of testing this issue. I further disabled the firewall in the Speed touch adsl router (although this was a command that I found on the internet but made no sense to me as NAT is still setup and functioning?) and also disabled the Trend firewall on the client notebook PC to ensure that from all accounts that there was no firewall issues causing the error. However even with all this protection turned off the problem still remains.

I thought I would try setting up https web access to exchange and remote services however when attempting to put in both (https://) URL's for these they also failed. (I had already punched more holes in the firewall for these services including port 80, 443 and 4125).

I find it suspicious that web access doesn't work either. It's almost like the Speedtouch is simply refusing to reroute these ports and the protocol 47 correctly. I read up on a technique of turning the speed touch into a transparent bridge and then setting up SBS2003 to do the ADSL dialing however I'd rather not go down this route as I'd like to keep the firewall features of the speedtouch in place (although I appreciate that through an 'IP' command I 'apparently' have the firewall off on the Speedtouch at present).

By the way normal pinging to is successful but again this is just to the Speedtouch ADSL router so I feel like the forwarding to the SBS2003 box is not happening for some reason.

Here is the detailed setup of the Speedtouch which I believe to be the issue here although I'm open to suggestions!!!

Alcatel Speedtouch Pro setup as follows (From Web interface):

Initial Setup:
IP address:

Bigpond  VPI:8 VCI:35 Type:PPP Usage:Confirmed

PPP Dial-in Connections:

Intf          Address             Netmask           Type     Transl    
BigPond          Auto      pat  
eth0      User      none  
loop           Auto      none  

Destination                  Source          Gateway         Intf                eth0          any       BigPond                 any              eth0               any            loop     any             eth0                 any              eth0  
default               BigPond  

Name       Encap    Mode         State    Status  
BigPond    vc-mux  always-on   up       on        

 User :   (myname@static.bigpond)
 Password :  *******
 Connection Sharing:  Everybody
 Destination networks All networks
 Specific network  (Blank)
 Address translation (NAT-PAT)  (checked)
 Primary DNS   Secondary DNS  (none)
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)

 CIP Interfaces:

CIP Connections:

PPTP Connections:

Bridging Ports:
 Aging: 300 seconds


DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)

DNS hostname table:
[Hostname]        [address]
SpeedTouch       own address

Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)

When telnetting in to the Speed Touch router and doing a NAT LIST you get the following:
Indx   Prot   Inside-address:Port     Outside-address:Port    Foreign-address:Port    Flgs        Expir   State    Control
   1    6                          instance
   2    6                        instance
   3    17                        instance
   4    6                       instance
   5   6                       instance
   6   6                     instance
   7  17             1             20      10
   8   6                      instance
   9  17                    instance
  10   6               1           1        6
  11  47                            instance
  12  17                       template
  13   6                  template
  14   6            template
  15  17           template
  16   6          template
  17   6           template
  18  47                    template
  19   6         template
  20   6            template

That's it. I don't know what else I can tell you. So far this problem has got me stumped - so much that I joined up to experts exchange when normally I would persevere searching on the net! So here goes let's hope my membership purchase was money well spent!



In my opinion, you are testing your setup incorrectly. From your description, I gather your topology looks something like this:


From the SBS's perspective, your notebook is external. But from the router's perspective,
it's still internal. To test, you should connect the VPN to and not,
Right now, you are trying to do a U turn on the packet.

a) Test laptop initiates a VPN connection, source IP: ; destination IP:
b) Router receives the packet and does a PAT and adds all the IP header, source IP: ; destination IP:

So as you can see, you are using the same IP for source and destination, it's like connecting to yourself. The router is probably dropping it.

All the other tests that you are doing such as HTTPS, remote services etc on the SBS from your test laptop should point to using the topology above and not to the public IP.

I have the same setup as you do, except that the hardware I use is different.

( 2004--(

I have a static NAT on the PIX and I can connect from both externally (internet) using the Public IP assigned to the
ISA 2004 and from the 192.168.100.x network using the address.

I would say that you try the connection first to, then if it doesn't work then that means we need to look
more on the SBS config. Once that works, then the real test would be from the internet or from a test laptop connected
on the external interface of your ADSL router.
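
Added example, not part of the thread or any poster's code: a probe for the TCP 1723 control channel that the question forwards through NAT. It sends a PPTP Start-Control-Connection-Request as laid out in RFC 2637 and classifies the outcome; it says nothing about GRE (protocol 47), and the function names and result strings are this example's own.

```python
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
# RFC 2637: both Start-Control-Connection messages are 156 bytes long.
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"

def build_sccrq(hostname=b"probe"):
    """Start-Control-Connection-Request (control message type 1)."""
    return struct.pack(SCCRQ_FMT, 156, 1, MAGIC_COOKIE, 1, 0,
                       0x0100, 0, 3, 3, 0, 0, hostname, b"")

def parse_sccrp(data):
    """Return (ok, detail) for a Start-Control-Connection-Reply."""
    if len(data) < struct.calcsize(SCCRP_FMT):
        return False, "short reply (%d bytes)" % len(data)
    f = struct.unpack(SCCRP_FMT, data[:156])
    if f[2] != MAGIC_COOKIE or f[3] != 2:
        return False, "not a PPTP SCCRP"
    if f[6] != 1:  # result code 1 = channel established
        return False, "server refused, result code %d" % f[6]
    return True, f[12].rstrip(b"\0").decode("ascii", "replace")

def probe(host, timeout=5.0):
    """Classify the TCP 1723 path to host (run from the true outside)."""
    try:
        with socket.create_connection((host, PPTP_PORT), timeout) as s:
            s.sendall(build_sccrq())
            data = b""
            while len(data) < 156:
                chunk = s.recv(156 - len(data))
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return "no response: TCP 1723 is dropped or not forwarded"
    except ConnectionRefusedError:
        return "refused: something answered, but no PPTP listener on 1723"
    except OSError as e:
        return "network error: %s" % e
    ok, detail = parse_sccrp(data)
    return ("PPTP server answered: " if ok else "unexpected reply: ") + detail

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py HOST")
```

A timeout here points at the port forward (or the test position), while a valid reply followed by a VPN dial that still fails leaves GRE forwarding as the remaining suspect.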

Having been to many forums for a similar problem (error 678), I ultimately found this rather obscure fix which helped many folk. Hope it does for yours. It may be that your connection is timing out due to the following change in Win XP SP2:

"By default, computers that run Windows XP with Service Pack 2 and that initiate IPsec-secured communications ... no longer support using IPsec NAT-T to remote computers that respond to requests for IPsec-secured communication ... that are located behind a network address translator. This is to avoid potential security issues as discussed in the following Microsoft Knowledge Base article:
885348 ( IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators"

The fix... add the following registry value on the client:
     - Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
     - Add a new DWORD Value "AssumeUDPEncapsulationContextOnSendRule" (case sensitive)
          - A value of 0 (zero/default) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators.
          - A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
          - A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.

"After you configure AssumeUDPEncapsulationContextOnSendRule with a value of 1 or a value of 2, Windows XP SP2 can connect to a responder that is located behind a network address translator. This behavior applies to connections to a VPN server that is running Windows Server 2003."

KB885407 - The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2

Good luck...