Solved

PPTP connected but no access to resources

Posted on 2006-06-01
Last Modified: 2013-12-07
Have set up modem/router/vpn device (Zyxel Prestige 2602HWL-61) to connect two remote offices (same device at each end).  VPN Connection is working fine between offices. At one end is a Windows 2003 SBS server behind the modem/router/VPN device.

Modem/router/vpn  (which is the gateway 192.168.16.1) is set up to forward appropriate ports to the sbs server (192.168.16.2).  Prior to installing modem/router/vpn I could connect from remote workstation to SBS server & network resources by using microsoft pptp vpn connection.

Since installation of  modem/router/vpn I can establish a connection, but no access to resources (can't ping  192.168.16.*).  RRAS is set up to give the vpn clients an IP address in the same subnet (192.168.16.0) as the internal network.  I have forwarded GRE & TCP 1723 to 192.168.16.2. What else do I need to do to enable access via pptp?
Question by:realserve
22 Comments
 
LVL 4

Expert Comment

by:johanvz1
ID: 16805724
What was your VPN PPTP connection setting, i.e. did you set the default gateway or did you not force that through? Is your DNS working? If you ping from the one side to the other (ping servername), do you get a reply?

I used to have VPN PPTP but I did not enforce my gateway, for the reason that users could use their own internet access via their DSL line. My trust was easy: I had a PIX firewall, so I just made sure the usernames and passwords matched. But it seems that you want just an access point. So we must get around authentication.  What protocols and ports do you have open?
 
LVL 4

Expert Comment

by:johanvz1
ID: 16805790
Here's a guideline of ports and their protocols

47/tcp    GRE for pptp
1723/TCP     PPTP
500/udp      IPSec
IP Protocol 50     For ESP traffic
4500/UDP     NAT Traversal
1812/UDP     Radius Authentication
1813/UDP     Radius Accounting
 

Author Comment

by:realserve
ID: 16805835
I have tried "use default gateway on remote network" setting on vpn client, no change.  I tried to ping the IP address of the vpn server from the client side, no response.

I have opened to the sbs server GRE, 1723, 80, 443, 53, 3389, 25.    Client VPN connects & authenticates ok, so I suspect that this might be a routing issue.

 
LVL 4

Expert Comment

by:johanvz1
ID: 16805868
Can you connect to the devices, pull their configs out, compare the remote one to your base one, and perhaps make the routes the same?
 
LVL 13

Expert Comment

by:prashsax
ID: 16806292
you need to open more ports:

TCP/445 for windows file sharing.
TCP/135-139  Windows RPC.

This will enable accessing shared files/folder/printer access.

 

Author Comment

by:realserve
ID: 16806379
Just checked and I do have 445, 135-139 open already.
 
LVL 4

Expert Comment

by:johanvz1
ID: 16806413
If you do a tracert to the server, how far does it go?
 

Author Comment

by:realserve
ID: 16806474
nowhere - request time out
 
LVL 1

Expert Comment

by:webquarters
ID: 16806668
Make sure your router VPN is giving you a local IP that can access the resources.  Do an IPCONFIG after connection.  Make sure your IP outside is not the same subnet as the resource you're trying to VPN.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16807655
As for ports, if you are/were using the standard Windows PPTP VPN you only need to forward port 1723 to the VPN server and allow GRE traffic, which is protocol 47 (not port 47). GRE pass-through is usually enabled with an option such as PPTP pass-through. If this is not enabled or supported by the new router, you may be able to make a basic connection, but you will not be able to "communicate" with resources. No other ports need to be opened or forwarded. Opening 445, 135+ can actually be a security risk.

However, when you installed the new Zyxel Prestige units, which you say are VPN router/modems, did you establish a VPN connection from router to router? If they support this I would highly recommend it. It will increase efficiency and security, and allow a proper site to site VPN connection. If you do/did so you will need to disable your PPTP Windows VPN.
0
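Added example, not part of the original thread or any poster's code: a small classifier showing why forwarding "TCP port 47" never matches PPTP's data channel, which is IP protocol 47 (GRE) and has no port at all. The toy router model, the rule sets and the three sample packets are constructed for illustration.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47   # IP protocol numbers, not ports
PPTP_CONTROL_PORT = 1723           # TCP port of the PPTP control channel
PPP_OVER_GRE = 0x880B              # GRE protocol type PPTP uses (RFC 2637)

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: pptp-control, pptp-data, or something else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4    # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "other-tcp"
    if proto == IPPROTO_GRE and len(payload) >= 8:
        flags, ptype, _plen, _call_id = struct.unpack("!HHHH", payload[:8])
        # Enhanced GRE as used by PPTP: version 1, protocol type 0x880B
        return "pptp-data" if flags & 0x7 == 1 and ptype == PPP_OVER_GRE else "other-gre"
    return "other"

def router_forwards(packet: bytes, tcp_ports: set, protocols: set) -> bool:
    """Toy NAT router: passes listed TCP destination ports and whole IP protocols."""
    proto = packet[9]
    if proto in protocols:
        return True
    if proto == IPPROTO_TCP:
        offset = (packet[0] & 0x0F) * 4 + 2          # destination port field
        return struct.unpack("!H", packet[offset:offset + 2])[0] in tcp_ports
    return False

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton("203.0.113.10"),
                       socket.inet_aton("192.168.16.2")) + payload

# Constructed samples: control-channel SYN, one tunnelled data packet, TCP to "port 47"
CONTROL = ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
DATA = ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, PPP_OVER_GRE, 0, 7, 1))
TCP_47 = ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 47) + bytes(16))

def survivors(tcp_ports: set, protocols: set) -> list:
    """Labels of the sample packets that get through a router with these rules."""
    return [classify(p) for p in (CONTROL, DATA, TCP_47)
            if router_forwards(p, tcp_ports, protocols)]

if __name__ == "__main__":
    print(survivors({1723, 47}, set()))       # TCP forwards only: tunnel data is dropped
    print(survivors({1723}, {IPPROTO_GRE}))   # 1723 plus GRE pass-through
```

With only TCP forwards the control channel gets through, so the client connects and authenticates, but no tunnelled data arrives; that is the symptom described at the top of the thread.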
 

Author Comment

by:realserve
ID: 16811552
IPCONFIG
Ethernet adapter Wireless Network Connection 28:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter vpn:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.16.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :


I do have site to site (router to router) vpn connection with the Prestige routers which works fine.

It is when we want to connect say from home or another location using the microsoft pptp vpn that we are having problems - will connect & authenticate - but can't ping anything.  It worked with the new Prestige modems installed before we established the site to site (router to router) vpn connection.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16811699
What protocol is the site-to-site VPN using? It would normally be IPSec, but if you chose to use PPTP you will not be able to connect to a PPTP server behind the firewall. Is that the case?

Also I notice the PPP (VPN) adapter has no gateway. If a software client it usually has itself as the gateway. Though this is usually assigned automatically I wonder if it is related to the problem.
 

Author Comment

by:realserve
ID: 16812003
The site to site vpn uses ipsec

the microsoft pptp vpn automatically assigns gateway - it only gives option to "use default gateway on remote network" - which makes no difference to this problem.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16812995
>>"the microsoft pptp vpn automatically assigns gateway "
Exactly, and it usually shows up with  ipconfig  and is the same as its own IP. This is what routes the traffic to the remote site. It is not something you configure, but I am wondering why it is not there and what effect it has. I have never seen it missing. You would typically see:

PPP adapter test:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-11
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.20.151
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.20.151
        DNS Servers . . . . . . . . . . . : 24.222.x.x

 
LVL 78

Expert Comment

by:Rob Williams
ID: 16813131
What error number do you get when you fail to connect?

On the new router have you configured both services, as per the manual:
  PPTP(TCP-1723)
  PPTP_Tunnel(GRE 0)

There are no other routers between the Zyxel and the SBS, I assume?
 

Author Comment

by:realserve
ID: 16813396
I do not get an error - the vpn client successfully connects & authenticates with the vpn server (sbs 2003) -  but then no data seems to pass after that
1723 & GRE are correctly configured -  no other routers
I suspect the NAT on the Zyxel may be somehow getting in the way since we established the router to router VPN.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16813441
Almost always if you can establish the connection but not browse (at least on the VPN server) or access any files, it is a case of GRE being blocked. Port 1723 is configured and working, but GRE is being blocked by the server firewall, the router, the modem, or the ISP. Since this worked before I would assume the new router is the culprit.

In the windows resource kit there is a pair of utilities for testing GRE. I haven't had a whole lot of luck with it, but you can give it a try. They are called PPTPsrv.exe and PPTPclnt.exe. Don't use the ones from the NT resource kit, it times out for some reason. You run the PPTPsrv version on the VPN server, establish the connection from the client, and then on the client start PPTPclnt, and send some GRE encapsulated packets. It should show as received on the server.
 

Author Comment

by:realserve
ID: 16813707
Ran PPTPsrv.exe ...


C:\Support Tools>pptpsrv

Error 10048 binding Socket:
WSAEADDRINUSE: Address already in use

Created socket for GRE protocol test

Listening on PROTOCOL 47 for incoming GRE packets...

**Then when i connect using the remote vpn client (haven't run the client test yet) we get the following :

Total GRE packets received = 1
Total GRE packets received = 2
Total GRE packets received = 3
Total GRE packets received = 4
Total GRE packets received = 5

======================================
GRE protocol test was successful!
======================================

Closing socket

Goodbye!
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16816227
The problem I have with PPTPSRV is if the connection is running you get that output regardless. You are supposed to be able to send specific packets (a message) from the client and get a reply back saying it was received, however I have never been able to get that to work. In doing so though GRE has to be open in both directions. Still I believe your message would indicate GRE is OK.

>>"NAT on the Zyxel may be somehow getting in the way since we established the router to router VPN"
Very possible the router is not allowing something though the appropriate packets seem to be getting to the VPN server.

Sorry no other suggestions other than Windows or other software firewall could be blocking traffic on the VPN server end, but that is not likely where you had it working before. The other option might be to try to set up an IPSec VPN client that connects directly to the Zyxel units. A better solution anyway if you can get it to work. I thought Zyxel offers a VPN client but I couldn't find it, however TheGreenBow has a client that is supposed to work if you wanted to try that;
http://www.thegreenbow.com/vpn.html

 

Author Comment

by:realserve
ID: 16991462
Zyxel support is nonexistent. I sent two emails a week apart asking for assistance - still no response 2 weeks after the last one I sent.  No telephone support available here (Australia) either.

In any case I have just worked out what was causing the problem: I had some time ago installed a trial version of wingate vpn.  I had disabled the wingate vpn service. Even with the wingate vpn services disabled it stopped my pptp connection working. I was doing some housekeeping and uninstalled the wingate vpn program and now the pptp vpn connection is working.

Thanks for your help, not an easy one!
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16991513
Glad to hear you were able to resolve.
Keep that in mind for future. Many networking tools when disabled still block VPN traffic, such as Symantec's firewall, Zone Alarm, proxy tools, some other VPN clients.
 

Accepted Solution

by:
PAQ_Man earned 0 total points
ID: 17028258
Closed, 500 points refunded.
PAQ_Man
Community Support Moderator

Question has a verified solution.
