VPN Pass through with Avaya SG200 router

Hello,
I have a network with a static IP that has an Avaya SG200 router.  I need to establish a VPN connection to my Windows 2003 SBS on the private side of the Avaya.  I've "redirected" port 1723 to the private IP of the server and opened the GRE 47 service with still no luck.  After it connects, it says verifying user name and password, then times out with "error 721".

Inside the network, my server accepts the VPN connection with ease.  
jshefferAsked:
scrathcyboyCommented:
If you will look back at the link I posted in my first comment, you will see all the ports to open up.  So open them and get it working, then close off the ones you don't need, and as I said, go to IPSec; it is much better.
 
Rob WilliamsCommented:
A 721 error is most often caused by GRE traffic being blocked. This can be caused by a software firewall on the PC/Server you are connecting to, such as the Windows firewall, or by the router itself. You mentioned you "opened the GRE 47 service"; I didn't see any options in the on-line manual I looked at for this, at least not as a predefined service. GRE is protocol 47, not port 47. Are you sure the router supports PPTP pass-through? There is no mention of it in the manual.
It does appear there is the ability to change the firewall security level, some routers such as Vigors require lowering the security level slightly to allow GRE traffic.
It does appear the router will support an IPSec client directly without the need of a Windows VPN server. Have you looked at that as an option? If it is feasible, it will give you slightly better performance and more security.
 
scrathcyboyCommented:
You can't just forward port 1723; generally at least 3 ports are needed for VPN, and it depends on whether you use PPPOE or IPSec as to which ports.  It also varies depending on whether the VPN endpoint is a router or a Windows box.  See here for example --

http://technet2.microsoft.com/WindowsServer/en/Library/62da7e09-a5bf-44e0-879d-44fe0002c4531033.mspx?mfr=true
 
Rob WilliamsCommented:
Actually scrathcyboy, assuming a PPTP VPN, which is the standard Windows VPN, requires only port 1723, and GRE pass-through. L2TP and IPSec have different requirements.
 
scrathcyboyCommented:
Yes I know, but he didn't state which protocol.  You would think 2003 would have moved up to IPSec.

JSheffer, why not try changing to IPSec? It is more secure, with better encryption.  The only reason you would not want to is if people log in from motels and such, where the protocol is always defaulted to PPTP.
 
Rob WilliamsCommented:
scrathcyboy, L2TP with IPSec has been available since WinNT but is much more elaborate to configure with a Windows server, fine if using a router. As for hotels "defaulting" to PPTP, I'm not quite sure why you would say that.
 
scrathcyboyCommented:
Only from many comments on Experts Exchange; people say when they travel they can only do PPTP VPN.  I use only IPSec on a hardware VPN router, it is much better, so I will not judge those frequent comments.  I said "moved" to IPSec, not supported it; there is a big difference.  VPN on a Windows box is too difficult for many people, so they give up on IPSec.  "Moved" implies that MS should get their act in gear and make it easy, but I don't think they can; they are too bogged down in making it complex, whereas routers are easy.

Anyway, back to the question, these kinds of problems are usually in the SBS setup, once again MS makes it far too complex to let VPN traffic through SBS.  JSheffer, I would look to the SBS setup for changes there.
 
jshefferAuthor Commented:
RobWill / Scrathcyboy,
Thanks for the suggestions.  I am using the PPTP protocol.  One of you mentioned that 47 is a protocol, not a port.  I'm not sure I know how to handle that.  What do I open in that case?  I've opened port 47.

My SBS server is 192.168.0.8.  Again the setup of my SBS server is in question.  It works great inside the network.  Accepts connections all day long.  Doesn't that imply that it is set up correctly?

Here are my port redirections on the Avaya SG200.

(Every row has Type = redirection, Zone = public, Enabled = YES, Protocol = TCP, From IP = public)

Row   To IP           From Port   To Port
  1   192.168.0.254   6129        6129
  2   192.168.0.8     25          25
  3   192.168.0.8     80          80
  4   192.168.0.3     6130        6130
  5   192.168.0.8     6131        6131
  6   192.168.0.8     443         443
  7   192.168.0.8     21          21
  8   192.168.0.8     3389        3389
  9   192.168.0.8     1024        1024
 10   192.168.0.8     1024        1024
 11   192.168.0.8     1723        1723
 12   192.168.0.8     47          47
 13   192.168.0.8     47          47
 14   192.168.0.8     500         500
 15   192.168.0.8     50          50
 16   192.168.0.8     51          51

 
Rob WilliamsCommented:
Hi jsheffer,
>>"47 is a protocol not a port.  I'm not sure I know how to handle that.  What do I open in that case."
It has to be handled differently and it varies from router to router. I could find no reference to GRE/PPTP pass-through in the manual, such that I wonder if it supports PPTP pass-through; some routers do not. Might be worth contacting Avaya. Unlike some other manufacturers, they have good support services.
However, on most routers there is a check box option for GRE pass-through, PPTP pass-through, or VPN pass-through, and on some such as Cisco's there are command lines to be entered. Forwarding port 47 will not resolve it. A few routers, such as Netgear, configure GRE at the same time when you forward the built-in port 1723 service (not a custom service). You do not need ports 500, 50 and 51 forwarded. That would be if using an IPSec VPN.
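The redirection list posted above and the reply explaining that GRE is IP protocol 47 rather than a port can be checked mechanically. This is an added example, not anything from the thread or from Avaya: it parses the router's export format, flags rows where an IP protocol number (GRE 47, ESP 50, AH 51) was entered as a TCP port, reports duplicate rows, and confirms TCP 1723 is redirected to the PPTP server. The embedded sample is a constructed subset of the rows above; the parser does not depend on the full set of fields.

```python
"""Audit an Avaya SG200-style redirection export for the PPTP pass-through mistakes
discussed above: IP protocol numbers entered as TCP ports, duplicates, missing TCP 1723."""
import re

IP_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}  # IP protocol numbers, not port numbers
PPTP_CONTROL_PORT = 1723  # PPTP control channel; the data channel is GRE, not a port

# Constructed sample in the router's export format (a subset of the rows posted above).
SAMPLE_EXPORT = """---- Row # 1 Data -------
Protocol = TCP
To IP = 192.168.0.8
From Port = 1723
---- Row # 2 Data -------
Protocol = TCP
To IP = 192.168.0.8
From Port = 47
---- Row # 3 Data -------
Protocol = TCP
To IP = 192.168.0.8
From Port = 47
"""

def parse_redirections(text):
    """Split '---- Row # N Data ----' blocks into dicts of 'Key = value' pairs."""
    rows = []
    for block in re.split(r"-+ Row # \d+ Data -+", text)[1:]:
        row = {}
        for line in block.splitlines():
            if "=" in line:  # skip blank separator lines between rows
                key, _, value = line.partition("=")
                row[key.strip()] = value.strip()
        rows.append(row)
    return rows

def audit(rows, pptp_server):
    """Return (pptp_control_ok, findings): whether TCP 1723 reaches the server, plus problems."""
    findings, seen, control_ok = [], set(), False
    for i, row in enumerate(rows, 1):
        proto, port = row["Protocol"].upper(), int(row["From Port"])
        key = (proto, row["To IP"], port)
        if key in seen:
            findings.append(f"row {i}: duplicate of an earlier redirection")
        seen.add(key)
        if port in IP_PROTOCOLS:  # GRE/ESP/AH ride directly on IP; a port rule never matches them
            findings.append(f"row {i}: {port} is IP protocol {IP_PROTOCOLS[port]}, "
                            f"not a {proto} port; use the router's pass-through option")
        if proto == "TCP" and port == PPTP_CONTROL_PORT and row["To IP"] == pptp_server:
            control_ok = True
    if not control_ok:
        findings.append(f"no TCP {PPTP_CONTROL_PORT} redirection to {pptp_server}")
    return control_ok, findings
```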
 
jshefferAuthor Commented:
This config has several other Avaya routers connecting via VPN(s).  The company's VoIP works across these routers.  So I'm thinking they are using the 500, 50 and 51 ports.  If it were not for all the other Avayas, I'd replace this thing.  Too hard to find support for it.  Can't find a knowledge base or anything.  I'm told Avaya tech support will cost an arm and a leg, so I'm hesitant about calling them.
 
Rob WilliamsCommented:
The VoIP system probably uses IPSec as you say, but the Avaya router itself is probably the VPN end point, rather than a server behind the router. This requires no port forwarding. With Avaya VoIP systems there is usually a hardware to hardware VPN tunnel and the phone system and voice mail boxes are behind the router. IPSec traffic is just between the 2 VPN routers/end points.
 
jshefferAuthor Commented:
I believe you are correct.
 
Rob WilliamsCommented:
>>"I believe you are correct."
Gee that has a nice ring to it  :-)
That is why I was suggesting earlier you might be able to get an IPSec software VPN client to connect directly to the router. Sorry but I don't have any info on what is available, but according to the manual it does seem possible.
 
Rob WilliamsCommented:
Thanks jsheffer,
-Rob