Solved

VPN Pass through with Avaya SG200 router

Posted on 2006-06-05
Last Modified: 2013-11-29
Hello,
I have a network with a static IP that has an Avaya SG200 router.  I need to establish a VPN connection to my Windows 2003 SBS on the private side of the Avaya.  I've "redirected" port 1723 to the private IP of the server and opened the GRE 47 service with still no luck.  After it connects, it says verifying user name and password, then times out with "error 721".

Inside the network, my server accepts the VPN connection with ease.  
Question by:jsheffer

14 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16837684
A 721 error is most often caused by GRE traffic being blocked. This can be caused by a software firewall on the PC/Server you are connecting to, such as the Windows firewall, or by the router itself. You mentioned you "opened the GRE 47 service"; I didn't see any options in the on-line manual I looked at for this, at least not as a predefined service. GRE is protocol 47, not port 47. Are you sure the router supports PPTP pass-through? There is no mention of it in the manual.
It does appear there is the ability to change the firewall security level, some routers such as Vigors require lowering the security level slightly to allow GRE traffic.
It does appear the router will support an IPSec client directly without the need of a Windows VPN server. Have you looked at that as an option? If it is feasible, it will give you slightly better performance and more security.
LVL 44

Expert Comment

by:scrathcyboy
ID: 16837807
You can't just forward port 1723; generally at least 3 ports are needed for VPN, and it depends on whether you use PPPOE or IPSec as to which ports.  It also varies depending on whether the VPN endpoint is a router or a Windows box.  See here for example --

http://technet2.microsoft.com/WindowsServer/en/Library/62da7e09-a5bf-44e0-879d-44fe0002c4531033.mspx?mfr=true
LVL 78

Expert Comment

by:Rob Williams
ID: 16837847
Actually scrathcyboy, assuming a PPTP VPN, which is the standard Windows VPN, it requires only port 1723 and GRE pass-through. L2TP and IPSec have different requirements.
LVL 44

Expert Comment

by:scrathcyboy
ID: 16838204
Yes I know, but he didn't state which protocol.  You would think 2003 would have moved up to IPSec.

JSheffer, why not try changing to IPSec? It is more secure, with better encryption.  The only reason you would not want to is if people log in from motels and such, where the protocol is always defaulted to PPTP.
LVL 78

Expert Comment

by:Rob Williams
ID: 16838326
scrathcyboy, L2TP with IPSec has been available since WinNT but is much more elaborate to configure with a Windows server, fine if using a router. As for hotels "defaulting" to PPTP, I'm not quite sure why you would say that.
LVL 44

Expert Comment

by:scrathcyboy
ID: 16838908
Only from many comments on Experts Exchange; people say when they travel they can only do PPTP VPN.  I use only IPSec on a hardware VPN router, it is much better, so I will not judge those frequent comments.  I said "moved" to IPSec, not supported it, there is a big difference.  VPN on a Windows box is too difficult for many people, so they give up on IPSec.  "Moved" implies that MS should get their act in gear and make it easy, but I don't think they can; they are too bogged down in making it complex, whereas routers are easy.

Anyway, back to the question, these kinds of problems are usually in the SBS setup, once again MS makes it far too complex to let VPN traffic through SBS.  JSheffer, I would look to the SBS setup for changes there.
LVL 1

Author Comment

by:jsheffer
ID: 16842013
RobWill / Scrathcyboy,
Thanks for the suggestions.  I am using the PPTP protocol.  One of you mentioned that 47 is a protocol, not a port.  I'm not sure I know how to handle that.  What do I open in that case?  I've opened port 47.

My SBS server is 192.168.0.8.  Again the setup of my SBS server is in question.  It works great inside the network.  Accepts connections all day long.  Doesn't that imply that it is set up correctly?

Here are my port redirections on the Avaya SG200.

---- Row # 1 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.254
From Port = 6129
To Port = 6129

---- Row # 2 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 25
To Port = 25

---- Row # 3 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 80
To Port = 80

---- Row # 4 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.3
From Port = 6130
To Port = 6130

---- Row # 5 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 6131
To Port = 6131

---- Row # 6 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 443
To Port = 443

---- Row # 7 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 21
To Port = 21

---- Row # 8 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 3389
To Port = 3389

---- Row # 9 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 1024
To Port = 1024

---- Row # 10 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 1024
To Port = 1024

---- Row # 11 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 1723
To Port = 1723

---- Row # 12 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 47
To Port = 47

---- Row # 13 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 47
To Port = 47

---- Row # 14 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 500
To Port = 500

---- Row # 15 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 50
To Port = 50

---- Row # 16 Data -------
Type = redirection
Zone = public
Enabled = YES
Protocol = TCP
From IP = public
To IP = 192.168.0.8
From Port = 51
To Port = 51

LVL 78

Expert Comment

by:Rob Williams
ID: 16842211
Hi jsheffer,
>>"47 is a protocol not a port.  I'm not sure I know how to handle that.  What do I open in that case."
It has to be handled differently and it varies from router to router. I could find no reference to GRE/PPTP pass-through in the manual, such that I wonder if it supports PPTP pass-through; some routers do not. Might be worth contacting Avaya. Unlike some other manufacturers, they have good support services.
However, on most routers there is a check box option for GRE pass-through, PPTP pass-through, or VPN pass-through, and on some, such as Cisco's, there are command lines to be entered. Forwarding port 47 will not resolve it. On a few routers, such as Netgear, forwarding the built-in port 1723 service (not a custom service) configures GRE at the same time. You do not need ports 500, 50 and 51 forwarded. Those would be for an IPSec VPN.
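As an added illustration of the point Rob makes above (GRE is IP protocol 47, not a TCP port, and 500/50/51 belong to IPSec, not PPTP), here is a small audit script that is not part of the original thread. It parses the SG200 redirection dump format jsheffer posted and flags the rules that cannot make a PPTP pass-through work; the row-rendering helper and the sample rows are constructed here to reproduce rows 11-16 of the posted table.

```python
import re

# IP protocol numbers that are commonly mistaken for TCP/UDP port numbers in forwarding rules
IP_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}


def row(n, port, to_ip="192.168.0.8", proto="TCP"):
    """Render one rule in the SG200 dump format shown in the question (constructed helper)."""
    return (f"---- Row # {n} Data -------\nType = redirection\nZone = public\n"
            f"Enabled = YES\nProtocol = {proto}\nFrom IP = public\nTo IP = {to_ip}\n"
            f"From Port = {port}\nTo Port = {port}\n")


# Constructed sample reproducing rows 11-16 of the configuration posted in the thread
SAMPLE_RULES = "\n".join(row(n, p) for n, p in
                         [(11, 1723), (12, 47), (13, 47), (14, 500), (15, 50), (16, 51)])


def parse_rules(text):
    """Split the dump on '---- Row # N Data ----' headers and return one dict per rule."""
    rules = []
    for block in re.split(r"^---- Row # \d+ Data -+\s*$", text, flags=re.M):
        fields = dict(line.split(" = ", 1) for line in block.strip().splitlines() if " = " in line)
        if fields:
            rules.append(fields)
    return rules


def audit_pptp(rules):
    """Flag rules that cannot help a PPTP pass-through and report whether TCP 1723 is forwarded."""
    findings, seen = [], set()
    for r in rules:
        port = int(r["From Port"])
        key = (r["Protocol"], r["To IP"], r["From Port"], r["To Port"])
        if key in seen:  # rows 12/13 in the posted table are identical
            findings.append(f"duplicate rule: {r['Protocol']} port {port} -> {r['To IP']}")
        seen.add(key)
        if port in IP_PROTOCOLS:
            findings.append(f"port {port} is not a port: {IP_PROTOCOLS[port]} is IP protocol "
                            f"{port} and needs pass-through, not a TCP forward")
        elif port == 500:
            findings.append("port 500 is IKE: used by IPSec/L2TP, not by PPTP")
    if any(r["Protocol"] == "TCP" and r["Enabled"] == "YES" and r["From Port"] == "1723"
           for r in rules):
        findings.append("TCP 1723 forwarded: PPTP control channel reachable, GRE still needs pass-through")
    else:
        findings.append("TCP 1723 not forwarded: PPTP control channel blocked")
    return findings
```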
LVL 1

Author Comment

by:jsheffer
ID: 16842315
This config has several other Avaya routers connecting via VPN(s).  The company's VoIP works across these routers.  So I'm thinking they are using the 500, 50 and 51 ports.  If it were not for all the other Avayas, I'd replace this thing.  Too hard to find support for it.  Can't find a knowledge base or anything.  I'm told Avaya tech support will cost an arm and a leg, so I'm hesitant about calling them.
LVL 78

Expert Comment

by:Rob Williams
ID: 16842396
The VoIP system probably uses IPSec as you say, but the Avaya router itself is probably the VPN end point, rather than a server behind the router. This requires no port forwarding. With Avaya VoIP systems there is usually a hardware to hardware VPN tunnel and the phone system and voice mail boxes are behind the router. IPSec traffic is just between the 2 VPN routers/end points.
LVL 1

Author Comment

by:jsheffer
ID: 16842476
I believe you are correct.
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 750 total points
ID: 16842513
>>"I believe you are correct."
Gee that has a nice ring to it  :-)
That is why I was suggesting earlier you might be able to get an IPSec software VPN client to connect directly to the router. Sorry but I don't have any info on what is available, but according to the manual it does seem possible.
LVL 44

Accepted Solution

by:scrathcyboy
scrathcyboy earned 750 total points
ID: 16845475
If you will look back at the link I posted in my first comment, you will see all the ports to open up.  So open them and get it working, then close off the ones you don't need, and as I said, go to IPSec; it is much better.
LVL 78

Expert Comment

by:Rob Williams
ID: 16920948
Thanks jsheffer,
-Rob