• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3334
  • Last Modified:

watchguard firewall and vpn port fwding 1723 and 47? not working, help!

i setup a microsoft IAS and VPN server.  I have a watchguard firebox1000 firewall and with a specific external ip address on it that i want to use just for vpn purposes. i need to forward the ports 1723 and 47 to my internal ip of the server.
my problem is i get the following errors on the vpn server
Event Type:      Warning
Event Source:      RemoteAccess
Event Category:      None
Event ID:      20049
Date:            10/17/2007
Time:            10:36:35 AM
User:            N/A
Computer:      IT-SERVER
Description:
The user connected to port VPN7-127 has been disconnected because the authentication process did not complete within the required amount of time.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


and

Event Type:      Warning
Event Source:      Rasman
Event Category:      None
Event ID:      20209
Date:            10/17/2007
Time:            10:38:33 AM
User:            N/A
Computer:      IT-SERVER
Description:
A connection between the VPN server and the VPN client 75.201.222.4 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


i have a policy setup in watchguard to allow traffic from the external base ip to the real base and also a pptp policy to allow any to the external ip address but i am still getting those errors on teh server and the client cannot connect.
please help!
0
yalemort
Asked:
yalemort
  • 23
  • 18
1 Solution
 
dpk_walCommented:
Make sure that you are able to make a PPTP session on the internal network when you use the private IP of the firebox; if not then you need to check your server configuration.

You must have configured 1-1 NAT for your server to allow incoming PPTP traffic; make sure you have added 1-1 NAT exceptions and that the public IP is not added as alias on the external interface. If you have not configured 1-1 NAT then you need to configure that for allowing incoming PPTP traffic [use the filtered PPTP service rather than using custom service].

You would need to configure the service as below:
Incoming connections are enabled and allowed; from specific remote client IP or subnet or ANY; to public IP [which you have used in 1-1 NAT]

If you need help with 1-1 NAT configuration, please let me know the WSM/WFS version and I would send the steps.

Please update.

Thank you.
0
 
yalemortAuthor Commented:
dpk wal,

without giving away my external ip lets say the external ip that im trying to use for the vpn is 205.1.10.300, this ip is in a range of external ips that i got from my internet provider.
the firewalls interface is configured with
205.1.10.295.
I have the external ip address 205.1.10.300 added as a secondary network on the firewall not as an alias.  for the vpn I am not using the actualy interface ip of the firewall(205.1.10.295), but one of the other ip's in my external range(205.1.10.300), this should be ok right?

i have configured a 1 to1 nat for the natbase of 205.1.10.300 and to the real base(the vpn server internal ip which is 192.168.1.18),

i also created the filtered pptp service to do the following
INCOMING: enabled and allowed
from: ANY
to: 205.1.10.300

OUTGOING: enabled and allowed
from: any
to: any

PROPERTIES:
1723 tcp client
47     ip   client

when i have it setup like this and i try to connect to the 205.1.10.300 using the microsoft vpn client on a comptuer outside my network i see the traffice on the firewall using the PPTP policy and its green saying its letting me come in to desitination port 1723, but i dont get any packets on the vpn server.  its like its not passing the packets on to my internal ip correctly.

but, i setup a custom policy using the 205.1.10.295 ip and forwarded ports 1723 to the vpn server internal ip of 192.168.1.10 and named it MSVPN
the policy is setup as follows
INCOMING: ENABLED AND ALLOWED
from: ANY
to: 205.1.10.295 -> 10.0.0.18  ( i used the ADD NAT to add this entry)

OUTGOING: ENABLED AND ALLOWED
from: ANY
to: ANY

PROPERTIES:
1723 tcp client

then when i use the computer outside the network to try to vpn connect to 205.1.10.295 i see errors on the vpn server(the ones i first posted in this question) so its tryign to authenticate because the vpn server is actually getting packets this time.
but on the firewall i see the following entry(note that the 75.202.200.55 is the laptop of the pc im trying to connect with)
Temporarily blocking host 75.202.200.55
DEN in eth0 57 gr 20 75.202.200.55  205.1.10.295 (default)

its not even saying its using the MSVPN policy i set up, but somehow some of the packets are getting to the vpn server because the errors i posted up top are happening.

its totally frustrating, and watchguard is not much help because they are saying that when im trying to connect to the .300 its green in the log so the packets are allowed in, but my vpn server is not getting them. and i think its becasue its not being forwarded correctly because why when i try to connect to the .295 ip i get errors on the vpn server and i see it trying to connect?

wooosh..that was a lot of typing! any help would be appreciated greatly!

thank you!
0
 
dpk_walCommented:
Well you have an option to add network on the external interface, but I would like to ask is this actually what you want to do; I mean is this needed?

The way I understand your network is:

                                   ________PPTP server(.300)
Internet---SWITCH-----|---------------------------Ext Interface of WG----Trusted Interface

If you have added secondary network on external interface this means you do not wish to have NAT implemented for the servers which would connect on the same switch as external interface of WG; further there is no need to configure 1-1 NAT in such a situation.

If your server is sitting on the trusted or DMZ (optional) interface then you either would need to configure subnet mask on external secondary network to exclude the IP and then add 1-1 NAT or remove secondary network from external interface altogether.

Please advice how would you like to proceed.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
yalemortAuthor Commented:
hmm i think you have it a little skewed.
the network is like this
internet -> WG -> internal switch -> vpn server

the WG only has 1 connection to the internet(.295 has been assigned to that interface)
but i have a range of external ips - .295 to .310, so per watchguard technicians instructions i added the .300 ip in the secondary networks tab with the interface set to EXTERNAL.
they also instructed me to do a 1 to 1 NAT with nat base of 205.1.10.300 and the real base ip 192.168.1.18, and also configured that pptp policy as shown  in the prior comment.

the vpn server is not connected directly to the WG, it is on a switch and the switch is connected to the WG.
The vpn server has 2 nics, both nics have internal ip addresses, nicA has 192.168.1.17 and nicB has 192.168.1.18, when i setup the vpn service on the server i configured the 192.168.1.18 as the "internet" nic, and 192.168.1.17 as the internal network NIC.
0
 
yalemortAuthor Commented:
the only thing i can thing is somehow get a packet capture on the por that the watchguard is connected to on teh internal switch. its a 3com managed switch.
is there a way i can see traffic coming from that firewall on the inside of the network? the firewall doesnt have a web interface, i access it from a client on a server. im sure your familier with how it works.
i dunno what else to do, it just seems weird how some packets reach the vpn server when using the .295 address but none reach it when using the .300 address
0
 
dpk_walCommented:
As you have all the machines on the trusted interface of WG; there is no need for secondary network on external interface; remove it; also remove MSVPN Service; just have the PPTP (in0built) service with 1-1 NAT configured.

After this the 1-1 NAT would work.

The reason the packets are not coming to the server on .300 IP is because the FB should have .300 on external interface and then there are NAT rules forwarding that IP's traffic to internal machines which is incorect; further with the MSVPN service some packets would go to the internal server but they would not come back properly.

Also, if there is no specific reason to have two NICs on the same subnet for the VPN server; disable one of the NICs; and make sure that the default gateway on the NIC is the trusted IP address of WG interface. Sometimes there would be problems with a multi-homed machine connected behind WG.

Please implement and update.

Thank you.
0
 
yalemortAuthor Commented:
i see what your saying but dont i need to have 2 nics to have the vpn server running?
1 for the vpn packets to be forwarded to, and the other to authenticate to the radius server and connect the people coming from the outside to the internal network?
and your saying to take the .300 external ip, off of the secondary network. if i do this, how is my firewall going to know to handle traffic for that ip?
0
 
dpk_walCommented:
By default WG FB would do proxy ARP for aliases and IP addresses added as 1-1 NAT. Also, for communicating with the RADIUS Server your server would utilize the same NIC it uses for incoming connections. Please note the server is behind FB and both the RADIUS server and VPN server are on the same subnet so communication would happen.

I am not sure if I made myself clear.

Please advice.
0
 
yalemortAuthor Commented:
i understand the first part about the arp'ing for aliases. but when im setting up the vpn server in routing and remote access it ask me to select
NETWORK INTERFACE THAT CONNECTS THIS SERVER TO THE INTERNET
so i choose the one nic i have the ip address of 192.168.1.18 on
then the next screen it asks me to
VPN CLIENTS MUST BE ASSIGNED TO ONE NETWORK FOR ADDRESS
and it doesnt let me choose teh same nice, i have to choose a different one. so i choose the otehr nic which i have configured with192.168.0.13
0
 
dpk_walCommented:
Well I am not an expert on SBS but what I know is Routing and remote access is for NAT implementation; please note we don't want the server to do any NAT at all; all we want the server to do is to act as PPTP server only.

Thank you.
0
 
yalemortAuthor Commented:
dpk,
to setup a microsoft vpn server with radius you have to have 2 nics, one for the internal network and one for the external.
let me ask you a question, can i place my vpn server on a dmz on the firewall? can i connect one of the nice directly to my watchguard firewall? I see that there are 4 extre ethernet ports in the front of it, is this to plug servers into? also is that is so what woudl i have to do to the policy to make it work.

thank you
0
 
dpk_walCommented:
If you place your PPTP server on optional interface, there would be some complications, the remote clients would get IP address in the IP interface range and then they would need to go to trusted from optional to access any shared network resources.

If you just wish to have PPTP with RADIUS authentication. you can configure your WG FB itself to act as a PPTP server and configure RADIUS authentication.

In this case you would be saved the task of configuring and maintenance of PPTP server on the server and the WG FB would talk to your pre-configured RADIUS server for PPTP authentication.

I am listing steps as per WSM/WFS version 9.0 (for others the process remains same but the steps might differ):
To configure PPTP users, in Policy Manager->VPN->Remote Users->PPTP; click "Activate Remote User VPN with PPTP"; select "Use RADIUS authentication to authenticate remote users" [this would automatically prompt to configure RADIUS server if not already done so]; then click ADD and add virtual IP address (which would be assigned to remote users when they connect; these IP address should not be used by any other device on the network).

You would need to add the user/group (already created on RADIUS) on WG, go to Policy Manager->Setup->Authentication->Authorized Users/Groups; ADD; specify user/group name and select Auth Server as RADUS.

Finally you would need to add a specific service or ANY server to allow traffic from remote users to WG and back. Configure service as:
Connections are enabled and allowed; from: User/group added above; to: trusted

To view/configure, authentication server details, go to Policy Manager->Setup->Authentication->Authentication Server->RADIUS; configure IP address; secret and other details.

Please look at the link below from WG website for more help (please note you would need a valid WG website login to view the articles):
https://www.watchguard.com/support/advancedfaqs/pptp_main.asp
https://www.watchguard.com/help/wsm/83/authentication11.html

Please let me know how would you like to proceed.

Thank you.
0
 
dpk_walCommented:
Any updates.
0
 
yalemortAuthor Commented:
just got back , i will test it out and let you know asap.
0
 
yalemortAuthor Commented:
dpk,

at this step,
You would need to add the user/group (already created on RADIUS) on WG, go to Policy Manager->Setup->Authentication->Authorized Users/Groups; ADD; specify user/group name and select Auth Server as RADUS.

when you say add the user/group already created on radius, what do you mean? and i dont see any Auth server as radius option.
0
 
yalemortAuthor Commented:
im confused, i thoguth the whole point of radius is so i dont have to create users on the firebox for each user iw ant to connect to the vpn. can you please explain to me
thank you
0
 
dpk_walCommented:
When you configure RADIUS server in Policy Manager you would see RADIUS as an option in Auth server when adding users/group.

WG would communicate with the RADIUS Server to get user/group details; WG needs to know the name; so if you define a group on RADIUS Server, for eg, ppp_users_for_wg and then define the same on WG that would do.

You can add users in this specific group on-need basis. Wg needs to have some base before it would contact the RADIUS server for authentication. Please note they are different vendors.

Please let me know if you need more information.

Thank you.
0
 
yalemortAuthor Commented:
You would need to add the user/group (already created on RADIUS) on WG, go to Policy Manager->Setup->Authentication->Authorized Users/Groups; ADD; specify user/group name and select Auth Server as RADUS.
when you say "and selet Auth Server as Radius"
i dont see that option anywhere on the firebox.

i am using a microsoft IAS. and i created a remote access policy.
im stil a bit confused.
0
 
dpk_walCommented:
Just to make sure have you added RADIUS server, under Policy Manager-> Setup-> Authentication-> Authentication Servers->RADIUS; make sure you have selected "Enable RADIUS Server" and the server details present.

Once the authentication server is added, you would have an option to select Auth Server as RADIUS.

Please check and udpate.

Thank you.
0
 
yalemortAuthor Commented:
its not, does ti have anything to do with the fact that the firewall is set to use the firebox for authentication?
if i go to the SETUP > FIREWALL AUTHENTICATION, firebox is checked?
0
 
dpk_walCommented:
It appears you do not have WFS/WSM version 9.0 as I had thought; you are right, if you have version 8.3.1 or lower you need to set Authentication via RADIUS server; further there is no need to add users/group in WG FB as I was mentioning earlier.

Sorry for the confusion.

Thank you.
0
 
yalemortAuthor Commented:
if i set radius for authentication, is this going to change the way i connect to myfirewal internally? like right now i connect to it via a software intall ont ehcomputer, i dont want to not be able to connect to it.

0
 
yalemortAuthor Commented:
here is a screenshot of my firewall log.
do you see where it says "not a memebr ofpptp_users"
im lost,
i did waht you said and i set it to use radius authentication, and my radius server shows it connected.
but i dont konw if i have to create a new policy or what?
i get back on my machien im trying to cnnect with that the "user is not setup for dial up"
which is incorrect because that user is setup to use the remote access policy.
www.staticimage.com/f1.gif
www.staticimage.com/f2.jpg
0
 
dpk_walCommented:
Please add ANY policy for remote user as below, you can later remove ANY service and open only the requred traffic once things start working:
Incoming Connections are Enabled and Allowed; from RADIUS-group [Click Add; Add Other and you should be able to see the group listed]; to trusted

If you do not see the group listed then add group on WG exactly as it appears on RADIUS server.

For checking if RADIUS authentication is happening or not, open any browser and go to:
http://wg-internal-ip-address:4100
you would be prompted for username/password; put RADIUS user/group and check if you get successfully logged in; further see if you can then ping anything or access shared resources.

Please implement and update.
0
 
yalemortAuthor Commented:
dpk,
do you have msn or yahoo messenger? if so maybe you can help me over this if you have a chance, because i dont see what you mean to at the group to wg exactly as it is on th radius server?
my msn username is rduque41@bellsouth.net
and aim is smashing69
thank you!
0
 
yalemortAuthor Commented:
and that test you had me try, it says authrization failed.
0
 
hstilesCommented:
You do not NEED to have 2 NICs to have a Windows 2003 Server RRAS VPN Server.   However, if you want to use the Wizards to set up a VPN Policy, then it will always complain if you do not have 2 NICs.

So, you have two options

1) Set up the VPNPolicy manually.  There are plenty of instructions on doing this on the net
2) Use the Wizard to set up the policy, but then disable or team the second NIC and then reconfigure the wizard-generatedpolicy to reflect the change of interface.

I have gotten RRAS working a treat this way.  It was ages ago though, so some details are sketchy.
0
 
dpk_walCommented:
As you are getting authentication failed, the communication between WG and RADIUS server is not happening properly. Please take a look at the articles from WG website (please note you would need to have WG website login to view articles [please use article as it applies per your WG software version]):

https://www.watchguard.com/support/faqs/fireware/91/radius.htm
https://www.watchguard.com/support/faqs/fireware/90/howto_radius.htm
https://www.watchguard.com/support/advancedfaqs/auth_javaradius.asp

Please see if they help.

Thank you.
0
 
yalemortAuthor Commented:
dpk wal,

i got it to connect! finally!
i found this article on the watchguard website, its what i was missing in the IAS group properties
https://www.watchguard.com/support/advancedfaqs/pptp_radius.asp
a filter_id.

i have 1 question now. when i connect, and i try to ping servers by name, it resolves the ip but i cant ping them. i cant unc to them or anything.
it has the correct dns server information in the ip settings when i do an ipconfig /all.
but i cant browse out to the network or ping any servers. any ideas?
0
 
yalemortAuthor Commented:
the ipconfiguration my comptuer gets is:
ip: 192.168.1.155
subnet mask: 255.255.255.255
default gateway: 192.168.1.155
dns server: 192.168.1.2

the dns server and the ip configuration are correct,
but shouldnt the subnet mask be 255.255.255.0?
and is it correct for the default gateway to be the same as the ip address?
thats the ip address i configured in the firewall NETWORK > REMOTE USER > PPTP tab
i dont know where it gets the rest of the ip info from?
0
 
yalemortAuthor Commented:
i think i see whats blocking it, look at the firewall log
www.staticimage.com/f3.jpg
the 10.0.0.55 is the ip my laptop connected to the vpn got, the 10.0.0.4 is the ip im trying to ping.
is there a policy im missing ?
0
 
dpk_walCommented:
you are correct, a firewall policy allowing the traffic from remote user/group is missing causing the problem; the log clearly shows that the firebox has no policy for the traffic and is denied by the default policy DENY [last rule which is hit if no policy matches a given traffic].

Please create specific policy/rule to allow traffic or the generic ANY [caution: ANY service allows traffic on all ports and all protocols], configure the service as below:
Incoming Enabled and Allowed; from group/users; to Trusted [this woudl grant access to trusted network only]
Outgoing Enabled and Allowed; from Trusted; to group/users

This should get the traffic to pass through.

The links which I sent also talk about filter_id, sorry, I missed telling you that earlier.

Please implement and update.

Thank you.
0
 
yalemortAuthor Commented:
when you say from group/users who is this?
0
 
dpk_walCommented:
In the From box; click Add; Add Other; then select the user/group which is on the RADIUS server.

Than you.
0
 
yalemortAuthor Commented:
which user/group on the radius server? i have a remote access policy? but thats about it
0
 
dpk_walCommented:
The user/group is the one which needs to access the shared resources remotely. The one which is getting authenticated through the PPTP server using RADIUS authentication.
0
 
yalemortAuthor Commented:
ya its pptp_users, that must be like the defautl watchguard group.
now i can ping by ip address, but the name resolution is still not working. any ideas?
0
 
dpk_walCommented:
For name resolution please make sure that the remote machines get the DNS and/or WINS server as your server hosted behind WG; if you are not using any mail client, then you also have an option to configure the IP/name mapping in the hosts files [%windir%/system32/drivers/etc/hosts] as:
ip-address name
However, this is a tedious option as you would need to do this on every client machine.

Please note you can specify DNS setting for remote users in Policy Manager->Network->Configuration->WINS/DNS.

Please implement and update.

Thank you.
0
 
yalemortAuthor Commented:
they are getting the following information, the dns server is correct
ip: 192.168.1.155
subnet mask: 255.255.255.255
default gateway: 192.168.1.155
dns server: 192.168.1.2

the dns server and the ip configuration are correct,
but shouldnt the subnet mask be 255.255.255.0?
and is it correct for the default gateway to be the same as the ip address?
0
 
dpk_walCommented:
Yes, the remote users would get /32 bit mask for IP address, and the gateway would be same as the IP address; if you use hostname.yourdomain can you then ping the machines by name; if yes, then you need to add DNS suffix in the virtual adapter, TCP/IP->Advanced->DNS settings which would solve the issue.

Please check and update.
0
 
yalemortAuthor Commented:
ok i will try it and let you know. thank you.
0
 
dpk_walCommented:
You are welcome, please let me know, I would be happy to help! :)
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 23
  • 18
Tackle projects and never again get stuck behind a technical roadblock.
Join Now