Solved

VPN Error 628

Posted on 2009-07-08
27
2,111 Views
Last Modified: 2012-05-07
I have a Windows XP Pro machine and I have set up a VPN connection so people can connect to me via VPN. First of all I am not 100% sure this will work on XP Pro but I have the same setup that works on my Server running Server 2003. (Pro might be missing a few major things that I need but I'm not sure.)

When people try to connect to me they get to the point where it sits on "Username and Password", then it disconnects and says ERROR 628.

I have all the correct ports open and I am sitting behind a Linksys router.

Thanks
0
Comment
Question by:TheTechEase
27 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24809245
Correct ports? Should be just port 1723 forwarded on the Linksys and also enable "PPTP pass-through" on the Linksys. The latter allows the GRE protocol (protocol 47, not port 47).

Also make sure any software firewalls are disabled on the XP machine. Some other security software will also block PPTP VPNs, like Windows One Care, some versions of Trend Micro, Symantec A/V and others.

Is the Linksys behind a basic modem or a combined modem and router unit? You cannot have 2 NAT devices, so if you have a "combo" unit, it needs to be put in Bridge mode.

XP will work well, but it only allows one connection at a time, and by default does not allow routing to other devices on the LAN. The routing however can be enabled in the registry if required.
0
 
LVL 8

Expert Comment

by:Milan_Ojh
ID: 24810324
Have a look at the link below; it may help you out:

http://www.howtonetworking.com/vpnissues/error628.htm

cheers
0
 

Author Comment

by:TheTechEase
ID: 24810339
Yes I have port 1723 going to the XP Pro machine as well as PPTP enabled on the router.

I also have a modem and then the Linksys device, so there is no need for bridge mode.

The way the VPN works is just what I am looking for. One machine getting into one machine. Very simple.

I am going to check on the username and password that are allowed since everything else looks good. No firewalls or anything of that nature going on.

I did check out that website and it pretty much tells me what I already tried but thank you.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24810376
By the way, the password cannot be blank.
You could also test from a PC on the LAN to rule out any routing or external GRE issues.
0
 

Author Comment

by:TheTechEase
ID: 24810386
I'll give that a shot.
0
 

Author Comment

by:TheTechEase
ID: 24810456
Works from the inside LAN. I checked and double-checked the router; it's up to date with firmware and PPTP is enabled. Port 1723 is going to the static IP of the XP machine running the VPN. Username and password are correct b/c again it worked on the LAN.

Windows firewall is off and I took off the anti-virus. The machine was loaded with Windows a few weeks ago and nothing has been done to it.
0
 

Author Comment

by:TheTechEase
ID: 24810513
Just tried to open ALL ports on the Linksys and still a no go. This is the 2nd router with the same issue.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24812128
There are a few ISPs that block PPTP, especially on residential networks. That is a possibility. One I know of is Comcast in some areas of North Eastern US.

It is possible, but less common, that it is blocked at the client site.

I assume you are testing from off site? You cannot connect to the public IP from the same site as the host.

If it is getting to verifying username and password it sounds like port forwarding is working but that GRE may be blocked. There are a couple of tests you can do to check if port forwarding for PPTP is configured correctly and that GRE is allowed to pass.
 
To verify PPTP, port 1723, is forwarded; from the VPN server go to the following site and test for port 1723:
http://www.canyouseeme.org
 
Assuming that is working correctly, Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
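What a successful test of port 1723 actually proves, as an added example that is not part of the thread or of Microsoft's tools: the sketch below builds the first PPTP control message (Start-Control-Connection-Request) and decodes the server's reply, using the message layout from RFC 2637. A good reply only confirms the TCP control channel; the username/password phase travels in GRE (protocol 47) and still needs the pptpsrv/pptpclnt test. The sample reply, host name and vendor string are constructed, and `probe()` is a hypothetical helper that needs a reachable server.

```python
import socket
import struct

PPTP_PORT = 1723            # TCP control channel (the port forwarded on the router)
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value carried by every PPTP control message
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
# Header: length, PPTP message type, cookie, control type, reserved0, version
HEADER = struct.Struct("!HHIHHH")
# Request body: reserved1, framing caps, bearer caps, max channels, firmware, host, vendor
RQ_BODY = struct.Struct("!HIIHH64s64s")
# Reply body: result code, error code, then the same capability and name fields
RP_BODY = struct.Struct("!BBIIHH64s64s")

def build_sccrq(hostname=b"probe"):
    """Build the 156-byte request a PPTP client sends first on TCP 1723."""
    body = RQ_BODY.pack(0, 3, 3, 0, 0, hostname, b"")
    return HEADER.pack(HEADER.size + len(body), 1, MAGIC_COOKIE, SCCRQ, 0, 0x0100) + body

def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < HEADER.size + RP_BODY.size:
        raise ValueError("short reply")
    _, msg_type, cookie, ctrl_type, _, version = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    result, error, _, _, _, _, host, vendor = RP_BODY.unpack_from(data, HEADER.size)
    return {"version": version, "result": result, "error": error,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
            "control_channel_ok": result == 1}  # 1 = channel established

def probe(server, timeout=5.0):
    """Live check (needs network): send the request to server:1723, parse the reply."""
    with socket.create_connection((server, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < 156:
            chunk = s.recv(156 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)

def sample_reply():
    """Constructed reply for offline use, not captured from a real server."""
    body = RP_BODY.pack(1, 0, 3, 3, 1, 0, b"vpn-host.example", b"constructed")
    return HEADER.pack(HEADER.size + len(body), 1, MAGIC_COOKIE, SCCRP, 0, 0x0100) + body

if __name__ == "__main__":
    print(parse_sccrp(sample_reply()))
```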
 

Author Comment

by:TheTechEase
ID: 24817422
Ok I am going to give that a shot.

The problem I am having is I installed the XP tools on both machines and started the "pptpsrv" on the server. On the client end I try to open "pptpclnt" from the same folder as I found "pptpsrv". But when I click on "pptpclnt", a DOS window pops up and goes away fast.

"While running pptpclnt <server name or IP> on the VPN client." That's what it wants me to do but I can not seem to get the client end to send anything.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24817571
You need to open a DOS window (command prompt), change to the directory where PPTP is located, and run it from the command prompt. It is a DOS app.
0
 

Author Comment

by:TheTechEase
ID: 24817772
Ok got it.

On the client side it says 5 packets sent. Then it says Check server to see if the GRE packets were received successfully.

On the server side nothing changes in the DOS window. I started the server side before the client side.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24817813
Sounds then like GRE is blocked by something. Perhaps contact the ISPs and see if they block that protocol. They usually say they don't as they don't know, but sometimes they are quite helpful.
0
 

Author Comment

by:TheTechEase
ID: 24817831
**Check that**

I had to stop RRAS on the server end and that worked. On the server end it says "connectivity test to TCP port 1723 was successful"

Now what do I do??
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 24818131
This is XP is it?
Do you have multiple NICs and/or Internet Connection Sharing enabled?
0
 

Author Comment

by:TheTechEase
ID: 24818245
It is XP PRO. I do not have Internet connection sharing enabled on the client side. If I do try to enable it my IP address then matches that of my router.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24818440
You don't want to use ICS.
If that is the case, is your router set to use 192.168.0.X? The remote site cannot use the same subnet. A basic rule of VPNs is the local and remote sites must use different subnets. With a server RRAS version it will connect, but you cannot access any resources. I am not sure what would happen with XP; it might not even connect. Might the subnets be the same?
0
 

Author Comment

by:TheTechEase
ID: 24818517
Yes they are the same subnets.

I also have a Server at a different location with the same setup I am trying to do here and 3-4 people connect to that VPN with the same subnets.

So from inside the network I can connect just fine to the VPN in question . From the outside we have found out that port 1723 is working and nothing seems to be being blocked.

What else could be going on here?

Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24818593
Fact! Subnets need to be different. If the VPN client has "use remote default gateway" enabled, they will be able to connect to and access the VPN server but nothing else. This may not be the problem here, but it is important and why you never use common subnets at the host end such as 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 192.168.111.x, 10.x.x.x, 10.10.10.x, or 172.16.1.x. Using common subnets at the host end means mobile users connecting from public sites such as hotels that use defaults will often have problems.

The reason for this is packets are routed based on their network ID (subnet to which they belong). If a packet is sent from a remote site and it belongs to the same subnet as the local router, the router will not forward the packet. The "use remote default gateway" will usually override this for the one IP (the VPN IP), but not always.

However, having said that, if it is getting to verifying username and password it has started the initial handshaking and routing may not be the problem. Would be worth a try changing one site or the other, and it is a recommended practice. Users often switch off the "use remote default gateway" option to allow simultaneous VPN and local network access.

The only other thought I have is too low an MTU value for your connection:
Dropped and incomplete connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and, when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm

 
0
 

Author Comment

by:TheTechEase
ID: 24818672
My apologies. I do have different subnets for each location.

I have tried many different MTU sizes on the server end and also enabled and disabled "use remote default gateway"

No luck any way I configure it. This is unreal for such a simple thing.
0
 

Author Comment

by:TheTechEase
ID: 24818695
Is there another software VPN that will work?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 400 total points
ID: 24818778
Hamachi is very easy to set up and works almost anywhere because it is actually two outgoing connections connected by a 3rd party server. It works very well, is secure, and free if for non-commercial use:
https://secure.logmein.com/products/hamachi/vpn.asp?lang=en

By the way you want to change the MTU value at the client end.
0
 

Author Comment

by:TheTechEase
ID: 24818787
That works as a server?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24818815
Hamachi is quite unique. You install it on 2 or more machines, following the wizards, and you create groups. As soon as you start the application it contacts a master 3rd party Hamachi server, which monitors your on-line presence. When another member of your group comes on line the Hamachi server looks after the handshaking between the two (or more) group members and then "sets them free" to have a private tunnel between the group members. It is actually more secure than PPTP and its primary advantage is that they are all outgoing connections (like web browsing) so you don't have to worry about port forwarding and firewalls. As a matter of fact the biggest problem with Hamachi is it can breach very good security systems to allow a back door through corporate networks.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24818823
Another popular free Linux based VPN is OpenVPN
http://openvpn.net/
0
 

Author Closing Comment

by:TheTechEase
ID: 31601356
Good work around
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24819669
Thanks TheTechEase. Good luck with the project.
Cheers!
--Rob
0
 

Author Comment

by:TheTechEase
ID: 24819689
Thank U!
0
