TheTechEase

VPN Error 628

I have a Windows XP Pro machine and I have set up a VPN connection so people can connect to me via VPN. First of all I am not 100% sure this will work on XP Pro, but I have the same setup that works on my Server running Server 2003. (Pro might be missing a few major things that I need, but I'm not sure.)

When people try to connect to me they get to the point where it sits on "Username and Password", then it disconnects and says ERROR 628.

I have all the correct ports open and I am sitting behind a Linksys router.

Thanks
Rob Williams

Correct ports? Should be just port 1723 forwarded on the Linksys and also enable "PPTP pass-through" on the Linksys. The latter allows the GRE protocol (protocol 47, not port 47).

Also make sure any software firewalls are disabled on the XP machine. Some other security software will also block PPTP VPNs, like Windows One Care, some versions of Trend Micro, Symantec A/V and others.

Is the Linksys behind a basic modem or a combined modem and router unit? You cannot have 2 NAT devices, so if you have a "combo" unit, it needs to be put in Bridge mode.

XP will work well, but it only allows one connection at a time, and by default does not allow routing to other devices on the LAN. The routing however can be enabled in the registry if required.
Have a look at the link below; it may help you out:

http://www.howtonetworking.com/vpnissues/error628.htm

cheers
TheTechEase (Asker)

Yes I have port 1723 going to the XP Pro machine as well as PPTP enabled on the router.

I also have a modem and then the Linksys device, so there is no need for bridge mode.

The way the VPN works is just what I am looking for. One machine getting into one machine. Very simple.

I am going to check on the username and password that are allowed since everything else looks good. No firewalls or anything of that nature going on.

I did check out that website and it pretty much tells me what I already tried but thank you.
By the way, the password cannot be blank.
You could also test from a PC on the LAN to rule out any routing or external GRE issues.
I'll give that a shot.
Works from the inside LAN. I checked and double checked the router; it's up to date with firmware and PPTP is enabled. Port 1723 is going to the static IP of the XP machine running the VPN. Username and password are correct b/c again it worked on the LAN.

Windows firewall is off and I took off the anti-virus. The machine was loaded with Windows a few weeks ago and nothing has been done to it.
Just tried to open ALL ports on the Linksys and still a no go. This is the 2nd router with the same issue.
There are a few ISPs that block PPTP, especially on residential networks. That is a possibility. One I know of is Comcast in some areas of North Eastern US.

It is possible, but less common, that it is blocked at the client site.

I assume you are testing from off site? You cannot connect to the public IP from the same site as the host.

If it is getting to verifying username and password it sounds like port forwarding is working but that GRE may be blocked. There are a couple of tests you can do to check if port forwarding for PPTP is configured correctly and that GRE is allowed to pass.

To verify PPTP, port 1723, is forwarded; from the VPN server go to the following site and test for port 1723:
http://www.canyouseeme.org

Assuming that is working correctly, Microsoft has a pair of test tools, pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicates received, but I have never had that part work. The one direction client to server is usually enough to test.

The following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
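The TCP half of the test above can also be done without a third-party website. The script below is an added example written for this page, not a tool from the thread or from Microsoft: it opens TCP 1723 to the VPN server, sends a PPTP Start-Control-Connection-Request and decodes the Start-Control-Connection-Reply, using the message layouts from RFC 2637. If the server answers, port forwarding for 1723 is working and a connection that still drops at "Verifying username and password" is almost certainly a GRE (IP protocol 47) problem, which this TCP probe cannot test. The host name, vendor string and the sample reply are constructed values.

```python
"""PPTP control-connection probe (TCP 1723 only; GRE is not exercised).

Message layouts follow RFC 2637 (Start-Control-Connection-Request/Reply).
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1          # Start-Control-Connection-Request
CTRL_SCCRP = 2          # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100
FRAMING_ASYNC = 1
BEARER_DIGITAL = 2
CTRL_MSG_LEN = 156      # both SCCRQ and SCCRP are fixed-length

RESULT_CODES = {1: "successful", 2: "general error", 3: "already connected",
                4: "not authorized", 5: "unsupported protocol version"}

# length, msg type, cookie, ctrl type, reserved0, version, reserved1,
# framing caps, bearer caps, max channels, firmware rev, hostname, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# same as SCCRQ but reserved1 is split into result code + error code
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"constructed") -> bytes:
    """Return an RFC 2637 SCCRQ announcing one channel, async framing."""
    return struct.pack(SCCRQ_FMT, CTRL_MSG_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE,
                       CTRL_SCCRQ, 0, PROTOCOL_VERSION, 0, FRAMING_ASYNC,
                       BEARER_DIGITAL, 1, 0, hostname, vendor)


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError if the bytes are not one."""
    if len(data) < CTRL_MSG_LEN:
        raise ValueError("short PPTP control message (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, firmware, hostname, vendor) = struct.unpack(
        SCCRP_FMT, data[:CTRL_MSG_LEN])
    if cookie != MAGIC_COOKIE or msg_type != MSG_TYPE_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "result": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error": error,
        "framing": framing, "bearer": bearer,
        "max_channels": max_chan, "firmware": firmware,
        "hostname": hostname.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


def constructed_sccrp(result: int = 1, hostname: bytes = b"xp-vpn-host") -> bytes:
    """A constructed SCCRP, shaped like a Windows PPTP server's reply (sample data)."""
    return struct.pack(SCCRP_FMT, CTRL_MSG_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE,
                       CTRL_SCCRP, 0, PROTOCOL_VERSION, result, 0,
                       FRAMING_ASYNC | 2, BEARER_DIGITAL, 1, 0, hostname,
                       b"constructed-vendor")


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect, send an SCCRQ, read one SCCRP and return it decoded."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < CTRL_MSG_LEN:
            chunk = s.recv(CTRL_MSG_LEN - len(data))
            if not chunk:
                break               # server closed early: parse will complain
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    # usage: python pptp_probe.py <vpn-public-ip>   (run from outside the LAN)
    if len(sys.argv) != 2:
        sys.exit("usage: pptp_probe.py <host>")
    try:
        for key, value in probe_pptp(sys.argv[1]).items():
            print("%-13s %s" % (key, value))
        print("TCP 1723 reaches a PPTP server; if logins still fail at "
              "'Verifying username and password', test GRE next.")
    except (OSError, ValueError) as exc:
        print("no PPTP control reply:", exc)
```

Run it from a machine outside the LAN, as Rob notes that testing the public IP from inside the site does not work. A refused or timed-out connection points at port forwarding or the ISP; a decoded reply with result "successful" means the control channel is fine and only the GRE tunnel remains to be checked with pptpsrv/pptpclnt.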
Ok I am going to give that a shot.

The problem I am having is I installed the XP tools on both machines and started the "pptpsrv" on the server. On the client end I try and open "pptpclnt" from the same folder as I found "pptpsrv". But when I click on "pptpclnt" a DOS window pops up and goes away fast.

"While running pptpclnt <server name or IP> on the VPN client." That's what it wants me to do but I can not seem to get the client end to send anything.
You need to open a DOS window (command prompt), change to the directory where PPTP is located, and run it from the command prompt. It is a DOS app.
Ok got it.

On the client side it says 5 packets sent. Then it says Check server to see if the GRE packets were received successfully.

On the server side nothing changes in the DOS window. I started the server side before the client side.
Sounds then like GRE is blocked by something. Perhaps contact the ISPs and see if they block that protocol. They usually say they don't as they don't know, but sometimes they are quite helpful.
**Check that**

I had to stop RRAS on the server end and that worked. On the server end it says "connectivity test to TCP port 1723 was successful"

Now what do I do??
This is XP is it?
Do you have multiple NICs and/or Internet Connection Sharing enabled?
It is XP PRO. I do not have Internet connection sharing enabled on the client side. If I do try to enable it my IP address then matches that of my router.
You don't want to use ICS.
If that is the case, is your router set to use 192.168.0.X? The remote site cannot use the same subnet. A basic rule of VPNs is the local and remote sites must use different subnets. With a server RRAS version it will connect, but you cannot access any resources; I am not sure what would happen with XP, it might not even connect. Might the subnets be the same?
Yes they are the same subnets.

I also have a Server at a different location with the same setup I am trying to do here and 3-4 people connect to that VPN with the same subnets.

So from inside the network I can connect just fine to the VPN in question . From the outside we have found out that port 1723 is working and nothing seems to be being blocked.

What else could be going on here?

Thanks
Fact! Subnets need to be different. If the VPN client has "use remote default gateway" enabled, they will be able to connect to and access the VPN server but nothing else. This may not be the problem here, but it is important and why you never use common subnets at the host end such as 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 192.168.111.x, 10.x.x.x, 10.10.10.x, or 172.16.1.x. Using common subnets at the host end means mobile users connecting from public sites such as hotels that use defaults will often have problems.

The reason for this is packets are routed based on their network ID (subnet to which they belong). If a packet is sent from a remote site and it belongs to the same subnet as the local router, the router will not forward the packet. The "use remote default gateway" will usually override this for the one IP (the VPN IP), but not always.

However, having said that, if it is getting to verifying username and password it has started the initial handshaking and routing may not be the problem. Would be worth a try changing one site or the other, and it is a recommended practice. Users often switch off the "use remote default gateway" option to allow simultaneous VPN and local network access.

The only other thought I have is too low an MTU value for your connection:
Dropped and incomplete connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
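The routing rule Rob describes (packets are forwarded by network ID, and a directly connected subnet always wins over the tunnel) can be reproduced with a small model of the client's routing table. The code below is an added example for this page, not anything from the thread or from Windows; the routes, metrics and addresses are constructed, and the assumption is the usual client behaviour: a /32 host route to the VPN server's tunnel address plus, when "use remote default gateway" is on, a low-metric default route over the tunnel. It goes slightly beyond the post by also showing the case where the option is switched off and no route to the remote subnet exists at all.

```python
"""Longest-prefix-match walk-through: why overlapping LAN subnets break a VPN.

Constructed model of a Windows VPN client's routing table; not real output.
"""
from ipaddress import ip_address, ip_network


def choose_route(routes, dst):
    """Return the interface for dst: most specific prefix wins, then lowest metric."""
    dst = ip_address(dst)
    matches = [(ip_network(prefix), iface, metric)
               for prefix, iface, metric in routes if dst in ip_network(prefix)]
    if not matches:
        return None
    best = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return best[1]


def client_routes(local_lan, server_tunnel_ip, use_remote_gateway):
    """Routing table of a dialled-in PPTP client (assumed shape, see lead-in)."""
    routes = [
        (local_lan, "lan", 20),                    # directly connected LAN
        ("0.0.0.0/0", "lan", 25),                  # ISP default gateway
        (server_tunnel_ip + "/32", "vpn", 1),      # host route to the VPN server
    ]
    if use_remote_gateway:
        routes.append(("0.0.0.0/0", "vpn", 1))     # tunnel becomes the default
    return routes


def reachable_via(local_lan, server_tunnel_ip, target, use_remote_gateway=True):
    """Which interface a packet to target leaves on from this client."""
    return choose_route(client_routes(local_lan, server_tunnel_ip,
                                      use_remote_gateway), target)


if __name__ == "__main__":
    cases = [
        # local LAN,        VPN server,     target,         remote gw on?
        ("192.168.1.0/24", "192.168.1.1",  "192.168.1.1",  True),   # the server itself
        ("192.168.1.0/24", "192.168.1.1",  "192.168.1.50", True),   # another host at the office
        ("192.168.1.0/24", "10.50.0.1",    "10.50.0.25",   True),   # distinct subnets
        ("192.168.1.0/24", "10.50.0.1",    "10.50.0.25",   False),  # gw off, no static route
    ]
    for lan, server, target, gw in cases:
        iface = reachable_via(lan, server, target, gw)
        print("client LAN %-16s target %-13s remote-gw=%-5s -> %s"
              % (lan, target, gw, iface))
```

With identical subnets only the /32 to the VPN server wins over the connected /24, so the server is reachable and nothing else is, exactly the symptom in the post. With distinct subnets the /0 over the tunnel carries the traffic; and if "use remote default gateway" is turned off, the packet falls back to the ISP default unless a static route for the remote subnet is added over the tunnel.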

 
My apologies. I do have different subnets for each location.

I have tried many different MTU sizes on the server end and also enabled and disabled "use remote default gateway"

No luck any way I configure it. This is unreal for such a simple thing.
Is there another software VPN that will work?
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
That works as a server?
Hamachi is quite unique. You install it on 2 or more machines, following the wizards, and you create groups. As soon as you start the application it contacts a master 3rd party Hamachi server, which monitors your on-line presence. When another member of your group comes on line the Hamachi server looks after the handshaking between the two (or more) group members and then "sets them free" to have a private tunnel between the group members. It is actually more secure than PPTP and its primary advantage is that they are all outgoing connections (like web browsing), so you don't have to worry about port forwarding and firewalls. As a matter of fact the biggest problem with Hamachi is it can breach very good security systems to allow a back door through corporate networks.
Another popular free Linux based VPN is OpenVPN
http://openvpn.net/
Good workaround
Thanks TheTechEase. Good luck with the project.
Cheers!
--Rob
Thank U!