Solved

Can't connect through VPN PPTP but can connect through VPN IKEv2?

Posted on 2011-02-18
Last Modified: 2012-05-11
I have a basic setup of a VPN server with Windows Server 2008 R2. I can connect through IKEv2 just fine, but when I try to connect through PPTP it gives me: Error 628: The connection was terminated by the remote computer before it could be completed.

I have googled everything. I have port 1723 open on the server and the router. All settings seem to be correct. I can even see the connection come into my router and say accepted.

What could be the problem?

Tony
Question by:askurat1
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
When you say IKEv2 I assume it is with IPSec?

IPSec uses protocols 50 and 51 (NOT ports, like TCP is protocol 6 and UDP is protocol 17 and within these protocols you use port numbers).
That being said, IPSec uses TCP/port 500 and protocol 50/51. PPTP uses TCP/port 1723 and protocol 47 (GRE). I think GRE is not being passed either on the router or the server.
0
 
LVL 8

Author Comment

by:askurat1
Not from my knowledge. In Windows 7 it shows these options: Automatic, PPTP, L2TP/IPSec, SSTP, and IKEv2.

On the router I have the firewall turned off and VPN passthrough enabled for IPSec, PPTP, and L2TP.
On the server I have GRE enabled and set to allow connections.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, if you check the logs on the router and/or the event logs on the server, does anything show up?
0
 
LVL 8

Author Comment

by:askurat1
Not really. On my router it says port 1723 is coming in just fine and on the server I can't find any log pertaining to my situation. Is there any log I should look at specifically?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Have a look at this link: http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx It should help you set that up.
0
 
LVL 8

Author Comment

by:askurat1
Thanks for that. On my server it is giving me this:
The Windows Filtering Platform has blocked a packet.

Application Information:
	Process ID:		916
	Application Name:	\device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
	Direction:		Inbound
	Source Address:		97.87.86.66
	Source Port:		0
	Destination Address:	192.168.0.1
	Destination Port:		0
	Protocol:		47

Filter Information:
	Filter Run-Time ID:	105017
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44


How would I unblock this?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, so this looks like GRE (protocol 47) is being blocked. Though you said GRE was enabled, it looks like it is still being stopped...

You might want to have a look at that again.

And at the risk of underestimating you: GRE is protocol number 47, NOT port 47 on TCP/UDP (which have protocol numbers 6 and 17).
0
 
LVL 8

Author Comment

by:askurat1
Here is my firewall setup:
Routing and Remote Access (GRE-In): It is enabled and set to allow connections
set to all ports and protocol 47

Routing and Remote Access (GRE-Out): It is enabled and set to allow connections
set to all ports and protocol 47

Routing and Remote Access (PPTP-In): It is enabled and set to allow connections
set TCP and protocol 6. Local port: 1723  remote port: all ports

Routing and Remote Access (PPTP-Out): It is enabled and set to allow connections
set TCP and protocol 6. remote port: 1723  local port: all ports

0
 
LVL 8

Author Comment

by:askurat1
I have attached my RASMAN log below if that helps. RASMAN.LOG
0
 
LVL 8

Author Comment

by:askurat1
Any other logs?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Not yet.

I've noticed one thing:

In the server log it shows
Source Address:            97.87.86.66
Destination Address:      192.168.0.1


In the RASMAN log it shows
DwSaveIpAddressInfo: Remote Address=97.87.86.66
DwSaveIpAddressInfo: Source Address=192.168.0.5


There is a discrepancy there (192.168.0.1 vs 192.168.0.5)
0
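The two checks made in the comments above (reading the Protocol field as an IP protocol number rather than a port, and comparing the blocked packet's destination with the address in the RASMAN log) can be scripted. This is an added example, not part of the original thread; `diagnose` and its `ras_local_address` parameter are hypothetical names, and the event text is the one posted above with whitespace normalized.

```python
# IP protocol numbers named in the thread, plus their usual names.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# Event text as posted in the thread (whitespace normalized, process fields omitted).
SAMPLE_EVENT = """\
The Windows Filtering Platform has blocked a packet.
Network Information:
    Direction:            Inbound
    Source Address:       97.87.86.66
    Source Port:          0
    Destination Address:  192.168.0.1
    Destination Port:     0
    Protocol:             47
Filter Information:
    Filter Run-Time ID:   105017
    Layer Name:           Receive/Accept
"""


def parse_event(text):
    """Collect the 'Name: value' lines of one event message into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():  # skip section headers such as 'Network Information:'
            fields[name.strip()] = value.strip()
    return fields


def diagnose(event_text, ras_local_address):
    """Classify a blocked packet; ras_local_address is a hypothetical parameter
    holding the server address that RAS logged for the same connection."""
    f = parse_event(event_text)
    number = int(f["Protocol"])
    name = IP_PROTOCOLS.get(number, "protocol %d" % number)
    findings = []
    if number in (6, 17):
        findings.append("%s port %s was blocked: review the port rule"
                        % (name, f["Destination Port"]))
    else:
        findings.append("%s is IP protocol %d and has no ports: a TCP/UDP port "
                        "rule cannot admit it" % (name, number))
    if f["Destination Address"] != ras_local_address:
        findings.append("blocked packet went to %s but RAS logged %s"
                        % (f["Destination Address"], ras_local_address))
    return {"protocol": name, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_EVENT, "192.168.0.5")["findings"]:
        print(finding)
```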
 
LVL 8

Author Comment

by:askurat1
Sorry about that. My server has two IPs and I must have changed the router to forward to a different IP during troubleshooting.

I think I might have found the problem. I have been trying to do this from work and we must have something set up to block VPN. When trying from another network that isn't blocking anything it seems to connect just fine, though I have only tried this on one computer.

Could this be the issue?
0
 
LVL 35

Expert Comment

by:Ernie Beek
It certainly could be. Not necessarily blocking, it could also be not passing something (like the GRE protocol). So you might have something worthwhile investigating there.
0
 
LVL 8

Author Comment

by:askurat1
Yea I am thinking it isn't passing the protocol. I am gonna check some other computers on different networks but if it worked on the other network I mentioned above that means it doesn't have anything to do with my VPN setup or security, correct?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
Correct. Then it has to do with the network you're connecting from.
0
 
LVL 35

Expert Comment

by:Ernie Beek
So it seems I led you to the solution but now it's going to be closed?
As I read this, you checked it and the assumptions we came to were right, which means #34953848 is the correct answer.
0
