Solved

Set up VPN on SBS2008 with Netgear DGND3300v2

Posted on 2011-09-23
Last Modified: 2012-05-12
Hi,

I'm having trouble setting up the VPN server on an SBS2008 box.

I've gone through the wizard in the SBS Network Console and set up the VPN Server, I opened a TCP port on the Windows Firewall (1723) and I've also set up a rule on the firewall for PPTP to send all traffic on that port to the server, but alas it doesn't work.

I'm testing the solution by using a Windows XP laptop in a remote location. I can see it connecting and then it just hangs on "Verifying Username and Password"; it just sits there for a minute and then fails.

The same server is also configured for Remote Web Workplace, which works fine, so I'm confused as to why the VPN won't work.

Over to you guys
D
Question by:daiwhyte

Expert Comment

by:Rob Williams
ID: 36588346
If it hangs at verifying user name and password it is probably a case of blocked GRE.
On your router you need to forward port 1723, but also enable GRE pass-through. The latter is done in different ways on different routers, with options like "PPTP pass-through", specific commands, or, in the case of earlier Netgear routers, you did not forward a port (1723) but rather forwarded a service and chose PPTP. This forwarded port 1723 and enabled GRE by default.

There can be many other reasons for blocked GRE:
- the client ISP does not support (or blocks) GRE traffic. This is not common, but it does occasionally happen, and most often it is with residential accounts. You could call the ISP and verify, though the standard answer seems to be "we do not block any traffic".
- the client's hardware (modem, or more likely router) does not support VPN pass-through. Most newer units are fine, but many older units and even some new units such as some D-Links do not support it. I would try another router or at least verify the specs. You could also bypass the router as a test, but make sure the Windows firewall is enabled and Windows and virus updates are current.
- if the user has a modem that is a combined modem and router, as well as a router, you may have a dual NAT configuration. This can block GRE or have the same effect. Try bypassing the router and connecting to the modem directly.
- most software firewalls on client machines allow all outgoing traffic, as does the Windows firewall, but some do not.
- there are some security applications that will block GRE on the client machine, such as Symantec's anti-virus with "internet worm protection" enabled, TrendMicro's OfficeConnect (I think that is what it is called), and Windows OneCare.

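The diagnosis in the comment above (the TCP/1723 control channel gets through, GRE does not, and the client stalls at password verification) can be checked mechanically against firewall logs rather than by guesswork. The Python script below is an added example, not code from this thread or from Netgear or Microsoft. It parses constructed flow-log lines in an invented generic format (date, time, allow/drop, protocol, src -> dst, optional TCP flags); the server address 192.168.1.10, the client addresses and every log line are constructed for the demonstration. Each remote client is classified into one of the cases the comment lists: control port not answered, GRE dropped at this firewall, GRE never arriving (client-side router or ISP), or a healthy session.

```python
"""Classify PPTP client sessions from firewall flow records.

Added example (not from the thread). PPTP needs TCP/1723 for the control
channel *and* IP protocol 47 (GRE) for the tunnelled PPP frames. When only
TCP/1723 reaches the server, the control exchange succeeds and the client
then hangs at "Verifying username and password", because the PPP
authentication frames travel inside GRE.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SERVER_IP = "192.168.1.10"   # assumed LAN address of the SBS box (constructed)

# Constructed sample in an invented generic flow-log format:
#   <date> <time> <allow|drop> <tcp|gre> <src[:port]> -> <dst[:port]> [flags=...]
SAMPLE_LOG = """\
2011-09-23 21:10:01 allow tcp 203.0.113.5:49152 -> 192.168.1.10:1723 flags=S
2011-09-23 21:10:01 allow tcp 192.168.1.10:1723 -> 203.0.113.5:49152 flags=SA
2011-09-23 21:10:01 allow tcp 203.0.113.5:49152 -> 192.168.1.10:1723 flags=A
2011-09-23 21:10:02 drop gre 203.0.113.5 -> 192.168.1.10
2011-09-23 21:10:03 drop gre 203.0.113.5 -> 192.168.1.10
2011-09-23 21:12:10 allow tcp 198.51.100.7:50210 -> 192.168.1.10:1723 flags=S
2011-09-23 21:12:10 allow tcp 192.168.1.10:1723 -> 198.51.100.7:50210 flags=SA
2011-09-23 21:15:40 allow tcp 192.0.2.9:40001 -> 192.168.1.10:1723 flags=S
2011-09-23 21:15:40 allow tcp 192.168.1.10:1723 -> 192.0.2.9:40001 flags=SA
2011-09-23 21:15:41 allow gre 192.0.2.9 -> 192.168.1.10
2011-09-23 21:15:41 allow gre 192.168.1.10 -> 192.0.2.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|drop) (?P<proto>tcp|gre) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: flags=(?P<flags>\S+))?$"
)


@dataclass
class SessionState:
    """What the firewall has seen for one remote client."""
    tcp_syn: bool = False            # client opened TCP/1723 towards the server
    tcp_synack: bool = False         # server answered, so the port forward works
    gre_client_allowed: bool = False  # GRE from client passed the firewall
    gre_client_dropped: bool = False  # GRE from client was dropped here
    gre_server_allowed: bool = False  # server sent GRE back


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(st):
    """Map the observed state onto the causes discussed in the thread."""
    if not st.tcp_syn:
        return "no PPTP control traffic seen"
    if not st.tcp_synack:
        return "TCP/1723 not answered: check port forward and Windows Firewall rule"
    if st.gre_client_dropped and not st.gre_client_allowed:
        return "GRE dropped by this firewall: enable PPTP/GRE pass-through"
    if not st.gre_client_allowed:
        return "no GRE reached the firewall: client router or ISP is blocking GRE"
    if not st.gre_server_allowed:
        return "GRE reaches server but server does not reply: check RRAS"
    return "control channel and GRE both flowing: PPTP should authenticate"


def analyze(log_text, server_ip):
    """Build per-client state from the log and return {client: diagnosis}."""
    sessions = defaultdict(SessionState)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp":
            if rec["dst"] == server_ip and rec["dport"] == "1723" and rec["flags"] == "S":
                sessions[rec["src"]].tcp_syn = True
            elif rec["src"] == server_ip and rec["sport"] == "1723" and rec["flags"] == "SA":
                sessions[rec["dst"]].tcp_synack = True
        else:  # gre: direction tells us which side it came from
            if rec["dst"] == server_ip:
                st = sessions[rec["src"]]
                if rec["action"] == "allow":
                    st.gre_client_allowed = True
                else:
                    st.gre_client_dropped = True
            elif rec["src"] == server_ip and rec["action"] == "allow":
                sessions[rec["dst"]].gre_server_allowed = True
    return {client: diagnose(st) for client, st in sessions.items()}


if __name__ == "__main__":
    for client, verdict in analyze(SAMPLE_LOG, SERVER_IP).items():
        print(f"{client:15} {verdict}")
```

The ordering of the checks matters: a dropped GRE packet is only reported as this firewall's fault when no GRE from that client was ever allowed, and "no GRE at all" is distinguished from "GRE dropped" because the first points upstream (client router, ISP) while the second points at the router in front of the SBS, which is exactly the split the thread ends up making.
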
Author Comment

by:daiwhyte
ID: 36588484
I have other VPN sessions set up on the XP machine which do connect, so I think we can rule out the ISP.

Also, on the Netgear router I used a predefined rule for PPTP, which should also activate the GRE protocol you have mentioned.

I will revisit in the morning and try again.

Expert Comment

by:Rob Williams
ID: 36588560
Just for the record, there are routers that claim to support PPTP passthrough (GRE pass-through) but do not.

Just to make sure your VPN is properly configured: from the SBS LAN, try connecting to the VPN using the SBS's LAN IP (not the public IP). If that works, and you say the client site is OK, it pretty well narrows it down to the router's configuration or ability to pass GRE, or the SBS site's ISP blocking GRE. Most often, if you have a static IP, GRE is not blocked. The ISPs that block GRE are usually trying to stop business-class services on home/dynamic IP accounts.

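The LAN-versus-public-IP test suggested above can be run without a full VPN client. The Python script below is an added example, not code from this thread; it completes only the first PPTP control exchange from RFC 2637 (a Start-Control-Connection-Request answered by a Start-Control-Connection-Reply) over TCP/1723 and reports what the server sent back. The message layouts are the fixed 156-byte formats from RFC 2637; the hostname and vendor strings, and the loopback responder the script starts when run with no arguments (a constructed stand-in for the SBS server so the script can be exercised offline), are assumptions of this example. Pointing it first at the SBS LAN IP and then at the public IP separates the two questions: a reply from both proves port 1723 is forwarded correctly, so a client that still stalls at "Verifying username and password" is missing GRE rather than the control port.

```python
"""Probe a PPTP server's TCP/1723 control channel without authenticating.

Added example, not part of the original thread. Only the SCCRQ -> SCCRP
exchange of RFC 2637 is performed; no PPP session and no GRE tunnel is
opened, so a successful reply says nothing more than "port 1723 reaches a
PPTP server".
"""
import socket
import struct
import sys
import threading

MAGIC = 0x1A2B3C4D          # PPTP magic cookie (RFC 2637)
SCCRQ, SCCRP = 1, 2         # control message types
# Fixed 156-byte layouts from RFC 2637 sections 2.1 and 2.2
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"


def _field(text):
    """Pad a string into the 64-byte NUL-filled fields PPTP uses."""
    return text.encode()[:64].ljust(64, b"\0")


def build_sccrq(hostname="pptp-probe", vendor="added-example"):
    """Start-Control-Connection-Request as a PPTP client would send it."""
    return struct.pack(SCCRQ_FMT,
                       156, 1, MAGIC, SCCRQ, 0,   # length, msg type, cookie, ctrl type, reserved
                       0x0100, 0,                 # protocol version 1.0, reserved
                       3, 3,                      # framing async+sync, bearer analog+digital
                       1, 0,                      # max channels, firmware revision
                       _field(hostname), _field(vendor))


def build_sccrp(result_code=1, error_code=0, hostname="sbs-lab", vendor="responder"):
    """Start-Control-Connection-Reply; result 1 = OK, 2 = general error."""
    return struct.pack(SCCRP_FMT,
                       156, 1, MAGIC, SCCRP, 0,
                       0x0100, result_code, error_code,
                       3, 3, 1, 0,
                       _field(hostname), _field(vendor))


def parse_sccrp(data):
    """Validate and decode a reply; raises ValueError if it is not an SCCRP."""
    if len(data) < 156:
        raise ValueError("short or empty reply (%d bytes)" % len(data))
    f = struct.unpack(SCCRP_FMT, data[:156])
    if f[1] != 1 or f[2] != MAGIC or f[3] != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {"result_code": f[6], "error_code": f[7],
            "hostname": f[12].rstrip(b"\0").decode(errors="replace"),
            "vendor": f[13].rstrip(b"\0").decode(errors="replace")}


def _recv_exact(sock, n):
    """Read exactly n bytes or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_pptp(host, port=1723, timeout=5.0):
    """Open the control channel and return the parsed SCCRP (raises on failure)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = _recv_exact(s, 156)
    return parse_sccrp(reply)


def start_fake_responder():
    """Constructed stand-in for a PPTP server on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            req = _recv_exact(conn, 156)
            ok = len(req) == 156 and struct.unpack(SCCRQ_FMT, req)[2] == MAGIC
            conn.sendall(build_sccrp(result_code=1 if ok else 2))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. the SBS LAN IP first, then the public IP
        target, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1723
    else:                          # offline demo against the constructed responder
        target, port = "127.0.0.1", start_fake_responder()
    try:
        print(target, port, probe_pptp(target, port))
    except (OSError, ValueError) as exc:
        print("control channel failed:", exc)
```

A timeout or refused connection from the public IP while the LAN IP answers points at the port forward or the Windows Firewall rule; a valid reply from both while the real client still hangs at authentication leaves GRE as the remaining suspect.
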
Author Comment

by:daiwhyte
ID: 36588607
Ah right, got the point, Rob. Maybe the ISP which the SBS box sits in may not be GRE enabled, but that said, it does have a static IP.

Author Comment

by:daiwhyte
ID: 36599503
OK, I've connected locally using another machine in the office, so that works.

I've switched off the IPv6 side of things in Remote Access and Routing and I've also set up RRAS to issue IP addresses, but alas still not working.

Not sure what to do next?

D

Author Comment

by:daiwhyte
ID: 36599530
OK, it's got to be something to do with the firewall settings.

I just moved the server into the DMZ and I was able to connect to it remotely using my PPTP session.

So, something to do with the firewall not sending traffic over to the server.

Expert Comment

by:Rob Williams
ID: 36599568
Make sure you do not disable IPv6 in the SBS configuration or you will have much larger issues, and there is no need to disable it in the RRAS configuration.

Sounds like your Netgear router does not properly forward GRE.

Expert Comment

by:Rob Williams
ID: 36599614
You are aware that when connected to the DMZ your server is not protected?

Stumbled on the following thread that states that Netgear says the router supports PPTP but not GRE:
http://forum1.netgear.com/showthread.php?t=67746&page=2

Author Comment

by:daiwhyte
ID: 36599801
Ok, well that explains it. Can you advise on a modem/router which does support the necessary protocols?

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 36600712
I usually use Ciscos like the ASA 5505 ( http://tinyurl.com/5w483lu ) or older Cisco PIX, but any commercial-grade router will work. I have several sites using D-Link units that seem to work well for an inexpensive unit.
None of those, however, are modems, just routers. A lot of the combined modem/router units seem to have problems with GRE. You may be able to put the Netgear in bridge mode and put a standard router behind it.

Author Closing Comment

by:daiwhyte
ID: 36708343
Thanks Rob