VPN Connection in different countries

Hi,

I have users traveling around the world who need to use a VPN connection to access the company file server.

However, users reported that in certain countries they are able to connect to the VPN without any problem, but in some other countries they are not able to connect to the VPN.

The most recent reported case is Error 721, which says the remote computer is not responding. The VPN connection gets disconnected when the login reaches the "Verify user and password" screen.

Our server is Windows Server 2008 Standard R2, using the built-in VPN service provided by Windows 2008.
The only port open for VPN is PPTP.
I have allowed TCP port 47 and TCP port 1723 (NAT) in my firewall.

Does anyone have this problem, and how do you solve it?

Regards,
BK

Damjan Commented:
Try to use SSTP. PPTP traffic can have problems with firewalls, NATs, and proxies.

Error 721: This issue may occur if the network firewall does not permit Generic Routing Encapsulation (GRE) protocol traffic. GRE is IP Protocol 47. PPTP uses GRE for tunneled data.

Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.

More info:
- VPN Tunneling Protocols
- PPTP problems and solutions
- how to enable SSTP VPN server in Windows 2008

hlmarine (Author) Commented:
Dear damjanholsedl,

Thanks for your advice. Will try it and revert back soon. Your explanation makes sense.

hlmarine (Author) Commented:
Hi damjanholsedl,

Just realised XP doesn't support SSTP, so I can't try whether or not SSTP VPN can work for my user's XP machine. Is there any other idea you can think of?

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
L2TP/IPsec is available on XP, but might be blocked.
Another option is to use the free OpenVPN (http://www.openvpn.net/index.php/open-source/overview.html) on both sides, and optionally use the HTTPS port 443.

Damjan Commented:
Hello, hlmarine,

you are going to need either Windows Vista SP1 or Windows 7 to use SSTP. If you don't plan to upgrade your XP machine, then this option is not available to you.

Any other idea? Maybe OpenVPN (third-party software). Clients for OpenVPN are more widely available than those for SSTP. Here is a comparison.

hlmarine (Author) Commented:
The thing that puzzles me is how come my PPTP VPN works in some countries but not in others.

Is it because the firewall in that particular country blocks port 47?

From my basic knowledge, I thought I only need to allow port 47 and 1723 (NAT) from outside to my server for PPTP to work? Correct me if I am wrong. Is there a need for that country's ISP to open their firewall port 47 and 1723 for my user as well?

If there is no other suggestion, I will have to try OpenVPN. =(

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
GRE is protocol 47, not port 47. I have not spotted that before, since it was working already. Maybe setting up "PPTP PassThru" or "VPN PassThru" on your router is enough to get it working at all times; GRE isn't very robust, so it might even work without forwarding, but then only under certain circumstances. PPTP connection negotiation is working first with the PPTP protocol on port 1723 (that is, btw, not "NAT", it is "PPTP"); the encrypted packets are sent via GRE, and might work without port forwarding, depending on the direction the packets take.
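
The difference between "protocol 47" and "port 47" described above, as an added example that is not part of the original thread: it builds constructed PPTP packets and checks them against the rule set as written in the question and against a corrected one. The addresses, rule format and function names are assumptions made for illustration.

```python
import struct

TCP, GRE = 6, 47            # IP protocol numbers (byte 9 of the IPv4 header)
PPTP_CONTROL_PORT = 1723    # TCP port of the PPTP control channel

def ipv4(proto, payload):
    """Build a minimal 20-byte IPv4 header around payload (constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return hdr + payload

# Constructed samples: a TCP SYN to port 1723 and a PPTP data packet.
# PPTP data uses enhanced GRE: version 1, protocol type 0x880B, no ports at all.
CONTROL_SYN = ipv4(TCP, struct.pack("!HHIIHHHH", 49152, PPTP_CONTROL_PORT,
                                    0, 0, (5 << 12) | 0x02, 65535, 0, 0))
GRE_DATA = ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))

def classify(packet):
    """Return (ip_protocol, dst_port); dst_port is None for portless protocols."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == TCP:
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None

def tunnel_outcome(rules):
    """rules: set of (ip_protocol, dst_port or None) that the firewall lets in."""
    if classify(CONTROL_SYN) not in rules:
        return "control blocked"
    if classify(GRE_DATA) not in rules:
        # Control channel comes up, but PPP (including user verification)
        # travels inside GRE, so the session stalls after connecting.
        return "control ok, GRE data blocked"
    return "tunnel ok"

AS_POSTED = {(TCP, 47), (TCP, PPTP_CONTROL_PORT)}    # "TCP port 47" never matches GRE
CORRECTED = {(GRE, None), (TCP, PPTP_CONTROL_PORT)}  # IP protocol 47 plus TCP 1723

if __name__ == "__main__":
    print("as posted:", tunnel_outcome(AS_POSTED))
    print("corrected:", tunnel_outcome(CORRECTED))
```

The same logic applies at every hop between client and server: any device that forwards TCP 1723 but drops IP protocol 47 produces the second outcome.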

hlmarine (Author) Commented:
Hi Qlemo,

I have checked my router. PPTP pass-through is permitted with both 1723 (TCP) and GRE, as shown in the print screen. Does GRE have default protocol 47, or do I have to set it manually?
router.jpg

hlmarine (Author) Commented:
Is there any possibility that some countries might block "PPTP - VPN" access to a certain range of IP addresses in another country?

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
That setting looks good, so that shouldn't be the reason.
Some countries do not allow for VPN of any kind, and some ISPs block the common ports intentionally. But blocking is always done on "the other side"; your ISP does not decide whether to block ports depending on IP address ranges. Each country and ISP might decide differently.

hlmarine (Author) Commented:
Hi Qlemo,

What do you mean by "blocking is always done on 'the other side'"?

Does it mean the ISP blocks some incoming or outgoing ports for all IP addresses?

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Any ISP on the way might do the blocking. Imagine a country border gateway, like for China, where all traffic has to pass thru from and to China. That gateway could then block any (known) VPN ports. In the US it is common that non-business accounts do not have the ability to host well-known services, like HTTP or VPN ports. In that case the ISP of the target filters ports.
ISPs either allow or restrict VPN (and other) traffic as a whole. They do not make individual decisions with regard to which IP target you address.

hlmarine (Author) Commented:
Hi Qlemo,

Thanks for your advice. Will do more research on this.

hlmarine (Author) Commented:
Problem not completely solved.