Andrew N. Kowtalo

asked on

Unable to connect to PPTP connection Setup by Vendor

One of our client's vendors set up a VPN on one of the machines internally at the location. It was a Windows PPTP connection. The vendor set up all the correct settings and added the preshared key. When connecting, the connection makes it to a UN and PW prompt, and then after entering the credentials it just says connecting to (shows external IP), hangs, and disconnects.

The vendor that set this up had no idea why it wouldn't connect so now they are asking us to fix it.  

The unit is Windows 10 Pro. If a PPTP connection makes it to a UN and PW prompt, my guess is that it's hitting the firewall just fine. Could it be as simple as them not putting in the domain\UN and just the UN and PW, which is preventing the connection from completing? I have no idea what firewall they have, and we have no access to it as it's managed by the vendor, but they are telling us their end is fine. Any assistance would be appreciated.
Adam Brown

Ugh...PPTP is a horrible, awful, no good VPN protocol. It's only slightly better than sending data in the clear at this point. If you can't talk the vendor into using a better VPN protocol (IPSec, IKEv2, VPN over SSH), I'd personally start warning the client off of using that vendor.

That said, you'll need to check the firewall rules on your end to make sure PPTP traffic is allowed through the firewall and that there are no application level settings that are set to disallow PPTP VPNs (many firewalls will do this by default now, due to the age and vulnerabilities associated with PPTP).
PPTP is considered very insecure, I highly recommend against a PPTP VPN.

That being said, PPTP connects using a two-step process for which GRE is required for the second part. The most common problem is that GRE is blocked somewhere between client and host. GRE is not enabled by forwarding a port.
PS- when the connection fails do you get an error number like 791, 800, 807, etc.?
I agree with the above.

We use IPsec Hardware Boxes at all clients and NCP Secure Entry (Universal) as the VPN application. Bombproof in Windows 7 and 10.
Andrew N. Kowtalo (ASKER)

Gents, I just found out there is a new firewall that was put in place that we just got access to. It's a WatchGuard firewall. It is most likely that those ports are not open for the PPTP to go through. The vendor is looking at the logs, but does anyone know:

1. What ports are blocked
2. Where in the WatchGuard firewall rules would that string need to be entered?
3. I have not opened ports on the watchguard prior but if I can get access to it I may be able to do it if someone can direct me.
new firewall … watchguard firewall.

Check and see if it does IPsec.  Many new ones do.
Going to beat the dead horse, PPTP is HORRIBLE and very insecure. That being said, did this vendor use RADIUS to secure this connection? My thoughts are that if you are getting to the username and PW prompt then it is very likely a problem with authentication. Check any 3rd party authentication mechanisms that may be in place for this connection.

If this is using RADIUS then you can find out the information in the VPN configuration on the EndPoint.
To allow PPTP traffic, open TCP port 1723.
To allow L2TP w/ IPSec traffic, open UDP ports 500, 1701 & 4500.
@ITGuy he told me he went home, set it up on his Windows 10 machine with the same settings, and it connected just fine, which leads me to think it's the firewall in place that may not have open ports.
Where in the watchguard do I do this?  I just logged into it.
Configuration Instructions for watchguard PPTP:
http://systemadministratorrecipes.blogspot.com/2013/05/configure-mobile-vpn-with-point-to.html

Configure Mobile VPN with Point to Point Tunneling Protocol (PPTP) in WatchGuard XTM 25 and 26 Firebox

This article covers the steps to configure a "WatchGuard XTM 25 and 26" Mobile VPN with Point to Point Tunneling Protocol (PPTP) to move data safely between two private networks across an unprotected network.

Mobile VPN with PPTP supports as many as 50 users at the same time. To use Mobile VPN with PPTP you must configure the Firebox and the remote client computers of the remote users.

To set up VPN with PPTP in a WatchGuard XTM 25 and 26 Firebox, follow the next steps:

1. Configure Mobile VPN with PPTP.
Log on in WatchGuard System Manager, and go to Policy Manager to activate Mobile VPN with PPTP.
In the "Policy Manager" window, click to expand VPN < Mobile VPN < PPTP...
In the "Mobile VPN with PPTP Configuration" window, click the check box *Activate Mobile VPN with PPTP.
Below, in Encryption Settings, be sure *Require 128-bit encryption is checked.
In the "IP Address Pool", click the Add button to add the "Host Range". (Remember there is a maximum of 50 users allowed.)
Click OK to save the configuration.

2. Add a New Policy.
Click the " + " sign to add a new policy.
In the "Add Policies" window, click to expand "Packet Filter".
Click to select "Any" and click "Add".
In "Name:" type the name of the new Policy, e.g. "VPN with PPTP".
On the "Policy" tab, in the "From" section, click Add.
In the "Selected Members and Address" section, select "Any-trusted" and click Remove.
Click Add User.
In the "Add Authorized Users or Groups" window, in the first "Type" drop-down list, select "PPTP".
In the "Add Authorized Users or Groups" window, in the second "Type" drop-down list, select "Group".
In the "Add Address" window select "PPTP-Users" and click Select. Then click OK to close the "Add Address" window.
On the "Policy" tab, in the "To" section, click Add.
In the "Selected Members and Address" section, select "Any-External" and click Remove.
Click Add.
In the "Add Address" window, in the list select "Any-Trusted" and click Add. Then click OK to close the "Add Address" window.
Click OK to close the "New Policy Properties".

3. Add new Users.
In the "Policy Manager" window, click Setup < Authentication < Authentication Servers...
In the "Authentication Servers" window, in the "Users" section, click the Add button.
In the "Setup Firebox User" window, fill in the "Name, Passphrase, and Confirmation" lines.
In the "Firebox Authentication Groups" section, click to select "PPTP-Users" in the Available list and click " << " to move "PPTP-Users" to the Member list.
Click OK to close and save the change in "Setup Firebox User".
Click OK to close and save the change in "Authentication Servers".
*** To add more users, repeat the above steps.
*** Don't forget to save all changes in the WatchGuard XTM 25 and 26 Firebox.
Before I proceed, here is the make and model of the WatchGuard:

Model: T35
Version: 12.0.2.B546738
Serial Number: D02005906F71D
System Time: 14:13 US/Eastern
System Date: 2019-04-23
Uptime: 25 days 18:35
Here is a video that will show you :

https://www.youtube.com/watch?v=rZHebyMU2T8

I wish I could help with that, but I don't have a WatchGuard in my possession; we are all Cisco.
In all reality though, you would be better off setting up an IPsec VPN as others above have said.
Unfortunately we have no control over what the vendor uses, so we are physically having to adjust to what they setup.
I agree with John. Your WatchGuard supports an IPSec VPN.  It is FAR more secure, and even more so in that authentication is at the network perimeter.  Not using it is like taking a skateboard to work when you have a Mercedes in the garage.
I just confirmed with the vendor that I was given the wrong info. They are using Layer 2 IPsec. Does this require different authentication in the firewall or different settings?
Here is what you are dealing with PPTP:

The protocol itself is no longer secure, as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which with current computers can be brute-forced in a very short time (making a strong password largely irrelevant to the security of PPTP as the entire 56-bit keyspace can be searched within practical time constraints).

The attacker can do a MITM to capture the handshake (and any PPTP traffic after that), do an offline crack of the handshake and derive the RC4 key. Then, the attacker will be able to decrypt and analyse the traffic carried in the PPTP VPN. PPTP does not provide forward secrecy, so just cracking one PPTP session is sufficient to crack all previous PPTP sessions using the same credentials.

Additionally, PPTP provides weak protection to the integrity of the data being tunneled. The RC4 cipher, while providing encryption, does not verify the integrity of the data as it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also doesn't do additional integrity checks on its traffic (such as HMAC), and is hence vulnerable to bit-flipping attacks, ie. the attacker can modify PPTP packets with little possibility of detection. Various discovered attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a bad choice for securing large amounts of transmitted data, and VPNs are a prime candidate for such attacks as they by nature usually transmit sensitive and large amounts of data.

If you want to, you can actually try cracking a PPTP session yourself. For a Wi-Fi user, it involves ARP poisoning your target such that the target sends the MSCHAPv2 handshake through you (which you can capture with Wireshark or any other packet capture tool). You can then crack the handshake with tools like Chap2Asleap, or if you have a few hundred dollars to spare submit the captured handshake to online cracking services. The recovered username, hash, password and encryption keys can then be used to impersonate logins to the VPN as that user, or to retroactively decrypt the target's traffic. Obviously, please do not do this without proper authorisation and outside a controlled environment.

In short, please avoid using PPTP where possible.
For more information, see http://www.computerworld.com/s/article/9229757/Tools_released_at_Defcon_can_crack_widely_used_PPTP_encryption_in_under_a_day and

How can I tell if a PPTP tunnel is secure?
Issues discovered with RC4 (resulting in real world security issues in protocols like TLS) can be found in http://www.isg.rhul.ac.uk/tls/RC4mustdie.html and https://www.rc4nomore.com/

For the cracking portion, refer to https://www.rastating.com/cracking-pptp-ms-chapv2-with-chapcrack-cloudcracker/ and https://samsclass.info/124/proj14/p10-pptp.htm.

That being said, if you still want to use it, we will assist, but it is not the best method as outlined in this article.
Different ports for sure, see my post above.

To allow PPTP traffic, open TCP port 1723.
To allow L2TP w/ IPSec traffic, open UDP ports 500, 1701 & 4500.
Yeah, that information was amazing. I will see if I can get those policies set up, as I am not too familiar with WatchGuard itself. But again, they are doing Layer 2 IPsec for sure; that's confirmed.
Ask your vendor about setting up IPsec and then what client app they recommend. We use NCP Secure Entry and it is fairly easy to set up
@ITGuy should I follow the video and setup a SNAT for IPSEC or no?
That would be good to follow the video and keep your vendor informed.
The video I posted above was to open the ports for PPTP. You should be able to follow it, but please note the ports are different for L2TP.
Yeah, I have the SNAT set up, but it's asking me to enter an IP. I can't just tell it the port. What IP do I use, the one from the machine?

I attached a screen shot.
tcp.JPG
IPsec should just need the IP address as it will pick its standard port. We do not need to bother with this.
@John the screen is requiring me to put something in for an IP.   Do I use the IP of the machine or the source external IP of the tunnel?
Normal setup for the home (office) end is:

External IP address (static External).
Internal Subnet (e.g.  192.168.75.x)
Subnet Mask (255.255.255.0)

And then address what you want inside.

Do make sure the vendor is included in your discussions as they should know
OK, I opened 3 ports but got this error. Maybe I need to get 1701 and 1723; I just can't find how to edit it under policies.
Untitled_edited.jpg
You need to ask your vendor. Any L2TP settings are not part of the main setup in Juniper or some Cisco boxes.
I would check my connection log on the WatchGuard. See where it failed in the authentication process. Usually firewalls and routers have the ability to filter events down to just VPN events.
Here is what came with the default IPsec policy in the WatchGuard. How do I add the additional 2 ports for TCP/UDP 1701 and 1723?
fwcap.JPG
I do not usually see it this way (different gear).

From (client) is Any Any and Office is a subnet setup.
Any Trusted to Any External? Not sure I would do that. Now Any Trusted to "Remote VPN Gateway" that might be a better way to go.
Looking closer at the policies, it looks like these are already open.

Name              Type   From              To                             Ports
L2TP              L2TP   Any-Trusted       Any-External                   udp:1701
WatchGuard IPSec  IPSec  Any-Trusted, Any  Any                            udp:4500 ESP AH udp:500
PPTP to Circuit   PPTP   Any               72.43.38.196 --> 172.16.30.3   tcp:1723 GRE

Now what lol
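A way to answer "now what" from the listing above: the following is an added example (not code from the thread or from WatchGuard) that checks the three pasted policies against the services each VPN flavour needs, using the port list given earlier in the thread (PPTP: TCP 1723 plus GRE; L2TP/IPsec: UDP 500, 1701, 4500 plus ESP). It assumes the From/To column semantics of WatchGuard Policy Manager (the "Any" alias matches everything) and reads the third policy's To column as an SNAT mapping to the internal host.

```python
# Added example, not code from the thread or from WatchGuard: check policies in the
# shape the asker pasted (name, From, To, services) against the services each VPN
# flavour needs: PPTP = TCP 1723 plus GRE; L2TP/IPsec = UDP 500, 1701, 4500 plus ESP.
from dataclasses import dataclass

REQUIRED = {
    "PPTP": frozenset({"tcp:1723", "gre"}),
    "L2TP/IPsec": frozenset({"udp:500", "udp:1701", "udp:4500", "esp"}),
}

@dataclass(frozen=True)
class Policy:
    name: str
    src: frozenset       # lower-cased aliases/addresses from the From column
    dst: frozenset       # lower-cased aliases/addresses from the To column
    services: frozenset  # lower-cased tokens such as "udp:500" or "gre"

def policy(name: str, src: str, dst: str, services: str) -> Policy:
    """Build a Policy from comma-separated From/To columns and a space-separated service list."""
    def split(column: str) -> frozenset:
        return frozenset(x.strip().lower() for x in column.split(","))
    return Policy(name, split(src), split(dst), frozenset(services.lower().split()))

def covers(column: frozenset, endpoint: str) -> bool:
    """True if a From/To column includes the endpoint; the 'Any' alias matches everything."""
    return "any" in column or endpoint.lower() in column

def missing_services(policies, vpn_type: str, src: str, dst: str) -> frozenset:
    """Required services for vpn_type that no policy from src to dst allows."""
    allowed = set()
    for p in policies:
        if covers(p.src, src) and covers(p.dst, dst):
            allowed |= p.services
    return REQUIRED[vpn_type] - allowed

# Transcribed from the asker's Policy Manager listing. The posted To column of the
# third policy, "72.43.38.196 --> 172.16.30.3", is read here as an SNAT mapping to
# the internal host, so it only matches traffic arriving from outside (assumption).
POLICIES = [
    policy("L2TP", "Any-Trusted", "Any-External", "udp:1701"),
    policy("WatchGuard IPSec", "Any-Trusted, Any", "Any", "udp:4500 ESP AH udp:500"),
    policy("PPTP to Circuit", "Any", "172.16.30.3", "tcp:1723 GRE"),
]

if __name__ == "__main__":
    for vpn in REQUIRED:
        gap = missing_services(POLICIES, vpn, "Any-Trusted", "Any-External")
        print(vpn, "outbound from trusted:", "ok" if not gap else "missing " + ", ".join(sorted(gap)))
```

Run as-is, it reports that an inside client connecting out over L2TP/IPsec has every required service allowed, while outbound PPTP is only permitted by the inbound SNAT policy, which is the kind of direction mismatch worth confirming with the vendor before touching more rules.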
ASKER CERTIFIED SOLUTION
Glad you found it.. Sorry couldn't be of more help with that brand firewall.
Fantastic support.   These guys always come through when I get put in situations I have never seen.   Keep up the good work gents.
Thanks for the update. Happy to assist
Based on screenshots and ports, it looks like you enabled PPTP? I.e. you have a VPN to the PC not using the WatchGuard VPN service? If so, we have advised of security issues, but also, if you have done so, you need to edit local group policy to enforce complex passwords and account lockouts after 'X' wrong guesses, for at least 15 minutes. Hackers use port scanners, and when they see an open port they will hit it endlessly. Account lockouts slow them down and they tend to go away.
it looks like you enabled PPTP?

I thought that might be the case, but the business need would have been to get connected.  

Andrew - over time, consider moving to IPsec - much better, more secure and indeed more flexible.
Again, agree 100% with John !!!
John it was Layer 2 IPSEC I was given the wrong information originally.