Sign in with
Sign up | Sign in
Your question

xp vpn connection problem

Tags:
  • Connection
  • VPN
  • Windows XP
Last response: in Windows XP
Share
Anonymous
March 1, 2005 2:02:59 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Greetings from Australia.

I am designated IT manager for small company but am an ignoramus and
need help. Hope my Aussie accent and phrasiology doesn't confuse.

Trying to set up VPN connection to office LAN using xp VPN
capabilities.

Office LAN has 10 or more users with designated machine running xp pro
which has been setup as vpn server (allows incoming connections) and
remote user identities have been setup. The LAN accesses the internet
via d-link dsl-500 modem/router (which is supposed to have VPN pass
through capabilities). The router has port tcp 1723 redirected to
local ip address of the xp machine acting as vpn server.

At remote end is laptop running xp home, setup to connect to vpn
server at office LAN. Internet access is established and trying to
establish vpn connection to static ip address of router (issued by
isp) which is theoretically passed through to vpn server at local ip
address through tcp port 1723.

Problem is that i'm not getting through and error 800 is displayed.

I contacted the router supplier tech support who explained that NAT is
enabled on the router to allow multiple internet users on the LAN from
a single public ip address and that with NAT enabled effectively a
firewall stopping all else from entering?? They gave several ideas to
rectify problem or to allow VPN traffic to pass through router with
NAT enabled:
1) enable "pptp" or "IPSec" - however, there is nowhere in the router
configuration menu to do this??
2) Redirect port tcp 1723 or udp 500 to the local ip address of the
vpn server - which i have.
3) and enable and redirect DMZ to the local ip address of the vpn
server - now when i did this i was able to make it through the
connection and authentication process without error but was not able
to view any files present on the vpn server. Also, all local users
lost contact with the designated server machine and their internet
access. Once DMZ disabled my remote connection terminated and local
users were restored.

Result - i'm still screwed and unable to connect to the designated
server machine.

I suspect that the router config is my downfall but i may be missing
something else in the vpn server setup, client connection setup, or
some other obscure issue i have no idea about??

please help if you can.

More about : vpn connection problem

Anonymous
March 1, 2005 8:30:30 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Well it boils down to whether or not you can forward TCP Port 1723 and pass GRE Protocol 47 traffic
through the modem/router to the VPN server PC. I just looked at the DSL-500 FAQ...

http://www.dlink.com.au/tech/drivers/files/routers/dsl5...

....and D-Link claims that the latest firmware does this. Now, I have found that with these consumer
grade routers firmware version support for GRE Protocol 47 traffic is kind of spotty...So...

The good news is you can test this...

1. Make sure your running the latest firmware in the device.
2. Make sure you have TCP Port 1723 forwarded to the local private *STATIC* LAN IP of the PPTP VPN
server machine. Look at Page 28, ie. the "IP Masquerade Pass Through" section, of the User's Manual
and make sure the PPTP checkbox is CHECKED in your device...

http://www.dlink.com.au/tech/drivers/files/routers/dsl5...

3. Run the test detailed in the "VPN Traffic" section on this page from another XP PC at a remote
site connected to the internet via a dialup link...

http://www.microsoft.com/technet/community/columns/cabl...

....Get the tools for XP from this link...

http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

That test will tell you if you have TCP Port 1723 forwarded correctly and if GRE Protocol 47 traffic
is being passed through the router...

I recommend *NOT* using the DMZ since that exposes the PC to the public internet fully. That is a
potential and probable security risk...

One other note is that if you get this working you will only be able to have one incoming PPTP VPN
connection at a time. This is a limitation of Windows XP. If you need additional VPN incoming
connections then you need to look at a server grade OS like Windows 2003 Server or a dedicated VPN
end-point router...

Good luck...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

"jollydingo" <craig@hughbgage.com.au> wrote in message
news:ba081713.0502282302.48ca02aa@posting.google.com...
> Greetings from Australia.
>
> I am designated IT manager for small company but am an ignoramus and
> need help. Hope my Aussie accent and phrasiology doesn't confuse.
>
> Trying to set up VPN connection to office LAN using xp VPN
> capabilities.
>
> Office LAN has 10 or more users with designated machine running xp pro
> which has been setup as vpn server (allows incoming connections) and
> remote user identities have been setup. The LAN accesses the internet
> via d-link dsl-500 modem/router (which is supposed to have VPN pass
> through capabilities). The router has port tcp 1723 redirected to
> local ip address of the xp machine acting as vpn server.
>
> At remote end is laptop running xp home, setup to connect to vpn
> server at office LAN. Internet access is established and trying to
> establish vpn connection to static ip address of router (issued by
> isp) which is theoretically passed through to vpn server at local ip
> address through tcp port 1723.
>
> Problem is that i'm not getting through and error 800 is displayed.
>
> I contacted the router supplier tech support who explained that NAT is
> enabled on the router to allow multiple internet users on the LAN from
> a single public ip address and that with NAT enabled effectively a
> firewall stopping all else from entering?? They gave several ideas to
> rectify problem or to allow VPN traffic to pass through router with
> NAT enabled:
> 1) enable "pptp" or "IPSec" - however, there is nowhere in the router
> configuration menu to do this??
> 2) Redirect port tcp 1723 or udp 500 to the local ip address of the
> vpn server - which i have.
> 3) and enable and redirect DMZ to the local ip address of the vpn
> server - now when i did this i was able to make it through the
> connection and authentication process without error but was not able
> to view any files present on the vpn server. Also, all local users
> lost contact with the designated server machine and their internet
> access. Once DMZ disabled my remote connection terminated and local
> users were restored.
>
> Result - i'm still screwed and unable to connect to the designated
> server machine.
>
> I suspect that the router config is my downfall but i may be missing
> something else in the vpn server setup, client connection setup, or
> some other obscure issue i have no idea about??
>
> please help if you can.
March 2, 2005 7:03:07 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Firstly, thanx for your help.

Gaaw Crickey...this problem is a real bewdy mate...becoming a real
humm-dinger (and other stereotypical slang you might expect from an
Ossie).

Unfortunately i was not able to update the firmware for the router. it
timed out. the update readme file suggests: "If you are experiencing
time-out problems when updtating the firmware please ensure that the
default SNMP community string is present on the router. You can set it
up by issuing the
following commands at the Command Line Interface of your router:

snmp access write private
config save


In order to access Command Line Interface connect to the router using
serial cable (using COM
ports on your computer and router).

Run Hyperterminal (you can find this program in Windows under Start >
Programms > Accessories >
Communication). Create new conection using COM1 or COM2 (whichever port
you connected the cable
to). Use the following settings: 9600 baud, 8 bit data word, 1 stop
bit, No parity and
Hardware (CTS/RTS) handshaking.

Press enter and you should get a prompt like
192.168.0.1>


In order to access Command Line Interface you can use also use Telnet.
In Windows click on Start > Run... and type
telnet 192.168.0.1 (where 192.168.0.1 is router/modem's IP address.
DSL-300 has 192.168.1.1
address). Click on OK. You will be prompted to enter password. Default
password is "private"."...

I tried the telnet option but nothing happened (no password request or
anything) so i resigned to the fact that this is beyond my
capabilities. SNMP?? what does that stand for Simple-minded Not Meant
to Pass??

So i proceeded without updating firmware...with the hollow hope of
being successful.

tcp port 1723 redirected to static private ip of pc within LAN.

Now here is a recurring problem. You instruct to in the "IP Masquerade
Pass Through" section, make sure the PPTP checkbox is CHECKED in your
device... . There is no "IP Masquerade Pass Through" section in my
router. In consultation with the dlink tech support they suggested the
same thing...but when question why no releveant section in my router an
answer was not forthcoming. Perhaps the updated firmware will make
this section available?? So without pptp enabled to pass through it is
not going to work right??

i performed the pptp ping test anyway and as expected...no go. error
10061 connection refused.

So we have established that i am not passing through the router?? where
to from here??

also, windows firewall won't be causing a problem will it??

further, when doing the test the remote client was connected to the
internet via adsl (as opposed to dial-up link sugested in your
instructions) is this a problem?

Sorry, i know it is frustrating dealing with someone who is ignorant of
even the basics.

again, please help if you can.
Related resources
March 2, 2005 8:03:54 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Firstly, thanx for your help.

Gaaw Crickey...this problem is a real bewdy mate...becoming a real
humm-dinger (and other stereotypical slang you might expect from an
Ossie).

Unfortunately i was not able to update the firmware for the router. it
timed out. the update readme file suggests: "If you are experiencing
time-out problems when updtating the firmware please ensure that the
default SNMP community string is present on the router. You can set it
up by issuing the
following commands at the Command Line Interface of your router:

snmp access write private
config save

In order to access Command Line Interface connect to the router using
serial cable (using COM
ports on your computer and router).
Run Hyperterminal (you can find this program in Windows under Start >
Programms > Accessories >
Communication). Create new conection using COM1 or COM2 (whichever port

you connected the cable
to). Use the following settings: 9600 baud, 8 bit data word, 1 stop
bit, No parity and
Hardware (CTS/RTS) handshaking.
Press enter and you should get a prompt like
192.168.0.1>

In order to access Command Line Interface you can use also use Telnet.
In Windows click on Start > Run... and type
telnet 192.168.0.1 (where 192.168.0.1 is router/modem's IP address.
DSL-300 has 192.168.1.1
address). Click on OK. You will be prompted to enter password. Default
password is "private"."...

I tried the telnet option but nothing happened (no password request or
anything) so i resigned to the fact that this is beyond my
capabilities. SNMP?? what does that stand for Simple-minded Not Meant

to Pass??

So i proceeded without updating firmware...with the hollow hope of
being successful.

tcp port 1723 redirected to static private ip of pc within LAN.

Now here is a recurring problem. You instruct to in the "IP Masquerade

Pass Through" section, make sure the PPTP checkbox is CHECKED in your
device... . There is no "IP Masquerade Pass Through" section in my
router. In consultation with the dlink tech support they suggested the

same thing...but when question why no releveant section in my router an

answer was not forthcoming. Perhaps the updated firmware will make
this section available?? So without pptp enabled to pass through it is

not going to work right??

i performed the pptp ping test anyway and as expected...no go. error
10061 connection refused. i turned around and did it from LAN pc to
remote (swapping srv and clnt) and the text was passed however...no
mention of the gre packets arriving??

so i tried to establish vpn connection from LAN pc to remote laptop
setup as vpn server...no go.

So we have established that i am not passing in through the router??
where
to from here??

also, windows firewall won't be causing a problem will it??

further, when doing the test the remote client was connected to the
internet via adsl (as opposed to dial-up link sugested in your
instructions) is this a problem?

finally, i was reading how some isp don't pass gre for some (disuted)
reason...could this be the prob??

Sorry, i know it is frustrating dealing with someone who is ignorant of

even the basics.

again, please help if you can.
Anonymous
March 3, 2005 8:30:45 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

As far as the VPN Traffic test is concerned...I meant to say the remote test client can either dial
into the public internet (ie. a laptop with modem sitting on your desk) or be at another location...

You can also test to make sure you have TCP Port 1723 forwarded through the router correctly by
going to this site while sitting at the PPTP VPN server PC and using IE...

http://www.canyouseeme.org/

If that works then again it comes down to the GRE Protocol 47 issue...

Yes, the SP2 Windows Firewall could be blocking incoming PPTP connections. Open the Windows Firewall
and go to the "Advanced -> Settings" page and make sure the checkbox for "Incoming connection VPN
(PPTP)" is checked. You can also highlight the entry and click on "Edit" to make sure the correct PC
is selected...

Your correct that if you can't get GRE Protocol 47 traffic (PPTP Pass Through) enabled/configured
and working through the router then incoming PPTP VPN from a remote client will never work.

I am not familiar with or have your particular router so the best I can say is to go back to D-Link
for help or look into using a dedicated VPN end-point router...You might want to lurk/post over on
the Broadband Reports VPN forums for some help with the later...

http://www.dslreports.com/forum/vpn

SNMP = Simple Network Management Protocol...

Good luck...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

<craig@hughbgage.com.au> wrote in message
news:1109811834.138498.181390@z14g2000cwz.googlegroups.com...
> Firstly, thanx for your help.
>
> Gaaw Crickey...this problem is a real bewdy mate...becoming a real
> humm-dinger (and other stereotypical slang you might expect from an
> Ossie).
>
> Unfortunately i was not able to update the firmware for the router. it
> timed out. the update readme file suggests: "If you are experiencing
> time-out problems when updtating the firmware please ensure that the
> default SNMP community string is present on the router. You can set it
> up by issuing the
> following commands at the Command Line Interface of your router:
>
> snmp access write private
> config save
>
> In order to access Command Line Interface connect to the router using
> serial cable (using COM
> ports on your computer and router).
> Run Hyperterminal (you can find this program in Windows under Start >
> Programms > Accessories >
> Communication). Create new conection using COM1 or COM2 (whichever port
>
> you connected the cable
> to). Use the following settings: 9600 baud, 8 bit data word, 1 stop
> bit, No parity and
> Hardware (CTS/RTS) handshaking.
> Press enter and you should get a prompt like
> 192.168.0.1>
>
> In order to access Command Line Interface you can use also use Telnet.
> In Windows click on Start > Run... and type
> telnet 192.168.0.1 (where 192.168.0.1 is router/modem's IP address.
> DSL-300 has 192.168.1.1
> address). Click on OK. You will be prompted to enter password. Default
> password is "private"."...
>
> I tried the telnet option but nothing happened (no password request or
> anything) so i resigned to the fact that this is beyond my
> capabilities. SNMP?? what does that stand for Simple-minded Not Meant
>
> to Pass??
>
> So i proceeded without updating firmware...with the hollow hope of
> being successful.
>
> tcp port 1723 redirected to static private ip of pc within LAN.
>
> Now here is a recurring problem. You instruct to in the "IP Masquerade
>
> Pass Through" section, make sure the PPTP checkbox is CHECKED in your
> device... . There is no "IP Masquerade Pass Through" section in my
> router. In consultation with the dlink tech support they suggested the
>
> same thing...but when question why no releveant section in my router an
>
> answer was not forthcoming. Perhaps the updated firmware will make
> this section available?? So without pptp enabled to pass through it is
>
> not going to work right??
>
> i performed the pptp ping test anyway and as expected...no go. error
> 10061 connection refused. i turned around and did it from LAN pc to
> remote (swapping srv and clnt) and the text was passed however...no
> mention of the gre packets arriving??
>
> so i tried to establish vpn connection from LAN pc to remote laptop
> setup as vpn server...no go.
>
> So we have established that i am not passing in through the router??
> where
> to from here??
>
> also, windows firewall won't be causing a problem will it??
>
> further, when doing the test the remote client was connected to the
> internet via adsl (as opposed to dial-up link sugested in your
> instructions) is this a problem?
>
> finally, i was reading how some isp don't pass gre for some (disuted)
> reason...could this be the prob??
>
> Sorry, i know it is frustrating dealing with someone who is ignorant of
>
> even the basics.
>
> again, please help if you can.
>
March 3, 2005 3:29:52 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

thanx al,

i thought about getting a new router that has vpn endpoint but my fear
is that my isp may not be passing GRE protocol 47 traffic...trying to
confirm with them if they do or not.

others have suggested installing pc anywhere or the like but i suspect
that this will not be any different as they utilise GRE protocol 47 as
well don't they??

another tangent thought...this protocol is used for vpn to trafic data
transported over the net, right?? what about for remote desktop??
same protocol used?? also, what are the limitiations of remote
dsktop...can i open, amend, create and copy files (to be left on the
host)...is the work visible to others in the great wide net while i
work on it?? what about print or use the other shared peripherals like
cd-rw? because this might be sufficient in the short-term while i am
sorting out the vpn woes. i am just desperate to get to the files and
work on them...wasted a few days already on this.

again probably very basic questions but no-one else to ask.

thanx for your help
Anonymous
March 3, 2005 7:35:17 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Neither PC Anywhere or XP Remote Desktop (RDP) use GRE Protocol 47.

In both of those cases you only need to forward/open the appropriate ports through the router to the
PC your trying to reach. In the case of Remote Desktop that is TCP Port 3389. It looks like PC
Anywhere uses TCP Port 5631 and UDP Port 5632.

http://www.portforward.com/cports.htm

The downside to using Remote Desktop is that the desktop is *NOT* useable/viewable at the office end
when a remote user is logged on remotely with RDP. If the PC your connecting to is a specific
workers normal desktop and they happen to be working from home or another remote site *AND* no one
else will be working or trying to use that specific office PC, then RDP is a good alternative. Here
is the definitive article that describes this behavior...

http://support.microsoft.com/?kbid=280828

So, if you can work within those parameters your good to go. I don't use PC Anywhere so I can't help
you with that...

For help getting RDP working in a workgroup environment, which you seem to be in, see this page...

http://theillustratednetwork.mvps.org/RemoteDesktop/Rem...

If you want to access multiple RDP desktop sessions through a firewall/NAT/router see this page for
examples of how to do this...

http://theillustratednetwork.mvps.org/RemoteDesktop/Mul...

The Remote Desktop data stream is encrypted. If you use Remote desktop you might consider using a
Group Policy on the RDP host change the required encryption to "High". I also recommend you always
"Prompt for a password" *AND* use a STRONG password. Use the Group Policy editor to configure
this...

http://www.microsoft.com/resources/documentation/Window...
http://www.microsoft.com/resources/documentation/Window...

With Remote Desktop the remote user can access local and remote disc drives, print either locally or
remotely and copy or cut-n-paste files, etc. A slightly dated article but good information anyway.

http://www.microsoft.com/windowsxp/using/mobility/getst...

If you want to use PC Anywhere I suggest you visit the PC Anywhere support pages for help...

If you have a lot of users needing to access your network a VPN end-point router may also be an
option. Others, more knowledgeable than I, will need to speak to that issue since I am only a home
user and have no direct experience using such a device. I will say, however, an end-point router
that allows multiple IPSec/L2TP VPN connections is desirable from a security standpoint if you go
that route. I doubt your ISP blocks incoming VPN connections, but its good to check anyway...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

<craig@hughbgage.com.au> wrote in message
news:1109881792.413815.226950@l41g2000cwc.googlegroups.com...
> thanx al,
>
> i thought about getting a new router that has vpn endpoint but my fear
> is that my isp may not be passing GRE protocol 47 traffic...trying to
> confirm with them if they do or not.
>
> others have suggested installing pc anywhere or the like but i suspect
> that this will not be any different as they utilise GRE protocol 47 as
> well don't they??
>
> another tangent thought...this protocol is used for vpn to trafic data
> transported over the net, right?? what about for remote desktop??
> same protocol used?? also, what are the limitiations of remote
> dsktop...can i open, amend, create and copy files (to be left on the
> host)...is the work visible to others in the great wide net while i
> work on it?? what about print or use the other shared peripherals like
> cd-rw? because this might be sufficient in the short-term while i am
> sorting out the vpn woes. i am just desperate to get to the files and
> work on them...wasted a few days already on this.
>
> again probably very basic questions but no-one else to ask.
>
> thanx for your help
>
!