xp vpn connection problem

Archived from groups: microsoft.public.windowsxp.work_remotely

Greetings from Australia.

I am designated IT manager for small company but am an ignoramus and
need help. Hope my Aussie accent and phraseology doesn't confuse.

Trying to set up VPN connection to office LAN using xp VPN
capabilities.

Office LAN has 10 or more users with designated machine running xp pro
which has been setup as vpn server (allows incoming connections) and
remote user identities have been setup. The LAN accesses the internet
via d-link dsl-500 modem/router (which is supposed to have VPN pass
through capabilities). The router has port tcp 1723 redirected to
local ip address of the xp machine acting as vpn server.

At remote end is laptop running xp home, setup to connect to vpn
server at office LAN. Internet access is established and trying to
establish vpn connection to static ip address of router (issued by
isp) which is theoretically passed through to vpn server at local ip
address through tcp port 1723.

Problem is that i'm not getting through and error 800 is displayed.

I contacted the router supplier tech support who explained that NAT is
enabled on the router to allow multiple internet users on the LAN from
a single public ip address and that with NAT enabled effectively a
firewall stopping all else from entering?? They gave several ideas to
rectify problem or to allow VPN traffic to pass through router with
NAT enabled:
1) enable "pptp" or "IPSec" - however, there is nowhere in the router
configuration menu to do this??
2) Redirect port tcp 1723 or udp 500 to the local ip address of the
vpn server - which i have.
3) and enable and redirect DMZ to the local ip address of the vpn
server - now when i did this i was able to make it through the
connection and authentication process without error but was not able
to view any files present on the vpn server. Also, all local users
lost contact with the designated server machine and their internet
access. Once DMZ disabled my remote connection terminated and local
users were restored.

Result - i'm still screwed and unable to connect to the designated
server machine.

I suspect that the router config is my downfall but i may be missing
something else in the vpn server setup, client connection setup, or
some other obscure issue i have no idea about??

please help if you can.
  1.

    Well it boils down to whether or not you can forward TCP Port 1723 and pass GRE Protocol 47 traffic
    through the modem/router to the VPN server PC. I just looked at the DSL-500 FAQ...

    http://www.dlink.com.au/tech/drivers/files/routers/dsl500.htm

    ....and D-Link claims that the latest firmware does this. Now, I have found that with these consumer
    grade routers firmware version support for GRE Protocol 47 traffic is kind of spotty...So...

    The good news is you can test this...

    1. Make sure you're running the latest firmware in the device.
    2. Make sure you have TCP Port 1723 forwarded to the local private *STATIC* LAN IP of the PPTP VPN
    server machine. Look at Page 28, ie. the "IP Masquerade Pass Through" section, of the User's Manual
    and make sure the PPTP checkbox is CHECKED in your device...

    http://www.dlink.com.au/tech/drivers/files/routers/dsl500.htm

    3. Run the test detailed in the "VPN Traffic" section on this page from another XP PC at a remote
    site connected to the internet via a dialup link...

    http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

    ....Get the tools for XP from this link...

    http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

    That test will tell you if you have TCP Port 1723 forwarded correctly and if GRE Protocol 47 traffic
    is being passed through the router...

    I recommend *NOT* using the DMZ since that exposes the PC to the public internet fully. That is a
    potential and probable security risk...

    One other note is that if you get this working you will only be able to have one incoming PPTP VPN
    connection at a time. This is a limitation of Windows XP. If you need additional VPN incoming
    connections then you need to look at a server grade OS like Windows 2003 Server or a dedicated VPN
    end-point router...

    Good luck...

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...
  2.

    Firstly, thanx for your help.

    Gaaw Crickey...this problem is a real bewdy mate...becoming a real
    humm-dinger (and other stereotypical slang you might expect from an
    Ossie).

    Unfortunately i was not able to update the firmware for the router. it
    timed out. the update readme file suggests: "If you are experiencing
    time-out problems when updating the firmware please ensure that the
    default SNMP community string is present on the router. You can set it
    up by issuing the
    following commands at the Command Line Interface of your router:

    snmp access write private
    config save


    In order to access Command Line Interface connect to the router using
    serial cable (using COM
    ports on your computer and router).

    Run Hyperterminal (you can find this program in Windows under Start >
    Programs > Accessories > Communication). Create new connection using
    COM1 or COM2 (whichever port you connected the cable to). Use the
    following settings: 9600 baud, 8 bit data word, 1 stop bit, No parity
    and Hardware (CTS/RTS) handshaking.

    Press enter and you should get a prompt like
    192.168.0.1>


    In order to access Command Line Interface you can also use Telnet.
    In Windows click on Start > Run... and type
    telnet 192.168.0.1 (where 192.168.0.1 is router/modem's IP address.
    DSL-300 has 192.168.1.1
    address). Click on OK. You will be prompted to enter password. Default
    password is "private"."...

    I tried the telnet option but nothing happened (no password request or
    anything) so i resigned to the fact that this is beyond my
    capabilities. SNMP?? what does that stand for Simple-minded Not Meant
    to Pass??

    So i proceeded without updating firmware...with the hollow hope of
    being successful.

    tcp port 1723 redirected to static private ip of pc within LAN.

    Now here is a recurring problem. You instruct to in the "IP Masquerade
    Pass Through" section, make sure the PPTP checkbox is CHECKED in your
    device... . There is no "IP Masquerade Pass Through" section in my
    router. In consultation with the dlink tech support they suggested the
    same thing...but when questioned why no relevant section in my router an
    answer was not forthcoming. Perhaps the updated firmware will make
    this section available?? So without pptp enabled to pass through it is
    not going to work right??

    i performed the pptp ping test anyway and as expected...no go. error
    10061 connection refused.

    So we have established that i am not passing through the router?? where
    to from here??

    also, windows firewall won't be causing a problem will it??

    further, when doing the test the remote client was connected to the
    internet via adsl (as opposed to dial-up link suggested in your
    instructions) is this a problem?

    Sorry, i know it is frustrating dealing with someone who is ignorant of
    even the basics.

    again, please help if you can.
  3.

    Firstly, thanx for your help.

    Gaaw Crickey...this problem is a real bewdy mate...becoming a real
    humm-dinger (and other stereotypical slang you might expect from an
    Ossie).

    Unfortunately i was not able to update the firmware for the router. it
    timed out. the update readme file suggests: "If you are experiencing
    time-out problems when updating the firmware please ensure that the
    default SNMP community string is present on the router. You can set it
    up by issuing the
    following commands at the Command Line Interface of your router:

    snmp access write private
    config save

    In order to access Command Line Interface connect to the router using
    serial cable (using COM
    ports on your computer and router).
    Run Hyperterminal (you can find this program in Windows under Start >
    Programs > Accessories > Communication). Create new connection using
    COM1 or COM2 (whichever port you connected the cable to). Use the
    following settings: 9600 baud, 8 bit data word, 1 stop bit, No parity
    and Hardware (CTS/RTS) handshaking.
    Press enter and you should get a prompt like
    192.168.0.1>

    In order to access Command Line Interface you can also use Telnet.
    In Windows click on Start > Run... and type
    telnet 192.168.0.1 (where 192.168.0.1 is router/modem's IP address.
    DSL-300 has 192.168.1.1
    address). Click on OK. You will be prompted to enter password. Default
    password is "private"."...

    I tried the telnet option but nothing happened (no password request or
    anything) so i resigned to the fact that this is beyond my
    capabilities. SNMP?? what does that stand for Simple-minded Not Meant
    to Pass??

    So i proceeded without updating firmware...with the hollow hope of
    being successful.

    tcp port 1723 redirected to static private ip of pc within LAN.

    Now here is a recurring problem. You instruct to in the "IP Masquerade
    Pass Through" section, make sure the PPTP checkbox is CHECKED in your
    device... . There is no "IP Masquerade Pass Through" section in my
    router. In consultation with the dlink tech support they suggested the
    same thing...but when questioned why no relevant section in my router an
    answer was not forthcoming. Perhaps the updated firmware will make
    this section available?? So without pptp enabled to pass through it is
    not going to work right??

    i performed the pptp ping test anyway and as expected...no go. error
    10061 connection refused. i turned around and did it from LAN pc to
    remote (swapping srv and clnt) and the text was passed however...no
    mention of the gre packets arriving??

    so i tried to establish vpn connection from LAN pc to remote laptop
    setup as vpn server...no go.

    So we have established that i am not passing in through the router??
    where to from here??

    also, windows firewall won't be causing a problem will it??

    further, when doing the test the remote client was connected to the
    internet via adsl (as opposed to dial-up link suggested in your
    instructions) is this a problem?

    finally, i was reading how some isp don't pass gre for some (disputed)
    reason...could this be the prob??

    Sorry, i know it is frustrating dealing with someone who is ignorant of
    even the basics.

    again, please help if you can.
  4.

    As far as the VPN Traffic test is concerned...I meant to say the remote test client can either dial
    into the public internet (ie. a laptop with modem sitting on your desk) or be at another location...

    You can also test to make sure you have TCP Port 1723 forwarded through the router correctly by
    going to this site while sitting at the PPTP VPN server PC and using IE...

    http://www.canyouseeme.org/

    If that works then again it comes down to the GRE Protocol 47 issue...

    Yes, the SP2 Windows Firewall could be blocking incoming PPTP connections. Open the Windows Firewall
    and go to the "Advanced -> Settings" page and make sure the checkbox for "Incoming connection VPN
    (PPTP)" is checked. You can also highlight the entry and click on "Edit" to make sure the correct PC
    is selected...

    You're correct that if you can't get GRE Protocol 47 traffic (PPTP Pass Through) enabled/configured
    and working through the router then incoming PPTP VPN from a remote client will never work.

    I am not familiar with or have your particular router so the best I can say is to go back to D-Link
    for help or look into using a dedicated VPN end-point router...You might want to lurk/post over on
    the Broadband Reports VPN forums for some help with the latter...

    http://www.dslreports.com/forum/vpn

    SNMP = Simple Network Management Protocol...

    Good luck...

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...
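
    The TCP 1723 checks discussed in this thread, as an added example that is not part of any post: a Python probe that sends the PPTP Start-Control-Connection-Request defined in RFC 2637 and classifies what comes back, including the "connection refused" case Windows reports as error 10061. The names `build_sccrq`, `parse_sccrp`, `probe` and `SAMPLE_REPLY` are made up for this example, the sample reply is constructed, and the probe covers only the control channel; GRE Protocol 47 still has to be tested separately.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D   # fixed cookie in every PPTP control message (RFC 2637)
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
CTRL_LEN = 156              # both messages are exactly 156 bytes

# Header: length, message type (1 = control), cookie, control type, reserved
HDR = struct.Struct("!HHIHH")
# Request body: version, reserved, framing caps, bearer caps, max channels,
# firmware revision, host name, vendor string
REQ = struct.Struct("!HHIIHH64s64s")
# Reply body: version, result code, error code, then the same tail as above
REP = struct.Struct("!HBBIIHH64s64s")

# Constructed sample reply (result code 1 = success), usable offline
SAMPLE_REPLY = HDR.pack(CTRL_LEN, 1, MAGIC_COOKIE, SCCRP, 0) + REP.pack(
    0x0100, 1, 0, 3, 3, 1, 0, b"vpnsrv", b"constructed")


def build_sccrq(host_name=b"probe"):
    """Build the first message a PPTP client sends on TCP 1723."""
    body = REQ.pack(0x0100, 0, 3, 3, 0, 0, host_name, b"")
    return HDR.pack(CTRL_LEN, 1, MAGIC_COOKIE, SCCRQ, 0) + body


def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < CTRL_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    _, msg_type, cookie, ctrl_type, _ = HDR.unpack_from(data, 0)
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    fields = REP.unpack_from(data, HDR.size)
    version, result, error, host, vendor = (*fields[:3], *fields[7:])
    return {"version": version, "result": result, "error": error,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Return (status, fields).

    refused   - TCP reset: nothing listening where the forward points
    no-answer - timeout or unreachable: port not forwarded, or filtered
    not-pptp  - something accepted the connection but is not a PPTP server
    pptp-ok   - control channel works; GRE Protocol 47 is still untested
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            data = b""
            while len(data) < CTRL_LEN:
                chunk = s.recv(CTRL_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused", None
    except OSError:             # includes socket timeouts
        return "no-answer", None
    try:
        return "pptp-ok", parse_sccrp(data)
    except ValueError:
        return "not-pptp", None


if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_REPLY))
```

    A "pptp-ok" result followed by a VPN connection that still fails points at GRE not being passed by the router or ISP rather than at the port forward.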
  5.

    thanx al,

    i thought about getting a new router that has vpn endpoint but my fear
    is that my isp may not be passing GRE protocol 47 traffic...trying to
    confirm with them if they do or not.

    others have suggested installing pc anywhere or the like but i suspect
    that this will not be any different as they utilise GRE protocol 47 as
    well don't they??

    another tangent thought...this protocol is used for vpn to traffic data
    transported over the net, right?? what about for remote desktop??
    same protocol used?? also, what are the limitations of remote
    desktop...can i open, amend, create and copy files (to be left on the
    host)...is the work visible to others in the great wide net while i
    work on it?? what about print or use the other shared peripherals like
    cd-rw? because this might be sufficient in the short-term while i am
    sorting out the vpn woes. i am just desperate to get to the files and
    work on them...wasted a few days already on this.

    again probably very basic questions but no-one else to ask.

    thanx for your help
  6.

    Neither PC Anywhere nor XP Remote Desktop (RDP) use GRE Protocol 47.

    In both of those cases you only need to forward/open the appropriate ports through the router to the
    PC you're trying to reach. In the case of Remote Desktop that is TCP Port 3389. It looks like PC
    Anywhere uses TCP Port 5631 and UDP Port 5632.

    http://www.portforward.com/cports.htm

    The downside to using Remote Desktop is that the desktop is *NOT* useable/viewable at the office end
    when a remote user is logged on remotely with RDP. If the PC you're connecting to is a specific
    worker's normal desktop and they happen to be working from home or another remote site *AND* no one
    else will be working or trying to use that specific office PC, then RDP is a good alternative. Here
    is the definitive article that describes this behavior...

    http://support.microsoft.com/?kbid=280828

    So, if you can work within those parameters you're good to go. I don't use PC Anywhere so I can't help
    you with that...

    For help getting RDP working in a workgroup environment, which you seem to be in, see this page...

    http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html

    If you want to access multiple RDP desktop sessions through a firewall/NAT/router see this page for
    examples of how to do this...

    http://theillustratednetwork.mvps.org/RemoteDesktop/Multiple_PC_RD.html

    The Remote Desktop data stream is encrypted. If you use Remote Desktop you might consider using a
    Group Policy on the RDP host to change the required encryption to "High". I also recommend you always
    "Prompt for a password" *AND* use a STRONG password. Use the Group Policy editor to configure
    this...

    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_uvnl.asp
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_quaq.asp

    With Remote Desktop the remote user can access local and remote disc drives, print either locally or
    remotely and copy or cut-n-paste files, etc. A slightly dated article but good information anyway.

    http://www.microsoft.com/windowsxp/using/mobility/getstarted/russel_may18.mspx

    If you want to use PC Anywhere I suggest you visit the PC Anywhere support pages for help...

    If you have a lot of users needing to access your network a VPN end-point router may also be an
    option. Others, more knowledgeable than I, will need to speak to that issue since I am only a home
    user and have no direct experience using such a device. I will say, however, an end-point router
    that allows multiple IPSec/L2TP VPN connections is desirable from a security standpoint if you go
    that route. I doubt your ISP blocks incoming VPN connections, but it's good to check anyway...

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...