I'm trying to set up a VPN with a Windows Server 2003 machine and one XP Pro client, so that when the client is outside the network, it can connect to it over the VPN and be on the domain.
Here's my network configuration:
- Static IP from ISP
- 1 router for everyone : D-Link DI-604UP
- Some switches
- Server has a static DHCP address: 192.168.0.112
- Everyone else has dynamic IPs from the DHCP
- VPN Pass-Through is enabled on the DI-604UP
- Port 1723 is forwarded to the server at 192.168.0.112
- IP Protocol GRE 47 is open in router's firewall configuration
Here's the problem:
I receive "error 721" when I'm trying to connect with my XP client. I read a lot of forums and discovered that most of the time, IP protocol GRE 47 is not correctly forwarded or opened in the router.
So, I downloaded the Support Tools from Microsoft (pptpsrv and pptpclnt) to check if the GRE 47 protocol was my problem. When I configure the VPN connection on the client side to connect internally at 192.168.0.112 (the server), GRE packets are passing fine and the VPN connection works great. However, when I'm configuring it to connect to the public IP address (the static IP from my ISP), GRE packets can't pass or are never forwarded to my server.
I tried it with an external connection, from an external physical site, and it's not working.
- Does the D-LINK DI604-UP work well for VPN? I mean, is the VPN pass-through option supposed to open both the IP GRE protocol and the PPTP port 1723?
- In the DI604-UP firewall's options, when I select the protocol (IP, UDP, ICMP, *), * stands for "all protocols". What does ICMP stand for? Is GRE 47 an ICMP protocol?
- Why does the VPN work internally and not externally? When I connect to the internal server's IP, it works. However, when I connect to the public IP, I get error 721.
- Would I have the same problem using IPsec? Does IPsec use GRE 47 as well?
You have to enable the VPN Pass-Through option in the router configuration. This will let GRE packets pass.
In the properties of the VPN connection, under the Networking tab, and then in the TCP/IP properties, in the middle of that window you can manually set the address range for your VPN. My first configuration was set to "Assign TCP/IP addresses automatically using DHCP" and it wasn't working.
Also, you have to make sure that in Active Directory, you grant access to the VPN for the wanted users under the "Dial-in" tab in properties.
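
An added example, not part of the original posts: PPTP uses two separate flows, a TCP control connection on port 1723 and GRE (IP protocol 47) for the tunnelled data, and GRE is its own IP protocol number, distinct from ICMP (protocol 1). The Python code below classifies raw IPv4 packets from a server-side capture to show which of the two flows actually arrives; the function names, the sample packets and the 203.0.113.10 client address are constructed for illustration.

```python
import struct

PPTP_TCP_PORT = 1723       # PPTP control channel (TCP)
ICMP, TCP, GRE = 1, 6, 47  # IPv4 protocol numbers: three different protocols
PPTP_GRE_TYPE = 0x880B     # enhanced GRE (version 1) carrying PPP, RFC 2637

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet with respect to PPTP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    if proto == TCP:
        if len(payload) < 4:
            return "malformed"
        sport, dport = struct.unpack("!HH", payload[:4])
        return "pptp-control" if PPTP_TCP_PORT in (sport, dport) else "other-tcp"
    if proto == GRE:
        if len(payload) < 8:
            return "malformed"
        flags, ptype, _length, call_id = struct.unpack("!HHHH", payload[:8])
        if (flags & 0x0007) == 1 and ptype == PPTP_GRE_TYPE:
            return f"pptp-data(call_id={call_id})"
        return "other-gre"
    return "icmp" if proto == ICMP else f"other-ip-proto-{proto}"

def diagnose(packets) -> str:
    """Summarise which PPTP flows appear in a server-side capture."""
    kinds = [classify(p) for p in packets]
    control = "pptp-control" in kinds
    data = any(k.startswith("pptp-data") for k in kinds)
    if control and data:
        return "TCP 1723 and GRE data both arrive"
    if control:
        return "TCP 1723 arrives but no GRE (IP protocol 47) data"
    return "no PPTP control traffic seen"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0, not validated here)."""
    src, dst = bytes([203, 0, 113, 10]), bytes([192, 168, 0, 112])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

# Constructed sample packets, not taken from a real capture
SYN_1723 = ipv4(TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
GRE_DATA = ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 4, 7, 1) + b"\xff\x03\xc0\x21")
PING = ipv4(ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1]))
```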