VPN on Windows Server 2003 behind a Router
-
I have a win2k3 server set up as a VPN server (Remote access server role) operating behind a D-Link router. The problem is as follows: Connecting with VPN (set up using Windows XP VPN network connection) works perfectly when the client is behind the same router as the VPN server. Connecting from an external client does not work... it waits on "Verifying username and password" and then stops at:
Error 721: The remote computer did not respond...
On the server side I find the following text in IPRouterManager.LOG right after I get the 721 error message:
[1004] 22:10:19: Error adding route, Stack bit == 0
[1004] 22:10:19: ProcessDefaultRouteChanges: Not default route /32
I set up the router as follows:
1) Port forward TCP 1723 to the server on the router that the server is behind.
2) Likewise for UDP 500
3) Enable PPTP and IPSec pass-through
Can anyone help me out? I've tried soooo many different things.. I'm hoping a Microsoft MVP for networking can find this post and figure it out! :) Thanks in advance..
r -€
-- modified at 23:50 Wednesday 14th September, 2005
-
This is the standard: PPTP traffic uses TCP port 1723 to create and maintain the connection and IP protocol 47 to send data. L2TP/IPSec traffic uses UDP ports 500 and 4500 to create and maintain the connection and IP protocol 50 to send data. Configure your firewall to allow these types of traffic to and from your VPN server. Why it isn't working for you is a mystery and you'll just have to make sure that rules are actually "Enabled" on your firewall. If you are unable to get it then you won't find more authority on that subject than this... VPN Windows 2000. Please see Appendix A.
- Rex
Some assembly required. Code-frog System Architects, Inc.
-
Well, I would prefer to use PPTP since apparently L2TP requires certificates.
r -€
-
By the way, thanks for the wonderful link!!! I will print that out
r -€
-
Open the port and then enjoy the results. ;) You'll notice that it's not an "optional" port designation. I've yet to have a problem with it.
Some assembly required. Code-frog System Architects, Inc.
-
I opened up 500, 4500 UDP and 1723 TCP (routed to VPN server) and it still doesn't work.. anything else I can try?
r -€
-
Ditto. Thanks for the link. This will make some good bedtime reading. :)
I'm on-line therefore I am. JimmyRopes
-
Can you email me a screen shot of the rules on your D-Link? My email address is in the notification you get of reply from this thread; it's also (remove the #'s) r##e##x##@##c##o##d##e##-##f##r##o##g##.##c##o##m##. Let me see what you have going on there. I think you can also turn logging on in the D-Link and then you can view what is going on or how the D-Link is treating your VPN requests. If you leave your WAN IP in the screen shot that's fine. You can blank it out too. I do not have the time, not even the slightest bit, to try and break into your network nor do I care to. Federal Prisons look really nice from a distance and I choose to keep it that way. I'll do my very best to help you with this though, but I need to know what all you have going on. Which version is your D-Link? A DI-624, DI-514, Etc???
- Rex
Some assembly required. Code-frog System Architects, Inc.
-- modified at 0:56 Thursday 15th September, 2005
-
The things we do for money are this:
1.0 Connect an XP on the LAN segment to the server. This means the server should be able to accept incoming PPTP and other protocols. If you succeed at this step, then implement using the firewall and WAN IP address. So what I am suggesting is: cut the firewall business in the first step.
2.0 Start using some kind of packet analyzer such as ether packets and capture the TCP/UDP packets on the server. Try to analyze what is going on.
3.0 Make sure the VPN service is running on the ports at the server.
4.0 Upgrade the firmware on the D-Link router. You should do this first.
Send me a mail if you are unable to do this. software@keencomputer.com
Tapas Shome
System Software Engineer
Keen Computer Solutions
1408 Erin Street
Winnipeg, Manitoba
Canada R3E 2S8
ww.keencomputer.com
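Added example, not written by any poster in this thread: one way to carry out the packet-capture step above is to check a capture taken on the VPN server against the flows listed earlier in the thread (TCP 1723 and IP protocol 47 for PPTP; UDP 500, UDP 4500 and IP protocol 50 for L2TP/IPSec). The packets and addresses are constructed samples, the function names are hypothetical, and only packets sent to the server are inspected.

```python
import socket
import struct

# Flows named in the thread: (label, IP protocol number, destination port or None)
PPTP = [("TCP 1723 (PPTP control)", 6, 1723),
        ("IP protocol 47 (PPTP data)", 47, None)]
L2TP_IPSEC = [("UDP 500", 17, 500), ("UDP 4500", 17, 4500),
              ("IP protocol 50", 50, None)]

def parse_ipv4(pkt):
    """Return (protocol, dst_port or None) for a raw IPv4 packet, None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    dport = None
    # Only TCP (6) and UDP (17) carry ports, and only in the first fragment.
    if proto in (6, 17) and frag_offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, dport

def missing_flows(packets, required):
    """List the required flows that never appear among packets sent to the server."""
    seen = {parse_ipv4(p) for p in packets} - {None}
    return [label for label, proto, port in required
            if not any(s[0] == proto and (port is None or s[1] == port) for s in seen)]

def build(proto, dport=0, src="198.51.100.7", dst="192.168.0.10"):
    """Constructed sample packet: 20-byte IPv4 header plus 4 bytes of payload."""
    payload = struct.pack("!HH", 40000, dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed captures of traffic arriving at the VPN server (not real data).
WAN_CAPTURE = [build(6, 1723), build(6, 1723), build(17, 53)]
LAN_CAPTURE = [build(6, 1723), build(47), build(47)]

if __name__ == "__main__":
    for name, cap in (("external client", WAN_CAPTURE), ("LAN client", LAN_CAPTURE)):
        print(name, "-> missing for PPTP:", missing_flows(cap, PPTP) or "nothing")
```

IP protocols 47 and 50 have no port numbers, so they match on the protocol field alone; a TCP or UDP port forward does not cover them.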
-
I sent you an e-mail with a few screenshots. It's a DI-524
r -€