DSL routers, PPTP pass through

[mtphoenix]

I've been reading a lot on this board tonight. I hope my experience may help some of you.

I run a number of VPN servers. NT 4.0 RAS and Win2k RRAS.

I have seen a number of errors when my remote users are coming in through their own NAT based DSL routers.

It has been my experience that a number of the DSL routers that claim to support PPTP pass through do not. I went through 3 Linksys DSL routers once and found that there was a buffer overflow problem. It would connect, but drop after a few minutes. This was only connecting to a Win 4.0 box, and not when connecting to a 2k box.

I have used the SpeedStream DSL routers. They work. However in many cases, I've had to re-set the router 2 or 3 times before the PPYP passthrough would work.

For what it's worth- whenever you're having a problem connecting and get the password error, try removing the DSL router and plug a cross-over cable directly into the nic on your workstation. See if you can open your VPN then.

Marc

 

[ecm]

Marc,

Not exactly the same issue, but perhaps your experience can shed some light on the VPN problem I'm having -- not DSL but cable. It's your last sentence about seeing if the VPN connection works by cabling directly to the modem thereby bypassing the router.

My VPN connection (Windows 2000 Pro using Microsoft software, no third party VPN like Nortel, etc.) works just fine over a dial-up ISP or when connected directly via Ethernet cable to my cable modem.

However, when I connect that PC to my D-Link DI-614+ router and then that router to the cable modem I get Error 619. I've tried powering off modem, router, PC, etc., Can't seem to get by the error. D-Link says they're PPTP VPN passthrough works. I've got that enabled and still no luck.

Any hints? Thanks, Marc.

Ed

 

[mtphoenix]

Ed,

See if you can open up port 1723 on your router. That's the port MS uses for PPTP. If everything else works when the router is out of the picture, it might be time to take it back. You might also try to re-set the router. I still have to do that with one of the SpeedStream DSL routers I manage. Everytime I make a change in it.

Good luck,

Marc

 

[ecm]

Marc,

Thanks for the reply. I don't think it's a "bad" router; this is the second one I've had. Started with LinkSys and had the same trouble, but got so frustrated with support that I returned it and got a D-Link. It's doing the same thing.

I'll try opening that port as you suggested.

Ed

 

[mtphoenix]

Ed,

I had the same problem with Linksys. Try using a port scanner, and see if that ort is even open by default, as it should be. There's a free port scanner called netlab. I have posted a copy for you here:

http://www.marctamarin.com/netlab.zip

Try scanning the private IP of the router. If you would like, I can scan your public IP, and tell you if that port is open from the outside.

 

[ecm]

Marc,

Thanks. I've downloaded the NETLAB stuff, but not sure what to do with it until after I read the help file.

Sure, try the scan. Do you need information from me to do that?

Ed

 

[mtphoenix]

Ed,

Just unzip it, then run it. There's a "scanner" tab. Put in the private IP of the DSL router, and scan for port 1723.

If you can post your public IP address, I can scan that for you.
Marc

 

[ecm]

Marc,

Thanks for hanging with me on this. I entered the private IP address of my D-Link DI-614+ router on the SCANNER tab. Looks like it might support a range of IP addresses, so I just put the last "." address in two places. Then, checked Scan Ports and entered 1723 for both starting and ending port numbers. When I click SCAN, I see "Looking for Hosts", then something flashes by too quickly to read, and then finally a "Done" In the empty area at the bottom of that screen it just shows my private IP address, but under the Ports column, nothing shows up.

I'm not sure how to interpret what I see. I'd sure be more comfortable if there were a message like Port 1723 Failed or Port 1723 Passed.

Is that what I should have seen?

Thanks,

Ed

 

[havanajoe]

Is there anyway for you to check the logs on the VPN server to see if the client is actually hitting the VPN server? What I have done in the passed to verify that things were working the way they should was to take the cable/dsl router into the office, and hooked it up to the external network and then hooked a laptop up to it and watched the logs on the VPN server to verify that my client was actually hitting it. The other thing that would work really well was if you have access to a sniffer product to capture the packets. That always helps quite a bit to determine where the problems lie. I have never had any problems with Linksys routers hooking up to a Windows 2k VPN server, or a Cisco PIX VPN. Both were running PPTP as well. I would also check (you have probably already done this, so forgive me if its repeating) but check that the firmware on the router, especially Linksys is up-to-date. I did have a lot of problems with their earlier versions of firmware. The one last thing that I would suggest trying would be to set up your clients ip address as a DMZ client on the router. That way it is completely open to all ports. I hope that one of these would help.

Dave

 

[ecm]

Marc and Dave,

First let me thank you both for your suggestions and help.

Problem is "solved" but I don't know what the solution was. I tried using a different VPN server IP address and it works just fine through the D-Link router. The other VPN server address that I was using works just fine when going directly through the cable modem, but fails when connected to the router.

As long as I can get my work done using VPN from home, I'm happy. I reported the problem/findings/solutions to the server site. They are investigating to see what the difference is in configuration on the VPN server for the two different IP addresses that I've used.

When I find what the configuration difference is that causes that Error 619, I'll post it here to "close the loop." Thanks again for your help.

Ed

 

[Identcc]

OK, here's where I am: I have a small business with a DSL line in to a Netopia router (which is passing everything through). This router is plugged in to a Linksys VPN router which provides DHCP addresses to my internal network. I need two things: first I need people to be able to VPN in to the network from home, and second, I need one particular remote office (also with DSL) to VPN into the corporate office to replicate W2K servers and share files. I am aware that the remote office also needs a Linksys VPN router (which I have), but for some reason, none of my efforts have worked thus far. Does anyone know, step by step, how to do this?