Error 650 when trying to establish a vpn connection

Status
Not open for further replies.

thierryhug

IS-IT--Management
Jan 11, 2001
1
FR
Hello,

When I am trying to establish a VPN connection, I can see a window saying checking name and password. A few seconds later I get the error message 650 (the translation of the French error message is: The computer you call does not answer to a network request. Check the server type in connection properties).

We have a DSL router (a FlowPoint) which allows us to share DSL lines.

The VPN server is in Atlanta (USA).

Here in Paris, the client is Windows 98.

Do you have an idea of what could be wrong? The name and password are correct.

Thierry.
 
Different user, same situation and yes, I am using NAT security on the router. I'm told that MS's VPN software is not robust enough to navigate ip NAT security with static ip addressing.
I have another user on the same network that is using InfoExpress' VSClient and having no problem. I do not have the luxury of installing any enterprise VPN solution though, as several companies are sharing a T1 and router. Is there client software available (such as MS VPN) that is capable of handling it?
 
I have the same problem with the "650 error". My Windows 2000 vpn server (also my domain server) has 1 network card connected to the internet via 1 port cable/dsl router (linksys). Can someone please help me setup this situation?

Thanks in advance!
Kraig (kalyko)
 
I am attempting to create a VPN b/w a Win2K pro and a Win2K server. I have RRAS enabled with a group policy to allow dialin for any user which is allowed dialin. The Pro computer and Server are at different locations BOTH using the Lucent CellPipe routers and have the default server for the router as the server. When the pro machine attempts to dial in, I get "No Answer". Someone told me to create a static route for port 1723 to forward to the server's 1723 port. After doing that, the Pro machine gets a "verify username and password" and hangs for a while then "Error 721: Remote Computer is not responding"...

How can I get these two computers to connect via VPN?

Please Help
 
You also have to forward GRE 47 to the server.
 
I was finally able to get this to work. The problem was I did not have specific firewall rules on my Linux box to forward the proper ports. If anyone is interested, I will post the firewall rules I am using.



Jay
 
As you can tell from the thread - I've received no answers only more of the same question, so I can only assume that the research I did still holds: My ISP engineers said that Microsoft's VPN client software is not robust enough to navigate NAT security when using private IP addressing. My personal experience was that it could be done, but only with the assistance of third enterprise solution hardware/software. The client I worked with used InfoExpress VSClient software. His remote network incorporated the server side of the same software. We were using private IP addressing on the client side only, but it connected and authenticated on the first try. I did look at a few other products that suggested they could help at client level, but I did not have any success with them. I did also look for an upgrade to Microsoft's product, but did not find any.

So that was my experience - I would be very interested in hearing others.

Leighsa
 
Here they are. Sorry the lines wrapped the way they did.

#!/bin/sh

########################################################################
# Home firewall rules using ppp0 as the Internet Interface
#
# Revision Log
# Original Version - 30 December, 2000 - Jay Hall
# Incorporate VPN forwarding and firewall rules into
# script - 02 February, 2001 - Jay Hall
#
# Forwarding rules and in/output rules for pptp
# 31 January, 2001 - Jerry Vonau (jvonau@home.com)
#
######################################################################

# Define constants
Anywhere="0/0"
Priv_Ports="0:1024"
UnPriv_Ports="1025:"
Mail_Server="216.106.1.0/24"

# Get the Internet Interface information (ppp0)
Internet_Interface="ppp0"

# Thanks to Craig McPherson for the following scripts
# (the column offsets depend on this system's ifconfig output format)
Internet_Address=`ifconfig $Internet_Interface | grep inet | cut -c 21-35`
Internet_Netmask=`ifconfig $Internet_Interface | grep Mask | cut -c 64-79`

#Get the Lan Interface information (eth0)
Lan_Interface="eth0"
Lan_Address=`ifconfig $Lan_Interface | grep inet | cut -c 21-34`
Lan_Netmask=`ifconfig $Lan_Interface | grep Mask | cut -c 61-79`
Lan_Network="10.129.10.0/24"

# VPN Information
VPNSERVER="12.13.103.254"

# Set the default policies. Do not change the forwarding rules or policy
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT

# Rules for output still need to be developed so the default output policy can
# be set to deny.

/sbin/ipchains -A input -j ACCEPT -p icmp
/sbin/ipchains -A output -j ACCEPT -p icmp

# Allow all inputs from the LAN and the loopback interface
/sbin/ipchains -A input -i $Lan_Interface -s $Lan_Network -d $Anywhere -j ACCEPT
/sbin/ipchains -A output -i $Lan_Interface -s $Anywhere -d $Anywhere -j ACCEPT
/sbin/ipchains -A input -j ACCEPT -i lo -s $Anywhere -d $Anywhere

# VPN rules. Special thanks to Jerry Vonau (jvonau@home.com)
/sbin/ipchains -A input -j ACCEPT -i $Lan_Interface -p tcp -b -s $Lan_Network -d $VPNSERVER 1723
/sbin/ipchains -A input -j ACCEPT -i $Lan_Interface -p 47 -b -s $Lan_Network -d $VPNSERVER
/sbin/ipchains -A input -j ACCEPT -i $Internet_Interface -p 6 -b -s $Lan_Network -d $VPNSERVER 1723
/sbin/ipchains -A input -j ACCEPT -i $Internet_Interface -p 6 -b -s $VPNSERVER 1723 -d $Internet_Address
/sbin/ipchains -A input -j ACCEPT -i $Internet_Interface -p 47 -b -s $VPNSERVER -d $Internet_Address

/sbin/ipchains -A input -j ACCEPT -i $Internet_Interface -p tcp -b -d $VPNSERVER 1723 -s $Lan_Network
/sbin/ipchains -A input -j ACCEPT -i $Internet_Interface -p 47 -b -s $Lan_Network -d $VPNSERVER

/sbin/ipchains -A output -j ACCEPT -i $Lan_Interface -p tcp -b -s $Lan_Network -d $VPNSERVER 1723
/sbin/ipchains -A output -j ACCEPT -i $Lan_Interface -p 47 -b -d $Lan_Network -s $VPNSERVER
/sbin/ipchains -A output -j ACCEPT -i $Internet_Interface -p tcp -b -s $Lan_Network -d $VPNSERVER 1723
/sbin/ipchains -A output -j ACCEPT -i $Internet_Interface -p 47 -b -s $Lan_Network -d $VPNSERVER
/sbin/ipchains -A output -j ACCEPT -i $Internet_Interface -p tcp -b -s $Internet_Address -d $VPNSERVER 1723
/sbin/ipchains -A output -j ACCEPT -i $Internet_Interface -p 47 -b -s $Internet_Address -d $VPNSERVER

/sbin/ipchains -I forward 1 -j MASQ -i $Internet_Interface -p 47 -s $Lan_Network -d $VPNSERVER
/sbin/ipchains -I forward 2 -j MASQ -i $Internet_Interface -p 6 -s $Lan_Network -d $VPNSERVER 1723
 
Leighsa ---

I am using Microsoft's VPN client without any problem. We are also using a Linux server (2.2.14 kernel, with the VPN masquerading patches to take care of the address translation).

It took some time to get it up and running, but it works extremely well.

Following is the link I used to get started:

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html



Jay
 
Jay - Thanks for taking the time to respond. At the risk of sounding ignorant I'll assume your "Linux box" is the operating router for your VPN host/network? and the script is rerouting ports? That's what the client end software (RaptorMobile, among others) that I looked at did, but in my particular situation, the port rerouting would have to have taken place at the receiving router end, and the receiving parties reported that they really weren't in a position to change their ports. My router has multiple incoming VPN transmissions (from several corporations that share a T1) and I feared changing MY router config would cause an avalanche for everyone else. So ultimately, my "cause" ended, unresolved for the poor user.

Thanks again Jay, your response is very helpful.

Leighsa
 
You're close to the way our network is set up.

We have a Cisco 1600 set up as a perimeter router for the Internet. Behind this is the Linux firewall/VPN. The firewall/VPN has two network cards (one with an external address and one with an internal address).

Using this setup, all traffic going to the Internet for our organization appears to come from the same IP address (the external IP address of the firewall/VPN).

Linux has masquerading modules that take care of making sure the IP address of the outgoing request is set to the external address. And, when a request comes back, the same modules make sure the correct client receives the requested information. I have no idea how this actually works, software wise, but it does.

The rules posted above are necessary to allow ports 47 and 1723 through the firewall since Linux does not automatically forward these ports.

The only clients using the VPN at this time are running Windows 98. We are using the VPN client that came with Windows 98 to access the VPN. In our case, the user establishes an Internet connection. Once the connection is established, they go back to Dial-up networking and then dial the VPN. The VPN is dialed by ip address and uses the currently established Internet connection.

I hope this helps.



Jay
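
Added example, not part of any post in this thread: a small check that reads ipchains rule lines and reports whether a given chain passes both flows PPTP needs to reach one VPN server, the TCP control channel on 1723 and GRE (IP protocol 47), as discussed in the replies above. The function name `pptp_rule_check`, the sample rules and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check ipchains rule lines for
# complete PPTP passthrough to one VPN server. PPTP needs two flows:
# the TCP control channel on port 1723 and GRE (IP protocol 47).

# Usage: pptp_rule_check CHAIN SERVER < rules
# Prints one of: ok | missing-gre | missing-control | missing-both
pptp_rule_check() {
    awk -v chain="$1" -v server="$2" '
    /^[ \t]*#/ { next }
    {
        c = ""; proto = ""; target = ""; has_srv = 0; has_port = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-A" || $i == "-I") c = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if (($i == "-s" || $i == "-d") && $(i + 1) == server) {
                has_srv = 1
                if ($(i + 2) == "1723") has_port = 1
            }
        }
        if (c != chain || !has_srv) next
        if (target != "ACCEPT" && target != "MASQ") next
        if ((proto == "tcp" || proto == "6") && has_port) control = 1
        if (proto == "47" || proto == "gre") gre = 1
    }
    END {
        if (control && gre) print "ok"
        else if (control)   print "missing-gre"
        else if (gre)       print "missing-control"
        else                print "missing-both"
    }'
}

# Constructed sample rules; addresses are documentation placeholders.
sample_control_only() {
    cat <<'EOF'
/sbin/ipchains -I forward 1 -j MASQ -i ppp0 -p 6 -s 10.0.0.0/24 -d 192.0.2.10 1723
EOF
}
sample_complete() {
    sample_control_only
    echo "/sbin/ipchains -I forward 1 -j MASQ -i ppp0 -p 47 -s 10.0.0.0/24 -d 192.0.2.10"
}

echo "control only: $(sample_control_only | pptp_rule_check forward 192.0.2.10)"
echo "complete:     $(sample_complete | pptp_rule_check forward 192.0.2.10)"
```

The check matches literal addresses only, so a script that uses shell variables such as `$VPNSERVER` has to be expanded before it is fed in.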
 
The Linksys has a problem with the Windows default MTU. I changed the client to 512 (576 being the PPP max) and it helped with Windows clients.
 