Error 721 on Win2K VPN (Yes 47 IP enabled!!) 3

[Seeruk]

Here we go this might be lengthy but I want to provide all information needed!!!

Basically I have a Standalone Win2k server in a NT4 domain which I am setting up as the VPN server.

Two nics installed - I dont use a firewall, instead I use TCP filters to stop unwanted stuff.
I have TCP/UDP ports 80, 1489, and 1723 enabled along with IP Protocol 47 on both cards.
Our ISP provides us with static IP which is mapped to NIC2 and NIC1 is the internal lan card.
Yes the test user has diallin access both in the domain account in the NT arena and on a local account on the win2k server.
The server can be pinged through from the client and the normal funtionality of browsing etc is there at the client.
The server also can access the net

I'm out of ideas totally and it seems every bboard on the net can only suggest enabling IP Protocol 47 as a solution but it is enabled.
i am thinking its possibly a routing thing as I had a friend who solved it through routing but I dont know much on this subject

Please for the love of god tell me something to get this darn thing working as I am going crazy having spent 2 weeks working on it!!

 

[ehartley]

bwilliams, how would you explain a 'DMZ' setup on the VPN client and server side not authenticating (721)?

Setup:
Site 1. Win2k Server behind Netopia R3200 IDSL router with public/static IP routed directly to internal IP on server NIC with no filter.

Site 2. Win2k pro with Win2k VPN client behind Netgear FVS318 (firmware 1.2) with public/static IP pointing to router and DMZ passing through to Win2k pro workstation.

* Works fine when Netgear taken out of architecture.
** Have tried various IPSec policies on client and server. Does not work with or without IPSec policies.

 

[Skadaddle]

OK, here is what I have.

VPN server is Windows 2000 server. I manually set it up because I heard the wizard messes things up. I have a ATT&T Cable modem connected to a LinkSys router which has port forwarding. I have port 1723 forwarded to my VPN NIC card ( Netgear FA310TX).
When I attemped to VPN in It gets to varifying username & password and then timesout with an error 721 no response from the remote computer. If I use the IP address of the computer from a workstation with-in the network it connects just fine. So, The problem has to do with coming through the Linksys router or the settings of the VPN server. I have another network with a Linksys router handling the VPN conection and it works fine. Both are setup exactly the same so what am I missing.

 

[bwilliam13]

IPSec has nothing to do with GRE. You might as well just forget about AH, ESP, and IPSec for the time being because they have nothing to do with Microsoft's PPTP VPN solution. They (PPTP and IPSec) are two completely different principles in VPN technology...and IPSec isn't even for VPN's really...it's just for encrypting a complete TCP/IP session from beginning to end; handshake to transmission to end-of-transmission.

Skadaddle, remove your firewalls from the equation and use a process of elimination. Take all components out of the mix that could be blocking packets by default and try to get the connection work (your firewalls and all filtering routers). Other than that, I cannot tell you what to do because I don't have specifics of your architecture (hardware model #'s, etc).

EricHartley, I'm pretty confident your problem is the Netgear router/firewall. That router/firewall does not support GRE (IP protocol 47) from the 170 pages of documentation that I looked over. It only supports IPSec. IPSec doesn't need any additional protocols to work...although it does appear to use AH and ESP (protocols 50 and 51) in this implementation.

To get PPTP/GRE to work (which is what you need for a Microsoft VPN solution), you need to have that router forward EVERYTHING unabated just to see if it will work. From reading the documentation, the only things you can forward are TCP and UDP ports...and only pre-defined ones on the router...which means it won't even let you redirect GRE, nor will it let you correctly NAT GRE. I'd get a new router/firewall if I were you. One that supports the whole IP protocol stack...not just TCP/UDP.

 

[ehartley]

BWilliam13, thanks for the response. I suspected you would answer this way. I have little faith in the netgear equipment. From your experience, which router would you suggest we switch to given the price point of the netgear (~$119.)?? Don't need anything fancy. Something that works and can handle GRE as well as other VPN systems (IPSec to other boxes ,etc.). Also need to have something that will eventually be capable of VPN to a 26xx model Cisco.

Skadaddle, which model linksys is installed? And you have it working in a full Win2k VPN network (with client and server)?? I have used linksys a while back for non-VPN networks and telecommuters (decent price point and stability even as a temporary solution in a commercial satellite installation running Citrix terminals) but was not impressed with firmware features at that time. Please advise your experience with your particular model.

Thank you both.

 

[Skadaddle]

Thanks for your quick response. my hardware setup is this.

My Cable modem is an RCA Broadband supplied by AT&T. The LinkSys router is officially called Etherfast cable/DSL router Model Number BEFSR11 I have all W2K machines Servers & Clients. My cable modem has a dynamic IP address and I use DTDNS to automatically update my DNS records when it changes.
I do not know anything about a Protocal 47 GRE (do I need to enable this?)

I have an internal IP scope handled by the Linksys Router. I have port fowarding on for ports 80 (web) 25(email) 21(FTP) and 1723 (VPN) All servers recevied and send traffic except the VPN server. I can't remove the Linksys because I wouldn't be able to do Port forwarding and that deffeats the whole purpose. Do you suggest I buy a newer Linksys router and see if that helps?

Someone in this thread mention W2K had problems routinh the VPN traffic and there might be ways to fake it out or trick it into working?

Thanks for all your help!

 

[ehartley]

Skadaddle, from research I have done, the BEFSR11 will not allow proper authentication with a Win2k Serv VPN box on the outside. Seems it a GRE/Prot 47 issue per Bwilliam13. We had one we tested and arrived at the same results as your current problem.

Did you say you had a seperate VPN network with indentical setup which authenticating properly??

 

[bwilliam13]

I suggest anything Cisco. There are many Cisco routers that can act as limited firewalls given their applications. For VPN purposes, anything off-the-shelf ala Best Buy or Circuit City you shouldn't be using in a corporate setting just because they do not support very many things the corporate setting requires...GRE, AH, ESP, and IPSec being just a few of those things.

In my home as well as in my company's corporate dial-in/VPN setup, we utilize one Pentium III-class PC with two network cards running Redhat Linux 7.2 or higher to do ALL of our firewalling/VPN filtering. Aside from Linux' IPTables filtering and Cisco's latest version 6.2 firewall IOS, there isn't a more capable option on the planet in my opinion.

If you're looking for a cheaper solution (rather than buying a Cisco PIX or taking the time/energy to load a PC up with Linux), I suggest a smaller router like the Cisco 1600 and 1700 series, or an off-the-shelf model like a Netopia that WILL support PPTP/GRE as well as IPSec/AH/ESP out of the box. Note: A lot of the Netopia routers will only support creating VPN (PPTP) tunnels from themselves to a Win2k/Winnt VPN server...they will not support pass-thru to allow a server on the inside network to act as a VPN server. For that to happen, I think you need something more industrial like a Cisco router. Again, I suggest the Cisco 1600 series. They are more expensive ($300-$400 refurbished or used), but they get the job done better than anything else you're going to find.

I will look into some other devices we have onsite here and see if they support GRE as a filterable protocol. If so, I will post their makes/models.

 

[ehartley]

Bwilliam13, any thoughts on the Cisco 806 and 827 models versus the 1600 series? 806 & 827 pass GRE tunnels in and out. Only a few Netopia models in the sub $500 range pass GRE.

 

[bwilliam13]

Yes. Both models will work. We've got an 827 on a development network at my company and I just tested the functionality. Works like a charm. I think if you go that route you will have minimal problems...if any.

 

[zalex]

In terms of which routers will work, I've been using the Linksys BEFSR81 successfully with the Windows2000 VPN Client to logon to a Windows2000 VPN server. I can't imagine it being any different for the BEFSR11 as long as you have a recent firmware verson.

 

[ehartley]

Zalex, thanks for the input. You're correct, the BEFSR81 works fine with Win2k VPN CLient/Server. Are yo forwarding specific ports or are you using DMZ feature for client location? I've seen it work with DMZ.

 

[ehartley]

... that is, DMZ with PPTP pass-though enabled.

 

[GregScott]

bwilliam13 is mostly but not completely correct. This is wrong:

> Linux IPTables firewalls will automatically NAT
> correctly any outgoing packets (TCP port 1723)
> and will automatically accept GRE back in if
> there was a request originating from inside the
> network, but that is the only firewall that I know
> will NAT TCP port 1723 and GRE correctly without
> having to have explicit rules to allow both
> incoming and outgoing.

Using Linux based firewall systems, you need rules to pass these packets back and forth, along with appropriate NAT entries. You need at least a 2.4.9 kernel (which shipped with Red Hat Linux 7.2), and at the server end, you need a special patch to make Linux handle the stuff properly. See the VPN Masquerade howto for details.

I have several Linux based firewall systems up and running, and I routinely do PPTP VPNs to various Win2K servers.

In order to do Microsoft PPTP VPNs, with whatever firewall implementation you choose, you must have some set of rules that set up NAT entries for:

TCP Port 1723
IP Protocol 47 (also called GRE)

Let's make a couple facts absolutely, crystal clear:
IP Protocol 47 (also called GRE) is not TCP, it's not UDP, it's not ICMP. It is its own IP protocol. The Microsoft application that uses GRE packets is called PPTP. This has absolutely nothing whatsover to do with IPSEC. IPSEC and PPTP are completely different - and unrelated - technologies. IPSEC uses IP Protocols 50 and 51, along with UDP port 500.

There are many ways to build VPNs. It is possible to build a VPN using IPSEC technology and many vendors claim to implement some or all of IPSEC. When your router vendor says they pass thru VPN traffic, ask them to explain specifically what that means. If they say they know how to handle GRE packets, then you can feel good the router has a way to support Microsoft PPTP. If they say they can do IPSEC, then keep pushing for an answer about GRE.

Oh - and I read all the Microsoft stuff about needing two NICs in your PPTP server. This is pure hogwash - you do not need 2 NICs. In fact, you don't want 2 NICs because having 2 NICs in the same network creates lots of routing problems - as some people in this forum learned the hard way.

Here is what you need on the side where your PPTP server lives:

Have your firewall or router respond to inbound requests for these packets and NAT them to a private IP Address inside your LAN. Similarly, when the PPTP server inside your LAN responds, the firewall or router should masquerade these back to the public IP address and forward them along.

On the side where your PPTP client lives, you also need a router or firewall that will send out and accept back GRE packets. This router will likely need appropriate NAT entries to masquerade your clients from the Internet.

In lots of cases, what probably happens is, the TCP port 1723 stuff pass back and forth just fine. Most of the low cost DSL routers are OK with TCP and UDP and ICMP. But then, when you start moving GRE packets back and forth, some older/cheaper routers have no clue what's going on.

I am a vendor. I build Linux based firewalls for a living. I have the battle scars to prove it.

- Greg Scott
GregScott@InfraSupportEtc.com

 

[bwilliam13]

GregScott, thanks for the info.

However, you wrote:

"Using Linux based firewall systems, you need rules to pass these packets back and forth, along with appropriate NAT entries. You need at least a 2.4.9 kernel (which shipped with Red Hat Linux 7.2), and at the server end, you need a special patch to make Linux handle the stuff properly. See the VPN Masquerade howto for details."

You do NOT need the patch if all you're running is a single SERVER behind the Linux firewall. You only need the patch if you've got more than one client or server behind a single Linux firewall...so let's not make this more complicated than it is. Kernel 2.4.9 w/IPTables will handle a single host trying to NAT GRE and PPTP correctly with just a regular ol masquerade rule. Always has.

I think this has been a point of confusion in the community for some time, and still is. To accept multiple incoming clients to a single Microsoft PPTP VPN server behind a Linux firewall, you can use IPTable as-is (kernel 2.4.9 or later like you said) out of the box. If you want to masquerade more than one host on the inside network (be it client or server...or both), only then do you need the patch(es).

 

[JeffreyOyler]

I have not read all the posts in this thread, as it seems to have strayed a bit from the original topic, but I have a thought:

Seeruk, do you have a default gateway entered for both NICs in the PPTP server box? The only only NIC that should have a default gateway address in the one connected to (or towards, as the case may be) the Internet. The internal NIC should be left with a blank gateway address. If you have multiple internal subnets that you need to route to, then you should use the "ROUTE -p ADD" command from the command line to add the internal routes.

 

[dlb99]

Just wanted to relay my experience with the Netgear DG814 ADSL Modem/Router:

Even though the DMZ points to the VPN Server, Authentication times out with error 721.

Background:
Netgear DG814 firmware version 4.10, VPN Client Windows XP, VPN Server Windows 2003

Problem:
Can establish VPN to this server over LAN, Can establish VPN connections to other Servers on Internet, Cannot establish VPN connection to server via DG814. Don't want to spend any money on a new router.

Solution:
Add port map from drop down list in DG814 menu for PPTP to the VPN server IP address.

Question:
Isn't this the same as what the DMZ pointing to the VPN server should be doing?

Theory:
?DMZ is a lie AND/OR PPTP port map adds not only TCP 1743 but also IP47/GRE passthrough inbound??.

Outcome:
Stupid Netgear unless I misunderstand what DMZ should be doing, but saved myself having to buy a new router.

PS:
Also so sick of the DG814 locking-up on a daily basis (cos of NAT table overloading) that I demoted it to its deserved role of being soley an ADSL modem : I do all NAT/firewall on P3 WinXP with Kerio WinRoute or Win2k3 RRAS - have not needed to reset the DG814 in months.

 

[dlb99]

1743 should be 1723

 

[VaticNZ]

Hi all,

I was having the 721 error as per the other messages, and following bwilliam13's posts, have resolved the problem at our site.
We use a SnapGearPro (v1.6.1) firewall.
To enable PPTP passthrough (for GRE) I found a knowledge base reference here (

http://www.cyberguard.info/snapgear/cgi-bin/fom?_recurse=1&file=34#file_109)

which directed me to add custom rules. (I'm glad I found it - coz I wouldn't have come up with those rules by myself!)

Once the rules were added, everything fell into place.

Thanks all for the discussion, and thanks bwilliam13 for sharing your knowledge. I learned something new and I resolved our issue. It's a good day!

Rich

 

[edcoder]

Hello all, I am having the same exact issues but...I found out something interesting. I have tested the connection using PPTP Ping and it worked without issues. I was able to sent a message back in forth from server to client using GRE. It must be in my configuration of the RRAS. The way I have it setup is this:

Windows 2003 Server Running:
RRAS & a Domain Controller
1 NIC installed with local private IP range(10.0.1.9).
RRAS Setup:
Router-->LAN & Demand Dial Routing
Remote Access Server
Security-->Windows Authentication
IP Routing-->Enabled via static routes(10.0.1.30-10.0.1.35)...I have tried (192.168.1.30-192.168.1.35)

Any help would be greatly appreciated!

 

[rickbeare]

Hello, I have network A and network B

Network A Cisco 2611 with version 12.2

Network B Cisco 2621 with version 12.1

Network A has no problems with clients vpn into any of the 2000 or 2003 servers.

Network B hangs at the username and password and logs the protocal 47 thing

the forwarding is as follows for network B
ip nat inside source static tcp 192.168.30.2 1723 66.150.47.180 1723 extendable

If I DMZ it, it works fine, Also there is not anything in my access list that seems to be preventing it as well, do you have any Ideas ?