Error 721 on Win2K VPN (Yes 47 IP enabled!!)

Status
Not open for further replies.

Seeruk

IS-IT--Management
May 30, 2002
Here we go, this might be lengthy but I want to provide all information needed!!!

Basically I have a Standalone Win2k server in a NT4 domain which I am setting up as the VPN server.

Two NICs installed - I don't use a firewall, instead I use TCP filters to stop unwanted stuff.
I have TCP/UDP ports 80, 1489, and 1723 enabled along with IP Protocol 47 on both cards.
Our ISP provides us with a static IP which is mapped to NIC2, and NIC1 is the internal LAN card.
Yes, the test user has dial-in access both in the domain account in the NT arena and on a local account on the Win2k server.
The server can be pinged through from the client and the normal functionality of browsing etc. is there at the client.
The server also can access the net.

I'm out of ideas totally and it seems every bboard on the net can only suggest enabling IP Protocol 47 as a solution, but it is enabled.
I am thinking it's possibly a routing thing as I had a friend who solved it through routing, but I don't know much on this subject.

Please for the love of god tell me something to get this darn thing working as I am going crazy having spent 2 weeks working on it!!
 
Sorry to bump this so early but my boss is on my back lol!!!!
 
ANYONE!!!!!!!!!!????????
 
Someone must have had this problem???????
 
Try and see if you can create a VPN across your local LAN. Let me know if you can do that first and we can go from there.
 
Bobo-rific - I hope that response was a joke!!!

Dmasch and everyone else - I have solved it. I was right in the fact that a route did need creating but as I had/have no knowledge of routing I was stuck. However by total accident I stumbled across a solution.

I removed the network cable for the internal LAN from the rear of the server and then attempted a connection. It worked!!!! Then I put the internal LAN back in again and it still worked!!! So I guess it forced Windows 2000 to create a route (as I heard was possible and thus the experiment).

Only trouble is if you reboot the server sometimes you need to repeat the process, but as this doesn't happen very often it's no big pain.

I can do everything, browse network, exchange/pop3/imap email on another server, run apps on several servers, etc etc works a treat!!! :D

 
Just a bit extra that might help - when you set up the VPN on your server, you probably used the Wizard - try using the Manual option next time - I had this issue when I only used 1 NIC and the wizard seemed to set up routes as though there were 2 NICs.
steve
 
I agree - the wizard seems to screw up most things and as such seems to be completely useless.
 
It's a documented fact (Microsoft) that there is a problem with the wizard and that you should only use the manual configuration.
 
I have a similar problem, I am attempting to run a VPN connection via ADSL:

Internet ----> Cisco 827 ----> PIX 501 ----> Win2k server

I can connect internally, but once beyond the firewall I get stuck at the verifying username and password message. I have TCP/UDP port 1723 set up using static and conduit commands:

static (inside,outside) 192.62.25.2 192.62.24.1 netmask 255.255.255.255

conduit permit tcp/udp 192.62.25.2 255.255.255.255 eq 1723 0 0

but cannot get a conduit command to work for IP protocol 47. Any ideas??

Also how do you enable a card for IP 47?

Thanks for any suggestions

DCbell
 
I am experiencing the same problems with Verifying Username and Password message.

Again, it works fine internally and it also works fine externally if I disconnect my Router and plug an ADSL modem directly into the Server.

Therefore the problem must be with the Router, I have set up port forwarding for port 1723.

It's a Netgear DG814 ADSL router, it has the ADSL modem built into it. It does say in the documentation that it supports VPN passthrough.

Using Netmon I have analysed the packets that are sent to and from the server. On a successful connection, either by using the LAN or the ADSL modem directly attached to the server, the communication goes as follows:

Client sends TCP packets to VPN Server on port 1723.
Server responds to Client.
Client sends TCP packets to VPN Server on port 1723.
Server responds to Client.

This is the stage where Verifying UserName and Password is displayed.

Client sends IP packets to VPN Server on Protocol 47.

Server responds to Client

There is more communication like this and the connection is successful.

When using the Router to forward Port 1723 to the VPN server the communication goes like this.

Client sends TCP packets to VPN Server on port 1723.
Server responds to Client.
Client sends TCP packets to VPN Server on port 1723.
Server responds to Client.

This is the stage where Verifying UserName and Password is displayed.

Client sends IP packets to VPN Server on Protocol 47.

They never arrive.

The client keeps sending the packets, but they never arrive and eventually the connection times out.

I spoke to Netgear, they were no help, just advised a firmware update, which made no difference. I have seen postings on the Net that say even though routers may say they allow VPN Passthrough, some only let VPN sessions out of the LAN and not IN.

I still have not got it working.

5 days now.
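
The comparison described in the post above, as an added example that is not part of the original thread: it classifies raw IPv4 packets from a server-side capture into PPTP control traffic (TCP port 1723) and PPTP data traffic (IP protocol 47, enhanced GRE), then reports which leg is missing. The addresses and packets are constructed sample data, and the function names are illustrative.

```python
import struct
from ipaddress import IPv4Address

PPTP_PORT, TCP, GRE = 1723, 6, 47  # 1723 is a TCP port; 47 is an IP protocol number

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def tcp(sport, dport):
    """Minimal TCP header: the two ports followed by 16 zero bytes."""
    return struct.pack("!HH", sport, dport) + bytes(16)

def classify(pkt):
    """Return (src, dst, kind); kind is 'pptp-control', 'pptp-gre' or 'other'."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]            # protocol field sits at offset 9
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    kind = "other"
    if proto == TCP and len(body) >= 4:
        if PPTP_PORT in struct.unpack("!HH", body[:4]):
            kind = "pptp-control"
    elif proto == GRE and len(body) >= 4:      # GRE has no port numbers at all
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x7 == 1 and ptype == 0x880B:   # enhanced GRE v1 carrying PPP
            kind = "pptp-gre"
    return src, dst, kind

def diagnose(capture, client, server):
    """Summarise a server-side capture the way the Netmon comparison does."""
    seen = {classify(p) for p in capture}
    control = ((client, server, "pptp-control") in seen
               and (server, client, "pptp-control") in seen)
    if not control:
        return "TCP 1723 control channel incomplete"
    if (client, server, "pptp-gre") not in seen:
        return "control channel up, but no GRE (IP protocol 47) from the client arrived"
    return "control channel and GRE both arrive"

# Constructed sample captures, as seen at the VPN server.
CLIENT, SERVER = "198.51.100.10", "192.0.2.20"
GRE_HDR = struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)  # K bit set, version 1
DIRECT = [ipv4(CLIENT, SERVER, TCP, tcp(1055, 1723)),
          ipv4(SERVER, CLIENT, TCP, tcp(1723, 1055)),
          ipv4(CLIENT, SERVER, GRE, GRE_HDR)]
VIA_ROUTER = DIRECT[:2]                        # router forwarded 1723 only

if __name__ == "__main__":
    print("direct:    ", diagnose(DIRECT, CLIENT, SERVER))
    print("via router:", diagnose(VIA_ROUTER, CLIENT, SERVER))
```

A TCP segment addressed to port 47 falls into `other` here, which is why forwarding or opening "port 47" on a router or packet filter does not let the GRE data channel through.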

 
I just tried my VPN internal and it worked. Outwards it doesn't... what is this IP 47 protocol? How do you enable it?!!!

Thanks.
 
bradsm.

I'm getting exactly the same effect as you are.
I'm using pptpclnt and pptpsrv from the Windows 2000 support pack to verify it (does the same thing as a Win 2K VPN server but at a more comms based level so it removes all the extra hassle of user verification etc.)
I too get communication on port 1723, but no response to my client's protocol 47 transmissions.
Have you had anyone else experience this problem or have you solved it now?
(Please e-mail me as well as post if you have !)
AidanD@Atlanticwharf.net
 
I've got a new router on trial, an Intertex. It seems to have a few more features than the Netgear, I'm going to try it this weekend to see if it solves the problem.

I'll let you all know if it does.
 
I'm having the same difficulty as most of you. I CAN make a connection across my internal network but get a 721 or 769 when I try it outside my network. I've opened ports 47, 1489, and 1723. I'm using MS Windows 2000 Server. Need any more info? Any ideas?
 
Have any of you considered that your router may not support IP Security Protocol (IPsec) which allows the IPsec protocol to go through the router to the server? I have a Linksys router that I had to upgrade to the latest firmware before it would support IPsec Passthru. This is a common problem. Some routers don't support IPsec at all. Check to see if your router either has IPsec support or if the manufacturer has an upgrade that will allow it to do so.
 
The spec of my Netgear DG814 router says it supports VPN passthrough, is this the same thing?

I spoke to Netgear and have installed the latest firmware available.
 
I have had the same problem and after speaking with Microsoft support for 7 hours we discovered that the two network cards were the issue. You will need to find which boots up first. Then go to network properties, right click on the card and then click disable. Right click on the same card again and click enable. This works great. Keep in mind though that after you reboot the server you will have to do this again as it defaults back to the original settings.
 