I want to VPN out thru BM...

[Klae]

Hello people,

I would like to allow internal clients behind BM to succesfully use a VPN connection out to another Network. Let's say the Internal workstation and BM is site A and I want to VPN out to site B. site B can handle NAT being used by other (than BM) firewall/NAT devices/products. From behind BM the clients get as far as username and password authentication before they (Win2000 clients) get error 721 VPN server not responding. I am using PPTP VPN and even after fully opening (all ports) a stateful hole to site B it still fails. What are the basics as I've never touched on VPN thru BM before? Can anyone see what I'm missing?

Klae

You're only as good as your last answer!

 

[marvhuffaker]

It may be more of a routing issue than anything else. Does the BorderManager server you are trying to go through have NAT enabled? I believe that it should be, otherwise it won't route anything through. You'll use Dynamic NAT unless you have more than one Public IP address on the BM box. Also does it have NAT implicit filtering enabled? I believe that is also something you need.

As a basic test to see if you have the routing correct (putting all filters, proxies, etc aside), you should be able to use a web browser from your workstation and go out through the BM server and hit web pages okay. If that works, then try the VPN client with the same setup and see what happens. If the web pages don't work, you still have a routing issue that needs to be resolved.

I do know that certain VPN clients do not like NAT. The BM vpn client is okay behind NAT but some others are not.


Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting

http://www.redjuju.com