I'm trying to set up a VPN to a static NAT'd Win2K server (the VPN host - PPTP) using Win2K or XP clients. The firewall is set up with public addresses externally and RFC1918 (10.10.10.x) on the private interface. I snagged an unused public IP from the trusted interface which is statically NAT'd to the Win2K server. I basically opened up the policy so that any packet from my test client will be allowed by the firewall (including IP proto GRE). Although I'm not getting any denies in the logs, it's still not working. Is this possible in the scenario I am describing, or should I move the Win2K server to a real/public IP in the trusted interface so no NAT takes place? If that also doesn't work, I may just dual-NIC the box and span the FW altogether, which defeats the purpose, but would prove the server-client configs...
Oh, and to add fuel to the fire.. This is my first Watchguard, I'm more of a PIX/Checkpoint-Nokia man...