
Watchguard X500 - MS RRAS Server

Status
Not open for further replies.

denrobare (Technical User, US)
Jun 2, 2008
I have a Watchguard X500 and would like to have my mobile users connect to a new RRAS Server. I have setup the following policies and am currently connecting from my XP laptop to the Firebox. The VPN connects, but not to the server, it is connecting at the Firebox for some reason.

I have NAT setup to allow port tcp 1723 to forward from any to RRAS ip.

I have ports ip 50, udp 500, udp 4500 for ipsec open from any to RRAS ip and to any from RRAS ip.

I have tcp 1723 and ip 47 open from any to RRAS ip and from RRAS ip to any.

I have viewed the following thread and got some info, but not a solution. thread872-1258993

Any help would be appreciated. I believe it could be just an auth issue, since the firebox is authenticating and not forwarding to the RRAS.

I have the Firebox Authentication set at default, which is Firebox Auth.
 
Well all you should need is 1 rule then.

You just need to forward 1723 to the Servers IP.

500 and 4500 are for IPSEC.

You could also keep it straightforward by using Windows authentication.

Gavin Moorhouse
 
I have NAT redirecting tcp 1723 traffic to the server's IP address. I have removed the other rules since they were unnecessary. I have set the firebox to use my Win2003 server for authentication. I am no longer connecting to the firebox, which is good, but still unable to connect to RRAS server. I received the following in my traffic monitor:

06/05/08 08:22 kernel: ip_masq_pptp(): Clear call request PPTP sess 10.x.x.x-> 192.168.xxx.xxx Call ID 100 -> 8020.

06/05/08 08:22 kernel: ip_masq_pptp(): Lost GRE masq table entry (DISCONNECT_NOTIFY)
 
try allowing GRE (IP Protocol 47) outbound.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ok, on the X500 I thought it already does this when you allow PPTP but it would appear yours is blocking the GRE protocol. You need to allow GRE through, this is not a port number, it is a Protocol.

My only other thought is to check that the local Windows firewall is not blocking the traffic.

Gavin Moorhouse
 
This is what I received. I have opened a PPTP (ports tcp 1723 and ip 47) rule that allows any to/from. Still no connection. However, I not only receive the following in the firebox logs, I now also receive an error message on the RRAS server.

kernel: ip_masq_pptp(): Req outcall PPTP sess 10.x.xx.40 -> 192.168.xxx.x Call ID 100 -> 81A2.

kernel: ip_masq_pptp(): Estab outcall PPTP sess 10.x.xx.40 -> 192.168.xxx.x Call ID 81A2 -> 100.

firewalld[124]: deny in eth0 78 udp 20 128 10.x.xx.40 10.x.xx.255 137 137 (default)

kernel: ip_masq_pptp(): Clear call request PPTP sess 10.x.xx.40 -> 192.168.xxx.x Call ID 100 -> 81A2.

kernel: ip_masq_pptp(): Lost GRE masq table entry (DISCONNECT_NOTIFY)

Server Error:

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 6/5/2008
Time: 9:47:16 AM
User: N/A
Computer: RRAS1
Description:
A connection between the VPN server and the VPN client 192.168.xxx.x(THIS IS THE FIREBOX'S IP) has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at
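As an added example (not code from this thread or from WatchGuard), a small Python script that correlates Firebox ip_masq_pptp() lines like the ones quoted above: a PPTP session that reaches "Estab outcall" and is then cleared while a "Lost GRE masq table entry" message appears is flagged as GRE blocked, which is the condition Rasman Event ID 20209 describes. The log lines and IP addresses below are constructed placeholders.

```python
import re

# Constructed sample of Firebox traffic-monitor lines, modelled on the thread above.
SAMPLE_LOG = """\
kernel: ip_masq_pptp(): Req outcall PPTP sess 10.1.10.40 -> 192.168.1.5 Call ID 100 -> 81A2.
kernel: ip_masq_pptp(): Estab outcall PPTP sess 10.1.10.40 -> 192.168.1.5 Call ID 81A2 -> 100.
firewalld[124]: deny in eth0 78 udp 20 128 10.1.10.40 10.1.10.255 137 137 (default)
kernel: ip_masq_pptp(): Clear call request PPTP sess 10.1.10.40 -> 192.168.1.5 Call ID 100 -> 81A2.
kernel: ip_masq_pptp(): Lost GRE masq table entry (DISCONNECT_NOTIFY)
"""

# Matches the three PPTP control-channel events the Firebox logs for a session.
# The "->" may or may not be surrounded by spaces in the raw output.
PPTP_RE = re.compile(
    r"ip_masq_pptp\(\): (?P<event>Req outcall|Estab outcall|Clear call request) PPTP sess "
    r"(?P<client>\S+) ?-> ?(?P<server>\S+) Call ID (?P<a>\w+) -> (?P<b>\w+)"
)
LOST_GRE = "Lost GRE masq table entry"


def analyze_pptp_log(text):
    """Return a list of (client, server, diagnosis) tuples, one per PPTP session seen.

    GRE_BLOCKED   : control channel (tcp/1723) completed but the call was cleared and
                    the GRE (IP protocol 47) masquerade entry was lost -> allow protocol 47.
    OK            : call established and not cleared.
    CONTROL_FAILED: the outgoing call request never reached "Estab outcall".
    """
    sessions = {}  # (client, server) -> set of control-channel events
    lost_gre = False
    for line in text.splitlines():
        m = PPTP_RE.search(line)
        if m:
            sessions.setdefault((m["client"], m["server"]), set()).add(m["event"])
        elif LOST_GRE in line:
            lost_gre = True

    findings = []
    for (client, server), events in sessions.items():
        if "Estab outcall" in events and "Clear call request" in events and lost_gre:
            diag = "GRE_BLOCKED"
        elif "Estab outcall" in events:
            diag = "OK"
        else:
            diag = "CONTROL_FAILED"
        findings.append((client, server, diag))
    return findings


if __name__ == "__main__":
    for client, server, diag in analyze_pptp_log(SAMPLE_LOG):
        print(f"{client} -> {server}: {diag}")
```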
 