Home VPN PPTP

Nuwave

Member
Jun 30, 2008
118
0
0
Hello,

First off let me introduce myself, I'm Mike. I have been lurking on the anandtech forums since 2005. Recently I've been more focused on the networking sub-category. I've diagnosed, and recreated issues, and come up with resolutions of my own for many of the issues brought up here, sometimes they actually work! But most are hypothetical solutions, as the answer to a lot of the problems doesn't make it back on here from the OP's. I've also learned quite a bit, and have found valuable resources. Thanks for that!

Anyways today I made an account, and logged in for the first time! And now need help from some of you!

This is my goal.

Make a VPN connection from Computer A to Computer B via the internet. Simple network diagram is as follows


(Computer A) - (Router A) - (Modem A) ---{{INTERNETS}}--- (Modem B) - (Router B) - (Computer B)


Computer A is a Windows XP Home Machine
Router A is a WRT54G Linksys

Computer B is a Windows Vista home Machine
Router B is a Dlink (not sure of model number)

I've followed these instructions to the letter.

http://www.onecomputerguy.com/...king/xp_vpn_server.htm
http://www.onecomputerguy.com/networking/xp_vpn.htm

http://www.onecomputerguy.com/...g/vista_vpn_server.htm
http://www.onecomputerguy.com/...g/vista_vpn_client.htm

From XP machine (Client) to Vista machine (Server) the connection fails at authenticating username/password. Error 628*.

From Vista(Server) to XP(Client) the connection fails before it even begins. Says the VPN server is not responding or something similar. Error 809**. Although, sometimes the connection fails at username/password. Error 628*.

Error 628 doesn't refer to the credentials being invalid but rather the Server closing the connection. "The port is disconnected or the connection was terminated by the remote computer before it could be completed. This is most likely a modem or phone line noise issue or blocking port issue."

** Error 809 "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."


I've looked into error 809 on both machines, and routers. I've checked and double checked and triple checked my port forwarding and IPSec PPTP and L2TP pass-through settings.

Port 50-51, 500, 1723 are forwarded to the VPN Server machine.
My understanding tcp port 1723 establishes a GRE session which is related to the PPTP pass-through. 50-51 has something to do with IPSec (which I'm not 100% certain I need for just PPTP) and port 500 has something to do with sharing, which I'm also not certain I need.

Things I have yet to try:

Putting the VPN Server in a DMZ.
Running EasyLink_Connect.exe and LinksysUpgrade.exe
Calling my ISP to confirm they support VPN. I'm sure Shaw does.
Making sure Dlink router has latest firmware.

Other info
WRT54G does have latest firmware.
[Edit]Windows Firewall is turned off on both machines
[Edit]Any other software firewall is turned off/nonexistent on both machines.

So my question: is there something else I am missing? Do the routers actually handle vpn traffic properly? A little guidance in the right direction is what I'm really asking I guess.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
It's most likely the routers not handling the tunneling correctly. Try to eliminate the NAT and port forwarding that is probably causing the problem by setting up your forwarding on an IP to IP basis. For example your external IP address is NATd to a single IP address regardless of what tcp or udp port it's using. Do this on both ends.

PPTP uses GRE which is IP PROTOCOL 47. Notice I didn't say a port number, it is actually its own protocol at the IP layer and doesn't use tcp or udp.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
For PPTP, the only TCP Port that needs to be open is 1723. And GRE (Protocol 47) needs to be forwarded through any intermediate routers. Note that it's NOT uncommon to have PPTP VPN passthrough problems with SOHO routers. VPN passthrough ability can change from one particular brand/model/firmware version to the next firmware version.
 

Nuwave

Member
Jun 30, 2008
118
0
0
Originally posted by: spidey07

PPTP uses GRE which is IP PROTOCOL 47. Notice I didn't say a port number, it is actually its own protocol at the IP layer and doesn't use tcp or udp.


Which I've come to understand as the PPTP passthrough that Linksys uses.

I looked up on Jack's ezlan I found

http://www.ezlan.net/vpn.html

He speaks of software vpn servers being incredibly slow.

I wonder if it is slow enough to be causing time out errors and closing connections. Possible I guess.

Try to eliminate the NAT and port forwarding that is probably causing the problem by setting up your forwarding on an IP to IP basis. For example your external IP address is NATd to a single IP address regardless of what tcp or udp port it's using. Do this on both ends.

What is the process? I think I know what you mean but I'm missing something there.

However if it is this slowness issue that's causing me problems. I will probably end up going with a router vpn endpoint. Sounds like it could be the magical cure for this.


 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
The pass-through settings are for connections being sent outbound. On one of the routers you are going to need to allow the PPTP traffic in through the router. This is where Spidey said that you need to allow IP protocol 47 in. This may or may not be possible with consumer grade PAT devices as I have never seen it as an option.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: nightowl
The pass-through settings are for connections being sent outbound. On one of the routers you are going to need to allow the PPTP traffic in through the router. This is where Spidey said that you need to allow IP protocol 47 in. This may or may not be possible with consumer grade PAT devices as I have never seen it as an option.

Yep. Nuwave - dealing with address and port translation (without getting too technical what your SOHO "routers" are doing) with VPNs can be really frustrating and difficult. Packet traces on both ends of the VPN and both ends of each router would go a long way to see what is really going on.

The single outside address = single inside address that I was talking about is network address translation. Only layer3 is modified and mapped, one outside address to one inside address at the IP layer, layer3.

Nightowl has it nailed - the receiver/server of the VPN connection needs this mapping at layer3 and with IP protocol 47. I can't articulate it in a forum post but there are many phases of a VPN/PPTP call setup and if the NAT/PAT devices don't do what you need them to do then it will fail. It's not that SOHO devices are more difficult, it's that you don't have the tools/features necessary to do what is required.
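
Added example, not part of any poster's message: the packet-trace check suggested above, as a small Python classifier that tells the PPTP control channel (TCP port 1723) apart from the tunnel data (GRE, IP protocol 47) in raw IPv4 packets. The sample packets, addresses and function names are constructed for illustration.

```python
import struct

TCP, GRE = 6, 47          # IP protocol numbers (not ports)
PPTP_CONTROL_PORT = 1723  # TCP port of the PPTP control channel
PPP_IN_GRE = 0x880B       # GRE protocol type used by PPTP (RFC 2637)

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as it would appear in a trace."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    proto, payload = pkt[9], pkt[ihl:]
    if proto == TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "other"
    if proto == GRE and len(payload) >= 4:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        # PPTP uses enhanced GRE: version field 1, protocol type 0x880B
        if flags_ver & 0x7 == 1 and ptype == PPP_IN_GRE:
            return "pptp-gre"
        return "gre-other"
    return "other"

def diagnose(packets) -> str:
    """Summarise what a capture taken at one point in the path shows."""
    seen = {classify(p) for p in packets}
    if "pptp-control" not in seen:
        return "no TCP 1723: control channel never reached this point"
    if "pptp-gre" not in seen:
        return "TCP 1723 present but no GRE (protocol 47): tunnel data is being dropped"
    return "control and GRE both present"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([203, 0, 113, 10]),
                       bytes([192, 168, 1, 100])) + payload

# Constructed samples: a TCP SYN to port 1723 and one PPTP GRE data packet.
SYN_1723 = ipv4(TCP, struct.pack("!HHIIBBHHH", 49152, 1723, 1, 0, 0x50, 0x02, 8192, 0, 0))
GRE_PPTP = ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPP_IN_GRE, 4, 1, 0) + b"\xff\x03\xc0\x21")

if __name__ == "__main__":
    print(diagnose([SYN_1723]))            # capture behind a router that drops GRE
    print(diagnose([SYN_1723, GRE_PPTP]))  # capture where the tunnel gets through
```

Running the same check on captures from both sides of each router shows at which hop the GRE packets stop.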
 

Nuwave

Member
Jun 30, 2008
118
0
0
Originally posted by: spidey07
Originally posted by: nightowl
The pass-through settings are for connections being sent outbound. On one of the routers you are going to need to allow the PPTP traffic in through the router. This is where Spidey said that you need to allow IP protocol 47 in. This may or may not be possible with consumer grade PAT devices as I have never seen it as an option.

Yep. Nuwave - dealing with address and port translation (without getting too technical what your SOHO "routers" are doing) with VPNs can be really frustrating and difficult. Packet traces on both ends of the VPN and both ends of each router would go a long way to see what is really going on.

The single outside address = single inside address that I was talking about is network address translation. Only layer3 is modified and mapped, one outside address to one inside address at the IP layer, layer3.

Nightowl has it nailed - the receiver/server of the VPN connection needs this mapping at layer3 and with IP protocol 47. I can't articulate it in a forum post but there are many phases of a VPN/PPTP call setup and if the NAT/PAT devices don't do what you need them to do then it will fail. It's not that SOHO devices are more difficult, it's that you don't have the tools/features necessary to do what is required.

Okay I understand, thanks for all the replies.

One last question; would putting the vpn server machine in a DMZ allow the GRE in on a SOHO router?

 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
Hmm I didn't read all the posts but providing you only need VPN from computer to computer and not full LAN routing, just use Hamachi. You can also add multiple computers.

It's super simple. Install, create a network (just name it and give it a password), then install on the other computer, and join the first computer's network.

You have a fully encrypted tunnel. I use it often for file transfers (where you'd do something like \\computername\share\)
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Originally posted by: dawks
Hmm I didn't read all the posts but providing you only need VPN from computer to computer and not full LAN routing, just use Hamachi. You can also add multiple computers.

It's super simple. Install, create a network (just name it and give it a password), then install on the other computer, and join the first computer's network.

You have a fully encrypted tunnel. I use it often for file transfers (where you'd do something like \\computername\share\)

Another vote for Hamachi.
 