PPTP questions

[crobusa]

I just installed m0n0wall, thinking it would be easy to set up a PPTP VPN with our new static IP..

The M0n0wall is 192.168.0.1
Our Lan is 192.168.0.1/16
Or red Static IP is 70.89.xxx.xxx

I've created a firewall rule: Pass PPTP TCP traffic from ANY on ANY port to ANY on ANY.

The documentation seems easy enough, I need to enter a Server address and a remote address range..

For the Server address, I've entered 192.168.1.100, 192.168.0.1 (got error). I even typed the 70.89.xxx.xxx, thinking it wants the red IP address.. still can't connect.

I've tried the XP VPN client inside the LAN, outside the LAN, and telnet to 70.89.xxx.xxx port 1723.

I've tried telneting the static IP and the internet gateway.

Help.

 

[crobusa]

Inside the network, I'm able to connect via 192.168.0.1, no other address will respond on port 1723.

From outside the network, the ISP gave me 2 addresses, one for the "static IP" one for the "internet gateway". Telnet to either does nothing either inside or outside network.

I'm now trying to set a port forwarding rule 1723, but that's nowhere in the instructions..

Please help.

 

[RebateMonger]

Can't help much....sorry....I know nothing about M0n0wall. But a quick look at its manual doesn't indicate that it is a VPN server. Is it? Assuming it isn't, then WHERE/WHAT is your VPN server?

 

[crobusa]

I just got off the phone with Comcast, and I am livid..

We "needed" to sign a 3 yr contract with them for a bloody static IP...
We then lose 9 work hours of internet because the SOBs upload the wrong configuration file, telling us to "restart every computer in the company" :roll:

Now, to the tech's shock-n-horror, we're trying to use *our* own "router/firewall/VPN", he just happens to mention I've spent the entire night troubleshooting m0n0, when I'm in a double-NAT... from the SMC "cable-modem" that is a firewall/router/cable-modem all in one.

Stupid on my end, Assanine on their end..

I'm told there's no way to turn off NAT on the SMC.. is there anything I can do to get this working before I demolish the damn thing?

 

[nightowl]

Did you make sure to allow GRE though the NAT. PPTP uses GRE in addition to port 1723.

 

[crobusa]

I can find no GRE setting in the crippled Web GUI.. The .... Comcast tech said so long as I disabled the firewall, and had m0n0 in the DMZ, *everything* is being passed through..

I quoted an expert on broadband reports, saying that there is an comcast-only interface where all this is done, and he shot back that my modem reset flushed the static-ip config file, and I'm now back to dynamic IP.

I still can't VPN through the dynamic IP. :disgust:

Am I right in my assessment, and how can I put the screws on comcast?

 

[RebateMonger]

Originally posted by: nightowl
Did you make sure to allow GRE though the NAT. PPTP uses GRE in addition to port 1723.

An "800" error happens before the "721" (GRE) errors even start. An "800" error means that you aren't even FINDING the VPN server.

 

[RebateMonger]

Originally posted by: crobusa
I still can't VPN through the dynamic IP. :disgust:

You can VPN using a dynamic IP address just fine, as long as you know the IP address or use a service like no-ip.org. I VPN to my Cox Home account, that has a dynamic IP and blocks several key ports (but not 443, for secure web sites, or 1723, for VPN.

 

[crobusa]

OK, Comcast has finally fixed their end, and got around the NAT.
I can ping the static IP and m0n0 responded great.. I could log in, but couldn't resolve DNS on our network.

I went to the m0n0 irc chat room, and someone told me that no VPN handles DNS.. and that I should be using RRA as the PPTP server if I want people to log into the domain.

Being the gullible person I am, I tell m0n0 to forward PPTP requests to our Win2003 box, and promptly install RRA.. so it looks like
Internet -- m0n0 --swtich-- all computers
I select custom setup, and select VPN. I then gave myself privledges to log in remotely..

Now the problem is I get an error that my computer doesn't have a encryption certificate.. I google for the issue, and find it's trying for IPSec, and I should tell the client to use PPTP. Only when I tell the client PPTP, it doesn't respond, even though the rule says forward 1723 and GRE.

I can't find a decent tutorial anywhere on the net for setting RRA up, much less with PPTP

 

[RebateMonger]

In Windows Server 2003, to disable L2TP and enable PPTP:

1) In the Windows RRAS Control Panel, right-click on the "Ports" section and select "Properties".
2) Examine the list of RRAS devices.
3) L2TP should say "0" in the number of ports
4) PPTP should say "xx" in the number of ports, where xx is the number of connections you want available.
If the Maximum Ports quantities are wrong, reset them in the "Configure...." dialog.