VPN Windows Server 2008 R2 GRE Firewall

    Question

  • Hi all,

    I'm trying to set up a VPN on a Windows Server 2008 server.
    And I'm running into some trouble when connecting from any client. When connecting to the VPN it does reply and then comes to the point where it needs to verify the username and password. This doesn't work and then gives me a 721 error on XP and an 806 error on Windows 7.
    While searching on Google I found the pptpsrv and pptpclnt tools to test the connection. On the local network this works fine, and over the internet it only works when the firewall is disabled. If it's turned on it won't receive any GRE packets. TCP port 1723 works fine (even when the firewall is on). When opening the advanced Windows Firewall settings, GRE is accessible both INBOUND and OUTBOUND from any IP address. But still no success.

    I've tried all the steps that are described on this page http://www.howtonetworking.com/vpnissues/error806.htm
    And the router has been set as a DMZ to the server.

    I hope any of you experts know how to solve this problem,
    Thomas
    Sunday, November 01, 2009 9:53 PM

Answers

  • Hi,

    Thanks for the update.

    From the description, it seems that you can dial the PPTP VPN without any issue from the internal network.

    As I mentioned in my last post, the Windows Server 2008 R2 RRAS service did respond on port 1723 and protocol 47 to the external VPN client. It indicates that the router has forwarded port 1723 and protocol 47 properly. When the RRAS server responds to the external VPN client and sends the response to the default gateway (192.168.1.1), it seems that the router blocks the protocol 47 traffic to the external VPN client. Please double check whether there is any ACL (access control list) on the router that may block the protocol from internal to external.

    If you have any questions or concerns, please do not hesitate to let me know.

    • Marked as answer by Taxos Tuesday, November 24, 2009 11:37 PM
    Tuesday, November 10, 2009 10:09 AM

All replies

  • Hello,

    Thank you for your post here.

    From the description, the GRE traffic for the PPTP VPN is blocked by the Windows Firewall when the remote users try to connect from the external network.

    1. Yes, there is a built-in rule in the Windows Firewall that allows the GRE traffic in Windows Server 2008. I'd like to know how it works if you allow edge traversal in that rule.

    a. Open the Windows Firewall and locate the Routing and Remote Access (GRE-In) rule.

    b. In the Routing and Remote Access (GRE-In) rule Properties dialog, enable the option "Allow edge traversal" on the Advanced tab.

    2. To identify the exact reason why GRE is discarded by the Windows Firewall, I'd like to suggest that you enable the Windows Firewall audit and collect the firewall audit event log.

    Enable IPsec and Windows Firewall Audit Events

    http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

    If you have any questions or concerns, please do not hesitate to let me know.

    Monday, November 02, 2009 9:53 AM
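The two steps in the reply above (inspect the GRE-In rule, then enable Filtering Platform auditing and read the resulting events) can be done from an elevated PowerShell prompt on the RRAS server. The script below is an added example, not code from the original thread or from Microsoft; it uses only tooling present on Windows Server 2008 R2 (netsh advfirewall, auditpol, Get-WinEvent) and parses the event message text, so the regexes assume the English event strings. The MaxEvents value and the 'Security' log name are assumptions for this illustration.

```powershell
# Added example: check the PPTP firewall rule, enable WFP auditing and
# summarise permit/block events for TCP/1723 and GRE (IP protocol 47).
# Run elevated on the RRAS server. Not part of the original thread.

# 1. Show the built-in rule the reply refers to, including its Edge traversal setting.
netsh advfirewall firewall show rule name="Routing and Remote Access (GRE-In)" verbose

# 2. Enable the two audit subcategories that produce the relevant Security events:
#    5156 = connection permitted, 5157 = connection blocked  (Filtering Platform Connection)
#    5152 = packet dropped                                   (Filtering Platform Packet Drop)
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable

# 3. Reproduce the failing VPN dial from outside, then summarise what the
#    local firewall did with TCP/1723 and protocol 47 traffic.
function Get-PptpAuditSummary {
    param([int]$MaxEvents = 2000)   # assumption: enough recent events to cover the test dial

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5156, 5157 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $m = $e.Message
        # Pull the "Network Information" fields out of the message body.
        $dir   = if ($m -match 'Direction:\s+(\S+)')            { $Matches[1] } else { '?' }
        $src   = if ($m -match 'Source Address:\s+(\S+)')       { $Matches[1] } else { '?' }
        $sport = if ($m -match 'Source Port:\s+(\d+)')          { [int]$Matches[1] } else { -1 }
        $dst   = if ($m -match 'Destination Address:\s+(\S+)')  { $Matches[1] } else { '?' }
        $dport = if ($m -match 'Destination Port:\s+(\d+)')     { [int]$Matches[1] } else { -1 }
        $proto = if ($m -match 'Protocol:\s+(\d+)')             { [int]$Matches[1] } else { -1 }

        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Verdict   = switch ($e.Id) { 5156 { 'permit' } 5157 { 'block' } 5152 { 'drop' } }
            Direction = $dir
            Source    = $src
            SrcPort   = $sport
            Dest      = $dst
            DstPort   = $dport
            Protocol  = $proto
        }
    }

    # Keep only the PPTP control channel (TCP/1723) and the GRE data channel (47).
    $rows | Where-Object {
        $_.Protocol -eq 47 -or
        ($_.Protocol -eq 6 -and ($_.SrcPort -eq 1723 -or $_.DstPort -eq 1723))
    }
}

$pptp = Get-PptpAuditSummary

# Per-protocol / per-direction counts of what the host firewall decided.
$pptp | Group-Object Protocol, Direction, Verdict |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

# The individual events, newest first, for inspection.
$pptp | Sort-Object Time -Descending |
    Format-Table Time, EventId, Verdict, Direction, Source, SrcPort, Dest, DstPort, Protocol -AutoSize
```

How to read the output: 5156 ("permit") rows for protocol 47 in both directions mean the Windows Firewall let GRE through, which is what the log posted later in this thread shows. 5152 or 5157 rows for protocol 47 mean the host firewall itself dropped GRE, and the rule from step 1 (or its edge-traversal setting) is the place to look. No protocol 47 rows at all while TCP/1723 rows do appear for an external dial means GRE never reached the host, which points at the router or something upstream rather than the server.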
  • OK, I've tried your solution by enabling the edge traversal option but with no success.

    I also tried your second option and enabled the firewall audit event log.
    But when I opened it I didn't really understand what it was saying. So if you can explain it or if you know another solution please tell me.

    Thanks in advance
    Thomas
    Monday, November 02, 2009 4:11 PM
  • Hi,

    Thanks for your update.

    For further investigation, could you please paste the audit log that blocks the GRE traffic? Or you can output the security audit and send it to me at v-mileli@microsoft.com.

    If you have any questions or concerns, please do not hesitate to let me know.

    Tuesday, November 03, 2009 10:51 AM
  • Hi,

    Thank you for the update.

    I have received the Firewall audit log. Could you explain where you collected the log? Are those logs from the VPN server or the VPN client? What are 192.168.1.100 and 192.168.1.1?

    Information    11/3/2009 7:07:36 PM         Security-Auditing      5156   Filtering Platform Connection

    Network Information:
              Direction:                Inbound
              Source Address:           192.168.1.100
              Source Port:              1723
              Destination Address:      192.168.1.1
              Destination Port:         49398
              Protocol:                 6

    Information    11/3/2009 7:07:36 PM         Security-Auditing      5156   Filtering Platform Connection

    Network Information:
              Direction:                Inbound
              Source Address:           192.168.1.100
              Source Port:              0
              Destination Address:      192.168.1.1
              Destination Port:         0
              Protocol:                 47

    According to the log, it seems that 192.168.1.1 is the VPN client and 192.168.1.100 is the VPN server. As the client has received/accepted the port 1723 and protocol 47 traffic back from the VPN server, I think the firewall on neither the VPN server nor the VPN client blocks the PPTP traffic.

    To further narrow down the issue, I'd like to know whether there is any 3rd party firewall on the VPN server and how everything works if you perform a clean boot on the server.

    If you have any questions or concerns, please do not hesitate to let me know.

    Wednesday, November 04, 2009 11:20 AM
  • Thanks for your reply,

    192.168.1.100 is indeed the server's IP because it's behind a router. 192.168.1.1 is the router's IP; it always takes that IP when you connect locally to the server. But even when using an external IP this error will occur.
    A clean boot didn't solve the problem, and there is no 3rd party firewall installed, just the Windows Firewall.

    When you connect locally, so for example if I connect to the server using 192.168.1.100 from another computer in the network, will it still use the GRE protocol or does it already know that a connection is established? Because when I connect locally to the server it all works fine.

    Hope you can do something with this answer.

    Thomas
    Wednesday, November 04, 2009 2:04 PM
  • Please, do you have any other possible answers?
    I'm still struggling with this one.

    Thanks in advance
    Thomas
    Monday, November 09, 2009 12:12 AM
  • Thanks for your reply.
    I was unable to find anything on my router that would block any outgoing connections.
    So I mailed my router supplier for an answer to this question.

    I will report back if that was the answer.

    Thomas
    Wednesday, November 11, 2009 5:03 PM
  • Problem solved.
    It was the router's problem. It seems that the firmware had errors.

    Thanks for all your help,

    Thomas
    Tuesday, November 24, 2009 11:37 PM
  • Hi,

    Thanks for the update.

    Glad to know the VPN server works again. If you have any questions or concerns in the future, please do not hesitate to let us know. Thanks.

    Friday, November 27, 2009 6:50 AM