Error 806 when using public IP

  • Question

  • I am going to create a VPN server for my company.

    The server is Win2012 and I configured it as VPN + NAT. Everything is good when I test the server.

    However, when I try to use my computer to connect to the server through PPTP, Error 806 occurs.

    My server is a VM. As my company has a Juniper, I set up port forwarding to the server. For GRE, I chose to use port 2048 to transfer IP protocol GRE.

    When I use the client to connect to the public IP, I suppose everything should be alright, because I can connect to it using the private IP.

    Now, I am not sure where the problem is.

    I tried disabling both the server's and the client's firewalls, and error 806 still occurs.


    • Edited by Jimmy Pun Thursday, October 30, 2014 9:37 AM
    Thursday, October 30, 2014 7:47 AM

Answers

  • Hi,

    The NAT editor I mean is the ability to translate the port number of a GRE packet. For RRAS on Windows Server it is named NAT editor; on other devices it may have another name and different settings.

    We should enable this “NAT editor” function on the device/router which is configured to translate the public IP (101.30.53.99) to private IPs. In other words, the device/router which is configured with the IP address 101.30.53.99 should enable the “NAT editor” function, to translate the port number of a GRE packet when it comes from the Internet to the private network.

    If the Juniper router has the public IP, then enable “NAT editor” on the Juniper router. Otherwise, if the router between the Juniper and the VPN server has the public IP, then enable “NAT editor” on that router. For detailed setting steps, you may ask the device’s vendor.

    Besides, you may use network monitoring tools, such as Network Monitor, to capture packets at different network locations, before/behind the Juniper. Check to see if the GRE packets go through the device.

    Best Regards,
    Eve Wang

    Tuesday, November 11, 2014 1:50 AM
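
An added example, not part of the original thread: a Python sketch of the before/behind capture comparison suggested above. It classifies raw IPv4 packets as PPTP control (TCP 1723) or PPTP data (IP protocol 47, enhanced GRE version 1 carrying PPP, which has a Call ID field rather than TCP/UDP ports) and reports what each capture point saw. The function names, the client address 198.51.100.7 and the sample packets are constructed for illustration; exporting raw packets from the capture tool is assumed.

```python
import struct

PPTP_TCP_PORT = 1723              # PPTP control path
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # GRE is IP protocol 47, not a TCP/UDP port

def classify(pkt: bytes):
    """Return (kind, call_id) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("other", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_TCP_PORT in (sport, dport):
            return ("pptp-control", None)
    if proto == IPPROTO_GRE and len(body) >= 8:
        flags, ptype, _plen, call_id = struct.unpack("!HHHH", body[:8])
        # PPTP's enhanced GRE: version 1, protocol type 0x880B (PPP).
        if flags & 0x0007 == 1 and ptype == 0x880B:
            return ("pptp-gre", call_id)
    return ("other", None)

def diagnose(packets):
    """Summarise what one capture point saw."""
    kinds = {classify(p)[0] for p in packets}
    if {"pptp-control", "pptp-gre"} <= kinds:
        return "control and GRE both seen"
    if "pptp-control" in kinds:
        return "control only: GRE is lost before this capture point"
    return "no PPTP traffic seen"

def ipv4(proto, src, dst, body):
    """Build a minimal IPv4 packet (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + body

# Constructed samples: 198.51.100.7 is a made-up client address.
CLIENT, PUBLIC, SERVER = (198, 51, 100, 7), (101, 30, 53, 99), (10, 68, 24, 2)
SYN = struct.pack("!HH", 50000, PPTP_TCP_PORT) + bytes(16)
GRE = struct.pack("!HHHHI", 0x3001, 0x880B, 4, 0x1234, 1) + b"\xff\x03\xc0\x21"
OUTSIDE = [ipv4(IPPROTO_TCP, CLIENT, PUBLIC, SYN),
           ipv4(IPPROTO_GRE, CLIENT, PUBLIC, GRE)]
INSIDE = [ipv4(IPPROTO_TCP, CLIENT, SERVER, SYN)]  # GRE never arrived

if __name__ == "__main__":
    print("before firewall:", diagnose(OUTSIDE))
    print("behind firewall:", diagnose(INSIDE))
```

A capture that shows control traffic on both sides but GRE only on the outside matches the error 806 pattern described in this thread.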

All replies

  • Hi,

    The error code 806 means the VPN connection between your computer and the VPN server could not be completed. The most common cause for this failure is that at least one Internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets.

    For detailed information about VPN error 806, you may refer to the link below:
    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

    In order to allow the PPTP connection to go through intermediate devices, please open the ports (both inbound and outbound) as below:
    IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    IP Protocol=GRE (value 47)   <- Used by PPTP data path

    Best Regards,
    Eve Wang 

    Friday, October 31, 2014 8:26 AM
  • Hi Jimmy,

    How about the current status of the issue?
    Please let me know if you have any questions or concerns. I look forward to hearing from you.

    Best Regards,
    Eve Wang

    Wednesday, November 5, 2014 7:37 AM
  • Hi Eve,

    Thank you for the help. But the problem is still not solved.

    Let me explain more. My company only has one public IP (let's say 101.30.53.99). All packets go through a Juniper firewall router. My VPN server (10.68.24.2) is a VM on one of my servers.

    On the Juniper, I have already set up a policy for port forwarding to the VPN server. It is OK for my Synology VPN server. As I need to expand the capacity of the VPN server, I chose not to use the Synology, as it only allows at most 20 users at the same time.

    So, I am trying to host the VPN server on Windows Server 2012. At first, I set it up and the connection was OK when I connected to 10.68.24.2. However, when I use the public IP for real testing, error 806 occurs.

    I tried closing the firewall or opening the ports for PPTP and GRE. But I still do not know what the problem is.

    I have already set the port forward to current VPN server.

    Thank you.

    Thursday, November 6, 2014 7:33 AM
  • Hi,

    According to your description, there is only one public IP address and all packets go through the Juniper firewall router. May I assume that the company LAN, which uses private IPs, is connected to the Internet through the router? If so, this router should be configured with NAT or another technology similar to NAT in order to translate the public IP (101.30.53.99) to private IPs.

    PPTP tunnel packets are encapsulated by GRE. If a packet needs to go through the NAT and connect to an internal VPN server, the NAT should translate the IP address and TCP/UDP port number. With a GRE-encapsulated packet, the NAT can’t see its TCP/UDP port number. NAT in the Routing and Remote Access service in Windows Server includes a NAT editor that can accurately deal with this problem. Otherwise you need to manually edit the NAT translation table (the PPTP editor, sometimes called an application-level gateway, is enabled on the NAT router). It depends on the device.

    If this is not the case, please correct me.

    Best Regards,
    Eve Wang

    Friday, November 7, 2014 8:33 AM
  • Hi Eve,

    For the route from the Juniper router to the VPN server, I have set it up according to another article on the Internet.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5471

    It is okay when I use a Synology as the VPN server.

    However, it does not work with the Windows VPN server. As for the NAT editor, I am not sure where it is. I found a window for configuring it. Am I doing it right?


    Thank you.

    Regards,

    Jimmy Pun

    Monday, November 10, 2014 6:28 AM
  • Hi,

    I have not heard from you for a few days. What is the state of this problem?

    Please let me know if you have any questions or concerns.

    Best Regards,
    Eve Wang

    Friday, November 14, 2014 9:45 AM
  • Hi,

    I am still looking for a day to shut down the current VPN server to test the new one.

    I will report back once I have further questions.

    Thank you so much.

    Regards,

    Jimmy Pun

    Monday, November 17, 2014 1:40 AM
  • Hi Jimmy,

    If there is any update about this problem, please feel free to contact me.

    Best Regards,
    Eve Wang
    Monday, November 17, 2014 7:12 AM
  • Hi Eve,

    I tested last week. It still fails.

    I think something is wrong with the NAT of Windows Server.

    I changed to Linux and it was done successfully.

    Thank you.

    Tuesday, December 2, 2014 4:39 AM