VPN - PPTP and/or ipsec L2TP

  • Question

  • SBS2008 std, Linksys wired router, Symantec endpoint firewall

    I am trying to configure VPN access. I punched through firewall 1723 & 47. VPN wizard completed successfully. While trying to access, I get an 800 error. Do I need to punch ipsec & L2TP ports as well? If so, what port numbers?



    John Lenz
    Wednesday, March 16, 2011 20:20

All replies

  • PPTP uses port 1723 and requires GRE pass-through. GRE is protocol 47, not port 47, so you cannot 'forward' it. On Linksys routers GRE pass-through is configured under the firewall section by enabling "PPTP pass-through".

    Assuming you are using the SBS VPN, there is no need for IPsec or L2TP. SBS uses only PPTP.

    An 800 error means no handshaking is taking place at all, therefore you are pointing to the incorrect site or something is blocking the PPTP/port 1723 traffic. My bet would be on Symantec. You will also have to set its firewall to allow the PPTP traffic.

    I am assuming also that your Linksys router has a public IP for its WAN interface and you do not have a modem that is a combined modem/router that is also performing NAT. If a combined modem, it needs to be in Bridge mode.


    Rob Williams
    Wednesday, March 16, 2011 20:36
  • Rob, Thanks. It is up and working. My problem was the Linksys Router. When I port forwarded 1723, I forgot to "save". Once done & saved, VPN is active.

    Now I go on to how to map a server file while in VPN mode.


    John Lenz
    • Marked as answer by JohnLenz Sunday, March 20, 2011 20:18
    Sunday, March 20, 2011 20:17
  • 2 options on the drive mapping.

    1) If the machine is domain joined, at logon there should be a "connect using dial-up" or similar check box. If you select this it will automatically connect the VPN before logon, and run any server based logon scripts.

    2) If not domain joined the option will not appear. In that case best to place a batch file on the desktop mapping the drive using

    net use X: \\192.168.123.123\ShareName

    You can add logon credentials as well if you do not want the user prompted, but keep in mind the password is stored in clear text.

    net use X: \\192.168.123.123\ShareName password /USER:DomainName\UserName


    Rob Williams
    Wednesday, March 23, 2011 15:26
  • Rob,

    This solution presumes that the local network and the VPN are separate sub-nets, correct? If my local is 192.168.1.x and my server VPN is 192.168.1.2, won't there be a potential conflict?

    In SBS2003 I just use Windows Explorer to map the drive. In SBS2008, it does not allow that, why?


    John Lenz
    Saturday, March 26, 2011 17:20
  • >>" If my local is 192.168.1.x and my server VPN is 192.168.1.2, won't there be a potential conflict?"

    Absolutely. All network segments between client and host must use different subnets for routing to take place.

    >>"In SBS2003 I just use windows explorer to map the drive. In SBS2008, it does not allow that, why?"

    You can from the menu bar, but not by right-clicking on a share.


    Rob Williams
    Saturday, March 26, 2011 18:13
  • Though a 691 technically is a result of an incorrect user name or password, it can be a result of blocked GRE disallowing the second phase of the authentication process.

    Rob Williams
    Sunday, January 6, 2013 03:54
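
An added example, not part of the thread or any participant's post: a Python check of the PPTP control channel that separates the two failure points discussed above, TCP 1723 being blocked versus GRE (protocol 47) being blocked. It sends the RFC 2637 Start-Control-Connection-Request and parses the reply; the client name `pptp-check` and the sample reply bytes are constructed for illustration, and GRE itself is not tested.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D  # fixed value defined by RFC 2637
# length, msg type, cookie, control type, reserved0, version, then
# reserved1 (request) or result+error (reply), framing, bearer,
# max channels, firmware, host name, vendor string: 156 bytes each.
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"
SIZE = struct.calcsize(SCCRP_FMT)
# Constructed sample reply (not captured from a real server).
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, SIZE, 1, MAGIC_COOKIE, 2, 0, 0x0100,
                           1, 0, 3, 3, 0, 0, b"sbs2008", b"sample-vendor")

def build_sccrq(hostname=b"pptp-check"):
    """Start-Control-Connection-Request: first message sent on TCP 1723."""
    return struct.pack(SCCRQ_FMT, SIZE, 1, MAGIC_COOKIE, 1, 0, 0x0100, 0,
                       3, 3, 0, 0, hostname, b"")

def parse_sccrp(data):
    """Return (ok, detail) for a Start-Control-Connection-Reply."""
    if len(data) < SIZE:
        return False, "short reply"
    f = struct.unpack(SCCRP_FMT, data[:SIZE])
    if f[1] != 1 or f[2] != MAGIC_COOKIE or f[3] != 2:
        return False, "not a PPTP control reply"
    if f[6] != 1:  # result code 1 means the control channel was accepted
        return False, "server refused, result code %d" % f[6]
    return True, f[12].rstrip(b"\0").decode("ascii", "replace")

def check_control_channel(host, timeout=5.0):
    """Classify the TCP 1723 leg only; GRE (protocol 47) is not tested."""
    buf = b""
    try:
        with socket.create_connection((host, PPTP_PORT), timeout) as s:
            s.sendall(build_sccrq())
            while len(buf) < SIZE:
                chunk = s.recv(SIZE - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError as exc:
        return "tcp-1723-blocked: %s" % exc
    ok, detail = parse_sccrp(buf)
    if ok:
        return "control-ok: %s (if the VPN still fails, check GRE)" % detail
    return "control-failed: " + detail
```

Run `check_control_channel("your.public.address")` from outside the network. A `tcp-1723-blocked` result points at the port forward or a host firewall, while `control-ok` with a VPN that still fails points at GRE pass-through.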