1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

RV042 and GRE

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Toot4fun, Jul 28, 2007.

  1. Toot4fun

    Toot4fun Network Guru Member

    I have an RV042 at the office and I'm trying to configure it to allow my Windows VPN connections through to my SBS machine (behind the RV042). I'm able to connect from a PC in the office to the server (rules out the server), but from home, it gets stuck on "Verifying username and password" and I see GRE policy violations in my log.

    What do I need to do to get the GRE protocol through the RV042??

    Thanks,
    Brian
     
  2. Toxic

    Toxic Administrator Staff Member

    I take it your using PPTP? port foward 1723 TCP/UDP to your IP address of the SBS.
     
  3. Toot4fun

    Toot4fun Network Guru Member

    Sorry for the lack of more details, but yes, I'm using PPTP and yes, 1723 TCP/UDP are forwarded to my SBS. I do get the following messages in the System log of my SBS:

    1.) A connection between the VPN server and the VPN client [My Home IP] has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

    2.) The user connected to port VPN5-3 has been disconnected because the authentication process did not complete within the required amount of time.
     
  4. ifican

    ifican Network Guru Member

    Yeah i dont know if you can go trhough the rv042 from the outside as you are trying to do. The issue is just like it states, GRE (protocol 47) is getting blocked because you have no way to tell the RV where to send that traffic.

    Have you thought about connecting (pptp) to the RV then connecting through the tunnel to the server?
     
  5. Toot4fun

    Toot4fun Network Guru Member

    This used to work when I ran everything through a WRT54G, so I figured that a VPN router such as the RV would be able to handle such a configuration. Even when I put the SBS in the DMZ, it still doesn't work.

    While I'd prefer to VPN directly to the SBS (through the RV - less administration), I'm not against going the route that you suggest. Is there documentation somewhere on how to accomplish this?
     
  6. Toxic

    Toxic Administrator Staff Member

    do you have PPTP Server enabled in the RV042 Firmware? pptp behind an rv042 does work. me and DocLarge have proved this.
     
  7. Toot4fun

    Toot4fun Network Guru Member

    No, PPTP is not enabled on the RV. I was told that this was supposed to be disabled so that the requests would pass through the RV and be handled by my SBS. Is this correct?
     
  8. Toxic

    Toxic Administrator Staff Member

    yep that is correct, and the reason I ask if it was. can you confirm that PPTP Pass Through is enabled as well on the rv042?
     
  9. Toot4fun

    Toot4fun Network Guru Member

    Yes - IPSec, PPTP and L2TP Pass Through are all enabled.
     
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    The issue sounds like it's stemming from the remote access policy on the SBS. Is the account you're trying to use from home included in the remote access group on the server?
     
  11. Toot4fun

    Toot4fun Network Guru Member

    Please correct me if I'm wrong, but I really don't think that's it for a number of reasons.

    1.) I'm able to connect via VPN from a PC on the office network. This eliminates the RV and proves that the SBS is properly configured to handle the VPN requests.

    2.) I can see the GRE drops in my RV log.

    3.) There are entries in my SBS System log basically saying that GRE is being blocked and that's why it can't complete the connection.

    4.) This all used to work before we moved offices and went from a WRT54G to the RV042. Nothing on the SBS or remote clients was changed, just the router (which as I mentioned was a WRT54G and is now a RV042).
     
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    Hmmm....

    I'm only asking because you said you were able to connect from a pc "on the office" network which is "not" reliable because you're still "inside" of the network. Basically, you haven't proven your vpn is reliable because you never connected from "outside," therefore connecting for the inside is not a valid marker. Based on re-reading your post and what you've just mentioned, I believe the culprit is your RV042, or at least, a configuration error "on the RV042." :(

    I personally would have thought the RV series routers were GRE enabled being their functionality set is above the WRV54G/WRV200 models. It stands to reason that if you were able to connect from the outside with a WRT54G (I'll go out on a limb it was a "pre" version 5 with third party firmware), the issue then becomes what you're currently using (RV042) to handle the routing...

    I'd say for giggles, find yourself a GRE enabled router (i.e., buy a wrv200, put it in place) and run the same scenario. Short of that, take a look at the "IP Based Policy" section, if there is one on that RV042 router (I'm just about positive there is) and configure an access-rule that allows traffic from the requesting workstation's WAN address "into" the RV042. If then you can access your vpn from "outside" of your network, then the RV was the problem (as far as access configuration goes). If you still can't, then you've got a configuration error somewhere, to include, maybe the router "just doesn't do GRE" which a few us would find to be highly unprobable...

    Jay

    P.S.,

    if the RV router is the problem, then you can either keep the wrv200 to run your vpn or take it back and say you don't need it and you prefer Belkin :)
     
  13. Toot4fun

    Toot4fun Network Guru Member

    Well, the issue was a configuration issue on the RV042. When I was doing my port forwarding, I overlooked the default PPTP entry in the list of services. I added my own TCP/1723 service and forwarded this to my SBS. Apparently, this manual entry doesn't include forwarding the GRE protocol as well. Once I deleted my manual entries and forwarded the system default PPTP and IPSec services to my SBS, everything worked as expected.

    Thank you everyone for your help.
     
  14. ifican

    ifican Network Guru Member

    I really need to get me an RV042 to see what all the hubub is about.
     

Share This Page