RV082 not allowing PPTP traffic to VPN server on LAN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by 0x0A0B0C0D, May 21, 2008.

  1. 0x0A0B0C0D

    0x0A0B0C0D Addicted to LI Member

    Here's the scenario:

    I need to have more than five PPTP VPN accounts. As a result, I'm trying to use RRAS on a Windows Server 2003 machine that is behind an RV082. Here's what I've done:

    I've enabled RRAS, set it up as correctly as I know how to and created a test user account on the server to authenticate with.

    I've forwarded traffic on TCP port 1723 to the server.

    IPSec, PPTP, and L2TP pass through are all enabled. I'm assuming this takes care of the GRE requirements?

    I've turned off the PPTP server on the RV082. (Actually, it was still turned on until I read this thread, specifically posts #6, #7, and #8: http://www.linksysinfo.org/forums/showthread.php?t=54018 )

    The firmware is the latest: 1.3.6-q50

    Using a computer that is on the LAN, I can connect to the Server by using both the LAN address and the public IP address.

    When I try to connect to the external IP from a computer that is not on the LAN I hang at "Verifying username and password..." and then get Error: 806. It's essentially griping that GRE may not be allowed.

    What worries me is that while the previously mentioned thread indicates that it's possible to have a PPTP VPN server behind a RV042 (which I hope means that the RV082 can do it too), this thread says that it can't happen (post #11): http://www.linksysinfo.org/forums/showthread.php?t=41094&page=2

    Any suggestions?
  2. 0x0A0B0C0D

    0x0A0B0C0D Addicted to LI Member

    Problem fixed... but not solved

    So I've done some more in-depth sleuthing today and stumbled upon a fix that still completely bewilders me.

    I sniffed packets on a client PC trying to connect to the internal VPN server from outside the LAN. The result was that all communication seemed to be normal until the client PC sent a PPP LCP Configuration Request packet. There was no response. The client PC dutifully sent repeated Configuration Request packets. Eventually the endpoint sent a TCP pptp > 51444 [ACK] packet back and 0.7 seconds later the client and endpoint exchanged Stop-Control-Connection-Request and Reply messages.

    Here's where things get really weird. I wanted to sniff from the VPN server, so I downloaded WireShark Portable onto the server and installed WinPcap 4.0.2. I began to take a traffic sample from the server and tried to connect from the client. The connection was successful!!! Nothing changed except for the installation of WinPcap. Unconvinced, I disconnected and tried once more. It worked! I uninstalled WinPcap since that was the only thing that changed. After a reboot (WinPcap required it) I tried once more and... IT WORKED!!

    ::double take:: :confused::confused::confused:

    I’m scratching my head and trying to figure out what all of this means. Anyone care to chime in?

  3. ifican

    ifican Network Guru Member

    In order to get PPTP to work through any router that NATs when connecting from the outside to the inside, you need to A) static NAT by one-to-one mapping or B) put the internal server in the DMZ. The reason is that you need to get GRE (protocol 47) to the server. The passthru you mentioned is only for hosts connecting from the inside out and has no bearing on traffic the other way around. My guess is that you connected to the server but you will not be able to transfer traffic as GRE is not working properly.
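
The capture pattern discussed in posts 2 and 3 (TCP 1723 control connection up, PPP LCP Configuration Requests sent over GRE, nothing coming back) can be checked mechanically. The Python below is an added example, not part of any post in this thread; the addresses, call IDs and packets are constructed sample data, and the enhanced GRE layout follows RFC 2637.

```python
import struct

TCP, GRE, PPTP_PORT, PPTP_GRE_TYPE = 6, 47, 1723, 0x880B
LCP_CODES = {1: "lcp-configure-request", 2: "lcp-configure-ack"}
CLIENT, SERVER = "198.51.100.10", "203.0.113.5"  # constructed documentation addresses

def ip4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)

def pptp_gre(call_id, seq, ppp):
    """Enhanced GRE header: K and S bits set, version 1, then the PPP frame."""
    return struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_TYPE, len(ppp), call_id, seq) + ppp

def classify(pkt):
    """Return (src, dst, kind) for one raw IPv4 packet."""
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == TCP:
        kind = "pptp-control" if PPTP_PORT in struct.unpack("!HH", body[:4]) else "other"
    elif pkt[9] == GRE:
        flags, ver, ptype = struct.unpack("!BBH", body[:4])
        # 8 fixed bytes, plus optional sequence (S bit) and acknowledgment (A bit) fields
        ppp = body[8 + 4 * bool(flags & 0x10) + 4 * bool(ver & 0x80):]
        ppp = ppp[2:] if ppp[:2] == b"\xff\x03" else ppp  # skip PPP address/control
        kind = "gre-data"
        if ptype == PPTP_GRE_TYPE and len(ppp) >= 3 and ppp[:2] == b"\xc0\x21":
            kind = LCP_CODES.get(ppp[2], "lcp-other")
    else:
        kind = "other"
    return src, dst, kind

def diagnose(packets, client, server):
    """Summarise a client-side capture: is GRE (protocol 47) coming back?"""
    seen = [classify(p) for p in packets]
    if not any(k == "pptp-control" for _, _, k in seen):
        return "no-control-connection"
    is_gre = lambda k: k.startswith(("gre", "lcp"))
    out = any(s == client and is_gre(k) for s, _, k in seen)
    back = any(s == server and is_gre(k) for s, _, k in seen)
    return "gre-blocked" if out and not back else ("gre-ok" if back else "control-only")

LCP = lambda code: b"\xff\x03\xc0\x21" + bytes([code, 1, 0, 4])  # constructed LCP frame
FAILED = [ip4(TCP, CLIENT, SERVER, tcp(51444, 1723)), ip4(TCP, SERVER, CLIENT, tcp(1723, 51444))]
FAILED += [ip4(GRE, CLIENT, SERVER, pptp_gre(1, n, LCP(1))) for n in range(3)]
WORKING = FAILED + [ip4(GRE, SERVER, CLIENT, pptp_gre(2, 0, LCP(2)))]
```

Running `diagnose` on the same capture taken at the server side shows whether the Configuration Requests ever arrive, which separates inbound GRE loss at the router from a reply being lost on the way back.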
  4. 0x0A0B0C0D

    0x0A0B0C0D Addicted to LI Member



    Bearing in mind my second post, I've now had a second user connect to the VPN that is on the Windows Server 2003 machine behind the RV082. We can map drives, 'net view', transfer files, remote desktop, ping, and all the rest of it. As far as I can tell it's a fully functioning VPN. I have no explanation for this.

    Retracing my steps, I recall that after my first post I returned the settings in the RV082 to what they had been before I attempted this task. The next day I tried once more. I turned off the PPTP server and port forwarded PPTP traffic to the server. After frobbing around for a while I decided to do the packet capture and you can read all about that in my second post.

    I agree with you that GRE is essential to this process. How it's getting passed is beyond me. One-to-one NAT is disabled and the server is on the LAN, not the DMZ.

    Has anyone here ever set up a PPTP VPN behind the RV082 without using 1-to-1 NAT or the DMZ?

  5. Jamesss

    Jamesss LI Guru Member

    If you don't mind, how many NICs are you using on your Server 2003? Coz I have the same setup as you but I cannot ping my clients behind RV082 on RRAS 2003 server. Can you tell me how to set up RRAS so that it can accept IPSec behind RV082? I hope you can help. Thanks