Windows 2003 VPN server VPN behind WAG54GX2 router

Discussion in 'Networking Issues' started by scubapro10, May 1, 2006.

  1. scubapro10

    scubapro10 LI Guru Member


    I’ve a configuration issue with the following Linksys router:

    Model: WAG54GX2
    Firmware: V1.00.03

    I’m trying to configure this router in order to allow remote users to connect our Windows 2003 server via VPN (PPTP). I’ve checked the linksys support site and found this article:*&p_li=&p_topview=1

    It says that I only need to enable the PPTP PassThrough option and forward the TCP port 1723 to my Windows 2003 server fixed LAN IP. I did this and it doesn’t work. Indeed, remote users trying to connect the VPN server get an “error 721” message. I’ve checked the Windows VPN server configuration and everything is OK. Indeed, if I put my Windows server in the DMZ using the linksys router management console, this VPN server is working well and remote users can connect. This is not a good solution for me since I want to keep my windows server behind the router firewall.

    Any help is welcome,
    Thanks a lot.
  2. Toxic

    Toxic Administrator Staff Member

    is there a firewall on the Windows 2003 server?
  3. scubapro10

    scubapro10 LI Guru Member

    No, we don't have a firewall software on our Windows server.
    We are using windows small business server 2003 standard and ISA firewall server is not installed.
  4. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Single homed SBS box?

    Well..that shouldn't matter....if you setup the port forwarding correctly, port 1723 TCP, and enabled PPTP pass through in the checkbox option (which allows IP type 47 GRE to pass unmolested) should work.

    In DMZ'ing your SBS box...and having it proved that your SBS box is setup far as VPN setup goes.

    Error 721 is the common one if the there's a firewall on either end not allowing GRE to pass.

    Perhaps it's broken in the current firmware of you DSL gateway. Couple of things I'd try...
    disable SPI if you have that option
    disable "block WAN request"
    Add "allow IPSec pass through"...even though it's a different port and protocol type..harmless to try.
    Make sure you the MTU is set correctly on the unit...I never trust "auto"..I always manually set the MTU, 1492 for PPPoE DSL, and 1500 for bridged DSL and cable.

    The pain in the butt a hard factory reset on the unit...start it over again.
  5. scubapro10

    scubapro10 LI Guru Member

    If you look at the images below, you can check that I've correctly done the things to try to make this work.



    I've also tried to change MTU from auto to 1492 but this didn't help.

    I'm now convinced the firmware is surely the culprit. Unfortunately I can't find a firmware that is newer than mine (v1.00.03). What's strange even is that Linksys only provides v1.00.02 for download (I've checked on several Linksys country web sites), unless you go to their GPL section where you can find v1.00.03.

    Anyway, I've contacted the Linksys support by mail hoping they will provide me a solution. I will post it if I get one.

  6. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Just to review things....
    Your SBS Server is single NIC?
    Are you sure your SBS box has its IP at 100? Normally you want to assign your servers (or any box that you port forward to) an IP address outside of the DHCP pool. By default the DHCP pool on Linksys routers starts at router itself is leaves you - for your free range.

    I'm just having a fleeting moment of panic that your SBS box is set to obtain IP automatically...and picturing all sorts of stuff like AD and DNS being broken...
  7. scubapro10

    scubapro10 LI Guru Member

    Yes my SBS is single NIC. I had modified the DHCP server of the linksys router so it start the pool from instead of

    So I was able to use also address as fixed IPs. I'm using fixed IP for my SBS box just by convention.
  8. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Gotcha. OK, there's a whole bunch of reasons that are not related to this topic, as to why I don't like running DHCP on a router, prefer to run it on a real server...especially when active directory is your clients need to see your server for their one and only DNS, etc....

    I love of my primary sources of income...I try to use it as much as I can for my clients! :D

    Back on topic...I'd say based on what we've appears either port forwarding, or GRE passthrough, or broken on this version of your firmware.

    You state it works when you DMZ your server :eek: so we know your server is setup correctly. And your clients can function. I say :eek: because DMZ'ing the server...ack...scary. Even for a few seconds, since it's the NIC that your services are bound to.

    The only other thing to double that your clients are trying to dial in from a network other than you don't want computers from networks in the same range establishing a VPN, they should be in separate IP ranges. Then again...that being the case, they shouldn't have been able to log in if the server was DMZd.

    Try backing up to the prior version of firmware, 1.00.02? Note that going backwards in firmware will reset your get your settings's basically revert to factory defaults. Doesn't hurt to reset the router to factory defaults before flashing it to an older version.
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    My take after reading all of this is that the firmware on the router doesn't support NAT-T and GRE.

    Not to be a poop, here, but you're killing yourself on this one :cry:

    As Stonecat has hinted at, passing GRE is a "MUST" if you're going to run a vpn server behind a router, and unfortunately, the RV line might not do that.

    If you still must run that vpn server, my advice (which I've used and passed to other consultants) is to purchase a router that does support passing GRE (i.e. Netgear DG834G, SMCBR14VPN, Linksys BEFVP41), make it your internet gateway, and hang your WAG54GX2 off of it; you'll just need to make some minor configuration changes on the second router to avoid double nat'ing. In this config, you just forward 1723 from your GRE-capable router to your vpn server and you're in business. Another benefit is now you have a second subnet to play with :D

    If you need this server, don't let cost affect your decision. Yes, it sucks to shell out additional money for another device to do what you figured you could do with a current one. With the exception of the DG834G ($140), the other two routers aren't over $80.

    As was suggested, try a previous firmware before going this road...

  10. scubapro10

    scubapro10 LI Guru Member

    As far as I know "PPTP PassThrough" option in Linksys routers means "allow passing GRE (protocol 47)".

    Changing router is not an option I like since this is already the second router we are buying in one week and it already cost some bucks (140€). Indeed it replaced a belkin one because its stability and range were awful. We selected this linksys model based on several factors:

    - Range is supposed to be good (thanks to srx200 and MIMO)
    - Linksys brand (supposed to be one of the best brand for home office and small business)
    - all in one solution (ADSL modem, router, VPN passthrough, etc)

    I've contacted the Linksys support and hope to get a solution or at least a confirmation that this is a problem of their firmware and not an issue with our particular router.

    If they can't give us a solution like a fixed firmware (this will make us very angry), we will have only these three other options left most probably:

    - buy again another router (it will not be a linksys in that case :x )
    - put the SBS server in DMZ and install a firewall software on it (like ISA server)
    - use the built-in VPN server of our linksys router (I don't like much the idea since remote users will have to install the linksys proprietary VPN client software and windows integrated security will not be possible I guess)

    Thanks for your help anyway
  11. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    That's correct..yes.

    Have you tried reverting back one version of firmware yet?

    Generally for my business clients...I try to stay away from the "all in one" devices.

    My more common setups lately.....I've been having great success using the RV082/RV016 routers...which have built in PPTP VPN server. VERY robust, stable, fast. I prefer to have a hardware VPN less service a server has to run.

    External modem...for ease of replacement.

    WAP for it off the router. Also gives you flexibility in can place it in the optimal spot for your office (or use several if large coverage is needed)
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    I was under the impression the wag54gx2 didn't have a built-in vpn server and was only a vpn "pass thru" unit. The only vpn routers that linksys makes that have proprietary software vpn clients (quickvpn) are the RV0XX series, the WRV54G, and the new WRV200.

    Could you get a screenshot of the vpn configuration page?

    Also, if you truly don't have vpn endpoint capability on this router, I'd suggest returning the wag54gx2 for either a WAG54G V1 or V2 (don't laugh, I have one with a firmware version on it that's been running for 4 months straight with no downtime) or netgear dg834g...

  13. scubapro10

    scubapro10 LI Guru Member

  14. DocLarge

    DocLarge Super Moderator Staff Member Member


    I'm on familiar ground now. My WAG54G was similar in the aspect of it being an ADSL gateway/modem combination device; I don't recall it having that GRE limitation if that is truly the problem.

    Here's a list of vpn error codes:

    Here's another link showing how to configure your vpn policy because I don't recall proper vpn policy configuration being discussed:,15110311~start=0

    I put this video together to demonstrate how easy it is to setup a microsoft vpn server with "one" NIC; it's much more secure this way IMO... Just read down the page and you'll see it. Install this small codec first so you can watch the video:

  15. clicker666

    clicker666 LI Guru Member

    Ports I forward that *always* work with VPN to a MS RRAS server.

    Port 1723, 47 and 500.

    Try it - see what happens.
  16. DocLarge

    DocLarge Super Moderator Staff Member Member

    I think the OP is long gone on this one, clicker...

    Concur, 1723 and 500 are good ports to forward but 47 isn't a port associated with VPN; Protocol 47 (GRE) is associated. People unintentionally misinterpret "port 47" to have functionality with vpn when it actually correlates to NI-FTP:

    Hell, I thought this also when I first started with VPN's :)
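The distinction drawn in the last two posts (the IP protocol number 47 for GRE versus a TCP port numbered 47) and the "forward TCP 1723 plus PPTP passthrough" setup described at the top of the thread are easy to see in packet headers. The following Python script is an added example written for this thread; it is not code from any poster or from Linksys. It constructs two sample IPv4 packets, a PPTP control segment to TCP port 1723 and a GRE packet (protocol 47) carrying a PPP frame as RFC 2637 describes, parses them back, and runs them through a toy rule model of the router: one rule set with TCP 1723 forwarded and protocol-47 passthrough, and one that mistakenly "forwards port 47" instead. The addresses, the rule format, the helper names and the mapping of "control channel works, GRE dropped" to the thread's error 721 are all assumptions of the example.

```python
"""Why forwarding "TCP port 47" does not pass PPTP's GRE traffic.

Added example (not from the thread's posters or Linksys). Packets and
rule sets below are constructed for illustration only.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47          # GRE is an IP *protocol*, not a port
PPTP_CTRL_PORT = 1723     # PPTP control connection (TCP)
PPP_ETHERTYPE = 0x880B    # GRE protocol type for PPP, per RFC 2637


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left zero; constructed)."""
    def a2b(a):
        return bytes(int(x) for x in a.split('.'))
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, a2b(src), a2b(dst))


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only the SYN flag set."""
    return struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def gre_ppp(call_id, ppp_payload):
    """Enhanced GRE header used by PPTP: K flag set, version 1, then
    protocol type 0x880B, payload length and the PPTP call ID."""
    flags_ver = 0x2001   # K=1, version=1 (no C/R/S fields present)
    return struct.pack('!HHHH', flags_ver, PPP_ETHERTYPE,
                       len(ppp_payload), call_id) + ppp_payload


def parse(pkt):
    """Return (ip_protocol, dst_port) for an IPv4 packet.
    dst_port is None unless the protocol is TCP or UDP."""
    fields = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    dport = None
    if proto in (IPPROTO_TCP, 17):
        _, dport = struct.unpack('!HH', pkt[ihl:ihl + 4])
    return proto, dport


def passes(rules, pkt):
    """Toy router model: a packet passes if any rule matches its protocol
    and, when the rule names a port, its destination port."""
    proto, dport = parse(pkt)
    for rule in rules:
        if rule['proto'] == proto and rule.get('dport', dport) == dport:
            return True
    return False


# What the thread says the router needs: TCP 1723 forwarded + GRE passthrough.
CORRECT = [{'proto': IPPROTO_TCP, 'dport': PPTP_CTRL_PORT},
           {'proto': IPPROTO_GRE}]
# The common mistake: "forward port 47" (a TCP port) instead of protocol 47.
MISTAKEN = [{'proto': IPPROTO_TCP, 'dport': PPTP_CTRL_PORT},
            {'proto': IPPROTO_TCP, 'dport': 47}]


def pptp_outcome(rules, client='203.0.113.5', server='192.168.1.100'):
    """Simulate the two things a PPTP session needs to get through the router.
    'error 721' is the thread's symptom: control channel up, GRE dropped."""
    ctrl = (ipv4_header(client, server, IPPROTO_TCP, 20)
            + tcp_syn(40000, PPTP_CTRL_PORT))
    ppp = bytes([0xFF, 0x03, 0xC0, 0x21])          # constructed PPP LCP frame start
    data = (ipv4_header(client, server, IPPROTO_GRE, 8 + len(ppp))
            + gre_ppp(1, ppp))
    if not passes(rules, ctrl):
        return 'control blocked'
    if not passes(rules, data):
        return 'error 721'
    return 'connected'


if __name__ == '__main__':
    print('correct rules :', pptp_outcome(CORRECT))    # connected
    print('mistaken rules:', pptp_outcome(MISTAKEN))   # error 721
```

Running the script shows the mistaken rule set letting the TCP 1723 control channel through while every GRE packet is dropped, which is exactly the situation where the tunnel negotiation starts and then fails. A real router's "PPTP passthrough" checkbox corresponds to the `{'proto': 47}` rule here; no TCP or UDP port entry can substitute for it.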
