Error 721 when logging into Server 2003 VPN

 
 
tommugg@chartermi.net
      05-24-2006, 10:42 PM
Let me start with the fact this is my first VPN set up.
I am using Server 2003 Standard.
DLink di-604 router - 192.168.0.1 - running DHCP
Two NICs, 192.168.0.2 and 192.168.0.3 (static)
When going through the routing and remote access set up, I chose
192.168.0.2 to secure.
Then I added 192.168.0.1 as the DHCP Relay Agent.
The Dlink had the pptp set up as a built in forwarding option, this
began forwarding PPTP and PPTP_GRE to 192.168.0.2.
Same thing for IPSEC, port 500 forwarded to 192.168.0.2

This set up worked like a champ for a month or so, perfectly, no
problems!!
Everyone was logging in and working from home.

Then, they got a static IP from their ISP. I logged into the VPN, then
Remote Desktop Connection to the server. Then logged into the DLink
remotely. I programmed the DLink with the new static IP information,
gateway, subnet mask, and DNS. I called the client, internet worked
great and http://www.mywanip.com showed the proper IP.

But... now when connecting using the VPN connection, it connects, says
Verifying Username and Password, times out and I get the Error 721 the
server did not respond...
I read quite a bit online, but I was under a time crunch, so maybe not
enough. I read about the Port 47 thing, and added that anyway, didn't
work. Removed the server from Routing and Remote access, then re-added
it.
While doing all this, I am logged in using gotomeeting, so I have full
control. I had to throw up my hands and eventually add the server into
the DMZ and again, things work perfectly.

The new static IP information did have a new subnet mask,
255.255.255.248, should that make a difference?
I did use that subnet mask as the subnet mask for the 192.168.0.2 NIC,
no difference.

My question is, how did the new WAN IP affect this, and how do I fix it
so the server doesn't have to be in the DMZ?
Thanks in advance!
Tom

 
Bill Grant
      05-25-2006, 02:56 AM
The "Port 47 thing" in fact has nothing to do with port 47 or any other
port!

VPN traffic is encrypted and encapsulated. The header on the
encapsulated packet is a GRE header. GRE (Generic Routing Encapsulation
protocol) is IP protocol 47.

If no traffic comes through unless you put the server NIC in the DMZ it
means that your router is blocking GRE. This is what produces the 721 error.

Why does your server have two NICs in the same IP subnet? This is a
recipe for disaster with RRAS.

tommugg@chartermi.net
      05-25-2006, 06:03 PM
I apologize if I sound a little naive; like I said, this is my first
VPN set up. I didn't expect forwarding 47 to work, I had just seen a lot
of discussion on it.
Also, it was all working before I programmed the router with the static
IP information, it hadn't been blocking GRE before.
Having both NICs using 255.255.255.0 wasn't causing an issue either. Is
it recommended to have different subnet masks defined for each card?

 
Bill Grant
      05-26-2006, 01:06 AM
I agree that GRE is not well understood. Many people (including
manufacturers who should know better) talk about forwarding port 47 to solve
GRE problems. Port 47 (tcp or udp) has nothing to do with VPN.

I suspect you don't need the second NIC at all. You only need two NICs in
the server if it is acting as a router. (And in that case they would be in
different IP subnets). If the other machines in your LAN are using
192.168.0.x addresses and 255.255.255.0 subnet mask you can simply disable
the second NIC in the server.

You would forward TCP port 1723 from the "router" to 192.168.0.2 . The
two NICs could be causing the problem. RRAS VPN usually rejects replies
which come from a different IP address (ie different from the one that the
original packet was sent to). So if you forwarded the traffic to 192.168.0.2
and the reply came from 192.168.0.3 your connection could fail.

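The distinction drawn in Bill Grant's two replies above (GRE is IP protocol 47, not TCP or UDP port 47; the control channel is TCP port 1723; a reply must leave from the address the traffic was forwarded to), as an added example that is not part of any post in this thread: a Python classifier run over constructed packets. The client address 203.0.113.10, both sample captures and all function names are assumptions made for illustration.

```python
import socket
import struct

PPTP_CONTROL_PORT = 1723  # TCP port of the PPTP control channel
TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers (header byte 9), not ports
CLIENT, SERVER, SECOND_NIC = "203.0.113.10", "192.168.0.2", "192.168.0.3"

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum 0) for the constructed samples."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head + payload

def l4(sport, dport):  # start of a TCP/UDP header: both ports, then padding
    return struct.pack("!HH", sport, dport) + bytes(16)

def classify(pkt):
    """Return (kind, src, dst) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("other", None, None)
    proto, body = pkt[9], pkt[max((pkt[0] & 0x0F) * 4, 20):]  # skip IP options
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto == GRE:  # no ports at this layer; PPTP uses GRE type 0x880B
        pptp = len(body) >= 4 and body[2:4] == b"\x88\x0b"
        return ("gre" if pptp else "other", src, dst)
    if proto in (TCP, UDP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == TCP and PPTP_CONTROL_PORT in (sport, dport):
            return ("control", src, dst)
        if 47 in (sport, dport):
            return ("port47", src, dst)  # a port, unrelated to GRE
    return ("other", src, dst)

def diagnose(packets, target, server_addrs):
    """Summarise a capture taken on the VPN server's LAN segment."""
    seen, wrong = [], set()
    for kind, src, dst in map(classify, packets):
        seen.append(kind if dst == target else kind + "_out")
        if kind in ("control", "gre") and src in server_addrs - {target}:
            wrong.add(src)  # reply left from the NIC that was not the target
    return {"control_in": "control" in seen, "gre_in": "gre" in seen,
            "port47": seen.count("port47"), "wrong_source": sorted(wrong),
            "gre_blocked": "control" in seen and "gre" not in seen}

# Constructed captures: in BLOCKED no GRE reaches the server; in WORKING it does.
HELLO = ipv4(TCP, CLIENT, SERVER, l4(50000, 1723))
BLOCKED = [HELLO, ipv4(TCP, SECOND_NIC, CLIENT, l4(1723, 50000)),
           ipv4(TCP, CLIENT, SERVER, l4(50001, 47))]
WORKING = [HELLO, ipv4(TCP, SERVER, CLIENT, l4(1723, 50000)),
           ipv4(GRE, CLIENT, SERVER, bytes.fromhex("3001880b0000000100000000"))]
```

`diagnose(BLOCKED, SERVER, {SERVER, SECOND_NIC})` reports `gre_blocked` as true and lists 192.168.0.3 under `wrong_source`, the two conditions raised in the replies; the TCP port 47 packet is counted separately because it plays no part in the tunnel.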
 
parkerw262@hotmail.com
      06-02-2006, 07:41 PM
Issue: When a remote vpn user tries to connect he gets error 721 "this
ip is rejected by the server".

You have to set up a remote access policy and here is how:
1. Open RRAS.
2. Right click remote access policies and go to new remote access
policy and next.
3. Name it like "allow vpn user to set own ip" and use wizard and
next.
4. VPN and next.
5. Choose a group or user to apply it to, you should have made a group
like "vpn users" and put users in it and next.
6. Choose auth. Methods you want, next, next and finish.
7. Go to properties of the policy and click edit profile.
8. Click on IP tab and choose client may request ip address if this is
what you want, like if he will need to have same network printers to
work, ie he has to print from the office to his remote printer from a
remote desktop via vpn.

Parker Wagnon, MCSE


parkerw262@hotmail.com
      06-02-2006, 07:48 PM
Correction: that should be Error 735.