Networking Forums

A-VPN connection through a Linksys router...

 
 
David
Guest
Posts: n/a

 
      12-19-2003, 01:32 PM
I am connecting to a 2003 server VPN connection just fine
as long as the server is on the DMZ (not wanted).
However, despite forwarding ports 1723 and 47 for BOTH
(udp/tcp), I cannot logon to the server. I seem to
connect but when attempting to verify logon name and
password, the session times out. Are there other ports
that I need to forward through the router?

David L. Boucher
MCSE CNE
dlb Technology Consulting
Email: (E-Mail Removed)


 
 
 
 
 
Michael Giorgio - MS MVP
Guest
Posts: n/a

 
      12-19-2003, 02:36 PM
UDP port 500 (ISAKMP), and UDP port 1701 (L2TP).


"David" <(E-Mail Removed)> wrote in message
> I am connecting to a 2003 server VPN connection just fine
> as long as the server is on the DMZ (not wanted).
> However, despite forwarding ports 1723 and 47 for BOTH
> (udp/tcp), I cannot logon to the server. I seem to
> connect but when attempting to verify logon name and
> password, the session times out. Are there other ports
> that I need to forward through the router?



 
 
Bill Grant
Guest
Posts: n/a

 
      12-19-2003, 11:01 PM
I would like to expand on what Michael said, because this is a common
(and sadly misunderstood) problem.

For PPTP, the only port required is tcp port 1723. The port 47 thing is
an urban myth, caused originally by somebody misreading the specs. What is
in fact essential is IP protocol 47, which is GRE (Generic Routing
Encapsulation).

PPTP is used to set up and maintain the VPN tunnel. The actual data is
transferred as IP packets with GRE headers. The encrypted tunnel data
travels as the payload. If GRE is blocked, the tunnel establishes fine, but
no data is transferred (which is pretty useless).

Note that GRE must be enabled for inward and outward traffic, because
traffic in both directions is using GRE headers on the tunnel data packets.


For L2TP you need udp port 1701, and you also need udp port 500 for key
exchange for IPSec. You do not need GRE, because the data now is encrypted
by IPSec and has ESP headers.

"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> UDP port 500 (ISAKMP), and UDP port 1701 (L2TP).
>
>
> "David" <(E-Mail Removed)> wrote in message
> > I am connecting to a 2003 server VPN connection just fine
> > as long as the server is on the DMZ (not wanted).
> > However, despite forwarding ports 1723 and 47 for BOTH
> > (udp/tcp), I cannot logon to the server. I seem to
> > connect but when attempting to verify logon name and
> > password, the session times out. Are there other ports
> > that I need to forward through the router?

>
>
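Added example, not part of the thread: a small Python model of the distinction made in the post above, showing that a rule for TCP/UDP port 47 never matches a GRE packet because GRE (IP protocol 47) has no port field. The packets, addresses and rule-set names are constructed for illustration; ESP is IP protocol 50.

```python
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) around payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([203, 0, 113, 9]),
                       bytes([198, 51, 100, 10])) + payload

def ports(src, dst):
    """Start of a TCP or UDP header: source port, destination port."""
    return struct.pack("!HH", src, dst) + bytes(16)

def classify(pkt):
    """Return (ip_protocol, destination_port or None) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # the IP "protocol" field
    if proto in (TCP, UDP):
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None  # GRE and ESP have no port field to match on

def blocked(rules, traffic):
    """Names of flows that no (protocol, port) rule lets through."""
    return [name for name, pkt in traffic.items() if classify(pkt) not in rules]

# Constructed sample packets (addresses are documentation ranges).
PPTP = {
    "control, TCP 1723": ipv4(TCP, ports(1025, 1723)),
    # Enhanced GRE header as used by PPTP: version 1, protocol type 0x880B.
    "data, GRE": ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)),
}
L2TP_IPSEC = {
    "key exchange, UDP 500": ipv4(UDP, ports(500, 500)),
    "L2TP, UDP 1701": ipv4(UDP, ports(1701, 1701)),
    "data, ESP": ipv4(ESP, bytes(8)),
}

# Rule sets as (protocol, port); port None means "the whole IP protocol".
PORT_47_RULES = {(TCP, 1723), (UDP, 1723), (TCP, 47), (UDP, 47)}
PPTP_RULES = {(TCP, 1723), (GRE, None)}
L2TP_RULES = {(UDP, 1701), (UDP, 500), (ESP, None)}

if __name__ == "__main__":
    for label, rules, flows in [("port 47 forwarded", PORT_47_RULES, PPTP),
                                ("TCP 1723 + GRE", PPTP_RULES, PPTP),
                                ("UDP 1701/500 + ESP", L2TP_RULES, L2TP_IPSEC)]:
        print(label, "-> blocked:", blocked(rules, flows) or "nothing")
```

With the port-47 rule set the control connection passes and the GRE data flow is the only thing blocked, which matches a tunnel that establishes and then carries no data.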



 
 
David
Guest
Posts: n/a

 
      12-22-2003, 02:01 PM
I have enabled 1723 and 47 both ways in the router, but I
still don't connect to the server. I get a message that
the service is attempting to logon to no avail. I am
using valid logon credentials. I am using PPTP vice
L2TP. Any other ideas?


>-----Original Message-----
> I would like to expand on what Michael said, because this is a common
>(and sadly misunderstood) problem.
>
> For PPTP, the only port required is tcp port 1723. The port 47 thing is
>an urban myth, caused originally by somebody misreading the specs. What is
>in fact essential is IP protocol 47, which is GRE (Generic Routing
>Encapsulation).
>
> PPTP is used to set up and maintain the VPN tunnel. The actual data is
>transferred as IP packets with GRE headers. The encrypted tunnel data
>travels as the payload. If GRE is blocked, the tunnel establishes fine, but
>no data is transferred (which is pretty useless).
>
> Note that GRE must be enabled for inward and outward traffic, because
>traffic in both directions is using GRE headers on the tunnel data packets.
>
>
> For L2TP you need udp port 1701, and you also need udp port 500 for key
>exchange for IPSec. You do not need GRE, because the data now is encrypted
>by IPSec and has ESP headers.
>
>"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
>message news:(E-Mail Removed)...
>> UDP port 500 (ISAKMP), and UDP port 1701 (L2TP).
>>
>>
>> "David" <(E-Mail Removed)> wrote in message
>> > I am connecting to a 2003 server VPN connection just fine
>> > as long as the server is on the DMZ (not wanted).
>> > However, despite forwarding ports 1723 and 47 for BOTH
>> > (udp/tcp), I cannot logon to the server. I seem to
>> > connect but when attempting to verify logon name and
>> > password, the session times out. Are there other ports
>> > that I need to forward through the router?

 
 
Michael Giorgio - MS MVP
Guest
Posts: n/a

 
      12-22-2003, 04:39 PM
Thanks Bill, I completely missed the port 47 thing.

"Bill Grant" <bill_grant at bigpond dot com> wrote in message
> I would like to expand on what Michael said, because this is a common
> (and sadly misunderstood) problem.
>
> For PPTP, the only port required is tcp port 1723. The port 47 thing is
> an urban myth, caused originally by somebody misreading the specs. What is
> in fact essential is IP protocol 47, which is GRE (Generic Routing
> Encapsulation).
>
> PPTP is used to set up and maintain the VPN tunnel. The actual data is
> transferred as IP packets with GRE headers. The encrypted tunnel data
> travels as the payload. If GRE is blocked, the tunnel establishes fine, but
> no data is transferred (which is pretty useless).
>
> Note that GRE must be enabled for inward and outward traffic, because
> traffic in both directions is using GRE headers on the tunnel data packets.
>
>
> For L2TP you need udp port 1701, and you also need udp port 500 for key
> exchange for IPSec. You do not need GRE, because the data now is encrypted
> by IPSec and has ESP headers.



 
 
Timothy McClory
Guest
Posts: n/a

 
      01-02-2004, 02:31 PM
David, you need to configure port triggering with your Linksys router.
Here's a link to the article on the Linksys site that tells you how to do
this.
http://kb.linksys.com/cgi-bin/om_isapi.dll?clientID=580710&QuestionText=vpn&SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5bSum%3a%20vpn%5d%5bMerge%3a%20%5bThesaurus%3a%20vpn%5d%5d%5d&infobase=linksysrev.nfo&record={3F0}&softpage=IKW_ENU_JDocView


"David" <(E-Mail Removed)> wrote in message
news:04cc01c3c63c$f8c5b5f0$(E-Mail Removed)...
> I am connecting to a 2003 server VPN connection just fine
> as long as the server is on the DMZ (not wanted).
> However, despite forwarding ports 1723 and 47 for BOTH
> (udp/tcp), I cannot logon to the server. I seem to
> connect but when attempting to verify logon name and
> password, the session times out. Are there other ports
> that I need to forward through the router?
>
> David L. Boucher
> MCSE CNE
> dlb Technology Consulting
> Email: (E-Mail Removed)
>
>



 
 
Bill Grant
Guest
Posts: n/a

 
      01-02-2004, 11:54 PM
For PPTP you only require tcp port 1723. You do not require any port 47.
You do need your router to allow IP protocol 47 (GRE) in both directions,
because the encrypted data travels as the payload of a packet with a GRE
header. No GRE, no VPN traffic! PPTP just sets up and maintains the tunnel.

"Timothy McClory" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> David, you need to configure port triggering with your Linksys router.
> Here's a link to the article on the Linksys site that tells you how to do
> this.
>

http://kb.linksys.com/cgi-bin/om_isa...stionText=vpn&
SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5b Sum%3a%20vpn%5d%5bMerge%3a
%20%5bThesaurus%3a%20vpn%5d%5d%5d&infobase=linksys rev.nfo&record={3F0}&softp
age=IKW_ENU_JDocView
>
>
> "David" <(E-Mail Removed)> wrote in message
> news:04cc01c3c63c$f8c5b5f0$(E-Mail Removed)...
> > I am connecting to a 2003 server VPN connection just fine
> > as long as the server is on the DMZ (not wanted).
> > However, despite forwarding ports 1723 and 47 for BOTH
> > (udp/tcp), I cannot logon to the server. I seem to
> > connect but when attempting to verify logon name and
> > password, the session times out. Are there other ports
> > that I need to forward through the router?
> >
> > David L. Boucher
> > MCSE CNE
> > dlb Technology Consulting
> > Email: (E-Mail Removed)
> >
> >

>
>



 
 
wstaylor
Guest
Posts: n/a

 
      03-06-2004, 03:01 PM
It is the Linksys Router... I had the same problem with 2 different Linksys 1 port Routers... there is a problem with the firmware... They want you to downgrade the firmware version... I sent them back... Now I am having an encryption/decryption problem with a Linksys 4 port router/switch... Linksys denies any problem, but I know better... Now I am using a Watchguard SOHO6 as a firewall/simple router and everything is working just fine... only problem > very very very low bandwidth.....
 