VPN PPTP on 2003 server wont connect remotely, but will if on same network.. Assistance?

I recently re-did the setup in RAS of our PPTP vpn connection to our
LAN.. I followed the wizard along as I had before.. chose the VPN and
NAT option.. setup the DHCP relay agent..

I can connect via Vista on the same lan just fine..

Now attempts to connect via our external dns address just sit there
and dont go anywhere, it never gets to the verifying user name and
password phase..

I'm out of ideas.. I've checked that TCP 1723 is open on the router
(as it was before)..

Any thoughts out there?

Thanks

You may want to use the Microsoft VPN tools to test the ports.

VPN troubleshooting toolsVPN Troubleshooting Tools. 1. PPTPclnt and PPTPsrv to test GRE and PPTP ... 11. Troubleshooting IPSec Tools. Related Topics. Troubleshooting VPN ...
http://www.chicagotech.net/vpnissues/vpntools.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"markm75" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) ups.com...
I recently re-did the setup in RAS of our PPTP vpn connection to our
LAN.. I followed the wizard along as I had before.. chose the VPN and
NAT option.. setup the DHCP relay agent..

I can connect via Vista on the same lan just fine..

Now attempts to connect via our external dns address just sit there
and dont go anywhere, it never gets to the verifying user name and
password phase..

I'm out of ideas.. I've checked that TCP 1723 is open on the router
(as it was before)..

Any thoughts out there?

Thanks

On Jul 12, 1:16 pm, "Robert L [MVP - Networking]"
<nore...@hotmail.com> wrote:
> You may want to use the Microsoft VPN tools to test the ports.
>
> VPN troubleshooting toolsVPN Troubleshooting Tools. 1. PPTPclnt and PPTPsrv to test GRE and PPTP ... 11. Troubleshooting IPSec Tools. Related Topics. Troubleshooting VPN ...
> http://www.chicagotech.net/vpnissues/vpntools.htm
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access onhttp://www.HowToNetworking.com
> "markm75" <markm...@msn.com> wrote in messagenews:(E-Mail Removed) oglegroups.com...
> I recently re-did the setup in RAS of our PPTP vpn connection to our
> LAN.. I followed the wizard along as I had before.. chose the VPN and
> NAT option.. setup the DHCP relay agent..
>
> I can connect via Vista on the same lan just fine..
>
> Now attempts to connect via our external dns address just sit there
> and dont go anywhere, it never gets to the verifying user name and
> password phase..
>
> I'm out of ideas.. I've checked that TCP 1723 is open on the router
> (as it was before)..
>
> Any thoughts out there?
>
> Thanks

Thanks for that tip...

Those tools are great.. didnt realize they were there.

Actually, after rebooting the server (I did run the tools and they
worked).. all is working now via the client and all.

Not sure what was up there.

Thanks

Thank you for the update.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"markm75" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) ups.com...
On Jul 12, 1:16 pm, "Robert L [MVP - Networking]"
<nore...@hotmail.com> wrote:
> You may want to use the Microsoft VPN tools to test the ports.
>
> VPN troubleshooting toolsVPN Troubleshooting Tools. 1. PPTPclnt and PPTPsrv to test GRE and PPTP ... 11. Troubleshooting IPSec Tools. Related Topics. Troubleshooting VPN ...
> http://www.chicagotech.net/vpnissues/vpntools.htm
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access onhttp://www.HowToNetworking.com
> "markm75" <markm...@msn.com> wrote in messagenews:(E-Mail Removed) oglegroups.com...
> I recently re-did the setup in RAS of our PPTP vpn connection to our
> LAN.. I followed the wizard along as I had before.. chose the VPN and
> NAT option.. setup the DHCP relay agent..
>
> I can connect via Vista on the same lan just fine..
>
> Now attempts to connect via our external dns address just sit there
> and dont go anywhere, it never gets to the verifying user name and
> password phase..
>
> I'm out of ideas.. I've checked that TCP 1723 is open on the router
> (as it was before)..
>
> Any thoughts out there?
>
> Thanks

Thanks for that tip...

Those tools are great.. didnt realize they were there.

Actually, after rebooting the server (I did run the tools and they
worked).. all is working now via the client and all.

Not sure what was up there.

Thanks

On Jul 12, 9:52 pm, "Robert L [MVP - Networking]"
<nore...@hotmail.com> wrote:
> Thank you for the update.
>

Just curious.. are you or anyone else out there aware of the security
implications of using PPTP? IE: Is it true the password is sent in
clear text, the only insecure part, after that its very secure?

Is one solution which gets closer to the security of ipsec, to use EAP
with a certificate (somehow)?

Thanks

"markm75" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> On Jul 12, 9:52 pm, "Robert L [MVP - Networking]"
> <nore...@hotmail.com> wrote:
>> Thank you for the update.
>>
>
> Just curious.. are you or anyone else out there aware of the security
> implications of using PPTP? IE: Is it true the password is sent in
> clear text, the only insecure part, after that its very secure?

That depends on the device providing the PPTP/VPN. MS products, RRAS &
ISA provide a multiude of authentication choices,...it really isn't about
PPTP itself.

> Is one solution which gets closer to the security of ipsec, to use EAP
> with a certificate (somehow)?

That would be L2TP instead of PPTP

IPSec secured VPN is used for Site-to-Site VPNs (aka Router-to-Router VPNs)
L2TP secured VPN is primarily used for Remote Access VPN.
PPTP is commonly used for both Remote Access VPN and Site-toSite VPNs.

All are encryped & encapsulated,...it is just a debate of methods and
degrees.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

On Jul 17, 1:24 am, "Phillip Windell" <philwind...@hotmail.com> wrote:
> "markm75" <markm...@msn.com> wrote in message
>
> news:(E-Mail Removed) ups.com...
>
> > On Jul 12, 9:52 pm, "Robert L [MVP - Networking]"
> > <nore...@hotmail.com> wrote:
> >> Thank you for the update.
>
> > Just curious.. are you or anyone else out there aware of the security
> > implications of using PPTP? IE: Is it true the password is sent in
> > clear text, the only insecure part, after that its very secure?
>
> That depends on the device providing the PPTP/VPN. MS products, RRAS &
> ISA provide a multiude of authentication choices,...it really isn't about
> PPTP itself.
>
> > Is one solution which gets closer to the security of ipsec, to use EAP
> > with a certificate (somehow)?
>
> That would be L2TP instead of PPTP
>
> IPSec secured VPN is used for Site-to-Site VPNs (aka Router-to-Router VPNs)
> L2TP secured VPN is primarily used for Remote Access VPN.
> PPTP is commonly used for both Remote Access VPN and Site-toSite VPNs.
>
> All are encryped & encapsulated,...it is just a debate of methods and
> degrees.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

Ah ok, so I should try switching to L2TP on the MS server side
settings, this would be the more secure way to go, short of
proprietary router vpn and software.

We aren't doing router to router.. just router to client type setups.

Currently we use a 460R router from Symantec, which will only work
with their proprietary VPN ipsec software.. so for Vista there is no
client. Hence I had setup the Microsoft PPTP vpn ability through one
of our servers.

I guess the other option is to find a better gateway that supports SSL
(and is dual wan), more universal, no software dependencies.

"markm75" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Ah ok, so I should try switching to L2TP on the MS server side
> settings, this would be the more secure way to go, short of
> proprietary router vpn and software.

Yes, I think the L2TP would be the correct solution since you are using
Remote Access VPN.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

On Jul 17, 1:24 am, "Phillip Windell" <philwind...@hotmail.com> wrote:
> "markm75" <markm...@msn.com> wrote in message
>
> news:(E-Mail Removed) ups.com...
>
> > On Jul 12, 9:52 pm, "Robert L [MVP - Networking]"
> > <nore...@hotmail.com> wrote:
> >> Thank you for the update.
>
> > Just curious.. are you or anyone else out there aware of the security
> > implications of using PPTP? IE: Is it true the password is sent in
> > clear text, the only insecure part, after that its very secure?
>
> That depends on the device providing the PPTP/VPN. MS products, RRAS &
> ISA provide a multiude of authentication choices,...it really isn't about
> PPTP itself.
>
> > Is one solution which gets closer to the security of ipsec, to use EAP
> > with a certificate (somehow)?
>
> That would be L2TP instead of PPTP
>
> IPSec secured VPN is used for Site-to-Site VPNs (aka Router-to-Router VPNs)
> L2TP secured VPN is primarily used for Remote Access VPN.
> PPTP is commonly used for both Remote Access VPN and Site-toSite VPNs.
>
> All are encryped & encapsulated,...it is just a debate of methods and
> degrees.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

Ah so I should try setting the Windows VPN (RAS) to l2tp instead..
this would be as close as I can go to IPSEC, without using the
proprietary software required for the symantec gateway 460R..

I installed vpn on the MS 2003 server, simply because with vista
clients, there is no way to connect to the Gateway 460R, as they dont
have a "Symantec VPN client" for vista (x64 or x86) as of yet.

I guess an alternative idea would be to look for a router that is both
dual wan and SSL capable, eliminating the burden of software on the
client side? (I Havent found any that are both dual wan and have SSL
vpn ability thus far).

On Jul 17, 11:22 am, "Phillip Windell" <philwind...@hotmail.com>
wrote:
> "markm75" <markm...@msn.com> wrote in message
>
> news:(E-Mail Removed) ups.com...
>
> > Ah ok, so I should try switching to L2TP on the MS server side
> > settings, this would be the more secure way to go, short of
> > proprietary router vpn and software.
>
> Yes, I think the L2TP would be the correct solution since you are using
> Remote Access VPN.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

I gave l2tp a try.. but havent had any success connecting remotely.. I
thought the only thing I needed to change was checking off "allow
custom ipsec policy for l2tp connection" on the Security tab when you
right click the server and do properties in RAS and add a pre shared
key.

I then switched the client config to l2tp ipsec and entered in the
same password.

When it tried to connect it fails with:


"Error 789: The l2tp connection attempt failed because the security
layer encountered a processing error during initial negotiations with
the remote computer"

Any thoughts out there?

Thanks