PPTP behind 2821 - help!

I have a Win2003 server that accepts MS RRAS PPTP VPN connections. Or rather, it did until I moved them from the cheap SOHO routers they used to be on to a shiny new 2821. The machine's public IP of 66.17.84.14 works; outbound NAT and VPN is fine, I can RDC and FTP into the box. What doesn't work is connecting to this box with PPTP. I get the familiar GRE error in the event logs:

"The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation..."

I found this article...

formatting link
... but that doesn't quite apply, as the VPN server isn't behind NAT or PIX. Public IP going right to the NIC.

I keep thinking this is an easy fix and if I were to just focus the full light of my attention on it and google like mad I'd be able to fix it. That was a month ago, so I'm looking for some help here.

Thanks, Dave West

PS: Router config follows.

----------------------------------------------
Current configuration : 1421 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt00-core
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
no aaa new-model
!
ip cef
!
no ip domain lookup
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description v010-outside-link-to-citylink
 encapsulation dot1Q 10
 ip address 218.50.192.78 255.255.255.248
 no ip unreachables
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 description v002-internal-mgt-vlan
 encapsulation dot1Q 2
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description v020-public-ip-inside
 encapsulation dot1Q 20
 ip address 66.17.84.1 255.255.255.240
 no ip unreachables
!
ip default-gateway 218.50.192.73
ip route 0.0.0.0 0.0.0.0 218.50.192.73

Reply to
David L. West

PPTP uses two "channels" - a control channel that uses TCP port 1723 and a data channel that uses GRE (IP protocol 47).

See RFC 2637 for more details on this protocol.

Assuming you have an inbound access list on your router, the ACL must permit both of these protocols before a PPTP session will pass through the router to the server:

access-list ACL-IN permit gre any host x.x.x.x
access-list ACL-IN permit tcp any host x.x.x.x eq 1723

However, looking at the posted config I do not see any access-list for the interfaces in the path to the RAS server. Did you remove access-lists, or is this the complete router config?

If the posted config is complete, then I would conclude that the issue you are experiencing is NOT being caused by the new router.

You can verify this by putting a PC with a sniffer on VLAN 66.17.84.0 to see if the inbound PPTP stream for GRE and TCP 1723 is being passed through the router.

What else changed as part of moving to the new router?

Reply to
Merv
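As an added illustration of the two-entry ACL Merv describes (not code from anyone in this thread), here is a small Python evaluator for that Cisco-style syntax. It applies the first-match, implicit-deny semantics to constructed packets so you can see that an ACL with only the TCP 1723 line lets the control channel through while silently dropping the GRE data channel, which is exactly the situation that produces the GRE error in the RRAS event log. The server address is the one from the original post; the client address and the helper names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords accepted in the ACL lines; None means "any IP protocol".
PROTO_NAMES = {"gre": 47, "tcp": 6, "udp": 17, "ip": None}


@dataclass
class Packet:
    proto: int                   # IP protocol number (6 = TCP, 47 = GRE)
    src: str
    dst: str
    dport: Optional[int] = None  # TCP/UDP destination port; GRE has none


def _match_addr(tokens: List[str], addr: str) -> Tuple[bool, List[str]]:
    """Consume one address spec ('any' or 'host A.B.C.D') and test addr."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        hit = ipaddress.ip_address(addr) == ipaddress.ip_address(tokens[1])
        return hit, tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def acl_permits(acl_lines: List[str], pkt: Packet) -> bool:
    """Evaluate ACL entries top-down; first match wins; no match = deny."""
    for line in acl_lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue                      # not an ACE (comment, blank, etc.)
        _, _name, action, proto, *rest = tok
        want = PROTO_NAMES[proto]
        if want is not None and want != pkt.proto:
            continue                      # protocol mismatch
        src_ok, rest = _match_addr(rest, pkt.src)
        dst_ok, rest = _match_addr(rest, pkt.dst)
        if not (src_ok and dst_ok):
            continue
        if rest[:1] == ["eq"] and pkt.dport != int(rest[1]):
            continue                      # port qualifier did not match
        return action == "permit"
    return False                          # implicit deny at end of every ACL


if __name__ == "__main__":
    # Constructed sample: the two-line ACL from the post, server 66.17.84.14.
    full = ["access-list ACL-IN permit gre any host 66.17.84.14",
            "access-list ACL-IN permit tcp any host 66.17.84.14 eq 1723"]
    gre = Packet(47, "203.0.113.5", "66.17.84.14")          # assumed client
    ctrl = Packet(6, "203.0.113.5", "66.17.84.14", 1723)
    print("full ACL: gre", acl_permits(full, gre), "ctrl", acl_permits(full, ctrl))
    print("tcp-only: gre", acl_permits(full[1:], gre), "ctrl", acl_permits(full[1:], ctrl))
```

When sniffing as suggested above, the same split applies: seeing the TCP 1723 handshake but no inbound protocol-47 packets means the GRE half is being filtered somewhere upstream.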

It's the complete config -- the only alteration was masking the passwords and public IPs.

That was my thinking, too. BUT: I *can* connect to this server from another machine on the same subnet.

Doing a bunch of sniffing with Wireshark now, trying to see what's what.

Just changing the IP of the external NIC in the server, and updating the DNS to reflect the addr change.

Reply to
David L. West

You should see the standard TCP SYN, SYN-ACK, ACK sequence for the startup of the PPTP control channel on TCP port 1723.

If that does not occur then there will be no PPTP session established.

Reply to
Merv

When the IP address was changed on the server, was the default gateway also changed?

Reply to
Merv
