W2K3 VPN Server and Wingate - HELP

Postby iquijas » May 12 06 6:20 am

Hi Guys,

I'm currently evaluating Wingate 6.1.1 for a customer and one of the final tasks in the review process is to configure it to work with the VPN server behind the proxy so the sales people can connect to the LAN from the road.

The VPN server is a Windows 2003 R2 machine with the Routing and Remote Access service enabled and sits in the LAN behind the Wingate machine.

So far I haven't been able to connect from outside the LAN using the Microsoft VPN client.

Any suggestions?

Regards
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby Pascal » May 12 06 9:04 am

Have you forwarded the right ports to that machine?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby iquijas » May 12 06 10:05 am

I configured port forwarding (TCP 1723) for the W2K3 Server and selected "Don't translate source IP" but every time I try to connect to the server I get the following error message in Wingate Firewall:

Wingate firewall hit report:

Time: 5/11/2006 3:59:09 PM
Reason:
Source MAC address: 00-15-E9-19-39-20
Destination MAC address: 00-30-F1-36-3E-74
Source IP Address: 207.248.39.5 : 52590
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121

Wingate firewall hit report:

Time: 5/11/2006 3:59:03 PM
Reason:
Source MAC address: 00-15-E9-19-39-20
Destination MAC address: 00-30-F1-36-3E-74
Source IP Address: 207.248.39.5 : 52590
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121

The following entries are recorded in the WinGate NAT log:

05/11/06 15:54:37 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/11/06 15:54:38 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/11/06 15:54:39 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/11/06 15:54:40 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby Pascal » May 12 06 10:19 am

Ah, packets with an invalid checksum. You'll need Genie for that one; he'll be able to help you with that. I'll bring this topic to his attention.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby genie » May 12 06 10:58 am

Aye, checksum errors - you can allow the WinGate driver to ignore checksum errors: in Registry Editor, find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QbikHkXP\Parameters

and add a DWORD value with name ValidateTCPChecksum, set its value to 0 and reboot the machine.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby iquijas » May 12 06 4:01 pm

I just applied the change to the registry of the computer, but the connection still cannot be made.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QbikHkXP\Parameters]
"BootStatus"=hex:02,00,00,00
"PreEngineStartLockdown"=dword:00000000
"ValidateTCPChecksum"=dword:00000000

The Firewall Log

05/11/06 21:40:43 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:40:44 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:40:44 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:41:48 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:42:06 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:42:59 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:43:05 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/11/06 21:44:30 Debug: Sent security table 0 with 1 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 0 with 1 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 1 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 2 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 3 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 4 with 1 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 5 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 6 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 7 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 8 with 0 entries, return status 0
05/11/06 21:44:30 Debug: Sent security table 9 with 0 entries, return status 0
05/11/06 21:44:38 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:58:18 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
05/11/06 21:58:24 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10


Firewall Console:

Wingate firewall hit report:

Time: 5/11/2006 9:58:24 PM
Reason:
Source IP Address: 207.248.39.5 : 32993
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121

Wingate firewall hit report:

Time: 5/11/2006 9:58:18 PM
Reason:
Source IP Address: 207.248.39.5 : 32993
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby genie » May 12 06 5:12 pm

Oh, my bad - I had to check what I was typing - it had to go to CurrentControlSet, rather than ControlSet001 - my apologies. Please, add this value to CurrentControlSet.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby iquijas » May 13 06 3:25 am

I modified the correct key, but I'm still getting the checksum error in the firewall.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QbikHkXP\Parameters]
"BootStatus"=hex:02,00,00,00
"PreEngineStartLockdown"=dword:00000000
"ValidateTCPChecksum"=dword:00000000

Wingate firewall hit report:

Time: 5/12/2006 9:18:35 AM
Reason:
Source IP Address: 207.248.39.5 : 52826
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121

Time: 5/12/2006 9:18:28 AM
Reason:
Source IP Address: 207.248.39.5 : 52826
Destination IP Address: 192.168.0.10 : 1723
Protocol: TCP
TCP flags: S
Time-to-live: 121

Wingate NAT Log

05/12/06 09:18:11 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/12/06 09:18:28 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10

05/12/06 09:18:35 Debug: NAT STATUS: packet discarded checksum error: TCP src 207.248.39.5 dst 192.168.0.10
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby iquijas » May 13 06 3:35 am

This is the current configuration of the Wingate machine:

1.01 WINGATE CONFIGURATION REPORT

1.02 Friday, May 12, 2006, 09:33

1.03

1.04 ---------------------------------------------

1.05 WinGate Engine

1.06 ---------------------------------------------

1.07 WinGate 6.1.1 (Build 1077)

1.08 Operating System: Windows 2000 (NT 5.1)

1.09 Language: ENU

1.10 User database: NT

1.11 Num. users: 21

1.12

1.13

3.01 ---------------------------------------------

3.02 License details

3.03 ---------------------------------------------

3.04 License Key 1

3.05 Version: WinGate 6 Enterprise 250+ concurrent users

3.06 Expiry: 06/Jun/2006

3.07

4.01 ---------------------------------------------

4.02 Dialer information

4.03 ---------------------------------------------

4.04 Dialer is disabled

4.05

5.01 ---------------------------------------------

5.02 Network Interfaces

5.03 ---------------------------------------------

5.04 Local Area Connection (Ethernet) internal

5.05 Local Area Connection 2 (Ethernet) internal

5.06 MS TCP Loopback interface (Loopback)

5.07

6.01 ---------------------------------------------

6.02 Services

6.03 ---------------------------------------------

6.04

6.05 System Policies

6.06 ---------------------------------------------

6.07 Default System Access Rights:

6.08 Everyone - Unrestricted rights

6.09 Default Start/Stop Rights:

6.10 Administrators - Unrestricted rights

6.11 Default Edit Rights:

6.12 Administrators - Unrestricted rights

6.13

6.14 Telnet Proxy server (Telnet Proxy server)

6.15 ---------------------------------------------

6.16 Session Timeout: 180

6.17 Port: 23

6.18 Startup: Automatic start/stop

6.19 Access Rights: Defaults: may be used instead

6.20 Start/Stop Rights: Defaults: may be used instead

6.21 Edit Rights: Defaults: may be used instead

6.22

6.23 WWW Proxy server (WWW Proxy server)

6.24 ---------------------------------------------

6.25 Session Timeout: 28800

6.26 Port: 80

6.27 Startup: Automatic start/stop

6.28 Access Rights: Defaults: are ignored

6.29 Empleados - Restricted by request

6.30 Gerencia - Unrestricted rights

6.31 Domain Admins - Unrestricted rights

6.32 webproxyadmin - Unrestricted rights

6.33 Start/Stop Rights: Defaults: may be used instead

6.34 Edit Rights: Defaults: may be used instead

6.35

6.36 DHCP Service (DHCP Service)

6.37 ---------------------------------------------

6.38 Session Timeout: 180

6.39 Port: 67

6.40 Startup: Disabled

6.41 Access Rights: Defaults: are ignored

6.42 Everyone - Unrestricted rights

6.43 Start/Stop Rights: Defaults: may be used instead

6.44 Edit Rights: Defaults: may be used instead

6.45

6.46 Winsock Redirector Service (Winsock Redirector Service)

6.47 ---------------------------------------------

6.48 Session Timeout: 600

6.49 Port: 2080

6.50 Startup: Automatic start/stop

6.51 Access Rights: Defaults: may be used instead

6.52 Start/Stop Rights: Defaults: may be used instead

6.53 Edit Rights: Defaults: may be used instead

6.54

6.55 FTP Proxy server (FTP Proxy server)

6.56 ---------------------------------------------

6.57 Session Timeout: 180

6.58 Port: 21

6.59 Startup: Automatic start/stop

6.60 Access Rights: Defaults: may be used instead

6.61 Start/Stop Rights: Defaults: may be used instead

6.62 Edit Rights: Defaults: may be used instead

6.63

6.64 IMAP4 Server (IMAP4 Server)

6.65 ---------------------------------------------

6.66 Session Timeout: 1800

6.67 Port: 143

6.68 Startup: Disabled

6.69 Access Rights: Defaults: may be used instead

6.70 Start/Stop Rights: Defaults: may be used instead

6.71 Edit Rights: Defaults: may be used instead

6.72

6.73 RTSP Streaming Media Proxy (RTSP Streaming Media Proxy)

6.74 ---------------------------------------------

6.75 Session Timeout: 180

6.76 Port: 554

6.77 Startup: Automatic start/stop

6.78 Access Rights: Defaults: may be used instead

6.79 Start/Stop Rights: Defaults: may be used instead

6.80 Edit Rights: Defaults: may be used instead

6.81

6.82 SOCKS Proxy server (SOCKS Proxy server)

6.83 ---------------------------------------------

6.84 Session Timeout: 180

6.85 Port: 1080

6.86 Startup: Automatic start/stop

6.87 Access Rights: Defaults: may be used instead

6.88 Everyone - Unrestricted rights

6.89 Start/Stop Rights: Defaults: may be used instead

6.90 Edit Rights: Defaults: may be used instead

6.91

6.92 VDOLive Proxy server (VDOLive Proxy server)

6.93 ---------------------------------------------

6.94 Session Timeout: 180

6.95 Port: 7000

6.96 Startup: Automatic start/stop

6.97 Access Rights: Defaults: may be used instead

6.98 Start/Stop Rights: Defaults: may be used instead

6.99 Edit Rights: Defaults: may be used instead

6.100

6.101 POP3 Server (POP3 Server)

6.102 ---------------------------------------------

6.103 Session Timeout: 120

6.104 Port: 110

6.105 Startup: Disabled

6.106 Access Rights: Defaults: may be used instead

6.107 Start/Stop Rights: Defaults: may be used instead

6.108 Edit Rights: Defaults: may be used instead

6.109

6.110 SMTP Server (SMTP Server)

6.111 ---------------------------------------------

6.112 Session Timeout: 300

6.113 Port: 25

6.114 Startup: Disabled

6.115 Access Rights: Defaults: may be used instead

6.116 Everyone - Unrestricted rights

6.117 Start/Stop Rights: Defaults: may be used instead

6.118 Edit Rights: Defaults: may be used instead

6.119

6.120 GDP Service (GDP Service)

6.121 ---------------------------------------------

6.122 Session Timeout: 180

6.123 Port: 368

6.124 Startup: Automatic start/stop

6.125 Access Rights: Defaults: may be used instead

6.126 Start/Stop Rights: Defaults: may be used instead

6.127 Edit Rights: Defaults: may be used instead

6.128

6.129 XDMA Proxy service (XDMA Proxy service)

6.130 ---------------------------------------------

6.131 Session Timeout: 20

6.132 Port: 8000

6.133 Startup: Automatic start/stop

6.134 Access Rights: Defaults: may be used instead

6.135 Start/Stop Rights: Defaults: may be used instead

6.136 Edit Rights: Defaults: may be used instead

6.137

6.138 DNS Service (DNS Service)

6.139 ---------------------------------------------

6.140 Session Timeout: 180

6.141 Port: 53

6.142 Startup: Automatic start/stop

6.143 Access Rights: Defaults: may be used instead

6.144 Start/Stop Rights: Defaults: may be used instead

6.145 Edit Rights: Defaults: may be used instead

6.146

6.147 WWW Server for viewing log files (Logfile Server)

6.148 ---------------------------------------------

6.149 Session Timeout: 180

6.150 Port: 8010

6.151 Startup: Automatic start/stop

6.152 Access Rights: Defaults: may be used instead

6.153 Start/Stop Rights: Defaults: may be used instead

6.154 Edit Rights: Defaults: may be used instead

6.155

6.156 Remote Control Service (Remote Control Service)

6.157 ---------------------------------------------

6.158 Session Timeout: 180

6.159 Port: 808

6.160 Startup: Automatic start/stop

6.161 Access Rights: Defaults: may be used instead

6.162 Start/Stop Rights: Defaults: may be used instead

6.163 Edit Rights: Defaults: may be used instead

6.164

7.01 ---------------------------------------------

7.02 System Route Table

7.03 ---------------------------------------------

7.04 Current Route Table:

7.05 ---------------------------------------------

7.06 Network          Mask             Gateway       Interface     Metric
7.07 0.0.0.0          0.0.0.0          192.168.0.1   192.168.0.10  20
7.08 127.0.0.0        255.0.0.0        127.0.0.1     127.0.0.1     1
7.09 172.16.0.0       255.255.0.0      172.16.1.1    172.16.1.1    20
7.10 172.16.1.1       255.255.255.255  127.0.0.1     127.0.0.1     20
7.11 172.16.255.255   255.255.255.255  172.16.1.1    172.16.1.1    20
7.12 192.168.0.0      255.255.255.0    192.168.0.10  192.168.0.10  20
7.13 192.168.0.10     255.255.255.255  127.0.0.1     127.0.0.1     20
7.14 192.168.0.255    255.255.255.255  192.168.0.10  192.168.0.10  20
7.15 224.0.0.0        240.0.0.0        172.16.1.1    172.16.1.1    20
7.16 224.0.0.0        240.0.0.0        192.168.0.10  192.168.0.10  20
7.17 255.255.255.255  255.255.255.255  172.16.1.1    172.16.1.1    1
7.18 255.255.255.255  255.255.255.255  192.168.0.10  192.168.0.10  1

7.19

8.01 ---------------------------------------------

8.02 Enhanced Network Support

8.03 ---------------------------------------------

8.04 Enhanced Network Support: Qbik NDIS Hook 6.0 - Installed and active

8.05 Driver: Enabled

8.06 NAT: Enabled

8.07 Router: Enabled

8.08 Firewall level: Custom

8.09

8.10 Firewall

8.11 ---------------------------------------------

8.12 Disable network name broadcasts to the Internet: Enabled

8.13 Allow users to ping this machine locally: Enabled

8.14 Allow users to ping this machine from the Internet: Disabled

8.15 Discard spoofed packets: Enabled

8.16

8.17 Routing

8.18 ---------------------------------------------

8.19 Multiple default routes: Enabled

8.20 Relay UDP broadcast packets: Enabled

8.100

8.101 Port Security

8.102 ---------------------------------------------

8.103

8.104 Security for: External TCP

8.105 Action: Redirect Port: 1723 - PPTP Server

8.106

8.107 Security for: External UDP

8.108

8.109 Security for: Internal TCP

8.110

8.111 Security for: Internal UDP

8.112

8.113 Security for: NAT TCP

8.114 Action: Redirect Port: 80 - Intercepted by WWW Proxy server

8.115

8.116 Security for: NAT UDP

8.117

8.118 Security for: DMZ TCP

8.119

8.120 Security for: DMZ UDP

8.121

8.122 Security for: (unknown)

8.123

8.124 Security for: (unknown)

8.500

9.01 ---------------------------------------------

9.02 END OF CONFIGURATION REPORT
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby iquijas » May 16 06 4:56 am

Since Port Redirection didn't work, I configured TCP Mapping for port 1723. With this setting I was able to reach the VPN server behind the Wingate Firewall with no checksum errors, but now it seems the communication from the VPN server to the external computer can't be performed. This is the server log regarding this issue:

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 5/15/2006
Time: 10:52:20 AM
User: N/A
Computer: SERVERMTY
Description:
A connection between the VPN server and the VPN client 172.16.1.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby iquijas » May 24 06 3:32 pm

I've just upgraded to the new Wingate version (6.1.2), but I'm still getting the same error message about the GRE protocol:

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 5/23/2006
Time: 9:27:29 PM
User: N/A
Computer: SERVERMTY
Description:
A connection between the VPN server and the VPN client 172.16.1.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Does Wingate support GRE?
iquijas
 
Posts: 8
Joined: May 12 06 6:11 am

Postby adrien » May 25 06 12:28 am

Hi

WinGate has special application handling for PPTP (port 1723 and GRE) in the ENS / NAT driver.

So you need to use the port redirection in extended networking.

What network hardware do you have installed on the WinGate machine?

Also, did you reboot after changing the TCP checksum setting?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
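To make the two halves of a PPTP session that Adrien describes concrete, here is an added Python script (not from the thread and not WinGate code) that classifies captured IPv4 packets as TCP 1723 control traffic or GRE (protocol 47) data, verifies the TCP checksum the way a NAT that validates checksums would before discarding, and summarises a capture into the "control up, no GRE" state the Rasman 20209 event reports. All addresses, ports and packets are constructed sample values.

```python
"""Classify IPv4 packets by their role in a PPTP session and verify TCP checksums (added example)."""
import struct
from ipaddress import IPv4Address

PPTP_PORT, IPPROTO_TCP, IPPROTO_GRE = 1723, 6, 47      # PPTP = TCP 1723 control + GRE data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 121) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, corrupt: bool = False) -> bytes:
    """TCP SYN segment; corrupt=True flips one checksum bit to simulate a damaged packet."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg)))
    csum = inet_checksum(pseudo + seg) ^ (1 if corrupt else 0)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def classify(packet: bytes) -> dict:
    """Parse one IPv4 packet: PPTP control, GRE data or other, plus TCP checksum validity."""
    ihl = (packet[0] & 0x0F) * 4
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "role": "other", "tcp_checksum_ok": None}
    if proto == IPPROTO_GRE:
        info["role"] = "gre"                      # tunnelled PPP frames (IP protocol 47)
    elif proto == IPPROTO_TCP:
        seg = packet[ihl:]
        if PPTP_PORT in struct.unpack("!HH", seg[:4]):
            info["role"] = "control"              # TCP 1723 control connection
        pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
        info["tcp_checksum_ok"] = inet_checksum(pseudo + seg) == 0   # validating NAT drops if False
    return info


def pptp_status(packets) -> str:
    """Summarise a capture; 'control only' is the state the Rasman 20209 event describes."""
    infos = [classify(p) for p in packets]
    if any(i["tcp_checksum_ok"] is False for i in infos):
        return "bad TCP checksum: packets would be discarded before reaching the server"
    roles = {i["role"] for i in infos}
    if {"control", "gre"} <= roles:
        return "complete: control channel and GRE both passing"
    if "control" in roles:
        return "control only: GRE (protocol 47) not passing"
    return "no PPTP traffic"


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.5 (TEST-NET-3), VPN server 192.168.0.10 behind the NAT.
    client, server = "203.0.113.5", "192.168.0.10"
    syn = build_ipv4(IPPROTO_TCP, client, server, build_tcp_syn(client, server, 52590, PPTP_PORT))
    gre = build_ipv4(IPPROTO_GRE, client, server, bytes.fromhex("3001880b00000000"))  # constructed GRE v1
    print(classify(syn), pptp_status([syn]), pptp_status([syn, gre]), sep="\n")
```

A capture that shows only control packets from a client, with no GRE in either direction, points at the firewall or NAT in the path rather than at the PPTP server itself.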

Postby Kedryn » Jun 01 06 3:15 am

I also had this problem and solved it with port redirection in ENS.
BUT,
if I'm right, that means:

1) We can't choose which IP/network adapter to bind the VPN passthrough to, so we can't have multiple VPN servers on different IPs, nor limit access to only one of our public IPs.

2) We can't select the gateway that the VPN traffic will use, so if we default all traffic to an ADSL connection and send some chosen traffic (mail, remote desktop, etc.) over an HDSL, our VPN will still use the slower connection, because it's an ENS rule and not a service (as a TCP mapping is).

Right?
Kedryn
 
Posts: 13
Joined: Jun 01 06 3:10 am

Postby adrien » Jun 01 06 10:34 pm

Hi

You're right about the choice of IP to bind to.

As for the gateway to use, though, you can control the default one that will be used by ENS (where there are multiple) by overriding the metric of the interface associated with that default gateway.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
