MS VPN through Wingate

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

Postby mcit » Jan 23 09 2:11 am

What do I have to do to enable MS VPN L2TP services through Wingate 6.2?
I have mapped Port 1723 through Wingate to the VPN server. What happens with GRE [protocol 47]? Is that handled automatically?

Matthew
mcit
 
Posts: 32
Joined: Jun 24 04 2:53 pm
Location: Australia

Re: MS VPN through Wingate

Postby adrien » Jan 27 09 12:59 pm

Hi

port 1723 is the control port for PPTP, not L2TP.

L2TP doesn't use GRE either - that's used by PPTP. WinGate supports PPTP simply by mapping the control port.


Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: MS VPN through Wingate

Postby adrien » Jan 27 09 1:28 pm

looks like all you should need to do is forward UDP packets on port 1701 - which is used for both control and data for L2TP

You may also need to forward UDP port 500 if you are using IPSec over L2TP to support the key exchange protocol.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: MS VPN through Wingate

Postby adrien » Jan 27 09 1:33 pm

actually - looks also like for IPsec you need to forward the ESP protocol (protocol 50 c.f. TCP = 6, UDP = 17), which WinGate doesn't currently support.

You may be better off using PPTP.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: MS VPN through Wingate

Postby mcit » Jan 30 09 11:20 pm

Sorry, my mistake. It is PPTP I am using. Windows Server 2003 VPN. Not L2TP. I can get the remote end to establish, but it never gets past verifying username and password. It just times out with Error 721. The event log on the server logs the following:

Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 30/01/2009
Time: 8:54:29 PM
User: N/A
Computer:****SERVER
Description:
A connection between the VPN server and the VPN client 10.0.0.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I have tried from multiple remote locations and have confirmed that the remote routers support VPN passthrough. Other than mapping the TCP port 1723, what else has to be done through wingate to make the connections work?
mcit
 
Posts: 32
Joined: Jun 24 04 2:53 pm
Location: Australia
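
Added example, not part of any poster's message and not WinGate or Microsoft code: a small classifier for raw IPv4 packets captured on the VPN server's side of the gateway, which labels the protocols named in this thread (TCP 1723, GRE 47, UDP 1701, UDP 500, ESP 50) and flags the Event 20209 pattern where the PPTP control channel arrives but GRE does not. The function names and the sample packets are constructed for illustration.

```python
import struct

# IP protocol numbers and ports named in the thread
TCP, UDP, GRE, ESP = 6, 17, 47, 50
PPTP_CTRL, L2TP, IKE = 1723, 1701, 500

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the VPN role it plays, else 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4            # header length; IP options allowed
    proto, body = pkt[9], pkt[ihl:]
    if proto == ESP:
        return "esp"
    if proto == GRE:
        # PPTP data uses enhanced GRE: version 1, protocol type 0x880B
        is_pptp = len(body) >= 4 and body[1] & 0x07 == 1 and body[2:4] == b"\x88\x0b"
        return "pptp-gre" if is_pptp else "gre-other"
    # Only the first fragment carries the TCP/UDP port fields
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    if proto in (TCP, UDP) and first_fragment and len(body) >= 4:
        ports = set(struct.unpack("!HH", body[:4]))
        if proto == TCP and PPTP_CTRL in ports:
            return "pptp-control"
        if proto == UDP and L2TP in ports:
            return "l2tp"
        if proto == UDP and IKE in ports:
            return "ike"
    return "other"

def diagnose(packets) -> str:
    """Summarise a capture taken on the VPN server's side of the gateway."""
    seen = {classify(p) for p in packets}
    if "pptp-control" in seen and "pptp-gre" not in seen:
        return "PPTP control (TCP 1723) seen, no GRE (protocol 47) at this capture point"
    if "ike" in seen and "esp" not in seen:
        return "IKE (UDP 500) seen, no ESP (protocol 50) at this capture point"
    return "no missing companion protocol detected"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10])) + payload

# Constructed sample packets, not taken from the thread
CTRL = ipv4(TCP, struct.pack("!HH", 49152, PPTP_CTRL) + bytes(16))
DATA = ipv4(GRE, bytes([0x30, 0x81, 0x88, 0x0B]) + bytes(12))
IKE_PKT = ipv4(UDP, struct.pack("!HHHH", IKE, IKE, 8, 0))

if __name__ == "__main__":
    print(diagnose([CTRL]))          # control channel only: the Event 20209 pattern
    print(diagnose([CTRL, DATA]))    # control plus GRE data
```

Running the same classification on both sides of the gateway shows whether GRE is lost inbound or on the return path.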

Re: MS VPN through Wingate

Postby kgoodknecht » Jan 31 09 6:39 pm

Adrien spent the better part of a month with me working out the PPTP VPN through Wingate (Inbound) on v6.2 a year or so ago. The fact that you are getting 20209 events says that you are getting through to the VPN server. These events tend to be caused by a problem on the client end. What kind of connection do you have on the client end?
If you have DSL with a separate modem and a PPPoE connection through a router, you must have the PPPoE on the router, not on the modem. I've also seen some issues I've not been able to work out with some cable and satellite internet, but in most cases PPTP VPNs connect just fine so long as the VPN server can send the GRE packets back to the client.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Re: MS VPN through Wingate

Postby mcit » Feb 01 09 3:39 am

I have tried from a couple of different remote locations. The remotes are clients behind a DSL modem/router that support VPN passthrough. They are therefore behind NAT if that makes any difference.

At this point, unless I were to setup a dialup account, I have no directly connected remote to test with, only NAT'd DSL clients. One interesting thing is that I have tested also from clients who are using old DSL modems that I think DO NOT support VPN passthrough and they have the same symptoms.

I have spent many hours testing everything that I can think of with this, but so far I have had no luck at all. We are trying to avoid using the wingate VPN for the sake of cost, and also so that the client setup is simple and can be a guided procedure over the phone rather than a site visit.

Just to clarify, the remotes that I have tested have all been single unit modem/router. They are small branch offices and home connections.
mcit
 
Posts: 32
Joined: Jun 24 04 2:53 pm
Location: Australia

Re: MS VPN through Wingate

Postby kgoodknecht » Feb 01 09 5:38 am

Is the Wingate Server also the VPN server?
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Re: MS VPN through Wingate

Postby mcit » Feb 01 09 2:25 pm

No. The wingate server is a virtual machine that runs on top of the VPN server. The wingate server is just a gateway and DNS forwarder. Everything else is handled by the main server [host machine]
mcit
 
Posts: 32
Joined: Jun 24 04 2:53 pm
Location: Australia

Re: MS VPN through Wingate

Postby kgoodknecht » Feb 02 09 7:08 am

Interesting setup, I use a similar setup, but with reversed roles. I'm not sure what your reasoning is but I will add this, if you are taking advantage of the KAV plugin, which would be the main reasoning for using Wingate for the Gateway, the KAV plugin is very processor intensive so I would not run it on a Virtual Machine because you are limiting the amount of processor available to the KAV plugin, assuming the host machine is a multi-processor machine. Virtual Machines are limited to a percentage of one processor.
On the other hand RAS is more memory intensive so you are limited only by how much memory you can assign to the machine, and these days memory is a cheap upgrade.
I also assume you have only one public IP address available to you, so I would recommend moving Wingate to the host machine, using the Virtual machine as the RAS server, provided the VM is a Windows Server machine. I can also tell you that you can run RRAS and Wingate on the same server, but you'll need to disable the Routing and NAT features in Wingate and let RRAS handle all the routing. The only thing you need to leave enabled on the Extended Network Driver in Wingate is the firewall, to take advantage of the Proxy redirects which are done by the Firewall. I've set up four servers this way with v6.2 so I know it works, and works well. The only problem I have is that with v6.5 the ENS Driver breaks the RRAS routing features, which is why I'm here. I'm hoping to find a v6.5 config that doesn't break the routing and NAT features in RRAS.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Re: MS VPN through Wingate

Postby mcit » Feb 02 09 1:23 pm

Well the reason for the setup being this way, is more a process of evolution than anything else.

Originally, there were 2 servers. An internal server and a gateway or internet facing server. Due to cost cutting and attempting to better utilise resources, when it came time to replace the internal server, it was decided to make it a more powerful machine and run the gateway server on it in a virtual machine [2 physical servers, combined into 1 with same functionality]

Other than the upgrades to Wingate, not much has changed on the gateway machine since this was done 5yrs ago. The idea being that, should anything go wrong with the gateway [virtual machine] it would be a simple reimage and other than email and internet, there would be no downtime. This has served us well up until now.

The configuration is:
Windows Server 2003 SP2 in Virtual Machine [Running on top of Windows Server 2003 SP2 Host]
Wingate 6.2 - Running ENS & NAT. Firewall disabled. No KAV or any other plugins.
We run NOD32 on the gateway.
This server does control the RAS also via PPPOE. [Not RRAS]
The firewall used to be AT Guard 3.22 [but this no longer works as of the SP2 upgrade, so it was uninstalled.]

What we do with the gateway could mostly be done with a SOHO modem / router. But we have the Wingate licence, and every now and then, management wants to know why the bandwidth usage is so high, or why the internet seems slow. So Wingate's logging comes in handy here.

None of this config has been an issue until they wanted to implement remote VPN connections. That is what brings me to where I am.
I intend to get a mobile wireless for one of the managers and test it with the VPN to see if that works. But if not, I am completely stumped as to the cause of this.

As a matter of interest, I did previously configure the RRAS service on the gateway to see if it was a routing problem between the servers for the incoming VPN. That had the same result as when the RRAS sits on the host.
mcit
 
Posts: 32
Joined: Jun 24 04 2:53 pm
Location: Australia

Re: MS VPN through Wingate

Postby adrien » Feb 02 09 5:58 pm

Hi Kevin

We have a couple of known issues with dialup with 6.5, if you'd like to try a newer build and see if this fixes your RRAS problems, let me know.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: MS VPN through Wingate

Postby aalexx62 » Feb 13 09 10:53 am

Confirm I've got the same problem on 6.5, have updated to 6.5.2 yesterday. Will try again, report
aalexx62
 
Posts: 9
Joined: Oct 06 05 1:44 am
Location: Saint-Petersburg

Re: MS VPN through Wingate

Postby aalexx62 » Feb 14 09 2:41 am

Have tested today from alternative location without router - MS VPN works perfect behind Wingate! My conclusion: the problem is hidden in router (DI-604), while Wingate is transparent for MS VPN port & protocols. Therefore Adrien can relax with this issue :-)
aalexx62
 
Posts: 9
Joined: Oct 06 05 1:44 am
Location: Saint-Petersburg
