We have a remote LAN with addressing 172.16.1.0/24 which must be reachable by Windows PPTP VPN clients located wherever. The border gateway between this remote LAN and the Internet is a router Cisco 1841. Inside the LAN, there is a VPN server (172.16.1.11) based on Windows RRAS (Remote Routing and Access Server).
Our problem is that Windows PPTP clients located outside in the Internet are not even authenticated. No traces can be found in RRAS log file in Windows server.
We know that RRAS is well configured because PPTP VPN clients located in the same LAN manage to establish the tunnel very quickly after a successful authentication. So we suspect that the problem is in the router. Relevant configuration is as follows (we already tried without CBAC but unsuccessfully):
ip inspect name CBAC_inspect tcp
ip inspect name CBAC_inspect udp
ip inspect name CBAC_inspect icmp
ip address 172.16.1.3 255.255.255.0
ip nat inside
ip inspect CBAC_inspect in
ip address xx.yy.zz.tt 255.255.255.240
ip access-group 101 in
ip nat outside
ip nat inside source static tcp 172.16.1.11 1723 xx.yy.zz.tt 1723 extendable
access-list 101 permit tcp any host xx.yy.zz.tt eq 1723
access-list 101 permit gre any host xx.yy.zz.tt
We took some Wireshark/Ethereal captures in VPN server. It seems that the remote client does not receive the "PPP LC Configuration ACK" sent by the VPN server, so he re-tries "PPP LC Configuration Request" over and over again. We don't know why the remote client does not receive this ACK sent by the server, because the router 1841 seems to be configured according to Cisco documentation.
Thank you very much for your help.