RVS4000 Blocking PPTP passthrough/GRE 47 IP packets

Unanswered Question
Sep 18th, 2009

We have a PPTP VPN on a MSFT 2003 server, which was working fine with a Linksys BEFSR41 in place. Replaced with a RVS4000, enabled PPTP passthrough, and forwarded port TCP 1723 traffic to server, and now when we attempt the above mentioned VPN, we get error 806, which is related to not being able to pass the GRE packets. Has anyone else seen/corrected this issue yet? Have the newest version of firmware loaded in the router. Any assistance would be greatly appreciated. Thanks!


Joe

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
David Hornstein Sat, 09/19/2009 - 16:29

Hi Joe,


PPTP pass through from the LAN to Internet is supported.  That what is meant by passthru, not Internet to a server on private LAN side.


You will note, if you go to the firwall tab and then look under single port forwarding,  there are only two options for protocols, TCP and UDP and not user defined protocol number.  In your case there has to be an option for protocol 47 (GRE).


I had thought that you could not have a PPTP server behind a small business router, maybe a traditional Cisco or SR520 or ASA,  but the following community forum question and answer made me think twice.


I have not tried this on my RVS4000, because I don't have a PPTP server. But it sure would be interesting to see if the following link may work with the RVS4000.  If it does work,  it's a most interesting work around.  If you have the patience maybe you can give it a go. I would be interested to hear the results.


regards Dave



https://www.myciscocommunity.com/message/16037#16037

jdanie01 Mon, 09/21/2009 - 06:06

Thanks for the response Dave. When he is saying to edit the config file, would I use notepad for that? I will give that a shot, and let you know the results.


Thanks!


Joe

jdanie01 Mon, 09/21/2009 - 07:19

Hmmmm, well, I did as recommended, but when I go to edit the file, there is no mention of 6 or 7 as stated, just 47. When I search for GRE, I get the name of the port forward (GREudp and GREtcp), and they have the IP address:1:47:47. Have not actually tried the VPN yet, since I added the port forward portion suggested in the thread. Hopefully will get a chance later today.


Joe

daviddun Mon, 09/21/2009 - 14:23

Good Afternoon,


I worked with a similar type case and the end result turned into being the server, This router will allow all this traffic to pass thru by factory default.  Be sure that you have the latest firmware on the router.


After you get the firmware upgrade and you reset the router to factory default, then contact Microsoft support to get help configuring the server.


Have a great day :)

jdanie01 Mon, 09/21/2009 - 14:27

Hi Dave. Pretty sure it's not the server, because if I replace the rvs4000 with the old BEFSR41, the VPN works properly. This is the newest version of firmware for the router, it's the one with the new Cisco interface, very nice overall!


Thanks!


Joe

David Hornstein Mon, 09/21/2009 - 16:47

Hi Joe,


Just finished upgrading my RVS4000 to the new publicly available code and enabled the DMZ function.


I managed to get to my server behind my RVS4000 from the internet.  Must admit, it's slick software.


Try setting your PPTP server at a fixed private IP address on the LAN, and the  set the DMZ address in the RVS4000 to that of the server. see figure below


(obiously set gateway and dns information on the server :-) )


rvs4000.JPG


regards Dave

jdanie01 Mon, 09/21/2009 - 18:15

Dave,


That works, however, I can't really leave my SBS server exposed to the internet. That's basically what that does, right?


Thanks!


Joe

David Hornstein Mon, 09/21/2009 - 20:39

Hi Joe,


I guess, if you have a SBS server you may also have at least, a managed Layer 2 switch on the LAN.


It might then be an easy task, I hope,  to add some access list functionality to the switch to allow only certain traffic from the Internet  to the SBS server.


But you need to at least have the following allowed items from the Internet in your Access List.

1.  tcp port 1723

2.  Protocol 47 or GRE


Or maybe even use the access list functionality built within the SBS server.


Give it a try


regards Dave

jdanie01 Tue, 09/22/2009 - 06:20

Thanks for the suggestions Dave, I'll take a look at those possibilities.


Thanks!


Joe

Actions

This Discussion