SA520 PPTP VPN issue

Answered Question
Sep 28th, 2010

Hi.

We have just set up a SA520 at a customer location. It is running firmware version 1.1.65.

It seems to be operating fine, except PPTP VPN.

Looking at the log from the SA520, it forwards port 1723 and 500 to the correct PPTP server in the network. But it seems like this machine is not receiving the PPTP VPN request.
An FTP service is also running on the server and works fine - so the server is alive.

Is there something about us also needing to use GRE (Protocol 47) when using PPTP? We have looked everywhere in the SA520, but can't find it.

Any help appreciated, thanks!

/Ulrik

Attached: SA520-log, PPTP-server-log, Firewall-rules.

Federico Coto F... Tue, 09/28/2010 - 15:54

Hi,

As far as I know PPTP uses TCP 1723 to establish the tunnel and GRE to pass the traffic.

There's no use for UDP 500 (this is to establish an IPsec tunnel).

When you establish the PPTP connection, does it connect?

In other words, the tunnel is established but you can't pass traffic through the tunnel, that's the problem?

Federico.
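
The split described in the reply above (TCP 1723 for the control channel, GRE for the tunnelled traffic, UDP 500 belonging to IPsec) can be checked against packets captured at the PPTP server. This is an added example, not part of the original thread and not Cisco code; it assumes raw IPv4 packets already extracted from a capture, and the function names and sample packets are constructed for illustration.

```python
import struct

# IANA IP protocol numbers, and the ports named in the thread.
TCP, UDP, GRE = 6, 17, 47
PPTP_CONTROL_PORT, IKE_PORT = 1723, 500
PPTP_GRE_TYPE = 0x880B  # enhanced GRE (version 1) carrying PPP, RFC 2637

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the role it plays in the thread."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl:]
    if ihl < 20 or len(payload) < 4:
        return "truncated"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"  # later fragments carry no transport header
    proto = packet[9]
    first, second = struct.unpack("!HH", payload[:4])
    if proto == GRE:  # no ports here: flags/version word, then protocol type
        is_pptp = first & 0x7 == 1 and second == PPTP_GRE_TYPE
        return "pptp-data-gre" if is_pptp else "other-gre"
    if proto == TCP and PPTP_CONTROL_PORT in (first, second):
        return "pptp-control"
    if proto == UDP and IKE_PORT in (first, second):
        return "ike-ipsec"
    return "other"

def diagnose(packets) -> str:
    """Say which PPTP legs show up in a capture taken at the server."""
    kinds = {classify(p) for p in packets}
    if "pptp-control" not in kinds:
        return "no PPTP control traffic (TCP 1723) reached this host"
    if "pptp-data-gre" not in kinds:
        return "control seen but no GRE: check protocol 47 handling on the path"
    return "control and GRE both seen"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left 0, doc-range addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + payload

# Constructed sample packets, not taken from the poster's attachments.
CONTROL = ipv4(TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
IKE = ipv4(UDP, struct.pack("!HH", 500, 500) + bytes(4))
TUNNEL = ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, 1, 0))

if __name__ == "__main__":
    for name, capture in [("control+ike", [CONTROL, IKE]), ("full", [CONTROL, TUNNEL])]:
        print(name, "->", diagnose(capture))
```

GRE packets are matched on the IP header's protocol field and the GRE protocol type, since a GRE packet has no port fields to filter on.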

Ulrik Thorup Tue, 09/28/2010 - 23:59

Hi Federico.

I also believe GRE must be used to establish the PPTP connection, but it is not listed as a service under firewall rules or anywhere else in the SA520.

The reason to open port 500 was because we could see a request to the port, when we were trying to connect. It doesn't change anything if the port is open or not.

I don't think it establishes the PPTP tunnel at all. The receiving server is just listening for connections, as the screenshot of the log shows. It doesn't indicate an established connection.

I am pretty sure GRE is the problem, but the big question is how to enable it in the SA520.

/Ulrik

Correct Answer
Tiya Rabb Sat, 10/02/2010 - 18:33

Hello Ulrik,

By default, PPTP Passthrough is enabled on the SA500 series devices; this allows the GRE protocol through. GRE is a protocol that uses port 47, versus a service that uses port 47. Also, you mentioned you were unable to see GRE in the firewall rules. We should have PPTP as a firewall option. Forward this rule to your PPTP VPN server in lieu of GRE protocol, as again, GRE protocol is enabled when PPTP Passthrough is enabled; which it is by default. I hope this clears things up a bit.

Ulrik Thorup Tue, 10/05/2010 - 01:01

Hi Trabb.

Thanks for your explanation, it cleared up some things.

Then I believe the problem must be on the client's server. We have allowed and NAT'ed PPTP on the firewall.

I will continue to look for the problem with the client on his server and see if we can solve it.

/Ulrik

Tiya Rabb Tue, 10/05/2010 - 05:38

No problem, Ulrik.

We would be happy to hear your findings when you get to the bottom of things. And if you run into any snags at all, big or small, feel free to call the SBSC, 1-866-606-1866, we are available for you 24/7/365!