
Error 720 connecting to server via VPN


Craig Hughes

Sep 23, 2007, 5:58:02 PM
Thanks in advance. I'm at a loss with this problem.

I've got a SBS 2003 R2 server connected via a single NIC to my LAN. (Fully
service packed up etc.) I've got various client machines (Win XP SP2) that I
want to connect to the server via VPN (going via the LAN and remotely via the
Internet).

I've gone through this newsgroup, ran again the CEICW and Remote Access
Wizard (all complete fine).

I have run successfully the Connection Manager package on the client PC but
when I try and connect I get Error 720 - which says "A connection to the
remote computer could not be established. You might need to change the
network settings for this connection. For further assistance, click More Info
or search Help and Support Center for this error number. (Error 720) For
customized troubleshooting information for this connection, click Help."

I've used the pptp ping tools (no problems, so it's not my router firewall).

The client pc can connect by all the other methods (remote desktop, RWW, etc)

I'm using dyndns.org to get around my ISP dynamic IP and that seems to be
working fine too, as going to the URL brings up the server page.

One thing I have noticed is that under Routing and Remote Access in Ports
there are loads of WAN Miniport (PPTP) (VPN4-x), but all have the Status
as Inactive.

The connection log (on the client) says...

[cmdial32] 22:40:00 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 22:40:00 06 Pre-Tunnel Event UserName = sysadmin Domain = ******
DUNSetting = Connect to Small Business Server Tunnel DeviceName =
TunnelAddress = ******-server.homedns.org
[cmdial32] 22:40:02 20 On-Error Event ErrorCode = 720 ErrorSource = RAS

Server IPCONFIG is...

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ******-SERVER
   Primary Dns Suffix . . . . . . . : ******.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : ******.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 0.0.0.0
   Subnet Mask . . . . . . . . . . . : 0.0.0.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : (ZD1211B)IEEE 802.11 b+g USB Adapter
   Physical Address. . . . . . . . . : 00-02-72-5E-D3-93
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2


Any suggestions gratefully received.

Many thanks,

Craig

Claus

Sep 23, 2007, 6:15:32 PM
Am I seeing this right that your server is connected via a wireless on your
LAN? That's really not a good setup.

Which ports on your router are you forwarding to your server?
What is the subnet on the LAN you are trying to connect from?

And a more general question: Why VPN in the first place?

--
Claus
"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message
news:5F41B36D-85EB-4D82...@microsoft.com...

Russ Grover (SBITS.Biz)

Sep 23, 2007, 7:16:52 PM
720 Error is Typically it connected (So Port 1723 is open)
but it didn't fully connect

Check your Router and make sure you allow either Pass-through of PPTP
or GRE (Depending on what they call it on your router)


Russ

--

Russell Grover
Microsoft Certified Gold Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
Remote SBS2003 Support
http://www.SBITS.Biz


"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message
news:5F41B36D-85EB-4D82...@microsoft.com...

Craig Hughes

Sep 24, 2007, 4:52:01 AM
Hi Claus,

Wireless is the only option, I'm using the WPA2 and I'm happy with the setup.

The router is forwarding ports 25 (SMTP), 80 (HTTP), 443 (HTTPS), 444
(Sharepoint), 1723 (PPTP), 3389 (Terminal Services), 1701 (L2TP - not in use
yet, but if I get VPN working, I'll probably move to this) and 4125 (RWW).

The Client I'm trying to connect is on the same subnet as the server,
255.255.255.0.

Why VPN - well, I've got a number of PC's (laptops) and Smartphones (running
Windows Mobile) that need to connect to the server to use Exchange. They are
going to be mobile and using hotel connections and different wi-fi etc. I
want them to be able to use a secure connection to the server. VPN seems like
the right choice.

Craig

Craig Hughes

Sep 24, 2007, 4:58:00 AM
Hi Russ,

Port 1723 (PPTP) is allowed in my router for any WAN users to the server.

I've not got a rule for GRE (Port 43 I think) as I read it was an IP protocol
rather than TCP or UDP. My router only allows TCP, UDP or TCP/UDP. Should
I create a rule for port 43 as TCP/UDP?

My router is Netgear. I can't see any existing rule I can select for GRE or
port 43.

Craig

Les Connor [SBS MVP]

Sep 24, 2007, 9:19:38 AM
If the VPN is for Exchange, it's not required at all.

WM devices use SSL, and laptop users with Outlook installed use RPC/HTTP aka
"Outlook over the Internet". For setting up the latter, use the instructions
in the link on your RWW main page.

There is a white paper download available for configuring Windows Mobile
access.

--
Les Connor [SBS MVP]


"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message

news:B7AEB0CD-9AAC-45E9...@microsoft.com...

Claus

Sep 24, 2007, 9:24:58 AM
It is really not recommended to connect the server via wireless. But that
shouldn't prevent you from establishing a VPN.

Now, for your email, you should use Outlook over HTTP. It is faster and much
more secure. You do not need VPN for that. There is a link on your RWW site
that has all the configuration settings and a step by step guide on how to
set it up.

As to the VPN, your server LAN has to be different than the LAN on the
remote box. Otherwise VPN will not work. As Russ points out you need to make
sure that your router allows PPTP pass through. This is not a setting (or
rule) on your SBS, only on the router.

I would close 1701.

--
Claus
"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message

news:B7AEB0CD-9AAC-45E9...@microsoft.com...

Joe

Sep 24, 2007, 11:17:27 AM
Craig Hughes wrote:
> Hi Russ,
>
> Port 1723 (PPTP) is allowed in my router for any WAN users to the server.
>
> I've not got a rule for GRE (Port 43 I think) as I read it was an IP protocol
> rather than TCP or UDP. My router only allows TCP, UDP or TCP/UDP. Should
> I create a rule for port 43 as TCP/UDP?
>
> My router is Netgear. I can't see any existing rule I can select for GRE or
> port 43.
>

It's 47, it is a protocol and therefore has no connection with TCP or
UDP ports (most protocols don't use ports) and if you selected 'PPTP
Service' or similar on a Netgear machine then TCP/1723 and GRE are both
included. If you enable logging on that rule, you'll see (when the
system finally works) an initial TCP/1723 handshake followed by numerous
GRE packets, which carry the encrypted data.

> The Client I'm trying to connect is on the same subnet as the server,
> 255.255.255.0.

No, that's the netmask. That may or may not be the same, but the network
address, which is the IP address ANDed with the netmask (in this case
the first three octets of the IP address) must be different. This is
the most common cause of your particular problem. Your SBS has one of
the most common private network addresses (192.168.0.) and there's a
fair chance that the remote router also uses it. If so, one or the other
must change, and I'd recommend using the Change IP Address wizard on the
SBS to alter the LAN network address to something much higher, like
192.168.55. so it is unlikely to conflict with any default anywhere else.

Do you get any entry in the System event log on the SBS? If the TCP
connection works but GRE is blocked, then there will be a message to
that effect. Using the same network address at both ends produces
unpredictable errors, as there is confusion in routing, and some
messages will get through, some won't. Sometimes you'll get the System
message, sometimes not. Usually the process will fail during
authentication, when several pieces of data need to be exchanged and
some get dropped.
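
[Added example, not part of the original thread or any poster's message.] The network-address rule described in the post above (IP address ANDed with the netmask, and the two LANs must not overlap), worked through for the server address shown in the thread's ipconfig output. The remote-site addresses are constructed for illustration, and the `.2` host address on the renumbered LAN is an assumption.

```python
import ipaddress

def network_address(ip: str, netmask: str) -> str:
    """Network address as described above: each IP octet ANDed with the mask octet."""
    pairs = zip(ip.split("."), netmask.split("."))
    return ".".join(str(int(i) & int(m)) for i, m in pairs)

def lans_conflict(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """True if the two LANs share addresses, including when one contains the other."""
    a = ipaddress.ip_network(f"{a_ip}/{a_mask}", strict=False)
    b = ipaddress.ip_network(f"{b_ip}/{b_mask}", strict=False)
    return a.overlaps(b)

# Server address and mask from the ipconfig output in the thread.
SERVER = ("192.168.0.2", "255.255.255.0")
# The renumbered server LAN suggested above (host part .2 is an assumption).
RENUMBERED = ("192.168.55.2", "255.255.255.0")

# Constructed remote sites a roaming client might sit behind.
REMOTE_SITES = {
    "hotel":  ("192.168.0.57", "255.255.255.0"),   # same /24 as the server
    "home":   ("192.168.1.10", "255.255.255.0"),   # different /24
    "campus": ("192.168.3.20", "255.255.0.0"),     # /16 that contains every 192.168.x LAN
}

def check_sites(server, sites):
    """Map each site name to True when its LAN conflicts with the server LAN."""
    return {name: lans_conflict(*server, *addr) for name, addr in sites.items()}

if __name__ == "__main__":
    for label, server in (("current", SERVER), ("renumbered", RENUMBERED)):
        print(label, network_address(*server), check_sites(server, REMOTE_SITES))
```

Comparing only the first three octets misses the "campus" case: with a 255.255.0.0 mask the remote LAN contains 192.168.55.x as well, so the check has to compare networks, not octets.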

Craig Hughes

Sep 25, 2007, 5:12:01 PM
Hi Joe,

I think I understand.

I've checked the system log and found the following...

A connection between the VPN server and the VPN client XXX.110.88.173 has
been established, but the VPN connection cannot be completed. The most common
cause for this is that a firewall or router between the VPN server and the
VPN client is not configured to allow Generic Routing Encapsulation (GRE)
packets (protocol 47). Verify that the firewalls and routers between your VPN
server and the Internet allow GRE packets. Make sure the firewalls and
routers on the user's network are also configured to allow GRE packets. If
the problem persists, have the user contact the Internet service provider
(ISP) to determine whether the ISP might be blocking GRE packets.

So that clearly suggests the GRE is being blocked.

The problem is I don't know how to enable a protocol. The PPTP port is
open. Should I set up a firewall rule to allow port 47? But I think from
your last message, that's not the answer.

Thanks,

Craig

Craig Hughes

Sep 25, 2007, 5:18:08 PM
Actually I've just tried that firewall rule and it didn't work.

I'm in a remote location now and not on the same subnet. I'm still getting
error 720.

Merv Porter [SBS-MVP]

Sep 25, 2007, 6:18:55 PM
Which Netgear router are you using on the SBS network?

--
Merv Porter [SBS-MVP]
============================

"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message

news:987450BF-A910-4451...@microsoft.com...

Craig Hughes

Sep 25, 2007, 7:54:00 PM
Netgear D834Gv3

Merv Porter [SBS-MVP]

Sep 25, 2007, 10:40:13 PM
Do you have the latest firmware installed on the router? (July 24, 2007, if
you're in Australia)

Also this (from the Netgear troubleshooting page)...

By default the router's firewall is configured to drop (delete) ICMP packets
sent from outside your network to the WAN port. Your VPN may require the
ICMP packets. To accept them:

Log in to the router using a browser by typing http://192.168.0.1 or
http://192.168.1.1.

Type admin for the username and password for the password (unless you change
the password from the default). Older routers use 1234 for the default
password.

Select WAN Setup > Advanced > Respond to Ping on Internet Port. Click Apply.

Also found this:

Port Forwarding for the Netgear DG834G
(PPTP)
http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/Point-to-Point_Tunneling_Protocol.htm


--
Merv Porter [SBS-MVP]
============================

"Craig Hughes" <Craig...@discussions.microsoft.com> wrote in message

news:7942D52F-1FE1-4B5B...@microsoft.com...

Leythos

Sep 25, 2007, 10:45:58 PM
In article <EA0A618B-4EF3-4335...@microsoft.com>,
Craig...@discussions.microsoft.com says...

> Port 1723 (PPTP) is allowed in my router for any WAN users to the server.
>
> I've not got a rule for GRE (Port 43 I think) as I read it was an IP protocol
> rather than TCP or UDP. My router only allows TCP, UDP or TCP/UDP. Should
> I create a rule for port 43 as TCP/UDP?
>
> My router is Netgear. I can't see any existing rule I can select for GRE or
> port 43.

GRE is not a port, you can't forward it.

Many home/residential routers, which are not real firewalls, don't
support more than 2 PPTP sessions and some don't properly forward GRE.

720 is a common GRE error.

Some vendors have a "work around" of forwarding TCP 43 inbound, others
forward UDP 43, still others forward TCP/UDP 43 inbound....

Since Netgear "Routers" are not firewalls, why not buy a firewall to
properly protect your network and to PPTP into the firewall instead of
the server.

Also, you mentioned that you allow HTTP (TCP 80) - why, that's a serious
risk.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)
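
[Added example, not part of the original thread or any poster's message.] The point made in the replies above, that PPTP is a TCP/1723 control connection followed by GRE packets (IP protocol 47) and that GRE has no port to forward, shown by parsing raw IPv4 packets. The two packets are constructed samples using documentation addresses with checksums left at zero, and `port_forward_matches` is a hypothetical model of a TCP/UDP-only forwarding rule, not any router's actual logic.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47  # IPv4 header protocol field values
PPTP_CONTROL_PORT = 1723                           # TCP port of the PPTP control channel
GRE_PROTO_PPP = 0x880B                             # protocol type in PPTP's GRE header (RFC 2637)

def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet as PPTP control, PPTP data (GRE) or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                   # IP header length in bytes
    proto, payload = packet[9], packet[ihl:]
    info = {"ip_proto": proto, "dport": None, "kind": "other"}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        info["dport"] = dport
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            info["kind"] = "pptp-control"
    elif proto == IPPROTO_GRE and len(payload) >= 8:
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", payload[:8])
        is_pptp = (flags_ver & 0x7) == 1 and ptype == GRE_PROTO_PPP
        info["kind"] = "pptp-data" if is_pptp else "gre-other"
        info["call_id"] = call_id                  # GRE carries a call ID, never a port
    return info

def port_forward_matches(rule_proto: str, rule_port: int, packet: bytes) -> bool:
    """Hypothetical TCP/UDP-only rule: matches on IP protocol plus destination port."""
    info = classify(packet)
    wanted = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[rule_proto]
    return info["ip_proto"] == wanted and info["dport"] == rule_port

def tunnel_state(packets) -> str:
    """Summarise a capture the way the SBS event-log message in the thread does."""
    kinds = {classify(p)["kind"] for p in packets}
    if "pptp-control" not in kinds:
        return "no PPTP control connection seen"
    if "pptp-data" not in kinds:
        return "control channel only: GRE (protocol 47) is not getting through"
    return "control channel and GRE data both seen"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, checksum not filled in)."""
    src, dst = socket.inet_aton("198.51.100.7"), socket.inet_aton("203.0.113.10")
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload

# Constructed samples: a TCP SYN to port 1723 and one PPTP GRE data packet (K and S bits set, version 1).
TCP_SYN_1723 = build_ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_PPTP = build_ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 0, 0x1234, 1))

if __name__ == "__main__":
    print(port_forward_matches("tcp", 1723, TCP_SYN_1723))   # control channel matches its rule
    print(port_forward_matches("tcp", 47, GRE_PPTP), port_forward_matches("udp", 47, GRE_PPTP))
    print(tunnel_state([TCP_SYN_1723]))
    print(tunnel_state([TCP_SYN_1723, GRE_PPTP]))
```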

Russ Grover (SBITS.Biz)

Sep 26, 2007, 12:18:39 AM
PPTP to the firewall IMO is just more Administration work
Why? SBS Handles it well and all you have to do is remember 1 Account to
Remove
than 2 Accounts.
(If you forget to delete a VPN connector on the firewall when you fire a
person it's a big risk.)

For PPTP I choose SBS because of less risk, of human errors.

Craig try this
---------------------------------------------
http://kbserver.netgear.com/kb_web_files/n101500.asp

To Troubleshoot VPN passthrough
Any of these steps may solve the problem:
If your equipment supports NAT-T (NAT Traversal), turn it on.
Contact your network administrator to understand details of how you need to
configure your VPN software. (Common software is Cisco NAT-T and NETGEAR
ProSafe).

If your company uses L2TP passthrough, register your computer's MAC address
with your company's system administrator. The address is found on the bottom
label of the router.

Upgrade to the latest router firmware.
Turn port forwarding for the VPN ports: 50, 51, (and 500, for IPSec VPN's).
Turn on port 1723 for PPTP VPN's- used for PPTP control. Turn on port 1701
for L2tp- L2tp routing and remote access.

By default the router's firewall is configured to drop (delete) ICMP packets
sent from outside your network to the WAN port. Your VPN may require the
ICMP packets. To accept them:

Log in to the router using a browser by typing http://192.168.0.1 or
http://192.168.1.1.
Type admin for the username and password for the password (unless you change
the password from the default). Older routers use 1234 for the default
password.
Select WAN Setup > Advanced > Respond to Ping on Internet Port.
Click Apply.

------------------------------
I hope this helps

Russ
--

Russell Grover
Microsoft Certified Gold Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
Remote SBS2003 Support
http://www.SBITS.Biz


"Leythos" <vo...@nowhere.lan> wrote in message
news:MPG.21615e48d...@adfree.Usenet.com...

Craig Hughes

Sep 26, 2007, 6:32:02 AM
Thanks Merv, the Respond to Ping on Internet Port setting did the trick.

Many thanks to all.

Craig Hughes

Sep 26, 2007, 6:32:00 AM
What's wrong with having port 80 open? I thought I needed it open so the
website can work.

Craig

Leythos

Sep 26, 2007, 7:06:56 AM
In article <eGbwSR$$HHA....@TK2MSFTNGP02.phx.gbl>,
sup...@REMOVETHIS.SBITS.Biz says...

> PPTP to the firewall IMO is just more Administration work
> Why? SBS Handles it well and all you have to do is remember 1 Account to
> Remove
> than 2 Accounts.
> (If you forget to delete a VPN connector on the firewall when you fire a
> person it's a big risk.)
>
> For PPTP I choose SBS because of less risk, of human errors.

Except that you can use a NON-Domain user name, and that means that it
requires 2 user names and passwords to get domain/network access.

So, even if you forget to delete it, if they don't have a network
account, it means they don't have access.

If you've got a EMP Termination IT checklist you don't "forget" things.

If you've setup Security right, they won't have access to anything past
the firewall.

Leythos

Sep 26, 2007, 7:07:47 AM
In article <E4D329E6-E20F-46A7...@microsoft.com>,
Craig...@discussions.microsoft.com says...

> What's wrong with having port 80 open? I thought I needed it open so the
> website can work.

Port 80 is for PUBLIC Websites, not something you should be exposing to
the public for SBS.

SBS services for your Company don't need port 80, they will work fine on
SSL (443).

Russ Grover (SBITS.Biz)

Sep 28, 2007, 2:01:21 AM
"If you've got a EMP Termination IT checklist you don't "forget" things."

I know of very few small businesses that have a check list like this.
And let's just say the competency of some IT people is a little
lackluster.

IMO just one more thing for someone to #### up.

Russ


--

Russell Grover
Microsoft Certified Gold Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
Remote SBS2003 Support
http://www.SBITS.Biz


"Leythos" <vo...@nowhere.lan> wrote in message

news:MPG.2164075f2...@adfree.Usenet.com...

Leythos

Sep 28, 2007, 7:04:53 AM
In article <OdTF$TZAIH...@TK2MSFTNGP05.phx.gbl>,
sup...@REMOVETHIS.SBITS.Biz says...

> "If you've got a EMP Termination IT checklist you don't "forget" things."
>
> I know of very few small businesses that have a check list like this.
> And let's just say the competency of some IT people is a little
> lackluster.
>
> IMO just one more thing for someone to #### up.

I always provide a Network Acceptable Use Policy template, a New User
Template, a document on what to do when terminating an employee, and
several other documents, no matter the size of the client....

I see this as the standard that all IT people working with small
businesses should be doing - It's our job to provide the ignorant with
the information they need to protect and use their solutions as we
provide them.

Russ Grover (SBITS.Biz)

Sep 28, 2007, 5:31:58 PM
That's the Problem Not everyone does this.
I clean up a lot of systems..
I'm sort of like the guy who cleans up the dead body after the murder.
After the Previous IT person has Killed the server.

Russ

--

Russell Grover
Microsoft Certified Gold Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
Remote SBS2003 Support
http://www.SBITS.Biz


"Leythos" <vo...@nowhere.lan> wrote in message

news:MPG.2166a9be9...@adfree.Usenet.com...

Leythos

Sep 28, 2007, 7:04:26 PM
In article <#QiIBchA...@TK2MSFTNGP06.phx.gbl>,
sup...@REMOVETHIS.SBITS.Biz says...

> I clean up a lot of systems..
> I'm sort of like the guy who cleans up the dead body after the murder.

Yea, that's how we get most of our customers :)

Russ Grover (SBITS.Biz)

Sep 29, 2007, 1:52:30 AM
It's amazing how people get away with calling themselves IT support.

I mean I know I'm not the sharpest tack in the bunch.
But At least I know what a subnet is.
(It's a Net Under water DUH)

JK :)

Russ
When IPV6 comes out it will really mess them up! :)


--

Russell Grover
Microsoft Certified Gold Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
Remote SBS2003 Support
http://www.SBITS.Biz


"Leythos" <vo...@nowhere.lan> wrote in message

news:MPG.2167528a...@adfree.Usenet.com...

KG

Oct 4, 2007, 1:15:01 PM
I have been working with Dell and Norton Antivirus and I am getting a
similar error which is 721. However, my connection to the server is
directly attached to the cable modem. I can remote access in and I can use
web exchange and I can send and receive outlook messages via my pocket
pc...however, I cannot VPN. I have downloaded the latest in Norton and
opened up the direct link for VPN use (according to Norton tech support) but
what is the oddest thing is that I cannot ping my server outside the network.
Again, I can remote access and do web exchange but cannot VPN. I have
turned off both Windows Firewall/ICP on both the client and the server and
nothing works. Sometimes I can get in if I don't fill out the password and
let the server respond, but it is not a guaranteed thing. I am not an IT
person and there is no one locally who can service SBS2003 but I do what I
can and Dell has been very helpful to this point, but even in their research
they cannot find a viable solution to this problem (which appears to be very
common). Can someone help out? And yes I do download my email and synchronize
Outlook with VPN...I saw that there is a better way and I will look into that
thread more closely.