arclight
just joined
Topic Author
Posts: 2
Joined: Tue Jun 21, 2005 9:01 am
Location: Los Angeles, CA

VPN through NAT firewall

Tue Jun 21, 2005 9:06 am

I am running a couple of 2.8 firewalls, and I have a client PPTP VPN set up. I am able to connect from the outside via a Windows or OS/X PPTP client and get on the network, as well as inside via my WiFi interface.

However, it does not work when I am connecting from behind my MT firewall nor any of my customers' other home firewalls. It does work from behind the cheap Netgear box at my local coffee shop.

Any ideas? Should I switch to L2TP or IPSEC? Is there a firewall setting that makes NAT traversal more reliable?

Will send configs/logs as needed.

Thanks,

John
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Wed Jun 22, 2005 12:09 am

A properly configured MT router should work. At home you don't say if you are NATing or not, but either way it should work. You don't say what kind of PPTP server you are using. Do you have PPTP enabled in Firewall->Ports?

On to topic. PPTP is generally easier to get through firewalls than IPSec. L2TP however should go straight through (the easiest), unless it's been specifically firewalled out. However Microsoft's L2TP implementation wants to run with IPSec. I guess you could modify it to not use IPSec encryption on the L2TP tunnel using the registry or something. (Try googling it.)
 
arclight
just joined
Topic Author
Posts: 2
Joined: Tue Jun 21, 2005 9:01 am
Location: Los Angeles, CA

MT config for PPTP

Thu Jun 23, 2005 12:15 am

When I connect from outside my firewall, everything works and I get authenticated almost immediately. From inside my FW or my customer's home WiFi LAN, it hangs on "verifying username and password" and ends up with Microsoft error 619, if connecting from Windows XP.

Here are my configurations on the PPTP server:


[admin@MikroTik] interface pptp-server> pri det
Flags: X - disabled, D - dynamic, R - running
0 name="pptp-in1" user=""

# NAME PORTS
0 ftp 21
1 pptp
2 gre
3 X h323
4 mms
5 irc 6667
6 quake3
7 X tftp 69


[admin@MikroTik] ppp profile> pri
Flags: * - default
0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
session-timeout=0s idle-timeout=0s use-compression=yes
use-vj-compression=no use-encryption=yes require-encryption=yes
only-one=no change-tcp-mss=yes tx-bit-rate=0 rx-bit-rate=0
incoming-filter="" outgoing-filter="" dns-server=4.2.2.1 wins-server=""


0 name="user1" service=pptp caller-id="" password="password123" profile=default
local-address=192.168.1.254 remote-address=192.168.1.241 routes=""
limit-bytes-in=0 limit-bytes-out=0

1 name="user2" service=pptp caller-id="" password="password123" profile=default
local-address=192.168.1.254 remote-address=192.168.1.240 routes=""
limit-bytes-in=0 limit-bytes-out=0

[admin@MikroTik] ip firewall rule input> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow all incoming traffic on local LAN.
src-address=192.168.1.0/24 in-interface=!public action=accept

1 ;;; Allow PPTP to firewall.
dst-address=4.3.211.111/32 protocol=gre action=accept

0 ;;; Allow firewall services out to LAN.
src-address=192.168.1.254/32 dst-address=192.168.1.0/24
out-interface=!public action=accept

1 ;;; Allow outbound FW VPN traffic.
src-address=4.3.211.111/32 out-interface=public protocol=gre
action=accept

2 src-address=4.3.211.111/32:1723 out-interface=public protocol=tcp
action=accept



Any ideas?


John
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Mon Jun 27, 2005 7:49 am

I have the same issue on this. It works from most other routers to our MT router, but we have a couple of satellite connections that for the life of me won't connect. They do 1 out of 50 times maybe. Tried changing MTU. No luck. I am also getting the same 619 error.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Mon Jun 27, 2005 12:54 pm

Could be that one end does not set the correct GRE session id. This was the case for the longest time with poptop which apparently many have based their code on.
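The "GRE session id" sten refers to is the Call ID carried in the Key field of PPTP's enhanced GRE header (RFC 2637); a PPTP-aware NAT or firewall uses it to pair inbound GRE from the server with the client's TCP/1723 control session, so GRE with a Call ID it never learned has nowhere to go. The following is an added illustration, not code from anyone in this thread: a parser for that header plus a minimal model of such a tracker. The server address is the one from John's config; the client addresses, Call IDs and packets are constructed.

```python
import struct

GRE_PROTO_PPP = 0x880B  # PPTP's enhanced GRE carries PPP frames (RFC 2637)

def build_pptp_gre(call_id, payload=b"", seq=None, ack=None):
    """Constructed PPTP enhanced-GRE packet (RFC 2637) for local testing."""
    flags = 0x20                      # K: key (Call ID) present
    ver = 0x01                        # version 1 = enhanced GRE
    if seq is not None:
        flags |= 0x10                 # S: sequence number present
    if ack is not None:
        ver |= 0x80                   # A: acknowledgment number present
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_pptp_gre(pkt):
    """Return the header fields, or None if this is not PPTP's enhanced GRE."""
    if len(pkt) < 8:
        return None
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not (flags & 0x20):
        return None
    off, seq, ack = 8, None, None
    if flags & 0x10:
        (seq,), off = struct.unpack("!I", pkt[off:off + 4]), off + 4
    if ver & 0x80:
        (ack,), off = struct.unpack("!I", pkt[off:off + 4]), off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + plen]}

class PptpNatTracker:
    """Model of how a PPTP-aware NAT pairs inbound GRE with a control session.
    The client's Call ID would be learned from its TCP/1723 OCRQ; here it is
    passed in directly (simplification). GRE from the server carries the
    client's Call ID in the Key field, so an unknown Call ID has no mapping."""
    def __init__(self):
        self.calls = {}               # (server_ip, client_call_id) -> inside client
    def learn_call(self, server_ip, client_call_id, client):
        key = (server_ip, client_call_id)
        if key in self.calls and self.calls[key] != client:
            return False              # collision: two inside hosts chose the same Call ID
        self.calls[key] = client
        return True
    def inbound_gre(self, server_ip, pkt):
        hdr = parse_pptp_gre(pkt)
        return None if hdr is None else self.calls.get((server_ip, hdr["call_id"]))
```

A real PPTP helper also has to rewrite Call IDs when two inside hosts collide, which this model only detects.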
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Mon Jun 27, 2005 7:06 pm

sten

I am going to change out the Linksys router that I am having an issue with and see if this fixes the issue. But is there a workaround for this or not?

Randy
 
scurtis@acrsokc.com
just joined
Posts: 13
Joined: Tue Mar 01, 2005 5:10 am
Location: Oklahoma City

same issue of error 619 on pptp authentication

Sun Aug 21, 2005 6:24 am

I am having the same issue here. In fact I have several MT and from the house I am able to get into one (pptp) and not the other. I looked at PPTP server settings at both and ensured all settings are the same. For some reason it hangs at the authentication attempt when I try to get in. I do not believe it is a NAT issue, as it works for one MT and not for another. I would love it if someone here can figure this out.
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Sun Aug 21, 2005 8:13 am

Make sure you have both incoming and outgoing GRE and PPTP ports set to passthru on each router.

This will work with any router you control, except some Linksys and D-Link routers seem to have more issues than the rest.

I am still looking into a better way to do this.
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Mon Aug 22, 2005 8:09 pm

I can't tell you exactly how to do it, as I paid to have help setting it up, and I would not feel right in not referring potential clients to him. But I can refer you to the person who helped me set it up...
His rates are EXTREMELY reasonable and it will save you a ton of time and grief...

What we did:

1) Create an IPSEC 3DES tunnel between the routers. 10.0.X.X to 10.3.X.X etc.

2) Set up each router to use its own gateway for internet traffic.

The result: two networks using their own gateways for internet traffic, but interconnected via an IPSEC tunnel without L2TP etc.

Drop me a message off line at sales@software-routers.com
and I will forward you to him...