Topic: PPTP not working from some locations  (Read 3997 times)
« on: May 21, 2007, 10:30:47 »
Moffet *
Posts: 3

Hi there

I have just swapped over to monowall from our dying Watchguard Firebox II and want to use it purely to accept PPTP connections from remote users.

We seem to be having a problem with some users not able to connect, getting error 619 from the Windows XP built-in PPTP client after a long pause on "Verifying username and password". It seems to be some sort of router/NAT issue because all the users that have problems connecting have NAT routers - those that use USB modems to connect to the internet do not have the problem. There are some that use NAT routers that work fine, however, so it isn't purely down to that.

We never had any problems with the old Watchguard so I wouldn't have thought it to be at the client end (such as GRE forwarding issues).

Anyone have any ideas on what I can do to get it to work for everyone?

Thanks

Moffet
« Reply #1 on: May 22, 2007, 00:35:08 »
cmb *****
Posts: 851

619 errors with PPTP at some but not all locations means an issue with GRE and whatever NAT device they're behind.
« Reply #2 on: May 22, 2007, 12:47:59 »
Moffet *
Posts: 3


Hello, thanks for the response.

Yes, that is generally the answer I found when looking into it. Is there any way round it?

I'm pretty sure our previous box used purely TCP for PPTP connections (only TCP port 1723 was open so that is all it could have used) which is why they didn't have problems before. Is there a way of forcing monowall to do this?

Thanks.
« Reply #3 on: May 23, 2007, 04:49:40 »
cmb *****
Posts: 851

Standard PPTP requires GRE; if you were using the Windows VPN client, you were using GRE. There's no way around it because that's how PPTP works. By 1723 being all that was "open", you probably mean from a port scan; GRE is a different IP protocol that won't show up in a port scan.

I use OpenVPN to avoid the whole NAT mess, though that's not currently an option in m0n0wall (mine runs on pfsense).
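
Added example, not part of the original thread: PPTP's control channel is TCP 1723 and its tunnel data is GRE (IP protocol 47), so a capture taken at the VPN server shows which clients deliver both. This Python sketch classifies raw IPv4 packets and reports clients whose GRE never arrives; the function names, packet builders and addresses are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

PPTP_PORT, TCP, GRE = 1723, 6, 47  # TCP control port; IP protocol numbers
PPP_OVER_GRE = 0x880B              # GRE protocol type used by PPTP (RFC 2637)

def classify(packet):
    """Return (src_ip, kind) for a raw IPv4 packet; kind is 'control', 'gre' or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None, None
    ihl = (packet[0] & 0x0F) * 4
    src, proto, body = socket.inet_ntoa(packet[12:16]), packet[9], packet[ihl:]
    if proto == TCP and len(body) >= 4:
        if PPTP_PORT in struct.unpack("!HH", body[:4]):  # source or destination port
            return src, "control"
    elif proto == GRE and len(body) >= 8:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        # PPTP's enhanced GRE: version 1, Key bit set, protocol type 0x880B
        if flags_ver & 0x0007 == 1 and flags_ver & 0x2000 and ptype == PPP_OVER_GRE:
            return src, "gre"
    return src, None

def diagnose(packets, server_ip):
    """Per remote client, report which PPTP channels reached the server."""
    seen = defaultdict(set)
    for pkt in packets:
        src, kind = classify(pkt)
        if kind and src != server_ip:
            seen[src].add(kind)
    need = {"control", "gre"}
    return {ip: "ok" if kinds == need else "missing " + "/".join(sorted(need - kinds))
            for ip, kinds in seen.items()}

# Constructed sample packets (checksums left at 0; never sent on a wire)
def ipv4(src, dst, proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body
def tcp_to_1723(sport):
    return struct.pack("!HHIIBBHHH", sport, PPTP_PORT, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
def pptp_gre(call_id, seq):
    return struct.pack("!HHHHI", 0x3001, PPP_OVER_GRE, 0, call_id, seq)

SERVER = "192.0.2.1"  # documentation-range addresses, constructed
SAMPLE = [ipv4("198.51.100.10", SERVER, TCP, tcp_to_1723(40000)),
          ipv4("198.51.100.10", SERVER, GRE, pptp_gre(1, 0)),
          ipv4("203.0.113.20", SERVER, TCP, tcp_to_1723(40001))]

if __name__ == "__main__":
    print(diagnose(SAMPLE, SERVER))
```

A client listed as "missing gre" reached TCP 1723 but none of its GRE packets reached the server.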
« Reply #4 on: May 23, 2007, 17:24:07 »
Moffet *
Posts: 3

Ok, I understand that.

I'm just trying to figure out why our old box never had problems with GRE and NAT (and still doesn't when the thing boots up which is pretty infrequently these days...) whereas the new monowall box does. Nothing has changed at the client end (yes they are using the XP client) so why? Doesn't make sense to me.

I need this to work, so any suggestions? Will pfSense have exactly the same problem with the XP client? I think swapping to OpenVPN will be too much for most of our remote users - it was hard enough getting them to change the IP address in the XP client connection to the new one from the old one which was only one digit different!

Thanks for the help :)
 