Topic: VPN connection issues with redirect  (Read 2712 times)
« on: May 31, 2007, 00:56:48 »
emtek *
Posts: 2

Hey there everyone. I searched through the forums but was unable to find information on the problem I'm having. Hopefully someone here can shed some light on this.

I'm trying to set up my monowall firewall to redirect all PPTP requests to a Windows server on my internal network. I've already enabled the redirect option under VPN -> PPTP with no luck. Following this thread didn't get it working either. I didn't reset the default settings of the firewall as advised in the thread; the firewall is in production and taking our internet connection down is not an easy task.

On the client side (external PPTP user), the Windows client stays at "verifying username and password" for a bit and then dumps out to an error 721: the remote computer did not respond. I've seen this before in the past with other setups and it usually points to a problem with the GRE protocol getting through. So I checked through the logs on the mono firewall and I see an entry under the firewall logs. GRE requests are being routed to a destination IP of 127.0.0.1 instead of 192.168.1.10 (internal IP for my Windows server). I checked through all the settings I could think of but could find no entry or mention of using the loopback IP.

My firewall rules are clear of anything VPN or PPTP related. I completely disabled the PPTP options in the mono firewall and then re-enabled only the redirect option, still no luck. Testing the VPN connection on the internal network seems to have no problems.

Any ideas would be appreciated.

Thanks
« Reply #1 on: June 01, 2007, 00:17:08 »
darklogic *
Posts: 45

I have this same setup. You are doing everything right, as you should. Check to make sure port 47 GRE is set to pass on both WAN and LAN interfaces. If not, add the rule to both interfaces. Also make sure you have your routing and remote services correctly configured. Try doing PPTP internally to your Windows server. If you can do it locally, the server is correctly configured; if not, that is where your problem is. Also check to make sure the user account that you are using from Active Directory is set to allow dial-in.
« Reply #2 on: June 01, 2007, 17:09:51 »
emtek *
Posts: 2

Thanks for the reply. At one point, I'm almost positive I had added the GRE protocol to both interfaces, but I'll give that a shot to make sure. As far as testing it internally, it works fine.
« Reply #3 on: June 02, 2007, 08:42:55 »
cmb *****
Posts: 851

GRE isn't port 47, it's IP protocol 47. GRE isn't TCP or UDP, it has no ports.

You shouldn't need to enter any firewall rules at all for this to work.

Quote from: emtek
so i checked through the logs on the mono firewall and i see an entry under the firewall logs. GRE requests are being routed to a destination IP of 127.0.0.1 instead of 192.168.1.10 (internal IP for my windows server). i checked through all the settings i could think of but could find no entry or mention of using the loopback IP.

I have no idea what you're talking about here, where do you see 127.0.0.1?

Are you sure your VPN is actually PPTP and not L2TP or something else?
« Reply #4 on: June 03, 2007, 19:38:41 »
darklogic *
Posts: 45

I stand corrected on the port, mistype, and yes you will have to allow for incoming PPTP port 1723 and allow for protocol 47 to pass through to an internal RRAS server. Note: he is not using the monowall box for the PPTP server; he is redirecting it to a Windows server. Also CMB, this is stated right down at the bottom of the PPTP settings in monowall:

Note:
don't forget to add a firewall rule to permit traffic from PPTP clients!

Also, note that he is stating that he is redirecting PPTP to an internal Windows server, therefore it could not be L2TP, IPsec or any other VPN but PPTP, due to him being under the PPTP settings in monowall. It's WINDOWS!!!, which means it can only do L2TP/IPsec or PPTP, unless you are using Windows ISA Server 2004 and 2006. ISA 2000 has known issues with L2TP due to the time it was programmed.

One other thing for emtek: make sure the default gateway of the Windows server is set to the monowall LAN IP, otherwise the PPTP will not work correctly. You must have some route there in order for it to see the internal Windows server. This was something I had forgotten to tell you in the first post. The 127.0.0.1 may happen because it can't find the host, so it is referring back to its loopback to see if it can resolve where the host is.
« Last Edit: June 04, 2007, 05:02:44 by darklogic »
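The two points the thread turns on are that PPTP pass-through needs both the TCP/1723 control channel and the GRE tunnel, and that GRE is IP protocol 47 rather than a port, so a "port 47" rule passes nothing useful; the reported symptom (stall at "verifying username and password", then error 721, with GRE logged toward 127.0.0.1 while the control channel reaches 192.168.1.10) is exactly what a mismatch between the two paths looks like. The script below is an added example written for this thread, not code from the posters or from m0n0wall: it checks a rule set for the port-47 mistake and triages constructed firewall log lines to name the likely failure. The rule shape, the log line format and the sample addresses are all constructed for the example and do not reflect m0n0wall's real rule or log syntax.

```python
"""Added example: check a PPTP pass-through rule set and triage firewall log lines.

PPTP needs two separate things through a firewall: the control channel on
TCP port 1723 and the GRE tunnel, which is IP protocol 47 and has no port.
The rule and log formats used here are constructed for this example and are
not m0n0wall's own formats.
"""
import re
from dataclasses import dataclass
from typing import Optional

PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control channel
GRE_PROTOCOL_NUMBER = 47   # IP protocol number of GRE; not a TCP/UDP port


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed, generic shape."""
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "gre"
    dst_port: Optional[int]  # None for protocols without ports, such as GRE


def check_pptp_rules(rules):
    """Report whether the rule set passes both halves of PPTP and flag the
    classic mistake of writing GRE as 'port 47'."""
    findings = []
    control_ok = any(r.action == "pass" and r.proto == "tcp"
                     and r.dst_port == PPTP_CONTROL_PORT for r in rules)
    gre_ok = any(r.action == "pass" and r.proto == "gre" for r in rules)
    for r in rules:
        if r.proto in ("tcp", "udp") and r.dst_port == GRE_PROTOCOL_NUMBER:
            findings.append(f"{r.proto}/47 rule does not pass GRE: "
                            "GRE is IP protocol 47, not a port")
    if not control_ok:
        findings.append("no pass rule for TCP/1723 (PPTP control channel)")
    if not gre_ok:
        findings.append("no pass rule for IP protocol 47 (GRE tunnel)")
    return {"control_ok": control_ok, "gre_ok": gre_ok, "findings": findings}


# Constructed log line shape: "<action> <proto> <src> -> <dst>[:<port>]"
LOG_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<port>\d+))?$"
)


def parse_log_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"]) if entry["port"] else None
    return entry


def diagnose_pptp_logs(lines):
    """Correlate control-channel and GRE entries and return (code, explanation).

    Codes: no_control, gre_blocked, no_gre, dst_mismatch, ok.
    """
    control_dst, gre_dst, gre_blocked = set(), set(), False
    for entry in filter(None, map(parse_log_line, lines)):
        if (entry["proto"] == "tcp" and entry["port"] == PPTP_CONTROL_PORT
                and entry["action"] == "pass"):
            control_dst.add(entry["dst"])
        elif entry["proto"] == "gre":
            gre_dst.add(entry["dst"])
            gre_blocked |= entry["action"] == "block"
    if not control_dst:
        return "no_control", "no PPTP control traffic passed on TCP/1723"
    if gre_blocked:
        return "gre_blocked", ("GRE (IP protocol 47) is blocked: clients get past "
                               "authentication, then time out")
    if not gre_dst:
        return "no_gre", "no GRE traffic logged: check that protocol 47 is permitted"
    if gre_dst != control_dst:
        return "dst_mismatch", (f"GRE goes to {sorted(gre_dst)} but the control channel "
                                f"to {sorted(control_dst)}; both must reach the same host")
    return "ok", "control channel and GRE both reach the same host"


# Constructed sample log reproducing the symptom described in the thread:
# the control channel reaches the server but GRE is sent to loopback.
SAMPLE_LOG = [
    "pass tcp 203.0.113.7 -> 192.168.1.10:1723",
    "pass gre 203.0.113.7 -> 127.0.0.1",
]

if __name__ == "__main__":
    print(check_pptp_rules([Rule("pass", "tcp", 1723), Rule("pass", "tcp", 47)]))
    print(diagnose_pptp_logs(SAMPLE_LOG))
```

Run stand-alone, the first line reports that a TCP/47 rule leaves GRE unpassed, and the second returns `dst_mismatch` for the sample log, which is the loopback-versus-192.168.1.10 situation from the first post. To apply the same triage to a real firewall, only `LOG_RE` and `parse_log_line` need adapting to the device's actual log format; the correlation logic is independent of it.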