06-06-2008 12:03 PM - edited 03-09-2019 08:51 PM
I have a Win2K3 RRAS server behind a 2801 router. The server is statically NATted and GRE and port 1723 are allowed via the external ACL.
I thought this was just a Windows error, but the error I get when clients try to connect led me to post this here.
The connection begins, then times out with the following error:
Event Type: Warning
Event Source: Rasman
Event Category: None
Event ID: 20209
Date: 6/6/2008
Time: 1:33:36 PM
User: N/A
Computer: SERVER
Description:
A connection between the VPN server and the VPN client 66.210.xxx.xxx has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets.
This implies that the problem is with GRE. However, GRE is permitted any any. What gives?
06-06-2008 01:45 PM
Have you provisioned the return path (inspection on the 2801's external interface, or ACL on the 2801's internal interface) to permit GRE between the two endpoints?
06-06-2008 01:57 PM
No ACL is applied going in or out of the inside interface (Fast 0/1).
On the outside interface, the ACL is:
ip nat inside source static
access-list 160 permit icmp any any
access-list 160 permit gre any any
access-list 160 permit tcp any host
int Fast0/0
ip access-group 160 in
exit
That should be enough to get PPTP going from the router's standpoint.
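An added example, not part of the original thread or any poster's own code: a first-match evaluation of an ACL in the shape posted above, checking both legs PPTP needs (TCP 1723 control and GRE, IP protocol 47). The client and server addresses, the `eq 1723` port match, and all function names are assumptions made for illustration, since the thread elides the real values.

```python
# Added example: first-match evaluation of a simplified IOS extended ACL.
# Supports only "any" / "host A.B.C.D" addresses and an optional
# destination "eq PORT"; wildcard masks and source ports are not parsed.

CLIENT = "198.51.100.7"   # constructed (documentation range)
SERVER = "192.0.2.10"     # constructed (documentation range)

def take_addr(tokens):
    """Consume one address spec; None means 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))

def parse_rule(line):
    # access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = take_addr(tok[4:])
    dst, rest = take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def permits(acl_lines, proto, src, dst, dport=None):
    """Return True if the first matching rule permits the packet."""
    for action, r_proto, r_src, r_dst, r_port in map(parse_rule, acl_lines):
        if r_proto not in ("ip", proto):
            continue
        if r_src not in (None, src) or r_dst not in (None, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def pptp_inbound(acl_lines, client=CLIENT, server=SERVER):
    """PPTP needs both legs: TCP 1723 control and GRE (IP protocol 47) data."""
    return {
        "tcp_1723": permits(acl_lines, "tcp", client, server, 1723),
        "gre": permits(acl_lines, "gre", client, server),
    }

# Constructed ACLs in the shape of the one posted above.
ACL_BOTH = [
    "access-list 160 permit icmp any any",
    "access-list 160 permit gre any any",
    f"access-list 160 permit tcp any host {SERVER} eq 1723",
]
ACL_NO_GRE = [ACL_BOTH[0], ACL_BOTH[2]]
```

When both legs come back permitted, as with the ACL in the thread, this check rules out only the inbound ACL; the static NAT and the return path still have to be verified separately.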