lancom 1721 vpn Lynksys a200 + zywall 35 + windows server 03

Forum for current devices of the LANCOM router/gateway series

Moderator: Lancom-Systems moderators

hackfil
Posts: 6
Registered: 23 Nov 2007, 09:46

lancom 1721 vpn Lynksys a200 + zywall 35 + windows server 03

Post by hackfil »

Hello,

I'm Italian and use a Lancom 1721 VPN (Annex A), firmware 6.07.

This is my configuration:


adsl1 --> lancom 1721 vpn ---> zyxel zywall 35 ---> switch ---> pc lan

adsl 2--> linksys am200-->lancom 1721 vpn

lancom 1721 vpn : 20.0.0.1
linksys am200 : 20.0.0.1
zyxel zywall 35 : 192.168.1.1 (gateway), on WAN 20.0.0.2
windows server 2003 vpn: 192.168.1.11

All ports of the Lancom 1721 are NATed to the firewall IP and, on the firewall, port 1723 and GRE are NATed to the Windows Server 2003 VPN.

On lanconfig: ip router / masq. / port forwarding table : 1 to 65535 internet address : 20.0.0.2

On the ZyWALL 35: firewall rule permitting 1723 and GRE to 192.168.1.11
On the ZyWALL 35: NAT 1723 to 192.168.1.11

The VPN works within the LAN, but it doesn't work from the Internet.

In this mode the Microsoft Windows 2003 VPN/RAS does not work.

The client error: 721
The server error:
"
Tipo evento: Avviso
Origine evento: Rasman
Categoria evento: Nessuno
ID evento: 20209
Data: 05/11/2007
Ora: 17.05.11
Utente: N/D
Computer: xxxxxxxx
Descrizione:
È stata stabilita una connessione tra il server e il client VPN xx.xx.xx.xx, ma non è possibile completare la connessione VPN. La causa più comune di questo errore è che esista un firewall o un router tra il server e il client VPN non configurato in modo da consentire i pacchetti Generic Routing Encapsulation (GRE; protocollo 47). Verificare che i firewall e i router tra il server VPN e Internet consentano i pacchetti GRE. Verificare che anche i firewall e i router nella rete dell'utente siano configurati in modo da consentire i pacchetti GRE. Se il problema persiste, richiedere all'utente di contattare il provider di servizi Internet (ISP) per capire se possa essere l'ISP a bloccare i pacchetti GRE.

Per ulteriori informazioni, consultare la Guida in linea e supporto tecnico all'indirizzo http://go.microsoft.com/fwlink/events.asp.
"

Last week I changed the ADSL and router; before, I used a ZyXEL Prestige 600 router with only 1 ADSL and everything worked.


In Italy Lancom is little known and I can't find help.

Can you help me?

Thanks
Filippo
backslash
Moderator
Posts: 7132
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi hackfil

your problem is here:

> On lanconfig: ip router / masq. / port forwarding table : 1 to 65535 internet address : 20.0.0.2

It is a very bad idea to forward all ports to one PC! Only forward the ports you really need! For PPTP this is port 1723.

Never forward ports from 57344 to 59392, because those are the ports the LANCOM uses for NAT (with firmware 7.20 the range has changed to 57344 ... 61440). If you forward these ports, the LANCOM has no chance to do the NAT.

regards
Backslash
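
The advice in the reply above, as an added example that is not part of the original posts and not LANCOM's own tooling: a Python check of a port-forwarding table against the NAT port ranges quoted there. The `Forward` record, the function names and the rule that the wider range applies from firmware 7.20 onward are assumptions made for illustration.

```python
from dataclasses import dataclass

# NAT port ranges quoted in the thread (inclusive): before and from firmware 7.20.
NAT_RANGE_OLD = (57344, 59392)
NAT_RANGE_720 = (57344, 61440)

@dataclass(frozen=True)
class Forward:              # hypothetical record for one port-forwarding entry
    first: int
    last: int
    target: str

def nat_range(firmware: str) -> tuple:
    """Pick the reserved range; assumes 'major.minor' strings such as '6.07'."""
    major, minor = (int(part) for part in firmware.split(".")[:2])
    return NAT_RANGE_720 if (major, minor) >= (7, 20) else NAT_RANGE_OLD

def audit(rules, firmware, needed=(1723,)):
    """Return (findings, missing): problems per rule and needed ports not forwarded.

    needed defaults to TCP 1723, the PPTP control port named in the thread.
    GRE is IP protocol 47, not a port, so it cannot appear in this table.
    """
    lo, hi = nat_range(firmware)
    findings = []
    for r in rules:
        if not 1 <= r.first <= r.last <= 65535:
            findings.append(f"{r.first}-{r.last}: invalid port range")
            continue
        if r.first <= hi and r.last >= lo:      # interval intersection test
            findings.append(f"{r.first}-{r.last}: overlaps router NAT ports "
                            f"{max(r.first, lo)}-{min(r.last, hi)}")
        extra = (r.last - r.first + 1) - sum(r.first <= p <= r.last for p in needed)
        if extra:
            findings.append(f"{r.first}-{r.last}: {extra} port(s) forwarded to "
                            f"{r.target} that are not needed")
    missing = [p for p in needed if not any(r.first <= p <= r.last for r in rules)]
    return findings, missing

if __name__ == "__main__":
    # Constructed tables: the original 1-65535 rule, the 1-57343 retry, the fix.
    for table in ([Forward(1, 65535, "20.0.0.2")], [Forward(1, 57343, "20.0.0.2")],
                  [Forward(1723, 1723, "20.0.0.2")]):
        print(table, audit(table, "6.07"))
```

The 1 to 57343 rule no longer collides with the router's NAT ports but is still reported as forwarding far more than PPTP needs; only the single-port rule comes back clean.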
hackfil
Posts: 6
Registered: 23 Nov 2007, 09:46

reply

Post by hackfil »

Hi backslash,

In the Lancom 1721 VPN, I disabled DHCP, DNS, VPN, and firewall.

I use the "ZyWALL 35" as firewall and only there use the "NAT" to the PC on the LAN.

In the Lancom 1721 VPN I forward all ports to the firewall.

See this PDF: http://www.zyxel.it/managerpartner/up_a ... 141544.pdf

I have tried setting NAT to 1 ---> 57343 but it doesn't work.

Do you have any idea how to resolve the problem?

thanks
Filippo
backslash
Moderator
Posts: 7132
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi hackfil
> I have tried setting NAT to 1 ---> 57343 but it doesn't work

It should work - but why don't you just forward the ports you really need?

> Do you have any idea how to resolve the problem?

Is forwarding of GRE allowed in your ZyWALL's config?
Does it work without the ZyWALL?

regards
Backslash
hackfil
Posts: 6
Registered: 23 Nov 2007, 09:46

reply

Post by hackfil »

Hi,
I attach my configuration.

In the firewall I permit GRE.


There is still something wrong, can you check?

Thanks, Filippo
backslash
Moderator
Posts: 7132
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi hackfil

As I told you: only forward the ports you need (in your configuration you forward the ports 1..65535).

What happens if you "throw" the zywall away?

Is there any reason why you must have the zywall?

regards
backslash
hackfil
Posts: 6
Registered: 23 Nov 2007, 09:46

reply

Post by hackfil »

Thanks, just by setting port 1723, the VPN works!
You are great.

But I have another problem with the SIP algorithm.

I use Asterisk and the remote extensions (those with NAT) don't work. Do you perhaps know which ports I have to set besides 5060?
Thanks, Filippo
hackfil
Posts: 6
Registered: 23 Nov 2007, 09:46

Post by hackfil »
