9 Replies Latest reply on Mar 21, 2013 10:21 AM by chromiszach

    Problem with VPN connection through 3120

    chromiszach New Member

      I have a client who is trying to connect to a remote VPN (PPTP) and they get kicked off almost immediately upon trying to establish a connection. We've tried with the PPTP ALG turned on and off and neither seems to remedy the situation...

       

      Firmware Version: 18.03.01.00.E

       

      Topology looks like this:

       

      PC > Switch > Netvanta 3120 > Cable modem > Internet > VPN Server

       

      We're fairy confident that the Adtran is the culprit as multiple computers can connect to this VPN server on different networks. (I.E. I can take my laptop home and it works, but when I'm at the client's office using the Adtran controlled network it doesn't work.) Any advice?

        • Re: Problem with VPN connection through 3120
          dcorrea Visitor

          Hi chromiszach,

           

          Which protocol are you using for create the VPN, remember that with Adtran we handle just IPsec protocol, if your server uses PPTP or L2TP then the problem is that.

           

          On the other hand, if you are using IPSec, it would be more helpfully if you can share the debug of the debug crypto ike and debug crypto ipsec.

           

          With that we can see what is happening between the Adtran and the Server.

           

          Cheers,

          • Re: Problem with VPN connection through 3120
            danb Visitor

            Are you attempting to initiate the VPN connection from within the 3120's LAN?  If so, it should work. The firewall should allow a session to be created for the outbound / inbound traffic.

              • Re: Problem with VPN connection through 3120
                chromiszach New Member

                Correct.

                 

                User is connecting to a VPN over the internet connection and the VPN connection cannot be established when they connect to the LAN being controlled by Adtran device.

                 

                So again here's what it looks like:

                 

                PC trying to connect to far side PPTP VPN > Switch > Netvanta 3120 (Doing routing, firewall, etc.) > Cox Cable modem > Internet > Far side PPTP VPN Server

                 

                It's an outbound session so I don't understand why we can't connect?

                  • Re: Problem with VPN connection through 3120
                    3l3mn8r New Member

                    If the routing device/firewall at the "far side" has 1723 forwarded to the VPN server then there should be no issue.  The office Adtran 3120 at the "near side" should allow connections back in from far side since this is solicitied traffic. I assume the pc is using the VPN client inherent to Windows and not a thrid party VPN client?  If using the windows based client you should get an error message after the vpn connection fails.  Do you see it going through the steps of Connecting, Connected, Verifying Username and password, etc.  At what point does it fail?  Then you should receive an error message, 720, 800, 691, etc. We have a ton of the 3120's installed for our clients that use a Windows server to terminate a vpn client connection without issue and I do not need to enable ALG setting.  Also, if it is an Adtran 3120 at the "near side" the spi firewall will not block solicited traffic coming from the WAN requested by the LAN unless they have an ACL specifically blocking certain traffic from WAN to LAN. By default the 3120 will block all unsolicited traffic.

                      • Re: Problem with VPN connection through 3120
                        chromiszach New Member

                        So we've had an interesting turn of events, it must be the way the NAT'ing is being done on the Adtran. I can plug another router (thus double NAT'ing) into the Adtran and connect to the VPN... The customer is fine with this and is willing to spend $50 to buy a cheap Cisco/Linksys router to solve the issue...

                          • Re: Problem with VPN connection through 3120
                            3l3mn8r New Member

                            My guess is that the Clients office is using the same LAN IP subnet as the far side office.  It only makes sense since you are putting a different LAN subnet into play with the addition of router behind 3120.  PPTP does not like matching subnets at both locations.  If you are not seeing any error messages come up when "kicked" from VPN than this may be the case.  If you look at the ipconfig /all of the far and near side without the additional router in place I will bet you see subnets that are the same.

                            e.g.

                            near side 192.168.1.0

                            far side 192.168.1.0

                             

                            This will always cause problems.  Most of the time I just see dns issues but depending on PPTP server you could get disconnected.  PPTP requires different subnets at both ends in most cases, depends on many things including DHCP over VPN and others.