The odd-musings of Jared, the Director of Network Security for IAPS Security Services.

Hi Folks,

I’ve finally gotten the time (barely) to implement L2TP vpn services on a select few servers. By this time tomorrow all servers will have this ability. This type of vpn is more secure than the normal PPTP vpn type and also will help those of you that for one reason or another were previously usable to connect to a PPTP vpn server. For those of you in Italy who were previously blocked by your isp (FastWebNet), this new type of vpn will enable you to finally connect. I’ve never forgotten about you folks in Italy and this solution was made just for you, but will benefit all IAPS clients regardless of geographical location.

If you are in immediate need of L2TP VPN services, please get a hold of me and I’ll get you taken care of. Thank you.

Error 806: a connection between your computer and the VPN server has been established but the VPN connection cannot be completed. The most common cause for this is that there is at least one internet device between your computer and the VPN server is not configured to allow GRE protocol packets Verify that protocol 47 GRE is allowed on all personal firewall devices or routers.

Resolutions:

1) if you have a router/firewall, make sure you open TCP Port 1723, IP Protocol 47 (GRE).
2) make sure you can reach the VPN server by using ping. Sometimes, poor connection can cause this issue too.
3) You may need to updated firmware on a router or firewall.
4) The VPN server may not be able to get IP from DHCP for the VPN client. So, you may want to re-configure VPN host networking settings. For XP pro VPN host, go to the Properties of the VPN>Network, check Specify TCP/IP address and Allow calling computer to specify its own IP address, and uncheck Assign TCP/IP addresses automatically using DHCP.
5) Make sure other secure software blocks your access, for example, if you use Norton secure software, you may need to add the remote client’s IP so that the client can access.
6) If your VPN running on a Windows RRAS with NAT enabled, you may want to check the NAT settings.

Error 800: Unable to establish the VPN connection. The VPN server may be un-reachable, or security parameters may not be configured properly for this connection.

Resolutions:

1) if you have firewall, open TCP Port 1723, IP Protocol 47 (GRE).
2) make sure you can reach the VPN server by using ping. Sometimes, poor connection can cause this issue too.
3) You may need to updated firmware on a router or firewall if other OS (win9x/nt/me/w2k) works except XP.
4) The VPN server may not be able to get IP from DHCP for the VPN client. So, you may want to re-configure VPN host networking settings. For XP pro VPN host, go to the Properties of the VPN>Network, check Specify TCP/IP address and Allow calling computer to specify its own IP address, and uncheck Assign TCP/IP addresses automatically using DHCP.
5) Make sure no other secure software blocks your access, for example, if you use Norton secure software, you may need to add the remote client’s IP so that the client can access.
6) If your VPN running on a Windows RRAS with NAT enabled, you may want to check the NAT settings.
7) If you can establish the VPN from the desktop at home but not from the laptop. Make sure no security software like Microsoft OneCare software that blocks the GRE.

Folks many, many of you have come to me and asked how you could improve your speed while using vpn and ssh services. I’ve compiled the minimum possible hardware and internet service provider (local) speeds for you to get an idea.

Minimum Standards:

Windows XP or Windows Vista
Intel Pentium 4 3.0 GHz or AMD Equivalency
2 GB Ram DDR2 or Better
Local ISP Speed of 2 MB/s Minimum

Recommended Standards:

Windows XP or Windows Vista
Intel Pentium Dual or Quad-Core
4 GB RAM DDR2 or Better
Local ISP Speed of 4 MB/s

Another thing to look at is how many programs you have running at the same. If you have several programs running, either in the background or system process, shut them down. If you are a Windows Vista user shut down that pesky User Account Control. Here are instructions for shutting off that worthless User Account Control:

Vista Users Only:

1.) Click on your Start Button
2.) Click on Control Panel
3.) Click on User Accounts
4.) Click on “Turn User Account Control On/Off

Reboot to make the changes effective.

Another issue I see is that several of you are under the impression that you can be 5,000 or more miles away from your vpn server and still expect local isp speeds. Folks, thats never possible. If your sitting in Thailand with a 2 MB/s local in-country speed and your vpn is somewhere in Europe you can’t reasonably expect blazing speeds at your local connection rate. When connected to your vpn server your bypassing your local isp’s service and using whats considered a foreign network. The routes from Asia to Europe are exceptionally long and Asian countries are not known for their great internet speeds. Keep this in mind when traveling. Remember, local speeds and international speeds are two very different categories. What your local isp advertises as 5 MB/s only applies to in-country service. This speed has no relevance to international destinations.

Another thing is Windows Firewall. I see this issue all the time folks. Most people I’ve met in this business have no real clue how their firewall works nor how to configure it. Most firewalls have an option to allow passthrough/exception rules for vpn services. I’ll make a post at a later time explaining that. In most cases, either temporarily disable and try connecting again, or make the modifications to the firewall yourself if your feeling brave enough. Its not all that hard and can take as little as 30 seconds to get it done.