hzhang (Copper Contributor)
May 07, 2025
VPN on Windows Server 2016 not working
I followed the standard procedure to set up VPN on Windows Server 2016.
Let me jump to where I am now. The event viewer has the following two entries when a client connects to the VPN server:
A connection between the VPN server and the VPN client 72.74.70.135 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).
CoId={23FC7BC4-0885-5E63-715B-8EFAD37B9E15}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out
I am not familiar with GRE, so I added rules for both inbound and outbound GRE on both the Windows Server 2016 and the client machine (Windows 11 Pro).
Could anyone offer a direction to guide me in diagnosing this?
11 Replies
- hzhang (Copper Contributor)
I have realized there is a delay of at least 3 or 4 hours in displaying my posts here. My reply here will not show up until quite a few hours later.
The router Fios-G1100 does not have an option for PPTP.
I have verified that RRAS is running and PPTP is enabled.
I am not sure about the binding:
In the event viewer, there are no entries for RRAS. There is only one for System:
A connection between the VPN server and the VPN client 72.74.77.135 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).
I tried to use an Android device with WF turned off to make a connection (type IKEv2/IPSec MSCHAPv2), but nothing happened on the server side.
- micheleariis (Steel Contributor)
Hi, the server and RRAS are configured correctly: the problem is the Fios G1100 router, which does not forward the GRE protocol (needed for PPTP). Opening only TCP port 1723 is not enough.
The ways are:
  - replace or bridge the G1100 with a router that supports PPTP passthrough
  - or change the VPN on Windows Server and use SSTP (TCP 443) or L2TP/IPsec, which do not require GRE
Putting the server in the DMZ on the G1100 can work, but it is not guaranteed.
It is not Windows' fault; it is the router that blocks GRE. You need a new router or a different protocol.
- hzhang (Copper Contributor)
To avoid my Fios router, I tried my Android device without Wi-Fi (i.e., using only cellular connection). The Android built-in VPN client does not work and gives no information about why the connection fails.
I downloaded the app strongSwan. Its connection fails too, but it has a log:
- hzhang (Copper Contributor)
I left two replies, and both are gone. It seems that I have been banned from replying.
- hzhang (Copper Contributor)
I had a long reply detailing my setup, with screenshots of WS capture for port 1723. It seems that my reply has been removed.
There are TCP and PPTP packets (Start-Control-Connection-Request, Start-Control-Connection-Reply, Outgoing-Call-Request, Outgoing-Call-Reply, Set-Link-Info, Call-Clear-Request, Call-Disconnect-Notify...)
What should I look for?
- micheleariis (Steel Contributor)
Hi, enable RRAS in PPTP mode on the server.
  - On server, client and router, open TCP port 1723 and protocol 47 (GRE).
  - Do a packet capture (WS or netsh trace) to check if GRE packets arrive.
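The packet-capture step above answers the earlier question "What should I look for?": on the PPTP control channel (TCP 1723) you expect the Start-Control-Connection and Outgoing-Call exchange, and then you expect data packets with IP protocol 47 (GRE). If the call is negotiated but no GRE packet ever shows up, GRE is being dropped on the path. The Python below is an added example, not code from this thread or from Microsoft: it decodes raw IPv4 packets far enough to tell GRE, TCP/1723 and PPTP control messages apart (header layouts per RFC 2637), and returns a verdict for a whole capture. The capture it runs on is constructed inline (documentation-range addresses 203.0.113.10 and 198.51.100.7, no checksums), once without GRE, mirroring the FIN/ACK and RST seen in this thread, and once with GRE; feeding it a real capture would need a pcap reader, which is not included.

```python
import struct
from collections import Counter

# Protocol constants (RFC 2637: PPTP control channel on TCP 1723, data carried in enhanced GRE)
PPTP_PORT, TCP_PROTO, GRE_PROTO = 1723, 6, 47
GRE_PPP_TYPE = 0x880B          # protocol type field in PPTP's GRE header
PPTP_MAGIC = 0x1A2B3C4D        # magic cookie present in every PPTP control message
PPTP_CONTROL_NAMES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
                      7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply", 12: "Call-Clear-Request",
                      13: "Call-Disconnect-Notify", 15: "Set-Link-Info"}
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) around payload; constructed for the demo."""
    a = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a(src), a(dst)) + payload

def tcp(sport, dport, flags, payload=b""):
    """Minimal 20-byte TCP header (data offset 5, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def pptp_control(ctrl_type):
    """PPTP control message header only: length, message type 1, magic cookie, control type, reserved."""
    return struct.pack("!HHIHH", 12, 1, PPTP_MAGIC, ctrl_type, 0)

def gre_ppp(call_id, payload=b"\xff\x03\xc0\x21"):
    """Enhanced GRE header: K bit set, version 1, protocol 0x880B, payload length, call ID (the key)."""
    return struct.pack("!HHHH", 0x2001, GRE_PPP_TYPE, len(payload), call_id) + payload

def classify(pkt):
    """Describe one IPv4 packet as far as PPTP troubleshooting needs: GRE, TCP/1723, or PPTP control."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "non-ipv4"}
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])), "proto": proto}
    body = pkt[ihl:]
    if proto == GRE_PROTO and len(body) >= 8:
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", body[:8])
        info.update(kind="gre", ppp=(ptype == GRE_PPP_TYPE), version=flags_ver & 7, call_id=call_id)
        return info
    if proto == TCP_PROTO and len(body) >= 20:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[(body[12] >> 4) * 4:]                      # skip the TCP header (data offset)
        info.update(kind="tcp", sport=sport, dport=dport,
                    flags=[n for bit, n in TCP_FLAG_NAMES if body[13] & bit])
        if PPTP_PORT in (sport, dport) and len(data) >= 10:
            _length, mtype, magic, ctype = struct.unpack("!HHIH", data[:10])
            if magic == PPTP_MAGIC and mtype == 1:
                info.update(kind="pptp-control", control=PPTP_CONTROL_NAMES.get(ctype, f"type {ctype}"))
        return info
    info["kind"] = "other"
    return info

def diagnose(packets):
    """Summarise a capture: control messages seen, GRE packets counted, TCP teardown flags, and a verdict."""
    control, gre_calls, teardown = [], Counter(), []
    for c in map(classify, packets):
        if c["kind"] == "pptp-control":
            control.append(c["control"])
        elif c["kind"] == "gre":
            gre_calls[c["call_id"]] += 1
        elif c["kind"] == "tcp" and PPTP_PORT in (c["sport"], c["dport"]) and {"FIN", "RST"} & set(c["flags"]):
            teardown.append("/".join(c["flags"]))
    if gre_calls:
        verdict = f"GRE arriving for call ID(s) {sorted(gre_calls)}: look beyond GRE (PPP/authentication)"
    elif "Outgoing-Call-Reply" in control:
        verdict = "control channel negotiated a call but no GRE (protocol 47) packets seen: GRE is dropped on the path"
    elif control:
        verdict = "control channel started but no call was set up: read the control messages"
    else:
        verdict = "no PPTP control traffic on TCP 1723: check the TCP path first"
    return {"control": control, "gre_packets": sum(gre_calls.values()), "teardown": teardown, "verdict": verdict}

SERVER, CLIENT = "203.0.113.10", "198.51.100.7"   # constructed documentation-range addresses

def sample_capture(include_gre):
    """Constructed server-side capture of one PPTP call; GRE data packets only when include_gre is True."""
    cport, PSH_ACK, FIN_ACK, RST = 50000, 0x18, 0x11, 0x04
    c2s = lambda ctrl: ipv4(TCP_PROTO, CLIENT, SERVER, tcp(cport, PPTP_PORT, PSH_ACK, pptp_control(ctrl)))
    s2c = lambda ctrl: ipv4(TCP_PROTO, SERVER, CLIENT, tcp(PPTP_PORT, cport, PSH_ACK, pptp_control(ctrl)))
    pkts = [c2s(1), s2c(2), c2s(7), s2c(8), c2s(15)]          # SCCRQ, SCCRP, OCRQ, OCRP, Set-Link-Info
    if include_gre:
        pkts += [ipv4(GRE_PROTO, CLIENT, SERVER, gre_ppp(1)), ipv4(GRE_PROTO, SERVER, CLIENT, gre_ppp(1))]
    else:                                                      # no GRE ever arrives: call torn down, TCP reset
        pkts += [c2s(12), s2c(13),
                 ipv4(TCP_PROTO, SERVER, CLIENT, tcp(PPTP_PORT, cport, FIN_ACK)),
                 ipv4(TCP_PROTO, SERVER, CLIENT, tcp(PPTP_PORT, cport, RST))]
    return pkts

if __name__ == "__main__":
    for with_gre in (False, True):
        print(diagnose(sample_capture(with_gre))["verdict"])
```

Running it prints the "no GRE" verdict for the first capture and the "GRE arriving" verdict for the second. The same four-way decision applies to any capture: when the TCP 1723 exchange reaches Outgoing-Call-Reply and the GRE counter stays at zero, the fix belongs on the router or firewall between the two hosts (PPTP passthrough / protocol 47), not in RRAS.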
- hzhang (Copper Contributor)
My settings:
Server: Windows Server 2016 VPS
Client: Windows 11 Pro behind a Fios Router.
Here is what I did (I probably overdid it):
I ran the following on BOTH server and client:
New-NetFirewallRule -DisplayName "Allow VPN" -Direction Inbound -Protocol TCP -LocalPort 1723,443 -Action Allow
New-NetFirewallRule -DisplayName "Allow VPN UDP" -Direction Inbound -Protocol UDP -LocalPort 500,1701,4500 -Action Allow
I enabled GRE traffic for the firewall on both the server and client.
I forwarded ports 1723 and 47 to the Windows 11 Pro PC on the client side.
Here is the traffic on the server side captured on port 1723:
Traffic on the client side:
Error message for the client connection:
Any tip will be greatly appreciated.
- micheleariis (Steel Contributor)
Hi Aran, I see that the client opens TCP correctly on port 1723 but then receives a FIN/ACK followed by RST: it is almost always a symptom that the GRE (protocol 47) is not actually transported by the router. On many Fios routers the only “port” you can open is TCP/1723, while the GRE only passes through the “PPTP passthrough” option.
Try this:
  - On the Fios router explicitly enable PPTP Passthrough (or “VPN Passthrough”) to ensure that the GRE is forwarded.
  - Verify in RRAS (Routing and Remote Access) of the server that the service is started, that PPTP support is enabled and that the public card is correctly “binding”.
  - Check in Event Viewer - “Routing and Remote Access” for any errors at the time of the call: often there you find the real reason for the RST.
If you have the means, test a VPN client from another network (e.g. phone hotspot) to rule out NAT issues on the client.
If you continue to have problems, consider switching to a more “NAT-friendly” protocol such as SSTP or L2TP/IPsec, which bypass the GRE issue entirely.