chromiszach
New Contributor

Problem with VPN connection through 3120

I have a client who is trying to connect to a remote VPN (PPTP) and they get kicked off almost immediately upon trying to establish a connection. We've tried with the PPTP ALG turned on and off and neither seems to remedy the situation...

Firmware Version: 18.03.01.00.E

Topology looks like this:

PC > Switch > Netvanta 3120 > Cable modem > Internet > VPN Server

We're fairly confident that the Adtran is the culprit, as multiple computers can connect to this VPN server on different networks. (I.e., I can take my laptop home and it works, but when I'm at the client's office using the Adtran-controlled network it doesn't work.) Any advice?

Anonymous
Not applicable

Re: Problem with VPN connection through 3120

Hi chromiszach,

Which protocol are you using to create the VPN? Remember that with Adtran we handle just the IPsec protocol; if your server uses PPTP or L2TP, then that is the problem.

On the other hand, if you are using IPsec, it would be more helpful if you could share the output of debug crypto ike and debug crypto ipsec.

With that we can see what is happening between the Adtran and the Server.

Cheers,

Re: Problem with VPN connection through 3120

So what's the function of the PPTP ALG? Is that for inbound connections?

This case is a client using a PPTP connection on the far end. So what you're telling me is that the 3120 doesn't support this VPN pass through connection?

Anonymous
Not applicable

Re: Problem with VPN connection through 3120

Dear chromiszach,

Yes, the ALG will dynamically handle the ports to allow the inbound connections after the inside host starts the communication.

Another thing that you can try is to open the ports for PPTP (1723, 43) in the firewall and try again.

Cheers,

Anonymous
Not applicable

Re: Problem with VPN connection through 3120

Are you attempting to initiate the VPN connection from within the 3120's LAN?  If so, it should work. The firewall should allow a session to be created for the outbound / inbound traffic.


Re: Problem with VPN connection through 3120

Correct.

User is connecting to a VPN over the internet connection and the VPN connection cannot be established when they connect to the LAN being controlled by Adtran device.

So again here's what it looks like:

PC trying to connect to far side PPTP VPN > Switch > Netvanta 3120 (Doing routing, firewall, etc.) > Cox Cable modem > Internet > Far side PPTP VPN Server

It's an outbound session so I don't understand why we can't connect?

Anonymous
Not applicable

Re: Problem with VPN connection through 3120

If the routing device/firewall at the "far side" has 1723 forwarded to the VPN server, then there should be no issue. The office Adtran 3120 at the "near side" should allow connections back in from the far side, since this is solicited traffic. I assume the PC is using the VPN client inherent to Windows and not a third-party VPN client? If using the Windows-based client, you should get an error message after the VPN connection fails. Do you see it going through the steps of Connecting, Connected, Verifying Username and Password, etc.? At what point does it fail? Then you should receive an error message: 720, 800, 691, etc. We have a ton of the 3120s installed for our clients that use a Windows server to terminate a VPN client connection without issue, and I do not need to enable the ALG setting. Also, if it is an Adtran 3120 at the "near side", the SPI firewall will not block solicited traffic coming from the WAN requested by the LAN unless they have an ACL specifically blocking certain traffic from WAN to LAN. By default the 3120 will block all unsolicited traffic.

Re: Problem with VPN connection through 3120

So we've had an interesting turn of events, it must be the way the NAT'ing is being done on the Adtran. I can plug another router (thus double NAT'ing) into the Adtran and connect to the VPN... The customer is fine with this and is willing to spend $50 to buy a cheap Cisco/Linksys router to solve the issue...

Anonymous
Not applicable

Re: Problem with VPN connection through 3120

My guess is that the client's office is using the same LAN IP subnet as the far-side office. It only makes sense, since you are putting a different LAN subnet into play with the addition of a router behind the 3120. PPTP does not like matching subnets at both locations. If you are not seeing any error messages come up when "kicked" from the VPN, then this may be the case. If you look at the ipconfig /all of the far and near side without the additional router in place, I will bet you see subnets that are the same.

e.g.

near side 192.168.1.0

far side 192.168.1.0

This will always cause problems. Most of the time I just see DNS issues, but depending on the PPTP server you could get disconnected. PPTP requires different subnets at both ends in most cases; it depends on many things, including DHCP over VPN and others.


Re: Problem with VPN connection through 3120

Duh... Yeah that's exactly what the problem is... I didn't even think about it until you said something... Thanks!
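
The subnet comparison suggested in the accepted answer can be scripted from the address and mask that ipconfig /all reports on each side. This is an added example, not code from the thread; the /24 masks, the host addresses and the 192.168.2.x network standing in for the extra router's LAN are assumptions.

```python
import ipaddress


def check_vpn_subnets(near_side, far_side):
    """Compare the client's LAN with the network behind the VPN server.

    Each argument is an address with a prefix or dotted mask, e.g. the
    "IPv4 Address" and "Subnet Mask" pair from ipconfig /all.
    Returns (conflict, detail). conflict is True when the networks
    overlap, so some far-side addresses also look on-link to the client.
    """
    # strict=False accepts a host address and reduces it to its network.
    near = ipaddress.ip_network(near_side, strict=False)
    far = ipaddress.ip_network(far_side, strict=False)
    if not near.overlaps(far):
        return False, f"{near} and {far} are distinct"
    # Overlapping CIDR blocks always nest; the shared range is the
    # block with the longer prefix.
    shared = near if near.prefixlen >= far.prefixlen else far
    return True, f"{near} and {far} share {shared}"


def ambiguous_hosts(near_side, far_hosts):
    """Return the far-side hosts whose addresses also fall inside the
    client's own LAN, and so cannot be told apart from local machines."""
    near = ipaddress.ip_network(near_side, strict=False)
    return [h for h in far_hosts if ipaddress.ip_address(h) in near]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    far = "192.168.1.0/24"
    servers = ["192.168.1.10", "192.168.1.20"]
    for label, near in [
        ("directly behind the 3120", "192.168.1.57/255.255.255.0"),
        ("behind the extra router", "192.168.2.10/255.255.255.0"),
    ]:
        conflict, detail = check_vpn_subnets(near, far)
        print(f"{label}: conflict={conflict} ({detail})")
        print("  ambiguous far-side hosts:", ambiguous_hosts(near, servers))
```

Run it once with the PC's address directly behind the 3120 and once with the address it gets behind the second router; only the first case reports a conflict.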