Screen OS

  • 1.  NS-25 how to setup VIP to pass through PPTP for windows VPN

    Posted 11-11-2008 08:49
    I have tried to set up my NS-25 to pass through PPTP (1723) and GRE (47) to the VPN server using a VIP, and have set up policies to allow these two ports to pass from untrust to trust and from trust to untrust. When I try to connect to the VPN from outside, I can see in the server log where PPTP contacts the server, but I get a Rasman error 20209, 'connection cannot be completed', firewall may be blocking GRE (port 47). Do you have any suggestions?

    Attachment(s): ns-25 system info.txt (2 KB), ns-25 config.txt (13 KB)


  • 2.  RE: NS-25 how to setup VIP to pass through PPTP for windows VPN
    Best Answer

    Posted 11-11-2008 16:58

    I would normally use a MIP in this instance, but if you only have one IP, check this:

    http://kb.juniper.net/KB5471

    Synopsis

    Allow PPTP traffic inbound through a Juniper Firewall in NAT mode with only 1 publicly available IP address. This method can be applied to the general issue of port forwarding by substituting the protocols (e.g. PPTP to HTTP)

    Problem


    Environment:
    • VIP same as untrust
    • Only have 1 publicly available IP address
    • VIP defined with PPTP service
    Symptoms & Errors:
    • Cannot define VIP same as untrust if using PPTP as service
    Solution

    This article applies to ScreenOS 5.0 and higher.

    To address this problem, enable the VIP multi-port command, which will allow configuration of a VIP service which has more than 1 port it listens to.  Without this command, a VIP service can only listen to one port.  Note that setting VIP multi-port will require a reboot.

    From the command line interface (CLI):

    set vip multi-port [Enter]
    save [Enter]
    reset [Enter]

    The multi-port command will match the first port it sees in the custom service.

    Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

    set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
    set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
    set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10 [Enter]

    Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

    set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit [Enter]
    save [Enter]


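The KB5471 procedure quoted above comes down to four settings that have to agree with each other: the multi-port flag, one custom service carrying both the protocol-47/port-2048 entry and the TCP 1723 entry with any source port, a VIP whose port is the first port of that service (because multi-port matches on the first entry), and an untrust-to-trust permit policy to the VIP. As an added example that is not part of this thread, of KB5471 or of any Juniper tool, the Python script below reads a ScreenOS "set" dump such as the attached ns-25 config.txt and reports which of those points are missing. It assumes the interactive CLI syntax quoted in the KB (src/dst, group "other" 47) and the src-port/dst-port form that "get config" prints; both sample configurations are constructed, reusing the KB's illustrative service name, interface, port and host address.

```python
"""Check a ScreenOS 'set' dump for the PPTP-over-VIP prerequisites from KB5471.

Added example; not code from the thread, the KB or Juniper. Sample configs
below are constructed; names and addresses are the KB's illustrative values.
"""
import shlex
from dataclasses import dataclass, field

PPTP_TCP_PORT = 1723
GRE_PROTO = "47"
GRE_PSEUDO_PORT = 2048   # placeholder "port" ScreenOS expects on the protocol-47 entry
ANY_PORT = (0, 65535)


@dataclass
class Entry:
    proto: str           # "tcp", "udp", or an IP protocol number as a string
    src: tuple
    dst: tuple


@dataclass
class Service:
    name: str
    entries: list = field(default_factory=list)


def _ports(tok):
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def parse_config(text):
    """Pull multi-port, custom services, VIP bindings and policies out of a dump."""
    cfg = {"multi_port": False, "services": {}, "vips": [], "policies": []}
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw.strip())
        except ValueError:
            continue                      # unbalanced quote in a comment line
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1:3] == ["vip", "multi-port"]:
            cfg["multi_port"] = True
        elif tok[1] == "service":
            svc = cfg["services"].setdefault(tok[2], Service(tok[2]))
            rest = [t for t in tok[3:] if t not in ("+", "group", "other", "protocol")]
            if not rest or not (rest[0].isdigit() or rest[0] in ("tcp", "udp")):
                continue                  # timeout and other service options
            src = dst = ANY_PORT
            for i, t in enumerate(rest):
                if t in ("src", "src-port"):
                    src = _ports(rest[i + 1])
                elif t in ("dst", "dst-port"):
                    dst = _ports(rest[i + 1])
            svc.entries.append(Entry(rest[0].lower(), src, dst))
        elif tok[1] == "interface" and "vip" in tok and tok[-3].isdigit():
            # set interface <if> vip [interface-ip|addr] <port> <service> <host>
            cfg["vips"].append((tok[2], int(tok[-3]), tok[-2], tok[-1]))
        elif tok[1] == "policy" and "from" in tok:
            i = tok.index("from")
            if len(tok) >= i + 8:         # from Z to Z src dst service action
                src, dst, svc_name, action = tok[i + 4:i + 8]
                cfg["policies"].append((tok[i + 1].lower(), tok[i + 3].lower(),
                                        dst, svc_name, action))
    return cfg


def check_pptp_vip(text):
    """Return the KB5471 requirements the config fails; [] means it looks right."""
    cfg = parse_config(text)
    findings = []
    if not cfg["multi_port"]:
        findings.append("'set vip multi-port' is not set (needs save and reset)")
    # Service must carry protocol 47 on pseudo-port 2048 and TCP 1723 from any
    # source port; Windows clients connect from an ephemeral source port.
    pptp = {}
    for name, svc in cfg["services"].items():
        gre = any(e.proto == GRE_PROTO and e.dst == (GRE_PSEUDO_PORT, GRE_PSEUDO_PORT)
                  for e in svc.entries)
        tcp = any(e.proto == "tcp" and e.dst[0] <= PPTP_TCP_PORT <= e.dst[1]
                  and e.src == ANY_PORT for e in svc.entries)
        if gre and tcp:
            pptp[name] = svc
    if not pptp:
        findings.append("no custom service with both protocol 47 (port 2048) "
                        "and TCP 1723 with src 0-65535")
        return findings
    # multi-port matches the VIP on the service's first port, so the VIP port
    # must equal the first entry's port, whichever of 2048/1723 that is.
    vip_ok, mismatches = False, []
    for iface, port, svc_name, _host in cfg["vips"]:
        if svc_name in pptp:
            first = pptp[svc_name].entries[0].dst[0]
            if port == first:
                vip_ok = True
            else:
                mismatches.append(f"VIP on {iface} uses port {port} but the first "
                                  f"entry of {svc_name} is port {first}")
    if not vip_ok:
        findings.extend(mismatches or ["no VIP references the custom PPTP service"])
    if not any(zf == "untrust" and zt == "trust" and dst.upper().startswith("VIP")
               and svc in pptp and act == "permit"
               for zf, zt, dst, svc, act in cfg["policies"]):
        findings.append("no untrust->trust permit policy to the VIP using the PPTP service")
    return findings


# Constructed sample: the KB5471 commands as typed at the CLI.
GOOD_CONFIG = """\
set vip multi-port
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10
set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit
"""

# Constructed sample in 'get config' style: multi-port never set, and the TCP
# entry was added first, so the VIP on 2048 no longer matches the first port.
MISORDERED_CONFIG = """\
set service "CustomPPTP" protocol tcp src-port 0-65535 dst-port 1723-1723
set service "CustomPPTP" + protocol 47 src-port 2048-2048 dst-port 2048-2048
set interface ethernet0/0 vip interface-ip 2048 "CustomPPTP" 10.1.1.10
set policy id 3 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "CustomPPTP" permit
"""

if __name__ == "__main__":
    for label, text in (("KB5471 config", GOOD_CONFIG), ("misordered config", MISORDERED_CONFIG)):
        print(label, "->", check_pptp_vip(text) or "OK")
```

Run it against the output of "get config" saved to a file by replacing the sample strings with the file contents; the second sample shows the two mistakes the KB warns about, the missing multi-port flag and a VIP port that is not the service's first port.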

  • 3.  RE: NS-25 how to setup VIP to pass through PPTP for windows VPN

    Posted 06-02-2009 00:10

    Hi Privatepile,

    We are having a similar issue over here as well, using SSG5 6.1.0r3 on both ends, and what we are trying to set up is a Windows PPTP VPN session from one site to the Windows RRAS server on the other site. That said, we don't have problems when clients do not use any firewall, use 3G wireless cards, or use home network routers; this problem only applies when the clients are connecting from a corporate network that uses either a Juniper or Cisco firewall.

    The problem symptoms are that the session simply stays at "Connecting to xxxxx" and eventually times out. When we check the server end, we are getting both PPTP and GRE traffic from other clients which were able to establish a session, but when we check the SSG5 logs on our remote site, it seems to be only passing PPTP traffic through.

    Our server has a MIP set up with both the predefined GRE and PPTP services allowed through the inbound policy, but I have also tried to create a custom service which includes both IP 47 (with port 2048) and TCP 1723 (src port 0-65535), with no luck so far.

    Would you be able to shed some light on how we could get it going, please?

    Thanks
    Andy



  • 4.  RE: NS-25 how to setup VIP to pass through PPTP for windows VPN

    Posted 11-13-2008 10:41

    What ScreenOS version are you running?
    This article may apply to you:

    KB9662 - Outgoing PPTP Connection Fails on ScreenOS 5.4.0r3


    If not, I would capture debugs (debug flow basic) on the firewall to analyze further:

    See Troubleshooting Tips - Debug commands and KB12208 - 'debug flow basic' Example.


    Let us know how it goes.

    --Josine