Posted: Mon May 14, 2012 7:16 Post subject: VPN Connection to Win7 machine
At home I have a TP-Link TL-WR1043ND with DD-WRT Build 14896. I have several computers connected to that router, and one of them I use as a server. It's a Windows 7 x64 machine with loads of files on it, you know the drill.
Recently I set up VPN (the built-in one) on that server; however, I can't connect to it. I've forwarded port 1723 to the server, PPTP, IPSec and L2TP Passthrough are all enabled, the Windows firewall allows VPN connections, but still it doesn't work.
What I find strange is when I put my server in the router DMZ, it does work. So it seems that the router is still blocking something.
When I try to connect from my work, it gives me error 806, which tells me that one or more devices between the VPN client and Server are not configured to allow GRE (Generic Routing Encapsulation). The problem is, I can't find any config page on DD-WRT on how to enable it.
Has anyone encountered this problem before and/or has a solution?
#1: ipsec end-to-end communications (transport mode) requires NAT-T on the client, router and server (winxp+up).
#2: ipsec in transport mode requires UDP 4500, ISAKMP requires UDP 500.
#3: transport mode isn't recommended for traversal over a public network like the internet. it's not really a huge issue for a personal network, but IP addresses and packet lengths can be determined to build a map of your network. this is because the IP header cannot be encrypted or it would not work with NAT-T.
#4: pptp doesn't work over ipv6. not a huge concern at the moment since most ipv6 routers are set up with 6to4.
#5: pptp requires you to forward GRE (protocol 47). this can be done using iptables/telnet in dd-wrt i think, but not through the GUI. don't ask me how, i really hate providing linux support.
#6: pptp has known vulnerabilities. ipsec is difficult to configure. choose your poison.
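The difference between the port forward in the question and the GRE requirement in #5 can be shown with a small packet classifier. This is an added example, not code from the thread or from DD-WRT; the rule model (`passes`), the helper names and the sample packets are constructed for illustration.

```python
import struct

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal constructed IPv4 packet (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
    return hdr + payload

def classify(packet: bytes):
    """Return (label, proto, dport) for an IPv4 packet; dport is None if portless."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == GRE:
        if len(body) < 4:
            raise ValueError("truncated GRE header")
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        # PPTP data uses enhanced GRE: version 1, protocol type 0x880B (PPP)
        pptp = (flags_ver & 0x7) == 1 and ptype == 0x880B
        return ("pptp-data" if pptp else "gre-other", proto, None)
    if proto in (TCP, UDP):
        if len(body) < 4:
            raise ValueError("truncated transport header")
        dport = struct.unpack("!H", body[2:4])[0]
        names = {(TCP, 1723): "pptp-control", (UDP, 500): "isakmp",
                 (UDP, 4500): "ipsec-nat-t"}
        return (names.get((proto, dport), "other"), proto, dport)
    return ("other", proto, None)

def passes(packet: bytes, rules) -> bool:
    """rules: iterable of (proto, dport); dport None means the whole protocol."""
    _, proto, dport = classify(packet)
    return any(p == proto and (d is None or d == dport) for p, d in rules)

# Constructed sample packets, one per traffic class named in the thread
CONTROL = ipv4(TCP, struct.pack("!HH", 50000, 1723) + bytes(16))
DATA = ipv4(GRE, struct.pack("!HHHH", 0x2001, 0x880B, 0, 1))
IKE = ipv4(UDP, struct.pack("!HHHH", 500, 500, 8, 0))
NATT = ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 8, 0))

PORT_FORWARD_ONLY = [(TCP, 1723)]          # what the question describes
WITH_GRE = [(TCP, 1723), (GRE, None)]      # adds the protocol 47 rule from #5

if __name__ == "__main__":
    for name, pkt in [("control", CONTROL), ("data", DATA)]:
        print(name, classify(pkt)[0], passes(pkt, PORT_FORWARD_ONLY), passes(pkt, WITH_GRE))
```

With only the TCP 1723 forward, the control channel matches but the GRE data packet does not, which is the condition error 806 reports. GRE has no port field, so it can only be matched by protocol number.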