
VPN Clients May Not Work on ISA Server Perimeter Networks



This article was previously published under Q303530



Symptoms

From a client on an Internet Security and Acceleration (ISA) Server perimeter network, you may be unable to create a virtual private networking (VPN) connection to a server on the external network. The connection does not work using either PPTP or L2TP.

When you try to make a connection, you see the Verifying Username and Password dialog box. However, the connection attempt eventually generates the error message "Error 628: The Connection was closed."

VPN connections from the internal network to a VPN server on the Internet work correctly.



Cause

This issue is caused by an incompatibility between the ISA Server Packet filter and the Windows 2000 Network Address Translation (NAT) editor.



Resolution

To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack



Workaround

To work around this issue, create a perimeter or DMZ network by using two ISA Server computers:
Internet --- ISA1 --- DMZ --- ISA2 --- private network
This will allow VPN connections to be created successfully from a client in the DMZ to an Internet VPN server.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in ISA Server 2000 SP1.



More information

A network trace shows that TCP packets on port 1723 are forwarded correctly by ISA Server. However, GRE packets (IP protocol 47) never make it through ISA Server. GRE packets are dropped even though the Packet Filter log states that the GRE packets are "Allowed."

Note that perimeter networks are found on triple-homed ISA Server computers. A perimeter network is also referred to as a DMZ. The perimeter network is reachable by using a public IP address, but it is protected by the ISA Server firewall. See the ISA Help for additional information.
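
The trace comparison described in this section can be reproduced by capturing on both sides of ISA Server and checking which VPN flows fail to cross, instead of relying on the Packet Filter log. The Python below is an added example, not part of the Microsoft article; the addresses, sample packets and helper names are constructed, and it assumes the perimeter addresses are not translated between the two capture points.

```python
import struct
from collections import Counter

PPTP_CONTROL_PORT = 1723          # TCP control channel named in the article
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # GRE is IP protocol 47

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'pptp-control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # header length; options shift the TCP ports
    if packet[9] == IPPROTO_GRE:
        return "gre"
    if packet[9] == IPPROTO_TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def flows(trace):
    """Count VPN-related packets per (kind, source, destination)."""
    dotted = lambda raw: ".".join(str(b) for b in raw)
    counts = Counter()
    for pkt in trace:
        kind = classify(pkt)
        if kind != "other":
            counts[(kind, dotted(pkt[12:16]), dotted(pkt[16:20]))] += 1
    return counts

def lost_in_transit(sent_side, far_side):
    """Flows captured where they were sent but never seen on the other side."""
    sent, seen = flows(sent_side), flows(far_side)
    return sorted(flow for flow in sent if seen[flow] == 0)

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at zero) for the sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

# Constructed sample traces: documentation addresses, not taken from the article.
CLIENT, SERVER = (192, 0, 2, 10), (198, 51, 100, 5)
tcp_1723 = ipv4(IPPROTO_TCP, CLIENT, SERVER, struct.pack("!HH", 1055, 1723) + bytes(16))
gre = ipv4(IPPROTO_GRE, CLIENT, SERVER, struct.pack("!HH", 0x3001, 0x880B) + bytes(4))
PERIMETER_TRACE = [tcp_1723, gre, tcp_1723, gre]   # captured next to the client
EXTERNAL_TRACE = [tcp_1723, tcp_1723]              # captured beyond ISA Server

if __name__ == "__main__":
    for kind, src, dst in lost_in_transit(PERIMETER_TRACE, EXTERNAL_TRACE):
        print(f"{kind}: {src} -> {dst} leaves the perimeter but never arrives")
```

Comparing by direction matters because GRE sent by the VPN server can still appear in the external capture even when the client's GRE never gets through.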



Keywords: KB303530, kbqfe, kbprb, kbenv, kbproductlink


Article Info
Article ID : 303530
Revision : 4
Created on : 10/29/2007
Published on : 10/29/2007
Exists online : False