SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0000014: PPTP Passthrough does not work - MantisBT Endian Bugtracker
Endian Issue Tracker

Please see now our new Bugtracker system: JIRA

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000014Endian FirewallGUIpublic2006-08-09 22:092009-10-27 12:00
Assigned Topeter-endian 
PlatformOSOS Version
Product Version2 
Target VersionFixed in Version 
Summary0000014: PPTP Passthrough does not work
DescriptionPPTP VPN Access to Win2K3 box behind Endian FW 2 does not work.
Additional Information Hi all,
Using OpenVPN for site2site communications I still need to be able to have some external clients connect using Microsoft PPTP VPN.
Those connections should pass-thru to a Windows 2003 server on the inside.
I have setup rules to allow both GRE and TCP 1723 to that server.
For some reason this does not work.
The Endian FW replaced a Linksys VPN router due to some incompatablities with Dutch ADSL from KPN.
Due to those incompatabilities both IPSec and PPTP site to site VPN's don't work reliably.
With the Linksys in place I was able to setup client PPTP connections to the W2K3 box, so I know it has something to do with the EFW.
When connecting the pptp vpn it fails with error 619, although it does get to verifying username and password.
Has anyone an idea on what I missed in the configuration.
I am using EFW2.
TagsNo tags attached.
Attached Files

- Relationships
related to 0000543closedpeter-endian Port Forwarding not working 

-  Notes
remyservices (reporter)
2007-02-13 03:02

I am experiencing this same issue. Forwarding port 1723 creates a 619 error in windows. Server is running fine on built in RRAS forwarding port 1723 but not with Endian.
baldy (reporter)
2007-02-13 12:18

Hi all,

Issue only occurs when connecting from behind an Microsft ISA Server 2004 / 2006 protected network to a network protected by Endian FW with a Microsoft RRAS server behind the EFW.

Looks like a protocol issue here as vpn's without the ISA server work fine through EFW and other VPN's to non EFW protected networks from behind the ISA server also work properly.


remyservices (reporter)
2007-02-16 15:39

Hi baldy,
I do not have an ISA server in my farm at all, all servers go directly to Endain and then out to the internet. If my ISP has an ISA then that is beyond my knowledge but I am running a MS RRAS server behind Endian.
Any ideas as to how to resolve/fix this issue?

David Remy
baldy (reporter)
2007-02-16 22:46

Hi David,

Please check that GRE is also forwarded to your RRAS server.

If not please add GRE port 0 to your FW config.

If it still does not work it is probably best to start a seperate topic on this issue.


VolkerR (reporter)
2007-03-16 20:26


we also can not connect from behind a ISA Server 2004 protected Network to a RAS Server behind EFW. We always get error 619. Connections from other locations (not behind ISA Servers) work fine.
Ports 1723 and GRE are forwarded to the Windows 2003 RAS Server.

Is there a solution or workaround for this?

Kind regards.
remyservices (reporter)
2007-03-16 20:34

I have been forwarding GRE to the RRAS server the whole time with no effect. If I am to open another bug report, what might you suggest it be? It seems this is a PPTP issue, but if you feel otherwise let us know so we can get this bug report reported correctly. Thanks for your help.
baldy (reporter)
2007-03-16 20:35

Hi Volker,

Response on this issue is almost non-existent.

Hope someone will pick this up sometime soon as this issue has been running since August and no-one of the EFW group has picked this up.

Please check that the RRAS server you are trying to connect to has outbound access allowing TCP 1723 and GRE as well.


remyservices (reporter)
2007-06-28 22:50
edited on: 2007-06-28 22:56

I have upgraded to Endian 2.1.1 and I still have this issue, but its a little different now.
Now I get an "Error: 806" with the exact same rules as before. Can anyone confirm this or help in what might be the issue?
I do have GRE forwarded as the error suggests checking and I can't see anything wrong with the rules.
Thanks for the help.
David Remy

baldy (reporter)
2007-06-28 22:57

Hi David,

For testing purposes you can try to allow all traffic from and to the ISA protected network on the Endian FW.

Have you already upgraded to ISA 2004 SP3 ?

Due to implenting a hardware firewall I am no longer using ISA and have not been able to test the issue further.

Imho it has something to do with packets being modified on EFW and therefore resulting in ISA dropping those packets.


remyservices (reporter)
2007-06-29 02:00

I am not using an ISA server at all actually. I have my DSL directly connected to Endian and then Endian is directly connected to the RRAS server. From what I have been told it is how Endian touches up the files, but I would really like to know how to get arround this issue.
Thanks for the help!
baldy (reporter)
2007-06-29 03:10

Hi David,

Misread your post, sorry about that.

I am currently supporting and maintaining about 16 EFW installations and about half of them have a Windows 2003 RRAS server behind it.

I have no problems connecting to them with PPTP vpn.

On those machines port 1723 TCP and port 0 GRE are forwarded to the RRAS server.
Also there is a rule allowing the RRAS server full access on TCP&UDP to the internet.

Is your DSL modem in bridge or router mode ?


unixguru (reporter)
2007-07-12 22:06
edited on: 2007-07-12 22:07

RemyServices is right.

I run a bittorrent client on Windows 2003 Server (handles more simultaneous connections)through a PPTP VPN for anonymisation.

I have recently switched to endian and my router/modem is bridged to the red interface.
When I open a PPTP tunnel for it starts working OK and then collapses after around 30-60 seconds.

If I take the endian box out of the equation, which I don't wish to, it all works fine!!

So something is wrong with endian.
Otherwise, it's a damn fine product!

unixguru (reporter)
2007-07-24 06:28

This would appear to have been fixed in 2.1.2

My bittorrent client is safely behind by VPN connection once more.
unixguru (reporter)
2007-08-01 07:48

The problem seems to still exist, however it seems to be taking longer for the tunnel to die. This is making the tunnel useable, but not stable!
pvontobel (reporter)
2007-08-04 17:27

With such an error, I would check microsoft domain rights and or routing permission, such as rdp autorization for your specific client
smr (reporter)
2007-08-10 19:14

I have a similar problem.
My client's using Microsoft PPTP VPN for connect.
I have EFW 2.1.2. My Clients are wxp.
Are not one red Microsoft.
If we changed EFW by router, the conección is ok.

  ---- ---- -----------
  |wxp| ---> |EFW|---> | server VPN|
  ----- ----- -----------

 I have In "Outgoing firewall":
   Proto Source Destination

Something is wrong with my configuration or wrong endian.
Thanks for the help and sorry about my bad english.
smr (reporter)
2007-08-11 01:21

I'm sorry, the configuration of the "Outgoing firewall" is

   Proto Source Destination

 Thanks ... again.
marktrent (reporter)
2007-09-04 23:01

I can confirm we have the exact same problem as smr, winxp machines cannot connect through endian to a MS Server on the internet with pptp, we have also opened all the relevant ports, and still no go, howeever with endian 2.1.1 this works without any problem!
jcasilva (reporter)
2007-09-19 01:19

The problem really exists, possesss a ISA under of the EFW and I do not obtain to have access the VPN of it, exactly pointing, saw NAT, the doors 1723 TCP and protocol GRE for it.

How to resolve this problem?

btvrugt (reporter)
2007-09-21 09:57

We have the same problem (isa 2006/server 2003 sp2).

Winxp -> ISA 2006 -> EFW 2.1 -> rras server -> fail (error 619)
Winxp -> ISA 2006 -> EFW 2.1.2 -> rras server -> fail (error 619)

Winxp -> ISA 2006 -> EFW 2.1.2 -> draytek router -> pass
Winxp -> ISA 2006 -> rras server -> pass
Winxp -> EFW 2.1.2 -> rras server -> pass

EFW Firewall rules:

ISA rules:
Allow PPTP + network protocol 47

any solutions?
more people have this problem with ISA server. [^]
jnewlon (reporter)
2007-09-26 19:10

I am experiencing the same issues. I have opened up all the ports including GRE and still getting the 619 error. I had an active working PPTP VPN working and did upgrade to firewall replacing a linksys router. I changed nothing on the server or clients.

Any suggestions?
btvrugt (reporter)
2007-09-28 15:02
edited on: 2007-09-28 15:06

i think i found why it isnt working.

we replaced efw with ipcop 1.4.16 (linux kernell 2.4) and its working! AARGH

efw is running at linux kernell 2.6 and i found some pages on internet that linux kernell 2.6 is not working well with double nat connections.

winxp -> ISA 2006 -> EFW 2.1.2 (kernell 2.6) -> internet -> random firewall -> rras server

winxp -> ISA 2006 -> ipcop 1.4.16 (kernell 2.4) -> internet -> random firewall -> rras server

in this release note it says [^]

[PATCH] PPTP helper: Fix endianness bug in GRE key / CallID NAT
This endianness bug slipped through while changing the 'gre.key' field in
the conntrack tuple from 32bit to 16bit.
None of my tests caught the problem, since the linux pptp client always has
'0' as call id / gre key.
Only windows clients actually trigger the bug.

hamish (reporter)
2007-10-03 07:27

I have been experiencing the same problem. Tried just about everything to get PPTP working. I'm also "double-Natting"

Does anyone have any idea on how to patch this or when an update for Endian will be released.

Endian is an awsome product and I'd hate to change to something else just becuase of PPTP not working.
peter-endian (administrator)
2008-01-08 12:25

Endian Firewall 2.2-beta2 has now a new kernel ( and thus new netfilter and pptp-helper.

Could anyone please try if this problem still happens?
btvrugt (reporter)
2008-01-10 07:51

problem still exist

Winxp -> ISA 2006 -> EFW 2.1.2 -> rras server -> fail (error 619)
Winxp -> ISA 2006 -> EFW 2.2-b2 -> rras server -> fail (error 619)

Winxp -> ISA 2006 -> rras server -> pass
Winxp -> EFW 2.2-b2 -> rras server -> pass
peter-endian (administrator)
2008-01-10 11:29

could you please try
Winxp -> EFW 2.2-b2 -> ISA 2006

I'm not sure if this is really something we can deal with on efw. Would like to make sure the problem is not on ISA server or on the protocol itself, that it maybe generally don't like to be NAT'ed twice.

the pptp helper is now the actual netfilter version. If there is really a problem in the helper it must be a global problem for worldwide linux users. If that's so, I'm interested to fix it.
btvrugt (reporter)
2008-01-11 15:02

Winxp -> EFW 2.2-b2 -> ISA 2006 -> rras server -> pass

incomming vpn traffic works, only outgoing pptp traffic fails
gruetze (reporter)
2008-06-18 10:00

The Solution form ID 0000543 fixed my issue. Now i can connect to my internal PPTP-Server from the outside.
raphael-endian (administrator)
2009-03-17 06:55

Fixed in 2.2

- Issue History
Date Modified Username Field Change
2006-08-09 22:09 baldy New Issue
2007-02-13 03:02 remyservices Note Added: 0000181
2007-02-13 12:18 baldy Note Added: 0000182
2007-02-16 15:39 remyservices Note Added: 0000183
2007-02-16 22:46 baldy Note Added: 0000184
2007-03-16 20:26 VolkerR Note Added: 0000241
2007-03-16 20:34 remyservices Note Added: 0000242
2007-03-16 20:35 baldy Note Added: 0000243
2007-06-28 22:50 remyservices Note Added: 0000365
2007-06-28 22:56 remyservices Note Edited: 0000365
2007-06-28 22:57 baldy Note Added: 0000366
2007-06-29 02:00 remyservices Note Added: 0000367
2007-06-29 03:10 baldy Note Added: 0000368
2007-07-12 22:06 unixguru Note Added: 0000394
2007-07-12 22:07 unixguru Note Edited: 0000394
2007-07-24 06:28 unixguru Note Added: 0000406
2007-08-01 07:48 unixguru Note Added: 0000412
2007-08-03 13:12 Anonymous Note Added: 0000413
2007-08-03 13:12 Anonymous Status new => acknowledged
2007-08-03 13:13 Anonymous Note Added: 0000414
2007-08-03 13:13 Anonymous Status acknowledged => feedback
2007-08-04 17:27 pvontobel Note Added: 0000415
2007-08-04 17:27 pvontobel Status feedback => acknowledged
2007-08-10 19:14 smr Note Added: 0000432
2007-08-11 01:21 smr Note Added: 0000433
2007-09-04 23:01 marktrent Note Added: 0000472
2007-09-19 01:19 jcasilva Note Added: 0000510
2007-09-19 01:19 jcasilva Note Added: 0000511
2007-09-19 01:19 jcasilva Status acknowledged => feedback
2007-09-19 01:20 jcasilva Note Deleted: 0000510
2007-09-21 09:57 btvrugt Note Added: 0000513
2007-09-26 19:10 jnewlon Note Added: 0000515
2007-09-28 15:02 btvrugt Note Added: 0000516
2007-09-28 15:06 btvrugt Note Edited: 0000516
2007-09-28 15:11 Anonymous Note Deleted: 0000413
2007-09-28 15:11 Anonymous Note Deleted: 0000414
2007-10-03 07:27 hamish Note Added: 0000517
2007-10-27 18:23 peter-endian Status feedback => assigned
2007-10-27 18:23 peter-endian Assigned To => peter-endian
2008-01-08 12:25 peter-endian Note Added: 0000737
2008-01-08 12:25 peter-endian Status assigned => feedback
2008-01-10 07:51 btvrugt Note Added: 0000758
2008-01-10 11:29 peter-endian Note Added: 0000765
2008-01-11 15:02 btvrugt Note Added: 0000789
2008-06-18 10:00 gruetze Note Added: 0001327
2009-03-17 06:54 raphael-endian Relationship added related to 0000543
2009-03-17 06:55 raphael-endian Note Added: 0002051
2009-03-17 06:55 raphael-endian Status feedback => resolved
2009-03-17 06:55 raphael-endian Resolution open => fixed
2009-10-27 12:00 peter-endian Status resolved => closed

Copyright © 2005-2008 Endian, SRL. All rights reserved.

Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker