How to enable PPTP / MS VPN through a NetScreen 5XT.
PPTP needs more than one port open (TCP 1723 plus IP protocol 47), but without the VIP multi-port command a VIP service can only listen on a single port. To address this, enable the VIP multi-port command, which allows a VIP service to be configured with more than one port to listen on. Note that setting VIP multi-port requires a reboot.
From the command line interface (CLI):
set vip multi-port [Enter]
A multi-port VIP matches on the first port it sees in the custom service, so the VIP is defined on that port (2048 in the example below).
Next, define a custom service for PPTP and apply this service in the VIP. From the CLI:
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10 [Enter]
Finally, create an incoming policy with destination address as the VIP using the custom service object. From the CLI:
set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit [Enter]
In this example the PPTP server is assumed to be on the trust side of the firewall, at IP address 10.1.1.10. Note that for Microsoft Windows the custom PPTP service must contain both TCP port 1723 and IP protocol 47 (GRE) with port 2048. The source port range for TCP 1723 must be 0-65535 so that any client source port is accepted.
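As an added check (example code, not ScreenOS or the author's configuration), the script below parses "set service" and "set interface ... vip" lines in the form shown on this page and verifies the rules stated above: the service must carry IP protocol 47 and TCP 1723 with source ports 0-65535, and the VIP port must be the first port of the service. The sample config is the page's three commands without "[Enter]".

```python
"""Added example (not ScreenOS code): parse the 'set service' / 'vip' lines
in the form shown on this page and verify the stated PPTP rules."""
import re

# Constructed sample: the three commands from the page without "[Enter]".
SAMPLE_CONFIG = """
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10
"""

SERVICE_RE = re.compile(
    r'^set service (\S+) (?:group "\w+" |\+ )?(\S+) src (\d+)-(\d+) dst (\d+)-(\d+)$')
VIP_RE = re.compile(r'^set interface \S+ vip (\d+) (\S+) (\S+)$')

def parse(config):
    """Return ({service: [(proto, (src_lo, src_hi), (dst_lo, dst_hi))]}, [(vip_port, service, host)])."""
    services, vips = {}, []
    for line in config.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            name, proto, s1, s2, d1, d2 = m.groups()
            services.setdefault(name, []).append(
                (proto.lower(), (int(s1), int(s2)), (int(d1), int(d2))))
            continue
        m = VIP_RE.match(line.strip())
        if m:
            vips.append((int(m.group(1)), m.group(2), m.group(3)))
    return services, vips

def check_pptp_vip(config):
    """Return a list of problems; empty means the config meets the rules in the text."""
    services, vips = parse(config)
    problems = []
    for port, svc, _host in vips:
        entries = services.get(svc, [])
        if not entries:
            problems.append(f"VIP references unknown service {svc}")
            continue
        # The multi-port VIP matches the first port it sees in the service.
        if entries[0][2] != (port, port):
            problems.append(f"VIP port {port} is not the first port of {svc}")
        if not any(proto == "47" for proto, _, _ in entries):
            problems.append(f"{svc} lacks IP protocol 47 (GRE)")
        if not any(proto == "tcp" and dst == (1723, 1723) and src == (0, 65535)
                   for proto, src, dst in entries):
            problems.append(f"{svc} lacks TCP 1723 with source ports 0-65535")
    return problems
```

Run check_pptp_vip(SAMPLE_CONFIG) on the page's lines to get an empty list; drop the protocol 47 line or change the VIP port and the corresponding problem is reported.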
I used this setup to enable VPN access to a Windows Small Business Server 2003, and it worked fine and fast.
Tip: for Small Business Server 2003, use the built-in VPN wizard. ;-)