Netscreen PPTP Pass Through. For Microsoft VPN Client usage.

How to enable pptp / ms vpn through a netscreen 5xt.

To address this problem, enable the VIP multi-port command, which will allow configuration of a VIP service which has more than 1 port it listens to.  Without this command, a VIP service can only listen to one port.  Note that setting VIP multi-port will require a reboot.

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

The multi-port command will match the first port it sees in the custom service.

Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP [Enter]

Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit [Enter]
save [Enter]

In this example, the PPTP server was assumed to be on the trust side of the Firewall, at IP address Note that for Microsoft Windows, the custom PPTP service must contain both TCP port 1723 and IP protocol 47 with port 2048. The source port for TCP 1723 must be 0-65535 to allow for any source port.

I used this setup for vpn enabling to a windows 2003 small business server. And it worked fine and fast.

Tip for small business 2003 use the build in vpn wizard. ;-)

4 thoughts on “Netscreen PPTP Pass Through. For Microsoft VPN Client usage.

  1. Hi and thanks for the instructions.

    up to now it is not working with my ns5GT screenos 5.4.0r3a.0.

    PPTP (1732) is coming to the server (system log rasman message and firewall log) but GRE seems not to come through (rasman message says: VPN not established GRE protocoll …).

    must this be the only vip service, I have more, https and mail to the same server.

    Thx for any help.

  2. Gunnar,

    This must be on the on the VIP service like the HTTPS and MAIL. and must be forwarded to the correct VPN server.

    I tested is with ms vpn

  3. Question, please.
    how can i do this from the web interface , i opened TCP 1723, TCP 47 . and nothing still.
    Netscreen, SBS 2008.

    • I can’t tell you about this sollutions. I am using the cli most of the time. And the last 2 years i haven’t done anything with the netscreen devices.
      how ever you could look under interfaces or the policies i think something there could be wrong also.

      But I think it’s in the configuration of the SBS 2008 which is maybe wrong.

      Let me know if you found a solution.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s