Windows 2000 includes a superset of the VPN connectivity features in Windows NT. The enhanced feature set includes improved support for PPTP as well as support for the Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec) protocol. Although L2TP and IPSec offer some exciting new capabilities, many organizations will continue to use PPTP for several reasons: administrators and users already understand it, it's easy to configure, and it offers technical advantages (e.g., PPTP is the only Win2K VPN option that supports Network Address Translation—NAT).
Win2K doesn't introduce major changes to PPTP; however, Microsoft has improved PPTP-based VPN management in several ways. First, VPN clients no longer need to manually initiate two DUN connections to establish PPTP-based connections with the corporate network. In previous Windows versions, clients made one call to the ISP and a second call to establish the PPTP session with an Internet-accessible RAS or RRAS server. Alternatively, NT 4.0 clients could use the Microsoft Connection Manager (CM) and Connection Manager Administration Kit (CMAK) to eliminate the need for a second call. Win2K simplifies the PPTP connection setup process by providing a wizard-based option that walks the user through creating a multipart VPN connection.
Second, Win2K includes a PPTP Ping utility. (Win2K's PPTP Ping is actually a pair of utilities, pptpclnt.exe and pptpsrv.exe, that you can find in the support.cab file in the \support\tools folder on the Win2K installation CD-ROM.) Ordinary ping provides basic diagnostic functionality that lets you determine whether two IP hosts can reach each other across a network. Win2K's PPTP Ping provides similar diagnostic capabilities, but instead of testing whether ICMP echo requests get through, it tests whether the GRE-encapsulated traffic that PPTP tunnels actually ride on gets through, which is the traffic firewalls most often block.
For a PPTP client and server (or two servers, if you use RRAS servers to create LAN-to-LAN PPTP connections) to successfully connect, several conditions must be true. First, you must have correctly installed and configured the PPTP protocol within RAS or DUN on the client and the server. Second, the client and server must have compatible versions of PPTP and DUN. Finally, you need to open the ports and protocols that PPTP requires on any firewalls between the two PPTP-enabled hosts. This last step is the one that most often trips up administrators, because it is easy to get partly right (the control channel connects, but the tunnel never passes traffic).
PPTP uses two channels between the two PPTP-enabled hosts: a control connection on TCP port 1723, and the tunnel itself, which carries the PPP frames inside IP protocol 47 (Generic Routing Encapsulation, or GRE) packets. GRE is an IP protocol, not a TCP or UDP port, so a firewall rule that opens "port 47" accomplishes nothing; the firewall must be configured to pass IP protocol 47 explicitly, in both directions, in addition to TCP 1723. A client that can reach port 1723 but not send GRE will authenticate and then hang or drop. You can use PPTP Ping to ensure that the firewall passes both kinds of traffic and that the remote server is successfully receiving incoming client connection requests. To do so, copy pptpsrv.exe to the server and run the utility at a command prompt by typing
The utility will initialize a socket and begin listening for incoming requests. Next, copy pptpclnt.exe to a PPTP client and launch it at a command prompt by typing
where server is the name or IP address of the PPTP server. A PPTP Ping client will show that it's sending packets but won't confirm whether the server successfully receives them. To verify that the test was successful, you need to look at the server. If the connection and packet transfer succeeded, the server will display the following output
Total GRE packets received = 2
Total GRE packets received = 3
Total GRE packets received = 4
Total GRE packets received = 5
If the connection wasn't successful, the server displays an error message that you can use to find the problem's cause.
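As an added example (not part of the original article and not Microsoft's PPTP Ping code), the Python script below performs the same two checks in software: a TCP connect to port 1723 for the control channel, and a GRE sender and listener that count PPTP-style GRE packets the way pptpsrv.exe does. The GRE header layout follows RFC 2637 (PPTP's "enhanced GRE"); all function names and the sample packets are this example's own. The raw-socket sender and listener need administrator or root privileges and assume a Linux-style raw socket that delivers the IPv4 header with each packet; the packet builder and counter run offline without privileges.

```python
"""Added example: a software stand-in for pptpclnt.exe/pptpsrv.exe.

Checks (1) the PPTP control channel, TCP port 1723, and (2) whether
PPTP-style GRE packets (IP protocol 47) arrive at the server. Names and
sample data are this example's own, not Microsoft's.
"""
import socket
import struct
import sys

PPTP_TCP_PORT = 1723
IPPROTO_GRE = 47            # IP protocol number for GRE (not a TCP/UDP port)
PPTP_GRE_PROTO = 0x880B     # protocol type PPTP places in the GRE header
GRE_FLAGS_K_S_V1 = 0x3001   # K=1 (key/call ID), S=1 (sequence), version 1


def tcp_control_channel_reachable(host, port=PPTP_TCP_PORT, timeout=3.0):
    """Half of the firewall requirement: can we open TCP 1723 on the server?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_pptp_gre(call_id, seq, payload=b""):
    """Build an RFC 2637 GRE header (12 bytes) with `payload` as the PPP frame."""
    return struct.pack("!HHHHI", GRE_FLAGS_K_S_V1, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload


def parse_pptp_gre(gre):
    """Return a dict for a PPTP GRE packet, or None if it isn't one."""
    if len(gre) < 8:
        return None
    flags, proto = struct.unpack("!HH", gre[:4])
    # Version must be 1 (enhanced GRE) and K must be set for PPTP.
    if proto != PPTP_GRE_PROTO or (flags & 0x0007) != 1 or not flags & 0x2000:
        return None
    has_seq = bool(flags & 0x1000)
    has_ack = bool(flags & 0x0080)
    hdr_len = 8 + 4 * has_seq + 4 * has_ack
    if len(gre) < hdr_len:
        return None
    length, call_id = struct.unpack("!HH", gre[4:8])
    seq = struct.unpack("!I", gre[8:12])[0] if has_seq else None
    return {"call_id": call_id, "seq": seq, "payload": gre[hdr_len:hdr_len + length]}


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Constructed IPv4 packet for offline testing (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def count_gre_packets(raw_packets):
    """Mimic pptpsrv.exe's counter over raw IPv4 packets; returns the total."""
    seen = 0
    for pkt in raw_packets:
        if len(pkt) < 20 or (pkt[0] >> 4) != 4:
            continue
        if pkt[9] != IPPROTO_GRE:
            continue                      # e.g. the TCP 1723 control traffic
        ihl = (pkt[0] & 0x0F) * 4
        if parse_pptp_gre(pkt[ihl:]) is None:
            continue                      # GRE, but not PPTP's variant
        seen += 1
        print(f"Total GRE packets received = {seen}")
    return seen


def send_gre_probes(server, count, call_id=1):
    """Client side (root/admin): emit `count` PPTP-style GRE packets."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_GRE) as s:
        for seq in range(1, count + 1):
            s.sendto(build_pptp_gre(call_id, seq, b"\xff\x03"), (server, 0))


def listen_gre(expected, timeout=10.0):
    """Server side (root/admin): collect GRE packets and count them."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_GRE) as s:
        s.settimeout(timeout)
        pkts = []
        try:
            while len(pkts) < expected:
                pkt, _ = s.recvfrom(65535)  # Linux delivers the IPv4 header too
                pkts.append(pkt)
        except socket.timeout:
            pass
        return count_gre_packets(pkts)


if __name__ == "__main__":
    # usage: script.py server <host> [count]   |   script.py client <host> [count]
    role, host = sys.argv[1], sys.argv[2]
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 5
    if role == "server":
        print("listening for GRE (protocol 47)...")
        listen_gre(n)
    else:
        print("TCP 1723 reachable:", tcp_control_channel_reachable(host))
        send_gre_probes(host, n)
```

Run the server role first, then the client role from the far side of the firewall. As with PPTP Ping, the client cannot tell whether its GRE packets arrived; only the server's counter shows that. A result where the TCP check prints True but the server counts zero GRE packets is the classic symptom of a firewall that passes port 1723 but drops protocol 47.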
Interestingly, I discovered that you can use Win2K's PPTP Ping utility with NT 4.0 PPTP clients and servers. Using PPTP Ping, I successfully tested PPTP connections between clients and servers running various combinations of Win2K and NT 4.0.