Forum Discussion
VPN on Windows Server 2016 not working
I have realized there is a delay of at least 3 or 4 hours in displaying my posts here. My reply here will not show up until quite a few hours later.
The router Fios-G1100 does not have an option for PPTP.
I have verified that RRAS is running and PPTP is enabled.
I am not sure about the binding:
In the event viewer, there are no entries for RRAS. There is only one for System:
A connection between the VPN server and the VPN client 72.74.77.135 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).
I tried to use an Android device with Wi-Fi turned off to make a connection (type IKEv2/IPSec MSCHAPv2), but nothing happened on the server side.
- micheleariis, May 13, 2025, MCT
Hi, the server and RRAS are configured correctly: the problem is the Fios G1100 router, which does not forward the GRE protocol (needed for PPTP). Opening only TCP port 1723 is not enough.
The ways are:
- replace or bridge the G1100 with a router that supports PPTP-passthrough
- or change VPN on Windows Server and use SSTP (TCP 443) or L2TP/IPsec, which do not require GRE
Putting the server in DMZ on the G1100 can work, but it is not guaranteed.
It is not Windows' fault, it is the router that blocks GRE; you need a new router or a different protocol.
- hzhang, May 14, 2025, Copper Contributor
To avoid my Fios router, I tried my Android device without Wi-Fi (i.e., using only cellular connection). The Android built-in VPN client does not work and gives no information about why the connection fails.
I downloaded the app strongSwan. Its connection fails too, but it has a log:
- micheleariis, May 15, 2025, MCT
Hi, the NO_PROPOSAL_CHOSEN error happens because the client and server can’t agree on encryption and DH parameters for IKE. Your strongSwan settings don’t match what the server accepts.
1. Align IKE proposals in strongSwan to match the server (e.g., aes256-sha256-modp2048)
2. Check IPsec settings on the Windows server (Encryption, Integrity, DH Group) and make sure they match.
3. Verify PSK or certificates are correct and identical on both sides.
4. Test again to see if the negotiation succeeds.
If syncing the IPsec policies is too tricky, you can temporarily try SSTP (HTTPS-based VPN) to check if the rest of the setup is fine.
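The proposal mismatch described in the answer above, as an added example that is not part of the original posts: a simplified Python model of IKEv2 proposal matching that reports which transform type has no overlap between the two sides. The server proposal strings are constructed samples, not the poster's actual Windows settings, and only a few non-AEAD strongSwan keywords are recognized.

```python
# Simplified model of IKEv2 proposal selection (added example).
# PRF transforms and AEAD ciphers are left out; keyword tables are partial.
TYPES = {
    "encryption": {"3des", "aes128", "aes192", "aes256"},
    "integrity": {"sha1", "sha256", "sha384", "sha512"},
    "dh_group": {"modp1024", "modp1536", "modp2048", "ecp256", "ecp384"},
}


def parse_proposal(text):
    """Split 'aes256-sha256-modp2048' into {transform type: set of algorithms}."""
    proposal = {name: set() for name in TYPES}
    for token in text.strip().lower().split("-"):
        for name, known in TYPES.items():
            if token in known:
                proposal[name].add(token)
                break
        else:
            raise ValueError(f"unknown algorithm keyword: {token!r}")
    return proposal


def negotiate(client, server):
    """Return (chosen, reasons); chosen is None when no proposal matches."""
    reasons = []
    for c_text in client.split(","):
        c = parse_proposal(c_text)
        for s_text in server.split(","):
            s = parse_proposal(s_text)
            missing = [t for t in TYPES if not c[t] & s[t]]
            if not missing:
                # Every transform type overlaps: pick one algorithm per type.
                return {t: sorted(c[t] & s[t])[0] for t in TYPES}, reasons
            reasons.append(f"{c_text.strip()} vs {s_text.strip()}: no common "
                           + ", ".join(missing))
    return None, reasons  # the responder would answer NO_PROPOSAL_CHOSEN


# Constructed sample values, not taken from the poster's server or log.
CLIENT = "aes256-sha256-modp2048"
SERVER_MISMATCHED = "aes256-sha1-modp1024, 3des-sha1-modp1024"
SERVER_ALIGNED = "aes256-sha256-modp2048"

if __name__ == "__main__":
    for label, server in (("mismatched", SERVER_MISMATCHED),
                          ("aligned", SERVER_ALIGNED)):
        chosen, reasons = negotiate(CLIENT, server)
        print(label, chosen or "NO_PROPOSAL_CHOSEN", *reasons, sep="\n  ")
```

The per-type reasons show whether the encryption, integrity, or DH group setting is the one that has to change.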