PPTP outbound


I have a problem, we are trying to connect to a PPTP server from behind a M590 cluster, I have the PPTP rule in place and I see the allow attempts while Im trying to connect - but connection never get established, instead it ends with misc errors.
Windows 10 client with bulit in PPTP VPN setup.

If I instead use a 4G modem, I am able to connect (!) without any issues.

What could be the issue?


  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @martindavidsson
    I'd suggest looking for any deny logs for any protocols that you might be trying to use. PPTP will attempt to stand up a GRE tunnel, and depending on how the rule you created is set up, may not be allowing this.

    I would suggest considering using a different VPN technology. PPTP is not considered secure and is easily cracked/exploited. Using a newer VPN technology like IKEv2 or L2TP can provide the same built-in VPN experience with a less broken security mechanism behind it.

    -James Carson
    WatchGuard Customer Support

  • I know PPTP is unsecure.. but this is a customer we connect to and they insist on using PPTP for some reason...

  • I have a similar issue, just swapped an M500 for the M590.
    Outbound PPTP VPN worked before the swap, now it shows allowed but gets stuck at 'verifying username and password'.
    I have tried adding registry keys to the client PC (as we had this issue after a windows update some years ago), but no joy.
    Here is the link in case you want to try it:

  • I've done some further testing on this. when we use PPTP outbound on a T35 running 12.5.4 its fine and we can see PPTP/TCP 1723 and GRE traffic being allowed outbound, VPN connects ok.
    On the M590 running 12.8.2 we can only see PPTP/TCP 1723 traffic allowed, there is no GRE being registered and the VPN fails.
    I'm going to open a ticket with WatchGuard support.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Phil_B
    The default outgoing rule won't allow GRE traffic - make sure you make a packet filter to allow that traffic outbound.
    GRE is in the list of pre-defined packet filters you can select when you're making a new policy.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    I tried creating a custom packet filter rule for GRE outbound too and it made no difference.
    The default PPTP packet filter is supposed to allow TCP 1723 and GRE traffic.
    On the M270 12.8.1 and 12.8.2 U1 it works fine and shows outbound traffic TCP 1723 allowed and GRE 'related' on the next line in traffic monitor, it connects ok.
    On the T35 running 12.5.4 it's also fine.
    On the M590 running 12.8.2 or 12.8.2 U1 it only shows TCP 1723 allowed, the GRE traffic does not register using the default rule or with the extra GRE packet filter outbound.
    I'm going to open a support ticket as something is different on the M590.

  • james.carsonjames.carson Moderator, WatchGuard Representative
    edited October 2022

    sounds good, sorry that didn't help.
    If you can please reply with the case number once you create the case, I can make sure that your case ends up with the correct team to help with it.

    I was able to find it by searching around for PPTP cases.
    I've got it assigned to the firewall team, and I left some information in your case to help find some more data. Based on your logs, the GRE traffic isn't even being presented to the firewall, and we're looking to get some more data to confirm that, and if so, try to figure out why.

    -James Carson
    WatchGuard Customer Support

  • Any update on this? Im having exactly the same issue with 2 pairs of M690s was working fine and now nothing. Tried everything you have mentioned above and can see the pptp traffic leave site and hit the other end but not seeing GRE and getting an error authenticating.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @Contrac_IT If it was working and stopped with no change on your firewall, the issue is most likely at the VPN server. I'd suggest checking logs there for more info.

    -James Carson
    WatchGuard Customer Support

  • @james.carson Users can VPN from other sites and using hotspot just not through the firewalls. ISP is saying nothing is blocked their side.

  • You can do an NMAP IP scan (-so) to see if GRE is open on the firewall.

    In my case it is not open on my firewall.
    2022-10-14 08:27:57 Deny gre Trust-VLAN Firebox Denied 20 47 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @Contrac_IT I'd suggest creating a support case so that we can look at the issue and help determine what is going on.
    It's difficult to speculate what the issue might be without any logs or context as to why that might not be working.

    -James Carson
    WatchGuard Customer Support

  • I had the same issue upgrading from an M370 to an M390, along with a few other surprises. I'm working out a gateway wireless controller issue so didn't open a ticket yet for this. However, seeing this thread gave me an idea that worked.

    The Automatic policy generated "WatchGuard IPSec", made when you tick the box in the VPN settings doesn't work on the M390. The only thing showing up in the logs was a single deny from the client's workstation to the external IP address. Protocol gre, (unhandled Internal Packet-00). The fix was to disable the automatically generated policy and make my own custom policy for IPSec Outbound. From any-trusted to any-external (instead of any), ports are gre, esp, ah, udp:500 and udp:4500.

    Works great now!

  • edited October 2022

    Is GRE with IPSec really needed?

  • The reason that I ask is that the predefined IPSec packet filter does not include GRE.

Sign In to comment.