PPTP VPN to Amazon EC2 Windows 2003 instance

Martin Hansen asked:

I’m trying to set up a VPN connection to an EC2 instance running Windows Server 2003, but I can’t get it working. I get this error in the event log on the server.

A connection between the VPN server and the VPN client xxx.xxx.xxx.xxx has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user’s network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

So the client does connect, but because it is not able to send GRE packets, it fails. As far as I understand, the GRE packets are blocked by Amazon, but is there any way to open this up? Is this the same as the ICMP option in creating security groups? I have tried adding ICMP 47 as mentioned in the error message, but it had no effect.

Any help is appreciated.

My answer:

Security groups for regular EC2 instances can only have rules applied for TCP, UDP and ICMP.

To resolve the problem, start your instance in a VPC. Security groups for VPC instances can be written for any protocol, though you may need to use the command line ec2-authorize tool to create the rule.

This should be sufficient to open up GRE for your VPC instances:

ec2-authorize security_group_name -P 47 -O access_key -W secret_key <any other options>
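
As an added illustration (not part of the original answer), the check below inspects a security group's ingress rules for the two things PPTP needs from a given client address: TCP/1723 for the control channel and IP protocol 47 for the GRE tunnel. It also shows why an "ICMP 47" rule does nothing for GRE. The two groups are constructed in the shape `aws ec2 describe-security-groups` returns; their ids and addresses are placeholders.

```python
"""Check whether an EC2 security group lets a PPTP client through.

PPTP needs TCP/1723 for the control channel and IP protocol 47 (GRE) for the
tunnel. An ICMP rule with type 47 is not GRE, which is why adding "ICMP 47"
has no effect. Group ids and addresses below are constructed for this example.
"""
import ipaddress
import json

# Shape follows `aws ec2 describe-security-groups`; values are constructed.
CLASSIC_SG = json.loads("""{"GroupId": "sg-classic-example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 1723, "ToPort": 1723,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "icmp", "FromPort": 47, "ToPort": -1,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}""")
VPC_SG = json.loads("""{"GroupId": "sg-vpc-example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 1723, "ToPort": 1723,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "47", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}""")

def _source_allowed(rule, client_ip):
    """True if client_ip falls inside one of the rule's IPv4 CIDR ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))

def allows_tcp_port(sg, port, client_ip):
    """True if an ingress rule opens TCP `port` (or all traffic) to client_ip."""
    for rule in sg["IpPermissions"]:
        proto = rule["IpProtocol"]
        in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        if proto == "-1" or (proto == "tcp" and in_range):
            if _source_allowed(rule, client_ip):
                return True
    return False

def allows_gre(sg, client_ip):
    """True only for a rule whose IpProtocol is 47 (GRE) or -1 (all)."""
    return any(rule["IpProtocol"] in ("47", "-1") and _source_allowed(rule, client_ip)
               for rule in sg["IpPermissions"])

def pptp_diagnosis(sg, client_ip):
    """Report which PPTP prerequisites the group satisfies for client_ip."""
    return {"tcp1723": allows_tcp_port(sg, 1723, client_ip),
            "gre": allows_gre(sg, client_ip)}

if __name__ == "__main__":
    for sg in (CLASSIC_SG, VPC_SG):
        print(sg["GroupId"], pptp_diagnosis(sg, "203.0.113.7"))
```

Run against real output, the classic-style group reports the exact symptom in the question: the TCP control channel connects but GRE is missing.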

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.