I am trying to open a VPN session from outside my FW to a Microsoft RAS inside the FW. I have created a rule to allow ANY service from the external host to the internal RAS server. The packet exchanges following the initial TCP session use Generic Routing Encapsulation (GRE) as the IP protocol. By default my firewall seems to allow GRE packets into the RAS server, but drops outbound GRE packets. I have tried adding an outbound rule using the GRE service that I found in the FW service database, but the packets still drop out at the bottom of the Policy. The GRE service is defined as a "User-Specified Service" and contains just the Match statement "ip_p = 47". What am I missing?
OK, I've found some answers myself - but I'll post them anyway, in case anybody else is interested.

For Microsoft VPN I have used an inbound rule with services "Microsoft VPN" and "GRE" (Generic Routing Encapsulation), and an outbound rule using just GRE. The Microsoft VPN service uses TCP destination port 1723. I had to turn "Fast Mode" on, to stop the FW timing out these sessions after one minute.

The GRE service is User-Defined, and can be created as a New service of type "Other". In the "Match" field put the statement:

ip_p=47

For the outbound rule (GRE only) I had to create a separate source network object for the internal VPN host, using just a primary address (no NAT). The primary address was the static external address for the host. I don't really understand why this was necessary, but if I used the original object as the source, the FW simply dropped all outbound packets as unmatched. Anyway, for whatever reason, it works.
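To make the two services in the answer concrete, here is an added Python model of the policy (example code written for this page, not code from the thread or from any firewall vendor). It parses raw IPv4 headers so the difference between the port-based "Microsoft VPN" service (TCP/1723) and the protocol-only GRE service (ip_p=47, no ports) is visible, and it evaluates constructed packets against the policy with and without the outbound GRE rule. The addresses, rule names and GRE payload bytes are assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers and the PPTP control port named in the thread.
IPPROTO_TCP = 6
IPPROTO_GRE = 47           # the "ip_p=47" match in the user-defined GRE service
PPTP_CONTROL_PORT = 1723   # the "Microsoft VPN" service

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
EXTERNAL_HOST = "203.0.113.10"
RAS_SERVER = "192.0.2.5"   # assumed static external address of the internal VPN host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int]   # None for protocols without L4 ports, such as GRE


def parse_ipv4(raw: bytes) -> Packet:
    """Extract the fields a rule needs from an IPv4 header (plus TCP dst port if TCP)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    dport = None
    if proto == IPPROTO_TCP:
        dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return Packet(src, dst, proto, dport)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, no options, checksum left 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header carrying only the ports and the SYN flag."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # "any" or an address
    dst: str
    proto: Optional[int]     # None = any IP protocol
    dport: Optional[int]     # None = no port check (required for GRE, which has none)
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(policy: List[Rule], raw: bytes) -> str:
    """First matching rule wins; anything unmatched drops at the bottom of the policy."""
    pkt = parse_ipv4(raw)
    for rule in policy:
        if rule.matches(pkt):
            return f"{rule.action}:{rule.name}"
    return "drop:implicit"


# Policy reconstructed from the answer (rule names are assumed, not the product's own).
PPTP_POLICY = [
    Rule("inbound-msvpn", EXTERNAL_HOST, RAS_SERVER, IPPROTO_TCP, PPTP_CONTROL_PORT, "accept"),
    Rule("inbound-gre", EXTERNAL_HOST, RAS_SERVER, IPPROTO_GRE, None, "accept"),
    Rule("outbound-gre", RAS_SERVER, EXTERNAL_HOST, IPPROTO_GRE, None, "accept"),
]
# Same policy without the outbound GRE rule: the situation in the original question.
BROKEN_POLICY = PPTP_POLICY[:2]

# Constructed traffic: the PPTP control SYN, then a GRE packet in each direction.
PPTP_SYN = build_ipv4(EXTERNAL_HOST, RAS_SERVER, IPPROTO_TCP, tcp_syn(40000, PPTP_CONTROL_PORT))
GRE_IN = build_ipv4(EXTERNAL_HOST, RAS_SERVER, IPPROTO_GRE, b"\x30\x01\x88\x0b")   # GRE, PPP
GRE_OUT = build_ipv4(RAS_SERVER, EXTERNAL_HOST, IPPROTO_GRE, b"\x30\x01\x88\x0b")


def check_policies() -> dict:
    """Verdicts for (PPTP_SYN, GRE_IN, GRE_OUT) under the fixed and the broken policy."""
    traffic = (PPTP_SYN, GRE_IN, GRE_OUT)
    return {
        "fixed": [evaluate(PPTP_POLICY, p) for p in traffic],
        "broken": [evaluate(BROKEN_POLICY, p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in check_policies().items():
        print(name, verdicts)
```

The model shows why the outbound GRE rule has to be a protocol match rather than a service with ports: GRE packets parse with no destination port, so any rule that checks a port can never match them, and without an explicit ip_p=47 rule whose source is the VPN host they fall through to the implicit drop at the bottom of the policy.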