Can't VPN with Windows XP client

I am not having any trouble like you describe. I have setup both PPTP and L2TP and Macs and Windows machines connect without incident. I do recall that someone here mentioned that sometimes you need to allow 40-bit as well as 128-bit encryption and I have done that. Maybe try that first.

Peter

Are you using PPTP from both OS X and Windows?

You probably will have problem with L2TP from Windows if server is behind a NAT router.

If L2TP works from OS X try with PPTP. If PPTP doesn't work it could very well be GRE protocol isn't getting through.

Any router/firewall between OS X server and Internet.

PPTP needs GRE protocol and TCP port 1723 forwarded to the server IP.

Is this the newer type Airport Extreme, the square one with rounded corners?

Latest firmware installed?

Anyhow I think you will have trouble getting PPTP through it.

Some other routers has a VPN passthrough setting that sometimes work for PPTP server on the router LAN.

If you get another router/firewall (like Netgear FVS xxx) get one without a built-in VPN (IPSec) server or you most likely will have problems with L2TP pasthrough.

In my case, because my server and my clients are behind NAT, I fixed the problem of windows XP connection by adding this in the registry :

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY LOCALMACHINE\SYSTEM\CurrentControlSet\Services\IPsec
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
6. In the Value Data box, type one of the following values:
• 0 (default)
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
• 1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
• 2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
7. Click OK, and then quit Registry Editor.
8. Restart the computer.

This info is available on microsoft support site.

It's a pity you need to know where you connect from instead of the machine negotiating the connection.

I guess a "2" would be the most useful setting.

And I guess I would use the server (dual interfaces needed) instead of the AirPort, if the public IP is static, as the Internet gw. Or better yet another firewall/router (maybe a Linux based one like Pfsense or Ipcop if money is an issue).

You might revisit the TimeWarner modem and firewall. Even though it may allow VPN I have found that many of the home oriented products will only support one tunnel type at a time, ie you can't have an L2TP session and a PTPP session open at the same time, while you can have have multiple sessions of the same type. Most of the Modems from DSL and Cable have a firewall in them but set to UPnP which allows items on the inside to set up and temporarily mod firewall settings but not items from the outside without forwarding in place. Just a thought.

Beautiful! Worked like a charm for me