Windows PPTP client behind Vyos

I’ve searched high and low, and for the life of me can’t figure out why this is not working.

I have a windows client (Windows 8 and Windows 10 both), behind VyOS 1.1.6 in a NAT configuration. I see nf_conntrack_pptp and nf_conntrack_gre loaded in the kernel module list, but it appears that the firewall is not properly reverse-NAT’ing the PPTP connection. I get an error code 619 from Windows PPTP when it attempts to create the tunnel.

Here’s my configuration (non-relevant items like NTP removed to reduce noise). What am I missing?

firewall {
    all-ping disable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name EXTERNAL-IN {
        default-action drop
        rule 1 {
            action accept
            source {
                address x.x.x.x/xx
            }
        }
        rule 3 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            source {
                address x.x.x.x/xx (my internal ip block)
            }
        }
        rule 999 {
            action accept
            log disable
            state {
                established enable
                related enable
            }
        }
    }
    name INTERNAL {
        default-action drop
        rule 1 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            protocol tcp
            source {
                address x.x.x.x/xx (my internal ip block)
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address x.x.x.x/xx
        description "External Internet"
        duplex auto
        firewall {
            local {
                name EXTERNAL-IN
            }
            out {
                name EXTERNAL-IN
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
        vif 0 {
            address x.x.x.x/xx
        }
        vif 1 {
            address x.x.x.x/xx
        }
        vif 2 {
            address x.x.x.x/xx
        }
        vif 3 {
            address x.x.x.x/xx
            firewall {
                out {
                    name EXTERNAL-IN
                }
            }
        }
    }
    ethernet eth1 {
        address x.x.x.x/xx
        description DMZ
        duplex auto
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address x.x.x.x/xx
        description "Internal Network"
        duplex auto
        firewall {
            in {
                name INTERNAL
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 90 {
            outbound-interface eth0
            source {
                address x.x.x.x/xx
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop x.x.x.x {
                distance 1
            }
        }
    }
}
system {
    name-server 8.8.8.8
}

I found the issue. I had to enable protocol gre on the internal side of my NAT.

 rule 5 {
     action accept
     protocol gre
 }

set nat destination rule 10 inbound-interface 'eth0
set nat destination rule 10 protocol gre
set nat destination rule 10 translation address ‘192.168.0.100’