Fanco

Problem connecting to a VPN server behind a Netgear DG834G router.

Hello,

Actually, my problem was well described in the

https://www.experts-exchange.com/questions/20922615/Error-721-when-trying-to-connect-to-VPN.html

thread. Unfortunately, the solution at the end (to upgrade/downgrade to the 1.04 firmware) did not work for me. I tried to put my question at the end of that thread, but since no one replied, here I go with a new thread:

I have a small LAN of 5 computers (4 of them running Windows XP Home edition SP2, the last one is a Linux machine). I bought the DG834G ADSL modem + router from Netgear to connect them all. So far everything worked as it should. The problem started when I tried to set up a VPN server on one of the Win XP computers, to be able to tunnel into the network from outside using my notebook when I am away from home. The notebook has a GPRS internet connection. So I set up an account on dyndns.org to always be able to find my router's changing address (the ISP uses dynamic addressing). Then I set up a PPTP account on one of the LAN's computers. I use the router's DHCP server, but I reserved the address of the VPN server computer, so it does not change within the LAN. On the router I set up the inbound connections firewall to pass ports 1723 and 500 through to the VPN server's address.

Now when I try to connect with the notebook to the VPN server I always get error 721. It says that time ran out while verifying the username and password. In the log of the router it says the connection was passed through to the IP address of the VPN server with the comment "MATCH".

In some of the advice I read, it was suggested to try the Windows tools pptpclnt.exe and pptpsrv.exe. I am able to run pptpsrv.exe, which waits for the connection, but on all three computers the program pptpclnt.exe just blinks and closes itself without prompting me for anything. This could be a sign of a problem, couldn't it?

Please advise what to do to be able to connect to the VPN server. I have spent about three days now experimenting and I would be very happy to find some working solution. By the way, the router's manufacturer declares the router to be able to pass through VPN connections. There have obviously been some problems with the firmware, since for firmware 1.04.01 it states that VPN passthrough was solved, but for me it works with neither 1.04.01 nor 1.05.00 :-(

I am giving all my points to this hoping I will find the right EXPERT. The online help by Netgear did not bother to answer me and their telephone support does not pick up the phone in Austria either.... :-(
Fanco

ASKER

It's me again. I was wrong in saying that pptpclnt.exe does not work. It works; it has to be run from cmd on C:\
I do not know what the result of it is, though, since I am not at home now and there is nobody at my computer. Any other comments appreciated.
Thanks
Fanco

ASKER

Here are more details. When I run pptpsrv.exe on the VPN server computer it replies with:

Error 10048 binding socket
WSAEADDRINUSE : Address already in use

After this message the program runs, but receives no text string sent from pptpclnt.exe over the internet. Both programs do communicate in some way, though, because when I run pptpclnt.exe with the correct address and do not run pptpsrv.exe on the other side, the client does not send anything.

What could this mean???

PLEASE HELP!!!
Thanks
Tim Holman
If you want PPTP to work, you need TCP port 1723 and protocol #47 (GRE) open.
Port 500 is for IPSEC, which you're not using...
Fanco

ASKER

Hi everybody,

To Tim Holman: as I listed above, I have set up port 1723 to be opened (forwarded to the VPN server). On the router there is no possibility to set up protocol 47 (GRE), but the manufacturer declares the unit is PPTP enabled. I can close port 500 as not needed, but this will not help. The problem will be something with the address, as the Windows utility pptpsrv.exe does not run as on the other machines. As I stated before, it says:

Error 10048 binding socket
WSAEADDRINUSE : Address already in use

I do not know which address is meant. Please help, thanks.

If you run pptpsrv.exe on a VPN server which already has PPTP running, then you'll get this message.
To double check what ports your VPN server has running, use netstat -an.
Fanco

ASKER

Hello, it's me again,

Yes, when I deleted the VPN incoming connection, the program pptpsrv.exe ran without errors. I even made a successful PPTP ping from a remote computer. Unfortunately the real VPN connection still hangs in the negotiation phase, resulting in error 721 as stated above.
Then I tried it the other way. I started pptpsrv on the remote computer and tried to send a text string from within my LAN. The pptpclnt.exe tool ended up with an error 10060 calling connect<>:
WSAETIMEDOUT: Connection timed out.
Could it be possible that the router stops the outgoing data? I tried this with the firewall off, so there should be nothing else standing in the way of the outgoing connection.

Any ideas?????

P.S.: The netstat command only listed one established connection on the outgoing port 1168. Any idea what program uses this port?

Your server should say something like:

127.0.0.1:1723 LISTENING

..if PPTP is up and running.

1168/tcp comes up as VChat conference Service ?

A 721 error usually means that either GRE protocol 47 or PPTP / TCP 1723 is being blocked.  What's the difference between the 'remote computer' you mentioned in your last post, to an actual VPN client in the wild - are they the same machine ?

If one end is behind NAT, you have to make sure the NAT rule passes EVERYTHING associated with that address, and not just specific ports, otherwise the encapsulation can get screwed.

More here:

http://www.microsoft.com/technet/community/columns/cableguy/cg0103.mspx
Fanco

ASKER

Hi, here is a listing from netstat with the PPTP incoming connection set up:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.



C:\>netstat -an

Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:445            0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:1723           0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:2869           0.0.0.0:0              ABHÖREN
  TCP    127.0.0.1:1029         0.0.0.0:0              ABHÖREN
  TCP    192.168.0.3:139        0.0.0.0:0              ABHÖREN
  TCP    192.168.0.3:1300       207.46.107.195:1863    HERGESTELLT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1035           *:*
  UDP    0.0.0.0:1267           *:*
  UDP    0.0.0.0:1304           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1034         *:*
  UDP    127.0.0.1:1282         *:*
  UDP    127.0.0.1:1297         *:*
  UDP    127.0.0.1:1298         *:*
  UDP    127.0.0.1:1649         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.3:9          *:*
  UDP    192.168.0.3:123        *:*
  UDP    192.168.0.3:137        *:*
  UDP    192.168.0.3:138        *:*
  UDP    192.168.0.3:1900       *:*
  UDP    192.168.0.3:47388      *:*

ABHÖREN=LISTEN
HERGESTELLT=connection established

The difference between the remote computer and the VPN server is that the remote computer is a laptop connected to the internet through another provider (GPRS) and the VPN server computer is one of my LAN's computers behind the DG834G (Netgear) router. The router has NAT enabled, but setting up a DMZ does not help. The problem looks to be with the outgoing communication from my LAN to the internet. It looks like the router does not allow outgoing communication on port 1723, which does not make sense.
Please help.
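
One way to read a listing like the one in the post above, as an added example that is not part of the original thread: it parses `netstat -an` output with English or German state words and reports which VPN-related sockets are open. The function names `vpn_listeners` and `pptp_report` and the port table are assumptions made for this example; the point it makes is that netstat can confirm the TCP 1723 control channel but can never show GRE, which is IP protocol 47 and has no ports.

```python
import re

# Constructed sample: a trimmed copy of the German-locale `netstat -an` listing in the post above.
SAMPLE = """\
  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:1723           0.0.0.0:0              ABHÖREN
  TCP    192.168.0.3:1300       207.46.107.195:1863    HERGESTELLT
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:4500           *:*
"""

LISTEN_WORDS = {"LISTENING", "LISTEN", "ABHÖREN"}  # English and German state words
VPN_SOCKETS = {  # well-known VPN sockets (lookup table assumed for this example)
    ("TCP", 1723): "PPTP control channel",
    ("UDP", 500): "IKE (IPsec key exchange)",
    ("UDP", 1701): "L2TP",
    ("UDP", 4500): "IPsec NAT traversal",
}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def vpn_listeners(netstat_text):
    """Return {(proto, port): local_address} for VPN-related open sockets."""
    found = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, banner or blank line
        proto, addr, port, _remote, state = m.groups()
        # UDP rows carry no state column; TCP rows count only when listening.
        if proto == "TCP" and (state or "").upper() not in LISTEN_WORDS:
            continue
        if (proto, int(port)) in VPN_SOCKETS:
            found[(proto, int(port))] = addr
    return found

def pptp_report(netstat_text):
    found = vpn_listeners(netstat_text)
    control = found.get(("TCP", 1723))
    return {
        "control_channel_listening": control is not None,
        "bound_beyond_loopback": control is not None and not control.startswith("127."),
        # GRE is IP protocol 47 and has no port numbers, so no netstat row can show it.
        "gre_visible_in_netstat": False,
        "other_vpn_sockets": sorted(VPN_SOCKETS[k] for k in found if k != ("TCP", 1723)),
    }
```

A listener on TCP 1723 together with error 721 therefore leaves the GRE path through the NAT device as the part still unverified; a packet capture on the server is what shows whether protocol 47 packets arrive and leave.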
Fanco

ASKER

Just to be sure, I contacted my ISP and they assured me they do not block any ports nor the GRE protocol. The problem seems to be the router...

You may need to open TCP port 500 on the router too -

http://kbserver.netgear.com/kb_web_files/n101222.asp
Fanco

ASKER

I have TCP port 500 opened - no joy.....

Try to also forward port 47 tcp/udp to the VPN server in your router.
HynesCo
Fanco

ASKER

Sorry, forwarding port 47 tcp/udp does not help either....

Sorry about that, it is actually protocol 47 (GRE). OK, download Port Detective from http://www.portdetective.com/; you will probably have to enter port 1723 manually and test. Does the router have a setting for PPTP passthrough? Also, I have seen similar issues with the DHCP service on routers enabled.
HynesCo
Fanco

ASKER

Hi HynesCo, Port Detective says port 1723 is open. The router has no settings regarding PPTP passthrough, but on the box and in the manual it says it has PPTP passthrough. How should I correctly deselect DHCP and still have the LAN working? Maybe this could help to find the solution. I repeat: I have already found out that the problem is sending PPTP data out from the server to the internet, not receiving it (this works fine). For the VPN to work, it is necessary to communicate in both directions.

Fanco,

I had to run to a client, but check and make sure you have it configured like on this site:

http://www.wown.com/j_helmig/xpvpnsrv.htm

Fanco - set your router up to forward EVERYTHING - ie just do a direct one-to-one translation of your internal VPN Server address to your external address.
Also, does a PPTP client work OK on the inside of the network ?
Finally, verify your MTU settings on the GPRS connection and tune if necessary - http://www.dslreports.com/faq/695
Fanco

ASKER

Hi,

To HynesCo: I set up everything as stated there, except that I am behind the ADSL router - that's my problem. It does not work....

To Tim Holman: On the router I can only set up the VPN server IP as the DMZ. There is no other possibility for a direct one-to-one translation, since I have only one IP address from the provider. Setting it as the DMZ should do this, but the VPN does not work with these settings either.
The PPTP client and server ping utilities work perfectly inside my LAN. The problem is only when the PPTP server utility is outside the LAN, on the internet. I could not find out how exactly I should first change the MTU on the GPRS connection to the highest level. Without this setup there was no fragmentation when pinging with the value 1472.
I am concentrating on testing the VPN connection between two computers using GPRS on both sides. If this works I can conclude that the problem is definitely the router stopping outgoing communications. Unfortunately Netgear is not willing to cooperate, saying the problem is not in the router.

The DG824M Netgear router supports VPN passthrough, so the DG834G, being more recent, should also:

http://kbserver.netgear.com/kb_web_files/n101222.asp

I really doubt this is a router issue.

Does your VPN work using a standard dial-up account ?  

Are there any personal firewalls installed on the notebooks that could be preventing the connection ?
(Windows XP firewall will block PPTP)
Did you use DrTcp to change the MTU ?
Fanco

ASKER

Tim,

I have installed the Zone Alarm Pro firewall on the remote computer and the Windows SP2 firewall on the VPN server, but both are disabled while experimenting, and yes, I have also disabled the Windows SP2 firewall on the remote computer, which becomes active as soon as I switch Zone Alarm Pro off. So there should not be a firewall problem either. If it is not the router, it could only be a filtering problem at the GPRS provider, but it does not look to be so. I tried to ask the cellular telephone provider, but the people there don't look very informed about those things. Is there any possibility to test this?

I was a little afraid to experiment with the MTU since the Microsoft article looks a bit scary. Could you please advise me how exactly I have to change the MTU in Windows XP Home? The GPRS connection is via Bluetooth.

Thank you in advance. Mario

Hi Fanco,

To rule out the possibility of a router issue, can you directly connect the VPN computer to the ISP equipment and see if you can authenticate that way?

HynesCo
Fanco

ASKER

Unfortunately this is not possible with this router, since it does not have a WAN connector (it is an ADSL modem and router in one box - it has only a telephone connector). It would be a good idea, but I am not able to simulate an ADSL signal. :-(

I am trying to find someone with GPRS from the same provider to try a PPTP ping with him, but it is not easy, since I don't know anybody personally and the people who do not know me are not ready to experiment on this level...

Any other suggestion?

Changing the MTU will not damage anything - you can make MTU changes on the fly.  You don't have to reboot, and you can always change things back afterwards if you don't like the results !
Follow the advice here - it shows you where to get DrTcp too -

http://www.dslreports.com/faq/695
Fanco

ASKER

Tim, I did not find the link where to download DrTCP, but I found it on the net. I followed the advice and found out that the dial-up GPRS connection works fine with MTU 1500 (fragmentation occurs at 1473 and higher). On the computers in my LAN I set the MTU to 1492, since fragmentation occurred at 1465 and higher. I think I did everything as I should, but it does not work. :-( So this will not be an MTU issue either.
Please try to come up with some more ideas.
How could I test whether there is filtering by the GPRS provider? They do filter Voice over IP protocols, for example...

Thanks in advance
ASKER CERTIFIED SOLUTION
Tim Holman

This solution is only available to members.

Hi

Don't know if you got the VPN up and running, but I found this thread useful. I found you had to switch IPSEC UDP 500, PPTP TCP 1723 and L2TP UDP 1701 to be allowed both ways, and also port 500 TCP to be switched on both ways. The firewall of the router now allows VPN traffic with no problems.

S Dalgety

pptpsrv and pptpclient will test whether or not the correct ports are open end to end...

Having already used pptpsrv and pptpclient to test the connections, it showed that everything was working fine, but until we opened TCP500 the VPN connection could not be successfully established and refused to work, yet as soon as we opened TCP500 the connection works without any problems whatsoever. (Also remembering to open the ports on firewalls at BOTH ends)

I had to add the external port of the SBS server to the DMZ to get past the error 721. It seems traffic WAS getting in, but nothing was coming back, as I, too, could VPN within the LAN OK, and could telnet to port 1723.
Odd that with the previous router I did not have to do this..?