Solved

Problem to connect to VPN server behind Netgear DG834G router.

Posted on 2004-10-16
Last Modified: 2010-03-24
Hello,

Actually my problem was well described in the

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_20922615.html

thread. Unfortunately the solution at the end (to upgrade/downgrade to 1.04 firmware) did not work for me. I tried to put my question at the end of that thread, but since no one replied, here I go with a new thread:

I have a small LAN of 5 computers (4 of them running Windows XP Home Edition SP2, the last one is a Linux machine). I bought the DG834G ADSL modem + router from Netgear to connect them all. So far all worked as it should. The problem started when I tried to set up a VPN server on one of the Win XP computers to be able to tunnel into the network from outside using my notebook when I am away from home. The notebook has a GPRS internet connection. So I set up an account on dyndns.org to always be able to find my router's changing address (the ISP uses dynamic addressing). Then I set up a PPTP account on one of the LAN's computers. I use the router's DHCP server ability, but I reserved the address of the VPN server computer, so it does not change within the LAN. On the router I set up the inbound connections firewall to pass through ports 1723 and 500 to the VPN server's address.

Now when I try to connect with the notebook to the VPN server I always get error 721. It says the time ran out while verifying the username and password. In the log of the router it says the connection was passed through to the IP address of the VPN server with the comment "MATCH".

In some of the advice I read about trying the Windows tools pptpclnt.exe and pptpsrv.exe. I am able to run pptpsrv.exe, which waits for the connection, but on all three computers the program pptpclnt.exe just blinks and closes itself without prompting me for anything. This could be a sign of a problem, couldn't it?

Please advise what to do to be able to connect to the VPN server. I have spent about three days now experimenting and I would be very happy to find a working solution. By the way, the router's manufacturer declares the router to be able to pass through VPN connections. There have obviously been some problems with the firmware, since for firmware 1.04.01 it states VPN passthrough solved, but for me it does not work with 1.04.01 nor 1.05.00 :-(

I am giving all my points to this hoping I will find the right EXPERT. The online help by Netgear did not bother to answer me and their telephone support does not pick up the phone in Austria either.... :-(
Question by:Fanco
33 Comments
 

Author Comment

by:Fanco
It's me again. I was wrong in saying that pptpclnt.exe does not work. It works; it has to be run from cmd on the C:\
I do not know what the result of it is, though, since I am not at home now and there is nobody at my computer. Any other comments appreciated.
Thanks
 

Author Comment

by:Fanco
Here are more details. When I run pptpsrv.exe on the VPN server computer it replies with:

Error 10048 binding socket
WSAEADDRINUSE : Address already in use

After this message the program runs, but receives no text string sent from pptpclnt.exe over the internet. Both programs communicate in some way, though, because when I run pptpclnt.exe with the correct address and I do not run pptpsrv.exe on the other side, the client does not send anything.

What could this mean???

PLEASE HELP!!!
Thanks
 
LVL 23

Expert Comment

by:Tim Holman
If you want PPTP to work, you need TCP port 1723 and protocol #47 (GRE) open.
Port 500 is for IPSEC, which you're not using...
 

Author Comment

by:Fanco
Hi everybody,

To Tim Holman: as I listed above, I have set up port 1723 to be opened (forwarded to the VPN server). On the router there is no possibility to set up protocol 47 (GRE), but the manufacturer declares the unit is PPTP enabled. I can close port 500 as not needed, but this will not help. The problem will be something with the address, as the Windows utility pptpsrv.exe does not run as on the other machines. As I stated before, it says:

Error 10048 binding socket
WSAEADDRINUSE : Address already in use

I do not know which address is meant. Please help. Thanks
 
LVL 23

Expert Comment

by:Tim Holman
If you run pptpsrv.exe on a VPN server which already has PPTP running, then you'll get this message.
To double check what ports your VPN server has running, use netstat -an.
 

Author Comment

by:Fanco
Hello, it's me again,

Yes, when I deleted the VPN incoming connection, the program pptpsrv.exe runs without errors. I even made a successful PPTP ping from a remote computer. Unfortunately the real VPN connection still hangs in the negotiation phase, resulting in the 721 error as stated above.
Then I tried it the other way. I started pptpsrv on the remote computer and tried to send a text string from within my LAN. The pptpclnt.exe tool ended up with an error 10060 calling connect<>:
WSAETIMEDOUT: Connection timed out.
Could it be possible that the router would stop the outgoing data? I tried this with the firewall off, so there should be nothing else standing in the way of the outgoing connection.

Any ideas?????

P.S.: The netstat command only listed one established connection on the outgoing port 1168. Any idea what program uses this port?
 
LVL 23

Expert Comment

by:Tim Holman
Your server should say something like:

127.0.0.1:1723 LISTENING

..if PPTP is up and running.

1168/tcp comes up as VChat conference Service ?

A 721 error usually means that either GRE protocol 47 or PPTP / TCP 1723 is being blocked.  What's the difference between the 'remote computer' you mentioned in your last post, to an actual VPN client in the wild - are they the same machine ?

If one end is behind NAT, you have to make sure the NAT rule passes EVERYTHING associated with that address, and not just specific ports, otherwise the encapsulation can get screwed.

More here:

http://www.microsoft.com/technet/community/columns/cableguy/cg0103.mspx
 

Author Comment

by:Fanco
Hi here is a listing from the netstat with PPTP incoming connection set up:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.



C:\>netstat -an

Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:445            0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:1723           0.0.0.0:0              ABHÖREN
  TCP    0.0.0.0:2869           0.0.0.0:0              ABHÖREN
  TCP    127.0.0.1:1029         0.0.0.0:0              ABHÖREN
  TCP    192.168.0.3:139        0.0.0.0:0              ABHÖREN
  TCP    192.168.0.3:1300       207.46.107.195:1863    HERGESTELLT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1035           *:*
  UDP    0.0.0.0:1267           *:*
  UDP    0.0.0.0:1304           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1034         *:*
  UDP    127.0.0.1:1282         *:*
  UDP    127.0.0.1:1297         *:*
  UDP    127.0.0.1:1298         *:*
  UDP    127.0.0.1:1649         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.3:9          *:*
  UDP    192.168.0.3:123        *:*
  UDP    192.168.0.3:137        *:*
  UDP    192.168.0.3:138        *:*
  UDP    192.168.0.3:1900       *:*
  UDP    192.168.0.3:47388      *:*

ABHÖREN = LISTEN
HERGESTELLT = connection established

The difference between the remote computer and the VPN server is that the remote computer is a laptop connected to the internet through another provider (GPRS) and the VPN server computer is one of my LAN's computers behind the router DG834G (Netgear). The router has NAT enabled, but setting up a DMZ does not help. The problem looks to be with the outgoing communication from my LAN to the internet. It looks like the router does not allow outgoing communication on port 1723, which does not make sense.
Please help.
 

Author Comment

by:Fanco
Just to be sure I contacted my ISP and they assured me they do not block any ports nor the GRE protocol. The problem seems to be the router...
 
LVL 23

Expert Comment

by:Tim Holman
You may need to open TCP port 500 on the router too -

http://kbserver.netgear.com/kb_web_files/n101222.asp
 

Author Comment

by:Fanco
I have TCP port 500 opened - no joy.....
 
LVL 1

Expert Comment

by:HynesCo
Try and also forward port 47 tcp/udp to the VPN server in your router
HynesCo
 

Author Comment

by:Fanco
Sorry, forwarding port 47 tcp/udp does not help either....
 
LVL 1

Expert Comment

by:HynesCo
Sorry about that, it is actually protocol 47 GRE. O.K., download Port Detective from http://www.portdetective.com/ and you will probably have to enter the port 1723 manually and test. Does the router have a setting for PPTP Passthrough? Also I have seen similar issues with the DHCP service on routers enabled.
HynesCo
 

Author Comment

by:Fanco
Hi HynesCo, Port Detective says port 1723 is open. The router has no settings regarding PPTP passthrough, but on the box and in the manual it says it has PPTP passthrough. How should I correctly deselect DHCP and still have the LAN working? Maybe this could help to find the solution. I repeat again, I already found out the problem is sending PPTP data out of the server into the internet - not receiving it (this works fine). For VPN to work it is necessary to communicate in both directions.

 
LVL 1

Expert Comment

by:HynesCo
Fanco,

I had to run to a client, but check and make sure you have it configured like on this site:

http://www.wown.com/j_helmig/xpvpnsrv.htm
 
LVL 23

Expert Comment

by:Tim Holman
Fanco - set your router up to forward EVERYTHING - ie just do a direct one-to-one translation of your internal VPN Server address to your external address.
Also, does a PPTP client work OK on the inside of the network ?
Finally, verify your MTU settings on the GPRS connection and tune if necessary - http://www.dslreports.com/faq/695
 

Author Comment

by:Fanco
Hi,

To HynesCo: I set up everything as stated there, except I am behind the ADSL router - that's my problem. It does not work....

To Tim Holman: On the router I can only set up the VPN server IP as DMZ. There is no other possibility for direct one-to-one translation, since I have only one IP address from the provider. Setting it as the DMZ should do this, but the VPN does not work with these settings either.
PPTP client and server ping utilities work inside my LAN perfectly. The problem is only when the PPTP server utility is outside the LAN - on the internet. I could not find how exactly I should change the MTU on the GPRS connection to the highest level first. Without this setup there was no fragmentation when pinging with the value 1472.
I will concentrate on testing the VPN connection between two computers using GPRS on both sides. If this works I can conclude that the problem is definitely with the router stopping outgoing communications. Unfortunately Netgear are not willing to collaborate, saying the problem is not in the router.
 
LVL 23

Expert Comment

by:Tim Holman
The DG824M Netgear router supports VPN passthrough, so the DG834G, being more recent, should also:

http://kbserver.netgear.com/kb_web_files/n101222.asp

I really doubt this is a router issue.

Does your VPN work using a standard dial-up account ?  

Are there any personal firewalls installed on the notebooks that could be preventing the connection ?
 
LVL 23

Expert Comment

by:Tim Holman
(Windows XP firewall will block PPTP)
 
LVL 23

Expert Comment

by:Tim Holman
Did you use DrTcp to change the MTU ?
 

Author Comment

by:Fanco
Tim,

I have installed Zone Alarm Pro firewall on the remote computer and Windows SP2 Firewall on the VPN server, but both are disabled while experimenting, and yes, I have also disabled the Windows SP2 firewall on the remote, which becomes active as soon as I switch Zone Alarm Pro off. There also should not be a firewall problem. If it should not be the router, it could only be a filtering problem at the GPRS provider, but it does not look to be so. I tried to ask the cellular telephone provider, but the people there don't look very informed about those things. Is there any possibility to test this?

I was a little afraid to experiment with MTU since the Microsoft article looks a bit scary. Could you please advise me how exactly I have to change the MTU in Windows XP Home? The GPRS connection is via Bluetooth.

Thank you in advance. Mario
 
LVL 1

Expert Comment

by:HynesCo
Hi Franco,

To rule out the possibility of a router issue, can you directly connect the VPN computer to the ISP equipment and see if you can authenticate that way?

HynesCo
 

Author Comment

by:Fanco
Unfortunately this is not possible with this router, since it does not have a WAN connector (it is an ADSL modem and router in one box - it has only a telephone connector). It would be a good idea, but I am not able to simulate an ADSL signal. :-(

I am trying to find someone with GPRS from the same provider to try a PPTP ping with him, but it is not easy, since I don't know anybody personally and the people who do not know me are not ready to experiment on this level...

Any other suggestion?
 
LVL 23

Expert Comment

by:Tim Holman
Changing the MTU will not damage anything - you can make MTU changes on the fly.  You don't have to reboot, and you can always change things back afterwards if you don't like the results !
Follow the advice here - it shows you where to get DrTcp too -

http://www.dslreports.com/faq/695
 

Author Comment

by:Fanco
Tim, I did not find the link where to download DrTCP, but I found it on the net. I followed the advice and found out that the dial-up GPRS connection works fine with MTU 1500 (fragmentation occurs at 1473 and higher). On the computers in my LAN I set the MTU to 1492, since fragmentation occurred at 1465 and higher. I think I did everything as I should, but it does not work. :-( This will not be an MTU issue either.
Please try to find some more ideas.
How could I test if there is no filtering by the GPRS provider? They do filter Voice over IP protocols, for example...

Thanks in advance
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
The only ones for PPTP I can think of are the ones you've used (posted below for reference).  If these don't work, then it's quite possible port 1723 is blocked.
Another way of testing for open ports is to 'telnet {ip} 1723'.  If TCP 1723 isn't open, the telnet session will close, but if it is, you'll be left with a flashing cursor.

Also try an online port scanner, eg shields up - https://grc.com/x/ne.dll?bh0bkyd2.  This will tell you if port 1723 is scannable from the Internet, and well beyond the GPRS network.

btw - I can run a VPN connection using Vodafone GPRS in the UK, so it shouldn't be blocked ?  Check that a firewall hasn't bound itself to the GPRS adapter (there is a fw for each adapter on Windoze).

PPTP Ping (pptpsrv.exe and pptpclnt.exe). This client/server tool lets you verify a PPTP connection. First, you must run the pptpsrv.exe component on the server. Then, you run the pptpclnt.exe component on the client. By using TCP port 1723 (PPTP) and the Generic Routing Encapsulation (GRE) protocol to bounce a data packet between the PPTP server and the client, PPTP Ping verifies that a PPTP connection is possible.

Download from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
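Added example (not part of the thread, and not the code of Microsoft's PPTP Ping tool): the telnet test above only shows that TCP 1723 accepts a connection, whereas this Python code performs the first PPTP control-channel exchange defined in RFC 2637 (Start-Control-Connection-Request and Reply) and checks the answer. The function names, the probe host name and vendor strings, and the sample reply are constructed for illustration.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D          # constant in every PPTP control message
SCCRQ_FMT = ">HHLHHHHLLHH64s64s"   # Start-Control-Connection-Request
SCCRP_FMT = ">HHLHHHBBLLHH64s64s"  # Start-Control-Connection-Reply
MSG_LEN = struct.calcsize(SCCRQ_FMT)  # both messages are 156 bytes


def build_sccrq(hostname=b"probe", vendor=b"added-example"):
    """Build the first message a PPTP client sends on TCP 1723."""
    return struct.pack(
        SCCRQ_FMT,
        MSG_LEN,       # total length
        1,             # PPTP message type: control message
        MAGIC_COOKIE,
        1,             # control message type: Start-Control-Connection-Request
        0,             # reserved0
        0x0100,        # protocol version 1.0
        0,             # reserved1
        1,             # framing capabilities: asynchronous
        1,             # bearer capabilities: analog
        0,             # maximum channels
        0,             # firmware revision
        hostname, vendor)  # padded with NULs to 64 bytes each


def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: not a PPTP control message")
    (_len, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _chans, _fw, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:MSG_LEN])
    if cookie != MAGIC_COOKIE or msg_type != 1 or ctrl_type != 2:
        raise ValueError("not a Start-Control-Connection-Reply")
    return {"ok": result == 1,  # result code 1 = channel established
            "result": result, "error": error, "version": version,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe_control_channel(server, timeout=5.0):
    """Do the SCCRQ/SCCRP exchange with server:1723; raises on timeout/refusal."""
    with socket.create_connection((server, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not captured traffic) for offline checking.
SAMPLE_REPLY = struct.pack(SCCRP_FMT, MSG_LEN, 1, MAGIC_COOKIE, 2, 0, 0x0100,
                           1, 0, 1, 1, 0, 0, b"vpnserver", b"constructed")
```

A reply with `ok` set to true confirms only the TCP 1723 control channel in both directions; the tunnel data travels as GRE (protocol 47), which this exchange does not exercise and which has to be checked separately on the NAT router.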
 

Expert Comment

by:AgriservSystems
Hi

Don't know if you got VPN up and running, but I found this thread useful. I found you had to switch IPSEC udp 500, PPTP tcp 1723 & L2TP udp 1701 to be allowed both ways, and also port 500 TCP to be switched on both ways. Firewall of router now allows VPN traffic with no problems.

S Dalgety
 
LVL 23

Expert Comment

by:Tim Holman
pptpsrv and pptpclient will test whether or not the correct ports are open end to end...
 

Expert Comment

by:AgriservSystems
Having already used pptpsrv and pptpclient to test the connections, it showed that everything was working fine, but until we opened TCP500 the VPN connection could not be successfully established and refused to work, yet as soon as we opened TCP500 the connection works without any problems whatsoever. (Also remembering to open the ports on firewalls at BOTH ends)
 

Expert Comment

by:broozm
I had to add the external port of the SBS server to the DMZ to get past the error 721. It seems traffic WAS getting in, but nothing was coming back, as  I too, could vpn within the lan ok, and could telnet to the port 1723.
Odd that with the previous router I did not have to do this..?
