  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 27165

Connecting Contivity VPN client through Netgear WGR614 Wireless AP

I am trying to connect a laptop with a 802.11b wifi card to a corporate VPN using the Nortel Contivity VPN client. The local wifi AP is a Netgear WGR614 v1 router (i.e. it's 802.11b compliant).

From the laptop, I can see and ping the router. I can also see and ping the outside world (tested by pinging a known domain outside).

But login attempts on the VPN always fail, advising me to review the switch logs. I'm assuming this indicates a failure at the corporate VPN switch. But corporate IT says all is well on their end.

Router: 192.168.0.1
Laptop: 192.168.0.4 (reserved; other devices use DHCP but laptop remains at same address)

After discussion with Netgear, I set port forwarding for ports 500 and 1723.

Instruction was to indicate server to forward ports to - I entered the ip address of the laptop (192.168.0.4).

Login attempts still fail.

Advice? Should I be opening other ports? I've seen some advice to the effect that I should be messing with protocols (specifically 47 - GRE), but I see nothing at Netgear that lines up with this (or tells me how to do it).

Many thanks!
0
Asked: ceedn
1 Solution
 
Tim Holman Commented:
I have the same setup at home - works fine.
You would have issues if your corporate network also uses 192.168.0.x, but apart from that, things should work !
The Netgear won't need touching - if you have NAT setup (which is default), then IPSEC/GRE passthrough is enabled automatically.
In the Contivity Client, could you do Options > Log Session to File, bring up a session, then post up the log ?


0
 
ceedn (Author) Commented:
Here's a sample from the log with domains/ip obscured:

***
Sat Nov 20 13:36:38 2004 | Isakmpd | I | Connection initiated to aaa.bbb.ccc.com [192.XXX.YYY.ZZZ] using Diffie-Hellman group 2.
Sat Nov 20 13:36:45 2004 | Isakmpd | F | Login failed. Please consult the switch log for further information.
***

Not exactly a verbose exchange.

The ip referenced is the corporate server we're trying to connect to.

Assumed the switch log referred to is expected to be at 192.XXX.YYY.ZZZ, but the corp IT folks say there's no problem on their end. Other users are claimed to be connecting fine (I am confident of this).

thx.
0
 
Tim Holman Commented:
What does the switch log say then ?
It looks like IKE / Phase 1 / ISAKMP is failing, so something like DES / 3DES or MD5 / SHA mismatch ?
0
 
ceedn (Author) Commented:
No feedback on the switch log.

Corporate IT (which supplied the laptop and Contivity client installed on it) just says there's no problem on their end (officially they don't provide support for home connections).

I'm wondering if there's another port I should be forwarding, or if there's another router setting I should be looking at.

thx.
0
 
AutoSponge Commented:
Just to check, switch to DMZ on your .4 host and see if you can connect.  If so, then there are ports you'll need to forward.  One way to figure them out then is to run netstat from a command line while you're connected in DMZ mode.
0
 
Tim Holman Commented:
You would generally need to setup forwarding of protocols 47, 50, 51, TCP/UDP ports 500, 1723, 4500 and 10000 to enable any combination of VPN to work (IPSEC, PPTP, NAT-T, IKE over IP).

I'm pretty sure the Netgear will do this by default, although if support have asked you to start manually forwarding ports, then perhaps this is not the default behaviour ?

ISPs also have a tendency of dropping non-IP, so you may have to end up using IKE over TCP (if the Contivity Switch supports this ?) as an alternative.

Please also make sure that your corporate network uses a different IP range than you.
0
 
ceedn (Author) Commented:
Corp network has a unique ip range.

Ports 500 and 1723 already forwarded (per advice of Netgear).

I'll forward ports 4500 and 10000. But I can't find any info on how to forward protocols - just ports.

Is this done via the same interface (i.e. set port 47 to forward), or is there another way to do this?

I'll also consider moving the laptop to a DMZ (at least for a test).

thx.
0
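Added example (not part of any poster's message): the numbers 47, 50 and 51 listed above are IP protocol numbers carried in the IPv4 header, not TCP/UDP ports, which is why a port-forwarding screen has no place to enter them. The sketch below parses constructed sample packets and reports what a NAT router could match on; the destination address 192.0.2.1 and the helper names are assumptions made for illustration.

```python
import struct

# IP protocol numbers named in the thread; these are not ports.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
# Well-known VPN ports: (transport, destination port) -> role.
VPN_PORTS = {("UDP", 500): "IKE/ISAKMP", ("UDP", 4500): "IPsec NAT-T",
             ("TCP", 1723): "PPTP control"}

def classify(packet: bytes) -> dict:
    """Parse an IPv4 packet and report what a port-forward rule could match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = IP_PROTOCOLS.get(packet[9], f"protocol {packet[9]}")
    result = {"protocol": proto, "dst_port": None, "role": proto,
              "port_forwardable": False}
    if proto in ("TCP", "UDP"):           # only these two carry port numbers
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        _src, dst = struct.unpack_from("!HH", packet, ihl)
        result.update(dst_port=dst, port_forwardable=True,
                      role=VPN_PORTS.get((proto, dst), f"{proto}/{dst}"))
    return result

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet (checksum left at zero; not for sending)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 168, 0, 4]),
                         bytes([192, 0, 2, 1]))
    return header + payload

def ports(src: int, dst: int) -> bytes:
    """First bytes of a TCP/UDP header: source and destination port."""
    return struct.pack("!HH", src, dst) + b"\x00" * 4

# Constructed samples covering the traffic types mentioned in the thread.
SAMPLES = {
    "ike": build_ipv4(17, ports(500, 500)),
    "nat_t": build_ipv4(17, ports(4500, 4500)),
    "pptp": build_ipv4(6, ports(1050, 1723)),
    "gre": build_ipv4(47, b"\x00" * 8),
    "esp": build_ipv4(50, b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

GRE and ESP come back with no destination port, so they depend on the router's protocol passthrough (or on NAT-T wrapping ESP in UDP 4500) rather than on any port-forward entry.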
 
Tim Holman Commented:
Does the VPN work if you dial-up instead of going via DSL ?
0
 
ceedn (Author) Commented:
Added ports 4500 and 10000 - no luck.

Moved to DMZ - no luck.

Reluctant to try dialup - I think it may be more of an old-fashioned dial-in connection - a physical connection that means the VPN wouldn't be used anyway. If no solution by weekend will re-consider.

Any more suggestions?
0
 
Tim Holman Commented:
Do you have a personal firewall installed ?  If so, turn it off quickly and retest the VPN to see if it is interfering.
When I say try dial-up, I mean use a dial-up to a free ISP somewhere, and try the VPN client over that instead (this will rule out Netgear problems)..
0
 
ceedn (Author) Commented:
No firewall that I'm aware of (but there _is_ Norton AV), but I'll double check over the weekend.

Thanks for the clarification on dial-up - I'll see what I can do with that.

BTW, log from attempt with DMZ setup was the same as already posted.

thx.
0
 
ceedn (Author) Commented:
After one last effort, I gave up on the Netgear and swapped in a Linksys 802.11g router.

Worked like a charm.

Second time a Netgear box has let me down. This was version 1 of their 802.11g, but their website doesn't suggest that it doesn't work properly, just that they changed chipsets. Grrr....

Anyways, all's well that ends well. Thanks for the help.

p.s. Linksys worked without any tweaks to ports, etc. I was up and running in minutes.
0
 
Tim Holman Commented:
Maybe a firmware to the Netgear would have fixed this ?
As I've said before, mine works fine - no port tweaking or anything to get my Contivity client working ?
0
 
Walleyeprof Commented:
I had this EXACT same issue and spent 4 evenings messing around with port forwarding (tried just about every port) and other things including upgrading\downgrading the firmware on my Netgear WGR614 v4 wireless router.  I have my WGR614 connect to a DSL modem (from Alltel) and decided this evening to connect my laptop directly to the dsl modem to try to rule-out the Netgear router as the problem.  When I hooked-up my laptop to the dsl modem I had the exact same vpn connection problem - which indicated that maybe the problem was not with my netgear router.  I used Alltel's DSL modem software and realized that the darn DSL modem had a built in firewall with the settings set to 'medium security.'  I turned off the firewall within the DSL router which fixed my VPN connection problem through the DSL Modem.  I then tested the VPN connection using the WGR614 and it worked great!  I then went back and removed ALL of the port forward settings in the WGR614 and everything continues to work great!!  I only wish that I had tested the connection at the DSL router 4 nights ago....  This thread helped and I wanted to contribute my findings.
0
 
ceedn (Author) Commented:
Further to Tim's last comment, I had upgraded the firmware on the Netgear before starting.

I still suspect that the real culprit was chipset or some other design issue that was quietly switched in later hardware revisions.

On Walleyeprof's experience - interesting. Demonstrates the wonderful complexity of networking. It wasn't that long ago that all of this stuff was only ever touched by very expensive technicians. Now everybody and their uncle is messing with networks. And there are potential hazards at literally every point of interconnection.

On the positive, the interfaces are _much_ more user friendly these days, and it's been a long time since I've had to install proprietary software (vs. a web interface) to configure a router.

Given Tim's helpfulness, I'd suggest points go to him.

Happy new year, all.
0
 
Tim Holman Commented:
It's up to you to 'accept' an answer...
0
 
WILLLGLOY Commented:
I experienced this same problem and ended up resetting my wireless modem back to the factory for it to work and it did.  So I made one change at a time and learned that when the SSID for the wireless contains any special characters such as a – in my case or is too long in length, that the PPTP would fail.  There is no need to set the DMZ or even open any ports since the wireless router does this automatically.

So my recommendation is keep it simple – eight or less characters in the SSID and no special characters and it should work without a problem.  
0
