Unable to connect to VPN through NetGear FVX538 VPN ProSafe Firewall.

Posted on 2006-06-20
Last Modified: 2009-01-20
I have had so much trouble using the Netgear VPN firewall and the VPN client software that I have decided to abandon this setup and venture into something new.
I'm now trying to set up a VPN with the provided, free software that comes with Windows XP Pro and Windows Server 2003. I have successfully set up the VPN server-side with Tech Republic's help and white papers and I have also set up the client-side of the VPN as well.
Now I'm at the part where I'm using pptpsvr.exe and pptpclnt.exe (free from Microsoft) to test whether or not the request from the client is making it through the NetGear firewall and making it to the VPN server. Then the VPN server should reply back to the client with "x" number of GRE packets.
This is my problem. I can't get a reply from the VPN server so I assume that the request is not making it past the firewall. I have opened up port 1723 and forwarded it directly to the static IP of the VPN server. My client is on another network with an IP of 192.168.0.x while the network I'm trying to connect to is on network 192.168.1.x. I did read that I have to set up IP protocol 47 as well. To my knowledge this IP protocol 47 is not TCP/UDP port 47. I don't know how to configure this IP protocol 47 on my FVX538 VPN ProSafe firewall in order to allow my VPN request to reach the server. Any ideas out there on how to configure this IP protocol 47?
I need this issue to be resolved asap in order to keep my boss happy!
Question by:HbugProject
LVL 12

Expert Comment

ID: 16945249
I have a 538 at a client's and it works great.
I don't remember forwarding port 47, just the 1723 one.
They are using the VPN server in Windows, and it connects like a champ from my home network, so the trip is similar:
home 192.168.15.x to the internet, then public IP of the router, then to the private 192.168.1.x address of the server.
Can you try to connect to the VPN from INSIDE the network first - to verify you have it right?

Author Comment

ID: 16946132
Yes I was able to connect to the VPN inside the network. I connected just fine with no problems at all. I just can't seem to connect to it from outside the network.
LVL 77

Expert Comment

by:Rob Williams
ID: 16948289
Protocol 47 (GRE) is usually forwarded by simply enabling "VPN pass-through" or "PPTP pass-through". However, on the Netgear routers I have worked with, this is not an option. Instead, enabling port forwarding using their built-in PPTP port 1723 service enables this automatically. If you manually create a new service for port 1723 rather than using the existing one, this does not seem to be the case. If blocked GRE is the problem, you most often get a #721 connection error.
As for the pptpsvr/ pptpclnt I have never had it work as it is supposed to. If you enable it on the server and try to connect, the server does seem to present a message that the GRE packets were received. But I have never had it show that they were sent back. I suspect you would have to enable port forwarding and configure the firewall on the client to have it function in that way, such as in a site to site PPTP VPN configuration.

First test I would do is from the VPN server go to http://www.canyouseeme.org and test for port 1723. This will at least verify that the port forwarding is functioning. From this site you can also verify the IP to which you are connecting is correct.
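Added example, not part of the original thread: a check of the PPTP control channel on TCP 1723 that sends a Start-Control-Connection-Request and parses the reply, using the message layout from RFC 2637. A successful reply shows only that the port forward reaches a PPTP server; the tunnel data still travels as GRE (IP protocol 47), which this does not test. The host and vendor strings and the sample reply are constructed for illustration.

```python
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie defined in RFC 2637
SCCRQ, SCCRP = 1, 2          # Start-Control-Connection-Request / -Reply
HDR = ">HHIHH"               # length, PPTP msg type, cookie, control type, reserved0

def build_sccrq(host=b"probe", vendor=b"example"):
    """Build the 156-byte Start-Control-Connection-Request."""
    body = struct.pack(">HHIIHH64s64s",
                       0x0100,   # protocol version 1.0
                       0,        # reserved1
                       3,        # framing capabilities: async | sync
                       3,        # bearer capabilities: analog | digital
                       0, 0,     # max channels, firmware revision
                       host, vendor)   # assumed names, NUL-padded to 64 bytes
    return struct.pack(HDR, 12 + len(body), 1, PPTP_MAGIC, SCCRQ, 0) + body

def parse_sccrp(data):
    """Return (result_code, error_code, host_name); raise ValueError if not a reply."""
    if len(data) < 156:
        raise ValueError("short reply: %d bytes" % len(data))
    _length, msg_type, cookie, ctrl, _ = struct.unpack(HDR, data[:12])
    if cookie != PPTP_MAGIC or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    _version, result, error = struct.unpack(">HBB", data[12:16])
    host = data[28:92].rstrip(b"\x00").decode("ascii", "replace")
    return result, error, host   # result 1 means the control connection was accepted

def probe(server, port=1723, timeout=5.0):
    """Connect to the forwarded port, send the request, parse whatever comes back."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)

def sample_reply():
    """Constructed reply bytes so the parser can be exercised offline."""
    body = struct.pack(">HBBIIHH64s64s", 0x0100, 1, 0, 3, 3, 0, 0,
                       b"vpnserver", b"constructed")
    return struct.pack(HDR, 156, 1, PPTP_MAGIC, SCCRP, 0) + body

if __name__ == "__main__":
    print(parse_sccrp(sample_reply()))
```

Run `probe()` from the outside network against the router's public IP: a timeout or refusal points at the port 1723 rule, while a valid reply followed by a failing VPN dial-up points at GRE handling or the server configuration.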

Author Comment

ID: 16954363
That was informative because I did find an issue with my rule I created on the firewall. I went to canyouseeme.org and I tested port 1723 and it was successful. However, they gave me a different IP than the one I had in the rule which was my outside IP that I totally forgot about. So I configured my outside IP address in the rule as well.

So this is how I have my rule set up now in my firewall:
service - PPTP (TCP 1723) + None
Action - Allow always
Send to LAN Server - 192.168.1.x (internal IP of my VPN server)
WAN Users - Any
Public Destination IP Address - Other Public IP Address
                                            209.175.252.x (the IP that canyouseeme.org gave me)
QoS Priority - None
Log - Always

I'm still getting an error 800: Unable to reach VPN server from outside the network.
LVL 77

Expert Comment

by:Rob Williams
ID: 16954814
>>"Public Destination IP Address - Other Public IP Address
                                            209.175.252.x (the IP that canyouseeme.org gave me)"
Is this part of the Netgear configuration or just informing of the VPN client connection information? It is the IP the client should be connecting to.
Also I would completely disable any software firewalls on the VPN server, just as a test. Firewalls such as Windows built-in, ZoneAlarm, Symantec, McAfee and such can block the VPN. One other I have come across is, if using Symantec for virus protection, its Internet Worm Protection feature can cause problems.
If still not working, see if you can connect the remote client directly to its modem, by-passing the router as a test. If you do so, make sure virus protection, Windows updates and such are in place.

Author Comment

ID: 17154854
Problem solved. I was using the wrong internal IP address as the host IP for the VPN configuration. Since I corrected it, it works fine now.
LVL 77

Expert Comment

by:Rob Williams
ID: 17160069
Ah, that would do it <G>. Thanks for the update.

Accepted Solution

ee_ai_construct earned 0 total points
ID: 17399791
PAQ / Refund
ee ai construct, community support moderator
