Solved

VPN problem - VPN not responding waiting for MSG 2

Posted on 2013-01-27
Last Modified: 2013-02-03
I'm changing my home PC from one running XP to one running Windows 7 x64. At the moment I have them both connected to my home router (Virgin broadband) and the Watchguard VPN client is installed on both with the same current WGX file.

The XP PC can connect the VPN fine but the Windows 7 box reports the error "VPN not responding waiting for MSG 2". For now I've turned off the Windows firewall on Windows 7 but that hasn't helped.

I'm not that familiar with VPN set up so I'm baffled why XP is fine but Windows 7 isn't.

Can anyone help?

Thanks
0
Question by:funasset
16 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 38824203
I assume you are using the IPSec client (not SSL, which is in fact OpenVPN). MSG2 is the first reply the initiator (client) expects to get - it does not, and you should see the reason on your WatchGuard for that, IF the initial packet arrives there, that is.

Did you stop the Windows Firewall service, or just switch off the firewall? The latter should be done, as the first causes strange behaviour most of the time.
Sadly, there is not much you can test, as IPSec uses a UDP connection on port 500 (switching to UDP/4500 after the first exchanges because you are behind a NAT firewall - your router). UDP connections are harder to trace, as they are state- and sessionless.

You might want to try out Shrew VPN (http://www.shrew.net/download/vpn), a compatible, free VPN client able to read a WGX file, or update the WatchGuard client if it is older than 2010 (v11).
0
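Added example, not part of the original thread: a minimal Python check of the "waiting for MSG 2" condition described in the comment above, reading the ISAKMP header (RFC 2408) from UDP/500 and UDP/4500 payloads captured on the client. It assumes the payloads were exported from a packet capture; `parse_ike`, `diagnose` and the sample captures are hypothetical names and constructed data.

```python
import struct

# ISAKMP header (RFC 2408 s3.1), 28 bytes: initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: precedes IKE messages on UDP/4500
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def parse_ike(port, payload):
    """Return ISAKMP header fields as a dict, or None if not an IKEv1 message."""
    if port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None                      # ESP-in-UDP data or 0xFF keepalive
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    icookie, rcookie, _, version, xchg, flags, _, length = HDR.unpack_from(payload)
    if version >> 4 != 1 or length != len(payload):
        return None                          # not IKEv1, or truncated capture
    return {"icookie": icookie, "rcookie": rcookie,
            "exchange": EXCHANGES.get(xchg, str(xchg)), "encrypted": bool(flags & 1)}

def diagnose(capture):
    """capture: (direction, udp_port, payload) tuples, direction 'out' or 'in'."""
    pending = set()                          # cookies of unanswered first messages
    for direction, port, payload in capture:
        msg = parse_ike(port, payload)
        if msg is None:
            continue
        if direction == "out" and msg["rcookie"] == ZERO_COOKIE:
            pending.add(msg["icookie"])      # MSG 1: responder cookie still zero
        elif direction == "in" and msg["icookie"] in pending:
            return "gateway answered (%s exchange)" % msg["exchange"]
    if pending:
        return "MSG 1 left the client, no reply seen: check path/NAT and gateway log"
    return "no IKE first message seen leaving the client: check local client/firewall"

def _msg(icookie, rcookie, xchg, body=b""):
    """Build a constructed IKEv1 message (header plus optional body) for the demo."""
    return HDR.pack(icookie, rcookie, 0, 0x10, xchg, 0, 0, HDR.size + len(body)) + body

# Constructed sample captures, not real traffic.
C = b"\x11" * 8
FAILING = [("out", 500, _msg(C, ZERO_COOKIE, 4))] * 3          # retransmits only
WORKING = [("out", 500, _msg(C, ZERO_COOKIE, 4)),
           ("in", 500, _msg(C, b"\x22" * 8, 4))]

if __name__ == "__main__":
    print(diagnose(FAILING))
    print(diagnose(WORKING))
```

The first result separates "the request never left the PC" from "the request left but nothing came back", which is the distinction the gateway log is needed for.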
 
LVL 90

Expert Comment

by:John Hurst
ID: 38824222
Another client to try is NCP Secure Entry (www.ncp-e.com). This is not a free client but it is best of breed, works on Windows 7 and 8 Pro 64-bit and works through double NAT arrangements. This is the client I use and I find it very much worth the cost.

.... Thinkpads_User
0
 

Author Comment

by:funasset
ID: 38824337
I'm just using the same software I had before. Dumb question - how do I know if it's using IPSec? I went in to the firewall settings and stopped any firewall I could find. Win7 seems to have more than one (domain, public) although XP could have had them but they were better hidden!

I'll check for client software updates on Watchguard and investigate the Shrew VPN as well.

Thanks

To be continued.......................
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38824352
If I think about it, a WGX file suggests you use the IPSec client ;-).

What you see about Domain and stuff is called Network Zones, and was invented with Vista. Depending on whether the default gateway is reachable, it is well-known already and such, the firewall determines if you are using a public hotspot or your more secure private home office, and applies different security rules for that. The zones can (and shall) be assigned as soon as a new network is detected.

So you switched off the firewall in the firewall settings - that is great, exactly what you should do. Since you are behind a router, the switched-off local firewall will not matter much (in respect to threats trying to attack from the Web).

You should also make sure you do not use the client on XP and W7 at the same time - that might introduce additional issues, as the WatchGuard might not be able to associate the connection to the client properly, and only one of both will work.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38824520
VPN software for XP may not work in a 64-bit environment. That is why I switched to a more universal and capable IPSec client.

how do I know if it's using IPSec?  "VPN not responding waiting for MSG 2" is an IPSec type of message (two phases).

.... Thinkpads_User
0
 

Author Comment

by:funasset
ID: 38824755
"You might want to try out Shrew VPN (http://www.shrew.net/download/vpn), a compatible, free VPN client able to read a WGX file, or update the WatchGuard client if it is older than 2010 (v11)."

I looked on the Watchguard site for an updated client and it seems they are now recommending Shrew VPN! I find this a bit odd as colleagues using Windows 7 have used the same software I installed and they've had no problem.  I downloaded this anyway but it might as well be in Welsh. I couldn't see any option to read in a WGX file?

I've opened a ticket with WG support to see whether they can guide me through.

Thanks all for your help thus far - I'll update this later.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38824807
Sorry for the WGX misinformation. Shrew cannot read it, I was misled by the search results you get mentioning WGX files and Shrew :(.
WatchGuard describes how to create the .vpn file needed for Shrew in
http://www.watchguard.com/help/docs/webui/11/en-US/index_Left.html#CSHID=en-US%2Fmvpn%2Fipsec%2Fmvpn_ipsec_generate-profile-files_web.html|StartTopic=Content%2Fen-US%2Fmvpn%2Fipsec%2Fmvpn_ipsec_generate-profile-files_web.html

Those fellows of you using MUVPN on W7, do they have x86 or x64?

Whatsoever, seems to be a good idea to get WG itself involved.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38824815
Shrew does work but we had to add settings in a Juniper Netscreen at a client. We have gone back to NCP because it is robust and reliable. It is not free, but wherever a connection is very important to a client, we use NCP.

.... Thinkpads_User
0
 

Author Comment

by:funasset
ID: 38824835
Thanks again all - I'll look at the details tomorrow and get back to you.
0
 

Author Comment

by:funasset
ID: 38826368
Update - just spoke to my 2 colleagues who also VPN to the office and they are both using Win7 x64 with the same Watchguard software I have installed.

WG also provided a link to instructions re creating a file to import in to Shrew but Help seems to be down as neither that link nor the one kindly provided here appear to be working.

And it's only Monday..........
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38826417
How long ago did you upgrade?

A couple of things:
1. Are you behind a double NAT? This results from extra networking layers. That is not always fixable without upgrading to a different client that will traverse double NAT systems.

2. Do a TCP/IP repair on your PC.

3. Consider upgrading firmware on your home router.
.    Thinkpads_User
0
 

Author Comment

by:funasset
ID: 38826430
Upgrade the client software you mean? I don't know to be honest - I don't have much to do with the WG box or VPN as you can probably tell!

1.  How can I check?
2.  That's a new one on me - can you advise please?
3.  I'd need to speak to my cable provider about that. I'll look in to it.

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38826451
If your existing VPN application works on other computers, then in theory it should work on your machine.

What I meant by new client application was different client software like NCP.

Talk to your cable provider first, though.
.... Thinkpads_User
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38826648
With respect to TCP/IP:

http://support.microsoft.com/kb/299357 to reset TCP/IP  and

http://windows.microsoft.com/en-US/windows-vista/Troubleshoot-Internet-connection-problems  for general troubleshooting steps.

One more thing:  I do not do this and do not necessarily recommend it, but you might try disabling IPv6 to see if that helps. It should not interfere, but in the event it does, disabling may help.

.... Thinkpads_User
0
 

Accepted Solution

by:funasset
ID: 38830457
Well I created the wgx file again, just as I had done before and emailed it to my home account once again. I uninstalled and re-installed the WG client in exactly the same way I had done umpteen times over the weekend. I then applied the wgx file and used the exact same passwords etc as before......and the damned thing decided to connect this time. I give up.

At least if it falls over again I now know about the Shrew VPN alternative so thanks for that.

Sometimes, just sometimes I really hate technology.............

Thanks all.
0
 

Author Closing Comment

by:funasset
ID: 38848243
See previous post.
0
