Win2K RRAS VPN through Netgear DG834

Hi,

I am having a few problems re-setting up my VPN, for client PCs I have
connected to the internet elsewhere, using a new Netgear DG834
modem/router/firewall. I used to have my Win2k SP3 DC connected directly to
the internet using the BT Frog (Alcatel USB ADSL modem), but this has always
caused massive instability on my server, so have moved to a separate router
(the DG834).
I have had a VPN (PPTP) set up using RRAS on this server, which has always
worked fine. I have now, obviously removed the RRAS configuration on the
server that provided the internet connectivity for my LAN clients and have
instead set up the new router to provide this. I have now reconfigured RRAS
to simply provide VPN functions.
I performed the following tasks to accomplish this:

(1) Created firewall rules on the DG834 to forward PPTP and IPSec traffic to
my Win2K server:

Outbound Services
1 Port135 BLOCK always Any Any Always
Default Yes Any ALLOW always Any Any Never

Inbound Services
1 Any(ALL) ALLOW always 192.168.0.5 Any Never - THIS IS DISABLED and only
there for testing...
2 SETI ALLOW always 192.168.0.5 Any Always
3 VNC1 ALLOW always 192.168.0.5 Any Always
4 VNC2 ALLOW always 192.168.0.5 Any Always
5 FTP ALLOW always 192.168.0.5 Any Always
6 HTTP ALLOW always 192.168.0.5 Any Always
7 SMTP ALLOW always 192.168.0.5 Any Always
8 RemAcc ALLOW always 192.168.0.5 Any Always
9 Port135 ALLOW always 192.168.0.5 Any Always
10 POP3 ALLOW always 192.168.0.5 Any Always
11 VPN-PPTP ALLOW always 192.168.0.5 Any Always
12 VPN-IPSEC ALLOW always 192.168.0.5 Any Always
Default Yes Any BLOCK always Any Any Never

I am a little unsure about the necessity for IPSEC, as I thought this was
only required for L2TP VPNs, but did see an article somewhere on the Netgear
forums saying it should be used. I'm probably wrong about it either way!
I am blocking Port135 out as I have another DC at the end of a VPN
connection that my main DC is sending 135 traffic to, but my ISP is
detecting all 135 traffic out and blocking the connection, due to the
possibility of it being a virus / worm. I am not worried about this and
don't really need the other DC.

(2) Set up RRAS on my Win2k Server:
I started the configuration wizard and selected to install the RRAS Service
manually, as advised in many places, due to a bug in RRAS. I then allowed
the service to start. I right clicked the Server and selected "Properties"
and ensured that "Router" was ticked, "LAN and demand-dial routing" was
selected and "Remote Access Server" was ticked. On the "IP" tab, "Enable IP
Routing" and "Allow IP-based remote access and demand-dial connection" are
both ticked and I set up the server to assign IP addresses using a "Static
address pool" of 192.168.0.200 - 192.168.0.210
Next, I clicked on the "Ports" icon and selected "Properties", clicked on
"WAN Miniport (L2TP)" and "Configure" and reduced the "Maximum Ports" to 0.
I did the same for "WAN Miniport (PPTP)", but increased the number of ports
to 10. Both "Remote access connections (inbound only)" and "Demand-dial
routing connections (inbound and outbound)" are ticked. "Phone number for
this device" is left blank, as I am not using "Called-Station-Id"
attribute... !
All other options have been left at defaults.

(3) Configure VPN client:
I did nothing to change my original VPN network connections that previously
worked fine. They are pretty standard and have the static IP address of my
modem / router entered as the destination, IP address and DNS are set to be
assigned automatically, Windows Domain is included and the option to use the
"default gateway on the remote network" is disabled. I have subsequently
tried setting the type of VPN to "PPTP VPN" explicitly, but his has had no
effect.

(4) Tested the connection:
When running the connect attempt, I get a dialogue saying that it is
"Verifying username and password...", but this eventually times out with an
error (Error 721: The remote computer did not respond)
The only log information that I can find is in the file
C:\WINNT\SYSTEM32\LOGFILES\IN010405.LOG and seems to be of little help, in
fact, for most of my testing nothing has been logged at all:
192.168.0.5,,01/05/2004,10:11:51,RAS,SERVER01,4,192.168.0.5,44,40,40, 8,4108,
192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:31:49,RAS,SERVER01,4,192.168.0.5,44,41,40, 7,4108,
192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:40,RAS,SERVER01,4,192.168.0.5,44,41,40, 8,4108,
192.168.0.5,0,,4136,4,4142,0
192.168.0.5,,01/05/2004,10:59:45,RAS,SERVER01,4,192.168.0.5,44,42,40, 7,4108,
192.168.0.5,0,,4136,4,4142,0

Nothing seems to be logged in the Windows Event Log, even though I have
turned full logging on, so I suspect that my problem lies with my router and
either the VPN passthrough is not working properly or I have messed up my
rules somehow.

(5) Further information:
My Win2k SP3 Server has all Windows Update patches applied as does my
Windows XP Professional workstation attempting to connect. The Netgear DG834
has the latest 1.03.00 firmware loaded.

I hope this is sufficient information and if anyone can help me with this
problem I would be very grateful. If you need further information, I can
obviously get that to you.

Thanks,

Charles Crawley

Being a complete pillock, I said Win2K SP3... It is, of course, running
Service Pack 4...

"Charles Crawley" <(E-Mail Removed)> wrote in message
news:3ff96cd2$(E-Mail Removed)...
> Hi,
>
> I am having a few problems re-setting up my VPN, for client PCs I have
> connected to the internet elsewhere, using a new Netgear DG834
> modem/router/firewall. I used to have my Win2k SP3 DC connected directly
to
> the internet using the BT Frog (Alcatel USB ADSL modem), but this has
always
> caused massive instability on my server, so have moved to a separate
router
> (the DG834).
> I have had a VPN (PPTP) set up using RRAS on this server, which has always
> worked fine. I have now, obviously removed the RRAS configuration on the
> server that provided the internet connectivity for my LAN clients and have
> instead set up the new router to provide this. I have now reconfigured
RRAS
> to simply provide VPN functions.
> I performed the following tasks to accomplish this:
>
> (1) Created firewall rules on the DG834 to forward PPTP and IPSec traffic
to
> my Win2K server:
>
> Outbound Services
> 1 Port135 BLOCK always Any Any Always
> Default Yes Any ALLOW always Any Any Never
>
> Inbound Services
> 1 Any(ALL) ALLOW always 192.168.0.5 Any Never - THIS IS DISABLED and
only
> there for testing...
> 2 SETI ALLOW always 192.168.0.5 Any Always
> 3 VNC1 ALLOW always 192.168.0.5 Any Always
> 4 VNC2 ALLOW always 192.168.0.5 Any Always
> 5 FTP ALLOW always 192.168.0.5 Any Always
> 6 HTTP ALLOW always 192.168.0.5 Any Always
> 7 SMTP ALLOW always 192.168.0.5 Any Always
> 8 RemAcc ALLOW always 192.168.0.5 Any Always
> 9 Port135 ALLOW always 192.168.0.5 Any Always
> 10 POP3 ALLOW always 192.168.0.5 Any Always
> 11 VPN-PPTP ALLOW always 192.168.0.5 Any Always
> 12 VPN-IPSEC ALLOW always 192.168.0.5 Any Always
> Default Yes Any BLOCK always Any Any Never
>
> I am a little unsure about the necessity for IPSEC, as I thought this was
> only required for L2TP VPNs, but did see an article somewhere on the
Netgear
> forums saying it should be used. I'm probably wrong about it either way!
> I am blocking Port135 out as I have another DC at the end of a VPN
> connection that my main DC is sending 135 traffic to, but my ISP is
> detecting all 135 traffic out and blocking the connection, due to the
> possibility of it being a virus / worm. I am not worried about this and
> don't really need the other DC.
>
> (2) Set up RRAS on my Win2k Server:
> I started the configuration wizard and selected to install the RRAS
Service
> manually, as advised in many places, due to a bug in RRAS. I then allowed
> the service to start. I right clicked the Server and selected "Properties"
> and ensured that "Router" was ticked, "LAN and demand-dial routing" was
> selected and "Remote Access Server" was ticked. On the "IP" tab, "Enable
IP
> Routing" and "Allow IP-based remote access and demand-dial connection" are
> both ticked and I set up the server to assign IP addresses using a "Static
> address pool" of 192.168.0.200 - 192.168.0.210
> Next, I clicked on the "Ports" icon and selected "Properties", clicked on
> "WAN Miniport (L2TP)" and "Configure" and reduced the "Maximum Ports" to
0.
> I did the same for "WAN Miniport (PPTP)", but increased the number of
ports
> to 10. Both "Remote access connections (inbound only)" and "Demand-dial
> routing connections (inbound and outbound)" are ticked. "Phone number for
> this device" is left blank, as I am not using "Called-Station-Id"
> attribute... !
> All other options have been left at defaults.
>
> (3) Configure VPN client:
> I did nothing to change my original VPN network connections that
previously
> worked fine. They are pretty standard and have the static IP address of my
> modem / router entered as the destination, IP address and DNS are set to
be
> assigned automatically, Windows Domain is included and the option to use
the
> "default gateway on the remote network" is disabled. I have subsequently
> tried setting the type of VPN to "PPTP VPN" explicitly, but his has had no
> effect.
>
> (4) Tested the connection:
> When running the connect attempt, I get a dialogue saying that it is
> "Verifying username and password...", but this eventually times out with
an
> error (Error 721: The remote computer did not respond)
> The only log information that I can find is in the file
> C:\WINNT\SYSTEM32\LOGFILES\IN010405.LOG and seems to be of little help, in
> fact, for most of my testing nothing has been logged at all:
>
192.168.0.5,,01/05/2004,10:11:51,RAS,SERVER01,4,192.168.0.5,44,40,40, 8,4108,
> 192.168.0.5,0,,4136,4,4142,0
>
192.168.0.5,,01/05/2004,10:31:49,RAS,SERVER01,4,192.168.0.5,44,41,40, 7,4108,
> 192.168.0.5,0,,4136,4,4142,0
>
192.168.0.5,,01/05/2004,10:59:40,RAS,SERVER01,4,192.168.0.5,44,41,40, 8,4108,
> 192.168.0.5,0,,4136,4,4142,0
>
192.168.0.5,,01/05/2004,10:59:45,RAS,SERVER01,4,192.168.0.5,44,42,40, 7,4108,
> 192.168.0.5,0,,4136,4,4142,0
>
> Nothing seems to be logged in the Windows Event Log, even though I have
> turned full logging on, so I suspect that my problem lies with my router
and
> either the VPN passthrough is not working properly or I have messed up my
> rules somehow.
>
> (5) Further information:
> My Win2k SP3 Server has all Windows Update patches applied as does my
> Windows XP Professional workstation attempting to connect. The Netgear
DG834
> has the latest 1.03.00 firmware loaded.
>
> I hope this is sufficient information and if anyone can help me with this
> problem I would be very grateful. If you need further information, I can
> obviously get that to you.
>
> Thanks,
>
> Charles Crawley
>
>

I have read some articles / news posts elsewhere that imply that the router
may not be passing IP Protocol 47 (GRE) properly, even though it is meant
to. Can anyone comment on this?

Cheers,

Charles

"Charles Crawley" <(E-Mail Removed)> wrote in message
news:tvWKb.11568$(E-Mail Removed)...
> I have read some articles / news posts elsewhere that imply that the
router
> may not be passing IP Protocol 47 (GRE) properly, even though it is meant
> to. Can anyone comment on this?

Having investigated further, I have come across reports (in the Netgear
forum of DSLReports.com) that the VPN pass-through is possibly broken in the
latest version (1.03) of the DG834 firmware.
Can anyone confirm this?

Am I talking to myself here like a complete nutter? ;-)

Cheers,

Charles

i'm having similar problems making VPN connections (client on inside
connecting to server on outside) - what you say about GRE sounds
correct judging by the results im getting... sorry thats not much help
:-)

"Charles Crawley" <(E-Mail Removed)> wrote in message news:<3ffc4b96$(E-Mail Removed)>...
> "Charles Crawley" <(E-Mail Removed)> wrote in message
> news:tvWKb.11568$(E-Mail Removed)...
> > I have read some articles / news posts elsewhere that imply that the
> router
> > may not be passing IP Protocol 47 (GRE) properly, even though it is meant
> > to. Can anyone comment on this?
>
> Having investigated further, I have come across reports (in the Netgear
> forum of DSLReports.com) that the VPN pass-through is possibly broken in the
> latest version (1.03) of the DG834 firmware.
> Can anyone confirm this?
>
> Am I talking to myself here like a complete nutter? ;-)
>
> Cheers,
>
> Charles

Wow! A reply! Even if it isn't much help, as you say... ;-)

I'm trying to find out if going back to v1.02.10 will work... If I find
anything out, I'll post it here...

Cheers,

Charles

"Nick Osborn" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> i'm having similar problems making VPN connections (client on inside
> connecting to server on outside) - what you say about GRE sounds
> correct judging by the results im getting... sorry thats not much help
> :-)
>
> "Charles Crawley" <(E-Mail Removed)> wrote in message
news:<3ffc4b96$(E-Mail Removed)>...
> > "Charles Crawley" <(E-Mail Removed)> wrote in message
> > news:tvWKb.11568$(E-Mail Removed)...
> > > I have read some articles / news posts elsewhere that imply that the
> > router
> > > may not be passing IP Protocol 47 (GRE) properly, even though it is
meant
> > > to. Can anyone comment on this?
> >
> > Having investigated further, I have come across reports (in the Netgear
> > forum of DSLReports.com) that the VPN pass-through is possibly broken in
the
> > latest version (1.03) of the DG834 firmware.
> > Can anyone confirm this?
> >
> > Am I talking to myself here like a complete nutter? ;-)
> >
> > Cheers,
> >
> > Charles

Hi Charles,

I had the same VPN issues with a new DG834G...

Connecting client laptop via wireless Belkin card to external VPN
network through wireless Netgear DG834G firewall, router etc.
VPN would successfully connect for about 4 - 10 mins then mysteriously
lose the connection, losing the network completely by resetting the
IP address of the laptop.
It is a Cisco VPN connection.
Laptop was in same room as router.

I seem to have resolved it by doing the following...
- Upgraded to firmware 1.03.00 (Ah well, in for a penny! - Flash
worked thank God!
- Changed the MTU on the laptop Belkin adapter to 1500 (I previously
had it set to 1430 - according to the Netgear site this is VPN
preferable???) - rebooted laptop.
- Set up the port forwarding on the router to allow incoming IPSEC,
PPTP & L2TP packets to go to the laptop IP address.
- I also reserved addresses for each PC on my network via the 'LAN IP
Set up' in the router config.

Da daaaaaahhh! Yes!

I don't know which one of these did the trick although it is working a
treat now. I suspect a combination of MTU and the firmware may have
been the resolution.

Good luck!
Chris


On Fri, 9 Jan 2004 00:27:06 +0100, "Charles Crawley"
<(E-Mail Removed)> wrote:

>Wow! A reply! Even if it isn't much help, as you say... ;-)
>
>I'm trying to find out if going back to v1.02.10 will work... If I find
>anything out, I'll post it here...
>
>Cheers,
>
>Charles
>
>"Nick Osborn" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed) om...
>> i'm having similar problems making VPN connections (client on inside
>> connecting to server on outside) - what you say about GRE sounds
>> correct judging by the results im getting... sorry thats not much help
>> :-)
>>
>> "Charles Crawley" <(E-Mail Removed)> wrote in message
>news:<3ffc4b96$(E-Mail Removed)>...
>> > "Charles Crawley" <(E-Mail Removed)> wrote in message
>> > news:tvWKb.11568$(E-Mail Removed)...
>> > > I have read some articles / news posts elsewhere that imply that the
>> > router
>> > > may not be passing IP Protocol 47 (GRE) properly, even though it is
>meant
>> > > to. Can anyone comment on this?
>> >
>> > Having investigated further, I have come across reports (in the Netgear
>> > forum of DSLReports.com) that the VPN pass-through is possibly broken in
>the
>> > latest version (1.03) of the DG834 firmware.
>> > Can anyone confirm this?
>> >
>> > Am I talking to myself here like a complete nutter? ;-)
>> >
>> > Cheers,
>> >
>> > Charles
>

************************
Some say love makes the world go round -
I say try whisky, it makes the world go round twice as fast!

Yes, known problem with the firmware, though it has been fixed with a new
firmware update.

Download from here: http://www.htff.co.uk (latest beta) or from netgear.


"Chris G" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Charles,
>
> I had the same VPN issues with a new DG834G...
>
> Connecting client laptop via wireless Belkin card to external VPN
> network through wireless Netgear DG834G firewall, router etc.
> VPN would successfully connect for about 4 - 10 mins then mysteriously
> lose the connection, losing the network completely by resetting the
> IP address of the laptop.
> It is a Cisco VPN connection.
> Laptop was in same room as router.
>
> I seem to have resolved it by doing the following...
> - Upgraded to firmware 1.03.00 (Ah well, in for a penny! - Flash
> worked thank God!
> - Changed the MTU on the laptop Belkin adapter to 1500 (I previously
> had it set to 1430 - according to the Netgear site this is VPN
> preferable???) - rebooted laptop.
> - Set up the port forwarding on the router to allow incoming IPSEC,
> PPTP & L2TP packets to go to the laptop IP address.
> - I also reserved addresses for each PC on my network via the 'LAN IP
> Set up' in the router config.
>
> Da daaaaaahhh! Yes!
>
> I don't know which one of these did the trick although it is working a
> treat now. I suspect a combination of MTU and the firmware may have
> been the resolution.
>
> Good luck!
> Chris
>
>
> On Fri, 9 Jan 2004 00:27:06 +0100, "Charles Crawley"
> <(E-Mail Removed)> wrote:
>
> >Wow! A reply! Even if it isn't much help, as you say... ;-)
> >
> >I'm trying to find out if going back to v1.02.10 will work... If I find
> >anything out, I'll post it here...
> >
> >Cheers,
> >
> >Charles
> >
> >"Nick Osborn" <(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed) om...
> >> i'm having similar problems making VPN connections (client on inside
> >> connecting to server on outside) - what you say about GRE sounds
> >> correct judging by the results im getting... sorry thats not much help
> >> :-)
> >>
> >> "Charles Crawley" <(E-Mail Removed)> wrote in message
> >news:<3ffc4b96$(E-Mail Removed)>...
> >> > "Charles Crawley" <(E-Mail Removed)> wrote in message
> >> > news:tvWKb.11568$(E-Mail Removed)...
> >> > > I have read some articles / news posts elsewhere that imply that
the
> >> > router
> >> > > may not be passing IP Protocol 47 (GRE) properly, even though it is
> >meant
> >> > > to. Can anyone comment on this?
> >> >
> >> > Having investigated further, I have come across reports (in the
Netgear
> >> > forum of DSLReports.com) that the VPN pass-through is possibly broken
in
> >the
> >> > latest version (1.03) of the DG834 firmware.
> >> > Can anyone confirm this?
> >> >
> >> > Am I talking to myself here like a complete nutter? ;-)
> >> >
> >> > Cheers,
> >> >
> >> > Charles
> >
>
> ************************
> Some say love makes the world go round -
> I say try whisky, it makes the world go round twice as fast!