Cisco VPN client and Netgear WGR614 problem

[vanc]

This is one even the Netgear support people can't solve. I Cannot map network drives or use intranet or remote desktop for resources behind my company's firewall using Cisco VPN Client 4.6.04.0043 and a netgear WGR614v6 wireless router. VPN connection works if I bypass the router and connect directly to DSL modem.
Here is what I''ve already tried:

Turned off firewall on my laptop (running Windows XP SP2)

Here''s what I''ve tried so far on my router and nothing has worked:

Used port forwarding for UDP ports 50, 51, 500, 4001 and 1723 for my laptops IP
Disabled the SPI firewall
Checked "respond to ping on internet port"
Upgraded firmware to V1.0.11_1.0.7NA
Disabled Access control
Disabled all security (normally WPA-psk)
Set MTU to 1300 on both Cicso VPN client and WGR615
set MTU to 1430 on both Cisco VPN client adn WGR615
Added laptop''s IP to DMZ server
Tried both IPSec over UDP and IPSec over TCP on Cisco VPN Client
Reset router to factory defaults

Still no go on VPN. Can someone suggest something else for this router other than what we already know which is this VPN client and router combination are incompatable. Perhaps a setting in the laptops Intel® PRO/Wireless 2200 that I can tweak? One post I read said the user tries a Cisco Systems Aironet PCI Wireless LAN Adapter and got it to work but that would be my last choice and not guaranteed in my situation.

Thanks,
Van

[twwabw]

On one of the (cough) "other" forums? there was this:

It's working now. I upgraded to the latest firmware and added a 'Reservation' for the machine under the LAN IP Setup to create essentially a static IP. I then added port forwarding for the 'PPTP' application and did a 'custom service' for port 47. Then under 'Wan Setup', I set it to 'Respond to Ping on Internet Port'. I was then able to successfully log into my Work VPN. This was all recommended by Netgear's Tech support department (via email). I was skeptical at first because I thought I'd already tried all that before, but did it again and it worked

The firmware was just released last week (1/17), so if you haven't tried the new version, give it a shot and see if it works for you...

Why these things don't support VPN passthrough like virtually everyone else does is beyond me. But then again, never too fond of Netgear anyway.

[NutgearH8r]

Bravo! I had gone insane trying to config VPN. After 15 minutes of following your post, I am finally able to VPN to two different sites! This should have been trivial, but NOT WITH NETGEAR!

Thanks for posting a viable solution.

[arielg]

I had the same problem - my solution was very wierd.
I had my "disable SPI firewall" CHECKED, and once I unchecked it - so that the firewall was on - it actually started working. I know it sounds the exact opposite should happen - but believe me I checked it about 5 times. once I unchecked the option - the VPN works.

!Q@$%@#$% netgear.

P.S

I have v6 of wgr614

[deepmime]

Yeah,

I had the exact same issue make sure you UNCHECK "Disable SPI Firewall". VPN worked for me after that. It seems Netgear isn't as good as it used to be. Why does SPI enabled actually allow VPN connections?

Who knows.

[Noumenon]

The firmware was just released last week (1/17)

Hi, new user here. I'm having trouble with my recently bought WGR614 v6. It works fine with my recreational lap top / desk top but when I try to use my work machine with VPN it gets problems, kicks me off the VPN connection inconsistantly.

Netgear are proving...unhelpful so far. I wanted to download the 1.0.11 update but the links are all down on their website. Can anyone supply a link for the Non-US version? I'll follow the steps in the 02-01-06 04:47 PM post as soon as I have it.

Hope you can help me, I'm losing the will to work. Such that it is.

[eric07920]

I thought I had a problem fixed, but something just happened that makes me question things.

I have a printer connected directly to my gMac, which is ethernet wired to a port on my Netgear WGT624 v2 wireless firewall router. My son has an inspiron which connects wirelessly to the router. So far so good. I've configured the default printer on my son's computer to be the CUPS server on my gmac (http://192.168.0.5:631/printers/mc2430DL). I've added a static IP assignment on the router using (http://192.168.0.1/start.htm) and "LAN IP Setup" which associates IP addr 192.168.0.5 to my gMac's MAC address. Well, this changes nothing. I still get a random IP assigned to my gMac varying from 192.169.0.2-5.

Any advice?

Thanks,
Eric

[mbin]

I found I had to do this to make my office VPN connection work as well, and after a little thought, it just might make sense. SPI = Stateful Packet Inspection. I don't know the details of the PPTP protocol (just that it uses TCP port 1723 and IP #47 for GRE), but I'm guessing it takes more than the standard TCP 3-way handshake using simple source & destination port numbers. As implemented in the NETGEAR Router OS, the SPI just might be smart enough, and necessary, to implement the protocol awareness necessary to make PPTP work. Whereas, without SPI, the protocol awareness isn't there, and the router follows its default firewall behavior (DROP) WRT inbound packets that aren't part of an existing Layer 3 connection, which apparently prevents completion of the PPTP connection.

Somewhere, this should be clearly explained and documented by the NETGEAR team, but it's not something the avg Level 1 Help Desk guy is going to be conversant with. For those interested though, it's easy enough to find online info on how PPTP works (and stateful packet filters).

[Wendigo]

Yeah,

I had the exact same issue make sure you UNCHECK "Disable SPI Firewall". VPN worked for me after that. It seems Netgear isn't as good as it used to be. Why does SPI enabled actually allow VPN connections?

Who knows.

So, i just wanted to correct a misunderstanding.

The options mentioned: "Disable SPI Firewall"

The netgear does not default do any packet inspection and since the VPN traffic is a port changing application it drops the returning packet on port 4500 . .. hence it started out using port 500 UDP. Whit the SPI enabled - it looks into the packets and sees that the port is changing.

Therefore: uncheck the "diable SPI firewall" is the correct action when you want to make sure your connection passes through. Netgear has not misunderstood something on this matter.

Same **** can be expirienced whit FTP protocol.

[brownj00]

I see the same thing.

This is what my Netgear says on the help screen on the right-hand side: "Disable SPI Firewall - The SPI (Stateful Inpection) Firewall protects your LAN against Denial of Service attacks. This should only be disabled in special circumstances."

so... why did you CHECK that box (disable SPI) in the first place?

I don't remember why I did, except maybe it was VPN related. I now need to connect to an L2TP and a IPsec VPN at the same time from home. Initially one would work and one wouldn't depending on SPI.

As a network engineer for 20+ years, I know sometimes you just have to try all the buttons to see what happens. Sometimes it doesn't make any sense... and I am one of those guys who wants to "understand the reason why". Basically I agree with what was said above in this thread. The ports change, PPTP (and L2TP, IPsec, etc.) are all more involved than the basic 3-way handshake (syn, ack, syn-ack). FTP for example has different "modes" and the standard active mode FTP has the FTP server initiate a NEW connection back to your PC on a different port - and you know if your firewall doesn't recognize that follow-up connection as kind of a "return-call" it is going to drop it as just one more disallowed connection from the Internet. Typically recognizing "follow-on" traffic as related to earlier (allowed) traffic is what SPI is for.

So I agree with the speculation that the Netgear SPI is protocol aware to some extent and is recognizing that a different connection (new port, new direction, whatever) is related to the earlier approved and established VPN connection attempt - and is therefor allowed and passed. I sniff VPN negotiations from time to time - it's way more complicated than a "normal" connection, especially with encryption, authentication, etc. etc.

In theory you could setup the port forwarding with ALL the necessary settings to allow the needed connection ports. I don't bother - if everything I need works with the SPI ON (unchecked) then that is the way I am running it. With SPI turned on and the port forwarding and WAN-resond-to-ping I have set everything works... and I'm going to stop playing with it now.

[Ray M]

New to this forum and wireless routing.

Just got a new laptop at work with wireless built in.
I found this thread doing a search because I was having the same issue as described here.
Hoping that I'd found the solution, I logged into my router hoping to find the "disable spi firewall" setting checked, but it wasn't.

I checked it, and as soon as the changes took effect...VPN started working.

What am I risking by having it disabled? With the key required to log in, am I still messing up by having that disabled?

Glad I found this thread....

[NO1B4ME]

New to this forum and wireless routing.

Just got a new laptop at work with wireless built in.
I found this thread doing a search because I was having the same issue as described here.
Hoping that I'd found the solution, I logged into my router hoping to find the "disable spi firewall" setting checked, but it wasn't.

I checked it, and as soon as the changes took effect...VPN started working.

What am I risking by having it disabled? With the key required to log in, am I still messing up by having that disabled?

Glad I found this thread....

I am curious as well. I had to diasble SPI as well for my VPN conneciton to work. Does anyone know if diabling this will cause my LAN to get hacked more.

Thanks,
Lu

[vpnworks]

I am curious as well. I had to diasble SPI as well for my VPN conneciton to work. Does anyone know if diabling this will cause my LAN to get hacked more.

Thanks,
Lu

Hey guys, ive just signed up here in a quick happy moment to confirm if you uncheck disable SPI Firewall then VPN will work great!

Thanks for u guys help me.

My router is a NETGEAR WGR416 v7

[popoki]

I have a Netgear WGR614v6, and 2 VPN accounts on different servers. For the IPSec VPN to work, SPI needed to be disabled; but for the PPTP VPN, SPI needed to be enabled. Very strange!

[ski1962]

Sorry for the dumb question - but not that computer savvy - how do you log in to the router?