Sky VPN

Associate
Joined
15 Sep 2009
Posts
1,384
Location
Birmingham
Hi everyone, I've got Sky broadband via a Netgear D934G and I can't access my work's VPN. I know the settings for the VPN are OK because when the IT lad set it up he tested it on another wireless network and it connected first time. He's also tried the settings out for me on his laptop at home and it worked fine.

How do I get it to work?
 

J.B

Soldato
Joined
16 Aug 2006
Posts
5,924
We had a problem with Tiscali at work where it just would not work on their network, never did find out why as the guy changed ISP.

Might want to check you have the right ports open on the router. That's all I can think of.
 
Soldato
Joined
18 Oct 2002
Posts
4,034
Location
Somewhere on the Rainbow
I had problems with a Netgear DG834G router a year or so back. Wouldn't let the Cisco VPN client connect and also had problems with the SSL web access. Opened the firewall up completely on it and still the same. Ended up buying a different make of router and it worked fine (this is on BT Internet).

There are lads at work who use Sky and can connect, though not sure what model of router they use. I know we always had problems with AOL as they actively blocked VPN traffic, but I don't think the same is true for Sky.

This may be of help? http://www.skyuser.co.uk/forum/view-vpn.html
 
Associate
OP
Joined
15 Sep 2009
Posts
1,384
Location
Birmingham
Thanks, I had a look at the guide and added the inbound services. Tried both the IP address of my laptop and the IP of the wireless router, but it still stops at the "verifying username and password" part of the connection and then it gets error 800.

Would you be able to find out what routers the people at your work use?
 
Associate
OP
Joined
15 Sep 2009
Posts
1,384
Location
Birmingham
Had a reply back from Sky support and got:

> Please note, if you have a Netgear router, then you must refer to your VPN provider for assistance with setting up your VPN, as there is no issue with the Netgear model. You can check which model you have on the underside of your broadband router.

So who am I supposed to check with now? My IT support at work says the settings are all OK, so I'm guessing it's got to be with the router. Would it be worth me just buying a VPN compatible router for Sky?
 
Associate
OP
Joined
15 Sep 2009
Posts
1,384
Location
Birmingham
I've had the VPN connection set up in Windows to log on to exchange.companyname.com

I'm not using any dedicated VPN Client on my laptop, should I be? I'm new to all this and they said it should work if I just double click the icon to connect :confused:
 

mjd

Associate
Joined
21 Oct 2002
Posts
1,074
Location
Llanelli, S.Wales
> I've had the VPN connection set up in Windows to log on to exchange.companyname.com
>
> I'm not using any dedicated VPN Client on my laptop, should I be? I'm new to all this and they said it should work if I just double click the icon to connect :confused:

Nope, that's fine. Just a little easier to diagnose if we know what we are working with. As for opening ports:


Log into the web interface for the netgear.

Under content filtering select Services.

Starting with the first port you need to open, give it a name and enter the port number for both start and finish boxes. (If you are defining a range of consecutive ports you can have different start and finish ports.) Click apply to save.

Once you have been through this process for each of the ports you want to open, click firewall rules under content filtering.

Under inbound services click 'Add'.

From the service drop down, choose the first of the ports you defined under services.

Where it says 'Send to lan user', enter the IP address of the machine you wish to use to establish the VPN tunnel.

Click apply to save.

Repeat this process for the remaining ports you defined under services.



As for the ports -


PPTP

To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through router, open Protocol ID 47.

L2TP over IPSec

To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T), open UDP 5500.
To allow L2TP traffic, open UDP 1701.

Sorry this is a bit rough around the edges, but you should get the general idea.

Let us know how you get on.

MJD :)
 
Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
Tell your IT people to enable NAT-T support or Cisco VPN over UDP or TCP.

Normal IPSEC VPN traffic, which is covered as IP Protocols ESP and AH, does not have port numbers so cannot be forwarded in the usual way.

Also look for a VPN Passthrough option on the Netgear and DISABLE it; these implementations are always broken and never work properly.
 
Associate
OP
Joined
15 Sep 2009
Posts
1,384
Location
Birmingham
> Nope, that's fine. Just a little easier to diagnose if we know what we are working with. As for opening ports:
>
> Log into the web interface for the netgear.
>
> Under content filtering select Services.
>
> Starting with the first port you need to open, give it a name and enter the port number for both start and finish boxes. (If you are defining a range of consecutive ports you can have different start and finish ports.) Click apply to save.
>
> Once you have been through this process for each of the ports you want to open, click firewall rules under content filtering.
>
> Under inbound services click 'Add'.
>
> From the service drop down, choose the first of the ports you defined under services.
>
> Where it says 'Send to lan user', enter the IP address of the machine you wish to use to establish the VPN tunnel.
>
> Click apply to save.
>
> Repeat this process for the remaining ports you defined under services.
>
> As for the ports -
>
> PPTP
>
> To allow PPTP tunnel maintenance traffic, open TCP 1723.
> To allow PPTP tunneled data to pass through router, open Protocol ID 47.
>
> L2TP over IPSec
>
> To allow Internet Key Exchange (IKE), open UDP 500.
> To allow IPSec Network Address Translation (NAT-T), open UDP 5500.
> To allow L2TP traffic, open UDP 1701.
>
> Sorry this is a bit rough around the edges, but you should get the general idea.
>
> Let us know how you get on.
>
> MJD :)

Thanks for this, I've done all that as far as I know. Set them all up and put in my IP address, and allowed exceptions for all the above except protocol ID 47 because I couldn't figure out how to do it. Tried to log on to the VPN but still couldn't authorise... really stuck.
 
Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
> except protocol ID 47 because I couldn't figure out how to do it.

Of course you can't; you'd also need to enable protocol ID 50 (ESP). I've yet to see a domestic router which will support this.

Hence the reason for using NAT-T, which is UDP 4500 (not 5500 as suggested)

Really you shouldn't need to forward or open any ports as they will be opened automatically by the fact that they're related to an already established connection when you initiate the outbound connection to the VPN server.
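
An added example, not part of any post in this thread: a Python sketch of the point made in the two replies above, that GRE, ESP and AH are IP protocols with no port fields, so a port-based forwarding rule cannot match them, while NAT-T on UDP 4500 can be matched. The sample packets and addresses are constructed, and `classify`, `ipv4` and `ports` are hypothetical helper names.

```python
import struct

# Port-based services named in the thread (NAT-T on UDP 4500, per the correction).
PORT_SERVICES = {
    (6, 1723): "PPTP control",
    (17, 500): "IKE",
    (17, 4500): "IPsec NAT-T",
    (17, 1701): "L2TP",
}
# IP protocols that carry no port fields; a port-forward rule cannot match them.
PORTLESS = {47: "GRE (PPTP data)", 50: "ESP", 51: "AH"}


def classify(packet: bytes):
    """Return (label, matchable_by_port_rule) for a raw, unfragmented IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                        # IP protocol number field
    if proto in PORTLESS:
        return PORTLESS[proto], False
    if proto in (6, 17):                     # TCP or UDP: ports follow the IP header
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        _src, dst = struct.unpack_from("!HH", packet, ihl)
        return PORT_SERVICES.get((proto, dst), f"other port {dst}"), True
    return f"IP protocol {proto}", False


def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([192, 168, 0, 2]),
                         bytes([203, 0, 113, 10]))
    return header + payload


def ports(src: int, dst: int) -> bytes:
    """First 8 bytes of a TCP/UDP header: source port, destination port, padding."""
    return struct.pack("!HH", src, dst) + b"\x00" * 4


# Constructed client-to-server samples: PPTP control, GRE, IKE, NAT-T, ESP.
SAMPLES = [ipv4(6, ports(49152, 1723)), ipv4(47, b"\x30\x01\x88\x0b"),
           ipv4(17, ports(500, 500)), ipv4(17, ports(4500, 4500)),
           ipv4(50, b"\x00" * 8)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```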
 

mjd

Associate
Joined
21 Oct 2002
Posts
1,074
Location
Llanelli, S.Wales
I have come across this in the past but can't for the life of me remember what eventually turned out to be the cause.

Have your IT guys checked the RRAS logs their end?

Also, are you running a firewall on your laptop? If you are, switch it off, but make sure you leave the firewall service itself running.
 