# AVG blocks VPN



## Notay (Oct 8, 2008)

Hi (I hope this is the correct place to post this)

I have created a VPN and AVG will not allow it to access. I have allowed the GRE and ESP protocols as the AVG website has said (http://www.avg.co.uk/faq.num-817?srch=using-vpn#faq_817), but this has not done anything in terms of allowing a connection.

I have also allowed it in the 'defined adapters' tab in the firewall settings. I have contacted AVG and they have failed to help me. Can anyone please provide me with some help?

Thanks

Notay


----------



## johnwill (Sep 26, 2002)

Change from AVG to a product that works.


----------



## Notay (Oct 8, 2008)

That would be easy, but I cannot afford to do so at the moment. Any real help available?


----------



## JamesO (Mar 30, 2005)

What makes you think AVG is the problem?

Unless you have AVG with the firewall, I doubt AVG is blocking your VPN. 

Firewalls and anti-virus software should be configurable if there is anything that could or would impact the VPN.

I would not get rid of AVG as I really do not think it is the problem. Either you have a different problem or AVG is not configured correctly.

More information on what you have tried to do to troubleshoot and resolve the problem would be helpful. Need answers to some of the following:
What OS?
What are you using for a firewall?
What router are you using?
What ISP are you using?

Also describe your VPN situation, software, hardware, what you are connecting to and do you know if you may possibly have private IP address conflicts?

JamesO


----------



## Notay (Oct 8, 2008)

AVG seems to be the likely problem, since when I disable the AVG firewall, I am able to connect. I am using XP Pro, AVG Internet Security, a Netgear router, and Sky as ISP. I connect to a private university VPN.

I have tried to configure AVG to allow it, but to be honest I do not know much about protocols, so I am having a little difficulty; that's why I asked on this board. I have also done exactly what AVG have said in the above link in the first post, read it.


----------



## JamesO (Mar 30, 2005)

OK, now we are getting somewhere. AVG Internet Security has the firewall as well. As I mentioned, a firewall is the most likely problem.

The issue is that the firewall is not properly configured; it is actually doing its job!

You need to turn the AVG firewall off, connect to the VPN, then do an IPCONFIG and find out what the VPN IP address range is. Then add the VPN IP address range into the firewall rules. This is the first thing I would try. Usually when you connect to a VPN, you get a new IP address assignment. Have had similar issues with Zone Alarm in the past as well.

I do not have AVG Internet Security on any of my machines, but I might be able to access a machine with it if necessary.

JamesO


----------



## Notay (Oct 8, 2008)

Hi

I did the ipconfig and added the IP address in the firewall settings - I clicked to add a new safe IP and entered the IP address of the VPN connection. However, this still did not allow the VPN to be connected once I enabled the firewall. I do not understand where I am going wrong or what I could be missing out.


----------



## JamesO (Mar 30, 2005)

Make sure you include the VPN gateway address. Note your IP address will change once you access the VPN. Also, if you are trying to VPN and use remote desktop, you probably need to add the remote desktop address as well.

Check the AVG log to see if there is anything in the log that will clue you in to what is going on. Look for blocked traffic in the *Filter Device* log.

Again, it is most likely not a problem with AVG, it is just not configured correctly.

JamesO


----------



## Phil_Perry (Nov 26, 2008)

I have been playing with AVG Internet security and had the same problem with a VPN connection. After looking at the Logs I realised that I needed to allow the UDP protocol. Under Defined services I created a new service for UDP. You can select the protocol and the ports and the direction. I set port 0 for local and remote and the direction as both ways. Then I created a System service to use this newly created Defined service. I also set the VPN connection under Defined adaptors to be safe. This was in addition to setting the System services ESP, GRE, L2TP and PPTP to safe.


----------



## Phil_Perry (Nov 26, 2008)

An update to my last message. I suggested that a UDP defined service was required. After experiencing other problems with the connection not staying up I went back to the drawing board. I now have only one profile in addition to the Allow all and Block all which you get anyway. My profile is Small home or office network. I have assigned this profile to all adaptors (which includes my VPN connection) and areas. Under this profile I have set all Defined adaptors as safe and I have created a new safe Defined network with the range of IP addresses for the network I am connecting to. As suggested by AVG, I have set System services ESP, GRE, L2TP and PPTP as safe. I no longer have a UDP defined service. In my experience the network areas are created as and when new connections are made, giving you the chance to name them and assign a profile. Things now seem to be working.


----------



## Phil_Perry (Nov 26, 2008)

Further information/update under my Small home or office network profile.
I now have defined services:
IGMP, other protocol, local port 0 - remote port 0
TCP, TCP protocol, both ways, local port 0 - 65535, remote port 0 - 65535
UDP, UDP protocol, both ways, local port 0 - 65535, remote port 0 - 65535
I have created a system service VPN that includes defined services IGMP and TCP. This is set as Allow for all.
I have modified Other Applications under Applications to include the three defined services IGMP, TCP and UDP, and set this to Allow for all.
I have modified Various System Services SVCHOST under Applications to include the UDP defined service, and set this as Allow for all.
I have a defined network covering the IP addresses of the network I am connecting to and set this as Safe.
My Small home or office network profile is assigned to my active network areas and adaptors. 
As before, I have set defined services ESP, GRE, L2TP VPN and PPTP VPN to Allow for all.
This now works consistently on my XP Professional laptop but when I tried to apply the same thinking to a Vista box I got other problems. I spoke again to AVG who said that a new update was soon to be released that may help. They seem to acknowledge that VPN connections can be a problem area.
I don't know if any of this helps anybody.


----------



## gilespublic (Jun 29, 2009)

Many thanks Phil Perry. I have been struggling with this, and it works now!


----------



## ramcast (Sep 7, 2009)

OK, this may sound crazy, but it worked for me. Go to AVG overview. Click Tools, then Webshield, and add the appropriate ports that you need open to the ones Webshield scans. I did this and a video streaming software worked like a charm. I narrowed it down by disabling all services and enabling one at a time till I narrowed down which component was causing the issue.


----------



## Phil_Perry (Nov 26, 2008)

I have been playing with Internet Security v9 on Vista.
I have created an area called home for my home LAN with Small Home or Office Network as the defined profile.
Under Areas and Adapters profiles I have set my VPN connection to have Small Home or Office Network as the defined profile.
Under the profile Small Home or Office Network/Defined networks I have set my VPN connection as Safe.
Also, I have created another Safe network called office with a range of IP addresses that belong to my office network. This allows me access to my server and other PCs on the office network.
Under the profile Small Home or Office Network/System services I have set PPTP VPN and GRE protocol as allow for all. (PPTP is the type of VPN I am using and the GRE protocol is associated with this. If I were using L2TP I understand that ESP protocol would have to be set as allow for all. L2TP and ESP go together. See http://www.avg.co.uk/faq.num-817?srch=using-vpn#faq_817)


----------



## Adiyanto (Dec 7, 2010)

I also experienced the same problem when trying to make a connection to my office via VPN connection. But this is how I found the solution.

After dialing a VPN connection that failed, I checked the *Traffic Logs*, which stated that the Application *FilterDevice* protocol *TCP* *Out* port *1723* was blocked. So I added a new rule on *User defined system of rules* (under *System services*) as follows: TCP, Out, remote port 1723, remote address <my address>, Allow for all.

Then I tried dialing again, but it failed as well. This time the *Traffic Logs* mentioned that the Application *SYSTEM*, protocol *GRE* was blocked. Then I added a second rule: GRE, both ways, remote address <my address>, Allow for all.

After that... the problem was resolved.
If desired, just for checking, both rules can be set as displayed on the Traffic Logs.


----------
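The log-driven approach in Adiyanto's post above, as an added example that is not part of the thread or of AVG's own tooling: it reads blocked entries and emits only the allow rules scoped to the VPN gateway, instead of opening TCP/UDP ports 0 - 65535. The log line layout, the gateway address 198.51.100.10 and the function name `minimal_rules` are assumptions; the thread does not show AVG's real log format.

```python
import re

# Constructed sample lines in an ASSUMED layout:
#   <application> <protocol> <In|Out> <remote addr>[:<port>] <Blocked|Allowed>
# The thread does not show AVG's real Traffic Logs format; 198.51.100.10
# stands in for the VPN gateway (documentation address, not from the thread).
SAMPLE_LOG = """\
FilterDevice TCP Out 198.51.100.10:1723 Blocked
SYSTEM GRE Out 198.51.100.10 Blocked
SYSTEM GRE In 198.51.100.10 Blocked
iexplore.exe TCP Out 203.0.113.5:80 Allowed
svchost.exe UDP Out 203.0.113.9:123 Blocked
"""

LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(In|Out)\s+([\d.]+)(?::(\d+))?\s+(Blocked|Allowed)$")


def minimal_rules(log_text, gateway):
    """Derive the narrowest allow rules for blocked traffic to/from gateway."""
    flows = {}  # (protocol, remote port or None) -> directions seen blocked
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        _app, proto, direction, addr, port, action = m.groups()
        # Only blocked traffic involving the gateway earns a rule; unrelated
        # blocks (the UDP 123 line above) stay blocked.
        if action == "Blocked" and addr == gateway:
            flows.setdefault((proto, port), set()).add(direction)
    rules = []
    for (proto, port), dirs in sorted(
            flows.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        rules.append({
            "protocol": proto,
            "direction": "Both" if dirs == {"In", "Out"} else next(iter(dirs)),
            "remote_port": int(port) if port else None,  # GRE has no ports
            "remote_address": gateway,  # scoped to the gateway, not "any"
        })
    return rules


if __name__ == "__main__":
    for rule in minimal_rules(SAMPLE_LOG, "198.51.100.10"):
        print(rule)
```

For the PPTP case in the thread this yields two rules, GRE both ways and TCP out to remote port 1723, both limited to the gateway address.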

