• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2372
  • Last Modified:

Internal VPN & Routing table

I am using secpol.msc in windows XP Home and a Linksys BEFVP41 VPN Router to configure a VPN between a private network and a single private pc
I have set the security policies and tunnel parameters in windows and the linksys BEFVP41 vpn router
The set up is

VPN Server end
Lan IP 192.168.1.0  Mask 255.255.255.0   Def Gateway 192.168.1.1
-----> Linksys VPN Router:  IP 192.168.1.1   Mask 255.255.255.0   Wan IP 192.168.3.249

Client PC end
----> D-Link DI-624 Router:   Wan IP 192.168.3.150    IP 192.168.3.1    Mask  255.255.255.0
 ---> Client PC: IP 192.168.3.149   Mask 255.255.255.0   Def Gateway 192.168.3.1

When I ping 192.168.1.110 (one of the pc's on the lan) from the Client PC I get  Negotiating IP Security I set it to ping 30 packets but no reply
I think I need to add a route to the table but i dont know what. The D-Link router has IPSec and PPTP set to always allow
0
jedfreeman
Asked:
jedfreeman
  • 3
  • 2
1 Solution
 
lrmooreCommented:
I'm a little confused on your setup. The BEFVP41 is the VPN server.
Are you doing this in a lab with the two routers on the same LAN subnet for testing?
GW=default gateway
L= LAN port
W= WAN port

PC w/IPsecpol  -------> DI-624 <----------------->BEFVP41<----------test system
       |                             |                                 |                            |
192.168.3.149            L-192.168.3.150            L-192.168.1.1          192.168.1.100
GW: 192.168.3.150     W-192.168.4.249--------W-192.168.4.250     GW: 192.168.1.1
                                GW:192.168.4.250         GW:192.168.4.249

It appears that you currently have the same LAN subnet on both sides of your DL-624
Each device in line should have a default gateway pointing to the next hop. PC points to local router LAN IP,
Each router points to either 1) default gateway of ISP in live environment  2) next hop router in test environment (they point to each other as defaults)

0
 
jedfreemanAuthor Commented:
Thanks that makes sense I have changed the setup accordingly but I still dont get a response when I ping 192.168.1.100
Just: Negotiating IP Security which I think means the security policies are working. I have the tunnel parameters in IPSecpol
set as the WAN Addresses both ends is this correct, the securities are identical to the VPN Router ie: MD5 and 3DES  inc the Pre-Shared Key
One more thing I have the remote secure group on the VPN Router set to the DI-624 WAN IP
I can post the route print if nessesary

And Yes it is just for testing
0
 
lrmooreCommented:
Have you followed these directions for setting up the PC?
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=207

[URL edited for length by The--Captain]
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
jedfreemanAuthor Commented:
Yes this is what is printed in the manual but I had to add IPsecpol to XP Home
The settings are the same exept the Authentication I have MD5 instead of SHA and the tunnel end points which are the wan addresses

I wanted to use SSH Sentinel client software to do the job but it's no longer available

And Yes edit the post
0
 
lrmooreCommented:
Jon, go ahead and edit the link. Thanks..

0
 
The--CaptainCommented:
I concur with lrmoore -  your config should be adjusted as suggested - I agree that the same subnet on multiple interfaces is nonsensical, but it is a bizarre fact of life there exist routers (typically low-end) that support (or even demands) the same subnet on both interfaces - the Cayman series of router supplied to DSL customers of SBC comes to mind as a concrete example - if you want me to post a link to the URL that tells how to configure your Cayman this way, I could likely dig it up - it's the only way to make SBC DSL connections using a Cayman route the entire netblock to the customer firewall, AFAIK)

In any case, I am curious to know what you see if you run a sniffer on 192.168.1.110 while it is being pinged from the client PC - can you see the ICMP packets arriving and the corresponding replies going out?

Cheers,
-Jon
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now