Solved

Internal VPN & Routing table

Posted on 2004-10-17
7
2,292 Views
Last Modified: 2012-06-27
I am using secpol.msc in windows XP Home and a Linksys BEFVP41 VPN Router to configure a VPN between a private network and a single private pc
I have set the security policies and tunnel parameters in windows and the linksys BEFVP41 vpn router
The set up is

VPN Server end
Lan IP 192.168.1.0  Mask 255.255.255.0   Def Gateway 192.168.1.1
-----> Linksys VPN Router:  IP 192.168.1.1   Mask 255.255.255.0   Wan IP 192.168.3.249

Client PC end
----> D-Link DI-624 Router:   Wan IP 192.168.3.150    IP 192.168.3.1    Mask  255.255.255.0
 ---> Client PC: IP 192.168.3.149   Mask 255.255.255.0   Def Gateway 192.168.3.1

When I ping 192.168.1.110 (one of the pc's on the lan) from the Client PC I get  Negotiating IP Security I set it to ping 30 packets but no reply
I think I need to add a route to the table but i dont know what. The D-Link router has IPSec and PPTP set to always allow
0
Comment
Question by:jedfreeman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12333082
I'm a little confused on your setup. The BEFVP41 is the VPN server.
Are you doing this in a lab with the two routers on the same LAN subnet for testing?
GW=default gateway
L= LAN port
W= WAN port

PC w/IPsecpol  -------> DI-624 <----------------->BEFVP41<----------test system
       |                             |                                 |                            |
192.168.3.149            L-192.168.3.150            L-192.168.1.1          192.168.1.100
GW: 192.168.3.150     W-192.168.4.249--------W-192.168.4.250     GW: 192.168.1.1
                                GW:192.168.4.250         GW:192.168.4.249

It appears that you currently have the same LAN subnet on both sides of your DL-624
Each device in line should have a default gateway pointing to the next hop. PC points to local router LAN IP,
Each router points to either 1) default gateway of ISP in live environment  2) next hop router in test environment (they point to each other as defaults)

0
 

Author Comment

by:jedfreeman
ID: 12334241
Thanks that makes sense I have changed the setup accordingly but I still dont get a response when I ping 192.168.1.100
Just: Negotiating IP Security which I think means the security policies are working. I have the tunnel parameters in IPSecpol
set as the WAN Addresses both ends is this correct, the securities are identical to the VPN Router ie: MD5 and 3DES  inc the Pre-Shared Key
One more thing I have the remote secure group on the VPN Router set to the DI-624 WAN IP
I can post the route print if nessesary

And Yes it is just for testing
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12335149
Have you followed these directions for setting up the PC?
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=207

[URL edited for length by The--Captain]
0
Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

 

Author Comment

by:jedfreeman
ID: 12336944
Yes this is what is printed in the manual but I had to add IPsecpol to XP Home
The settings are the same exept the Authentication I have MD5 instead of SHA and the tunnel end points which are the wan addresses

I wanted to use SSH Sentinel client software to do the job but it's no longer available

And Yes edit the post
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12337847
Jon, go ahead and edit the link. Thanks..

0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12345196
I concur with lrmoore -  your config should be adjusted as suggested - I agree that the same subnet on multiple interfaces is nonsensical, but it is a bizarre fact of life there exist routers (typically low-end) that support (or even demands) the same subnet on both interfaces - the Cayman series of router supplied to DSL customers of SBC comes to mind as a concrete example - if you want me to post a link to the URL that tells how to configure your Cayman this way, I could likely dig it up - it's the only way to make SBC DSL connections using a Cayman route the entire netblock to the customer firewall, AFAIK)

In any case, I am curious to know what you see if you run a sniffer on 192.168.1.110 while it is being pinged from the client PC - can you see the ICMP packets arriving and the corresponding replies going out?

Cheers,
-Jon
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question