Solved

VPN Problem

Posted on 2006-05-05
Last Modified: 2010-03-19
Hello

I have 2 ADSL connections at the office (one test and one Primary).
Both have the same router
The test network uses IP addresses in the range 192.168.0.* and consists of a router and one client
The primary network uses IP addresses in the range 192.0.1.* and consists of Win 2003 Server

Using the test network I can establish a VPN connection to our parent company...but using the Primary network I cannot.  The parent network uses the range 192.168.1.1

Is the problem related to the IP Addressing scheme used by the Primary network?  Or does the problem lie elsewhere?

I can VPN in to other sites but not our parent company!

Please advise.
Question by:doddwell
20 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16612889
Hi doddwell,

What are the errors you are getting when you try to contact the primary?
0
 

Author Comment

by:doddwell
ID: 16612987
It comes up with a box saying "Verifying Username and Password" and then it says:
"Error 721 The remote computer did not respond"
0
 
LVL 2

Expert Comment

by:AbIg0r6
ID: 16613121
Usually err 721 on authentication can indicate wrong security parameters in the VPN dialer....
Check the security & encryption & also check the VPN type (PPTP/L2TP IPsec)

Good luck and let us know the results :)
0
 

Author Comment

by:doddwell
ID: 16613268
Are you sure that's where I need to look (after all I can connect from the test network using the same vpn connection)?  I can't test your suggestion at the moment as the parent site is down at the moment!
0
 
LVL 2

Assisted Solution

by:AbIg0r6
AbIg0r6 earned 400 total points
ID: 16613444
No, I'm not 100 percent sure that that is the problem; however, err 721 on the user+pass check might indicate that the dialer configuration is wrong or the VPN server is busy/unavailable...
0
 

Author Comment

by:doddwell
ID: 16613468
The fact that I can connect to other VPNs from my Primary network suggests an issue at the parent site?
0
 
LVL 2

Expert Comment

by:AbIg0r6
ID: 16613504
Are there any changes to the dialer required to connect to the other VPNs?
0
 

Author Comment

by:doddwell
ID: 16613731
Not sure - about dialer settings for other sites (user who has these not in at the moment).

The fact that I can vpn into the parent company using same dialer settings when using my Test connection suggests a problem at my site or the parent company has blocked access from our site?  This brings me back to my original thought.....do you think that my IP address range is causing the problem?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16614125
-I assume port forwarding is set up on the router for port 1723.
-Is the router on the 192.168.1.0 network the default gateway for the server? If not you will need to add a static routing command with route add

-A 721 error usually specifically means the GRE packets are being blocked. 4 suggested possible causes of this would be:
1) the router does not support or have GRE enabled. On most smaller home/office routers this is set up using "enable PPTP pass-through" or "enable VPN pass-through" on the router
2) the Windows firewall or another software firewall could be blocking it
3) are there multiple NAT devices such as a modem that has combined modem and router capabilities, in addition to a router?
4) not as common but some routers, modems, and ISPs (last one obviously not the option here) do not support PPTP traffic

-Although the remote and local networks should never be the same with a VPN connection, it is usually OK with a Windows VPN connection using the PPTP client. This is due to the fact that it uses a virtual adapter. However, if the network at the remote site is using 192.168.1.0 as well I would change it. I also don't recommend using a default IP scheme at the main office, it creates the opportunity for IP conflicts with different users connecting from different sites.
0
 

Author Comment

by:doddwell
ID: 16615466
All outbound ports are open
Primary network uses 192.0.1.0...and yes, the default gateway for the server on this network is the router

1.) I don't  think this is an issue.  I have 2 identical routers with same settings. Except the one on the test network is used as a DHCP server.  On the primary network the server does the DHCP
2.) I connected my PC directly to the router (it's a switch too) and the problem still exists so no firewall issues.
3.) No
4.) I think the most likely issue is the ISP, esp. as I have tried connecting directly via the router.  I plan to migrate to a different ISP anyway....so hopefully this will resolve the issue

What do you mean by "don't use a default IP scheme at the main office".

Please advise, Simon
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16616114
>>"2.) I connected my PC directly to the router (it's a switch too) and the problem still exists so no firewall issues."
I don't follow how you connected your PC. The firewall I am referring to would be on the VPN server, the Windows server, and blocking inbound connections. Try testing by disabling it [ Control Panel | Windows Firewall | Off ]

>>"What do you mean by "don't use a default IP scheme at the main office".
VPNs should always have different subnets at either end of a tunnel. If you use something like 192.168.1.0 at the main office, which is a very common default subnet, used by many home routers, remote VPN users run a greater risk of having routing issues due to the same subnet at the remote end. Better at the office to use something less common like 192.168.123.0. For the record the most common ones are 192.168.0.0, 192.168.1.0, 192.168.2.0, 192.168.100.0 and 10.0.0.0

Twice now you have shown 192.0.1.0 as the office subnet. Is this correct or a typo? 192.0.1.0 is a public IP range and should not be used on a private LAN. If a typo and it should read 192.168.1.0 that is fine, though I prefer something different as mentioned above.
0
 

Author Comment

by:doddwell
ID: 16624534
>>We have a Netgear wireless Router/modem with built in firewall and it has LAN ports on it.  I connected my laptop directly to one of these ports.  All outbound ports on the firewall are open.  Do I need to open some inbound ones as well?

>>OK - got you.

No - it's not a typo! Our office subnet is 192.0.1.0.  Could this be the problem?
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 600 total points
ID: 16625139
>>" I connected my laptop directly to one of these ports. "
This is fine as a test, but when connecting from the Internet you will be using your public/Internet IP, don't forget to change that when on the local LAN to point to the private IP of the VPN Server.

>>"All outbound ports on the firewall are open.  Do i need to open some inbound ones as well."
Where you need to worry about the firewall is a software firewall such as the Windows firewall, on the VPN server blocking incoming traffic.

>>"Our office subnet is 192.0.1.0.  Could this be the problem?"
Though it might not be the problem with the VPN, it certainly could be a problem.
192.0.1.0 is a public IP subnet. Though it can work where you are behind a NAT router, you can still run into issues especially if you wanted to connect to an Internet site on the 192.0.1.0 network. Also it can be an issue for someone remotely trying to resolve that IP. If you are going to continue to use it, which I recommend against, on your VPN client, on the remote computer, make sure "use default gateway on remote network" is checked (enabled). This is located:
  Control panel | Network connections | right click on virtual VPN adapter and choose properties | Networking | Internet protocol TCP/IP | Properties | Advanced | General |.......

Private networks should always use one of the following IP schemes:
10.0.0.0           to  10.255.255.255
172.16.255.255 to  172.31.255.255
192.168.0.0      to  192.168.255.255
0
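Added example (not part of the thread or of any poster's answer): a small Python check, using the standard `ipaddress` module, that audits the LAN subnets discussed above against the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), the parent network, and the common router defaults listed earlier. The function name, the finding codes and the /24 masks are assumptions; the thread gives no netmasks.

```python
import ipaddress

# RFC 1918 private blocks. 172.16.0.0/12 spans 172.16.0.0 to 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common router defaults named in the thread; the /24 masks are an assumption.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                    "192.168.100.0/24", "10.0.0.0/24")]


def audit_vpn_subnets(local, remote):
    """Return a list of finding codes for the local LAN of a VPN client."""
    local_net = ipaddress.ip_network(local, strict=True)
    remote_net = ipaddress.ip_network(remote, strict=True)
    findings = []
    # Public space on a LAN hides the real Internet hosts in that range.
    if not any(local_net.subnet_of(block) for block in RFC1918):
        findings.append("not-rfc1918")
    # Same or overlapping subnet at both tunnel ends breaks routing.
    if local_net.overlaps(remote_net):
        findings.append("overlaps-remote")
    # Widely used defaults are likely to collide with remote users' networks.
    if any(local_net.overlaps(d) for d in COMMON_DEFAULTS):
        findings.append("common-default")
    return findings


if __name__ == "__main__":
    parent = "192.168.1.0/24"  # parent company range, mask assumed
    for name, lan in (("primary", "192.0.1.0/24"),
                      ("test", "192.168.0.0/24"),
                      ("suggested", "192.168.123.0/24")):
        print(name, lan, audit_vpn_subnets(lan, parent) or "ok")
```
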
 
LVL 2

Expert Comment

by:AbIg0r6
ID: 16629172
what basically RobWill means is that the vpn server's firewall might be blocking your office subnet -=> the one with the ip range 192.0.1.x

I think it will be a good start to try disabling it first....
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16629925
Actually, AbIg0r6, in the second section of my previous post, I was referring to the possibility that the Windows server may have the Windows firewall or some other software firewall enabled which is blocking all incoming traffic, specifically VPN GRE and PPTP traffic.
0
 
LVL 2

Expert Comment

by:AbIg0r6
ID: 16631221
To RobWill -> from my exp. with VPN, usually the err you get if being blocked by a firewall is 678 or 769

Anyway, it's easy to check by trying to telnet to that specific server on the VPN port/s
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16757058
doddwell, were you able to resolve? Did you change your subnet to a standard private range?
--Rob
0
 

Author Comment

by:doddwell
ID: 16789855
Sorry for delay - been off.  The parent company have upgraded their router and firewall.  Not sure what they have done...but it works!
0
 

Author Comment

by:doddwell
ID: 16789864
By the way..have done nothing at this end (so left subnet as is)
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16790528
Thanks doddwell. Glad to hear you are up and running.
As for the 192.0.1.0 subnet it will work fine, but if ever a user should happen to try to connect to a web site, for example, with a public IP in that subnet they will not be able to connect.
Cheers.
--Rob
0
