  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 302

restoring VPN after changing ISP at one location

I have a small business with two buildings a few blocks apart. Several months ago we were in the process of changing ISP for our high speed internet. The Building1 changeover was delayed, still on the Cavtel network, while Building2 was on the new Cox service. I created a simple VPN connection from a WinXP computer in Building2 to the VPN endpoint Win2003 server in Building1. (I opened port 1723 on the Linksys router in Building1). It worked fine and I had access using VPN to the Win2003 server from home also.

Then recently the Building1 service was also changed over to Cox. I thought that I could just change the IP on the client machine and the VPN connection would continue to work fine. That does work from home after just updating the IP address. However my connection from Building2 no longer connects. I have checked and rechecked the IP address there.

I suspected that there was something about the way Cox was routing the service. The two locations appear to be on the same subnet (these are not the real IPs but similar), for example: Building1 IP = 72.163.166.50 255.255.255.224 and Building2 IP = 72.163.166.46 255.255.255.224, both with the same default gateway 72.163.166.33. However, I called a Cox technician and he said it is something on my end like a blocked port or something else blocked, and he said that though these appear to be on the same subnet they are separated somehow through their equipment.

Any ideas of how to get VPN to work again or how to trace what is causing the failure?
0
Asked by telectro

1 Solution
 
naveedbCommented:
What kind of Internet connection do you have?

Do you have linksys at both sites?

When you opened ports, did you specify source and destination IP Address on the Linksys router or just the internal host? Can you verify the settings?

On each Building, are you able to ping the router of other building?
0
 
The--CaptainCommented:
>Any ideas of how to get VPN to work again or how to trace what is causing the failure?

>However, I called a Cox technician

by technician I assume you mean "support monkey"

>and he said it is something on my end like a blocked port or something else blocked and he said that though these
>appear to be on the same subnet that they are separated somehow through their equipment

My guess is that since both external IPs are in the same subnet, your equipment does not realize (why should it?) that it probably needs to route packets for all hosts on the local subnet through the default gateway...  My ISP (SBC) appears to work around this by deploying some sort of ARP spoofing on their router(s) - I have a single dynamic IP, yet have an assigned mask of /24 - every host in my external subnet appears to have the same MAC address as my default gateway - as I said, an apparent ARP spoof solution on their end.

If your firewall/router supports static routing entries, then you should add a specific route at each location to the other location through the default gateway.

In linux this would be:

route add -host remote.office.ip.address gw default.gw.ip.address

>On each Building, are you able to ping the router of other building?

I am also very interested in the results of such a test...

Cheers,
-Jon

0
 
ISoulCommented:
Have you checked the IP addresses on BOTH routers?
0
 
telectroAuthor Commented:
I cannot ping the router of the other building. I have a Linksys at both sites but they are different models; I cannot tell you which yet as I am not at work. I believe ping does not work because the Linksys units are not set to respond to WAN echo requests; I can try to change a setting and see if they respond.

Yes, good point about the equipment not realizing it needs to route all packets for all hosts on the local subnet through the default gateway ...

When I opened port 1723 it is on the Building1 Linksys router --it is just specified to the local host beyond (which is the Win2003 server VPN endpoint).  I do not think it gives me the option to set the source and destination IP.

The Linksys routers do support static routing and I believe I have configured static routes appropriately --yet I specified the destination LAN address in the static routes and maybe I need to specify the destination WAN IP.   That is worth a try though it does not fit with my conventional understanding of a static route and subnetting.



0
 
telectroAuthor Commented:
The internet connection is high speed cable (as in TV).
0
 
The--CaptainCommented:
>Yes, good point about the equipment not realizing it needs to route all packets for all hosts on the local subnet through the
>default gateway ...

Glad we're on the same page here...

>The Linksys routers do support static routing and I believe I have configured static routes appropriately --yet I specified the
>destination LAN address in the static routes and maybe I need to specify the destination WAN IP.   That is worth a try
>though it does not fit with my conventional understanding of a static route and subnetting.

I am very interested in the results of adding such static routes - I know this goes against "conventional understanding", but so does my own ISP's practice of having their router answering all ARPs for all hosts on my external subnet...

I love to play devil's advocate - that side of me wonders why your problem is the first (or at least a rare case) involving such issues - surely many folks before you have encountered such problems, or at least enough that a google search would yield some potential answers?

Food for thought...

Cheers,
-Jon

0
 
telectroAuthor Commented:
Jon --The--Captain, I'm accepting your solution as you confirmed my routing question in your first response and so I looked further into it and applied static routes that solved the problem. I'm not sure I could have solved the problem if the WAN IPs assigned to my routers had been closer together, as the static route must be to a network, not a device.

Let me explain. My IP at Building1 (main) is X.X.X.50 and my IP at Building2 is X.X.X.46 as I described earlier. The default gateway is X.X.X.33 for both with subnet mask of 255.255.255.224. This suggests a subnet with 32 addresses (30 usable, 33-62). I am really curious as to how the equipment functions at Cox's end so that these are not functionally in the same address space. Anyway I entered a static route on each router (Building1 & 2) to the other like this:

On the router with address X.X.X.50 (Building 1):
Route to X.X.X.46  255.255.255.254  use gateway X.X.X.33

On the router with address X.X.X.46 (Building 2):
Route to X.X.X.50  255.255.255.254  use gateway X.X.X.33

VPN works now!

(There may be solutions to this out there, I'd think someone else has encountered it, but I may not have known the right topic to search on)

 thanks,
   
0
 
The--CaptainCommented:
>I'm not sure I could have solved the problem if the WAN IP assigned to my routers had been closer together as the static
>route must be to a network not a device

Don't forget, a host is just a network with a mask of 255.255.255.255 in many circumstances involving routing...

Glad my advice worked for you - you should really yell at your ISP about this - this situation is definitely not cool.  At least my ISP does some ARP spoofing so I don't have to worry about it.

Cheers,
-Jon

0
 
telectroAuthor Commented:
>>Don't forget, a host is just a network with a mask of 255.255.255.255 in many circumstances involving routing...<<

However, the Linksys routers will not let you use the mask 255.255.255.255 for the network you want to route to!!

0
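An added example, not code from the thread or from either participant: it reproduces the reasoning above with Python's standard `ipaddress` module, first checking whether the other building's WAN address falls inside the local /27 (so the router would ARP for it directly instead of using the gateway), then building the host route that forces it via the ISP gateway. The sample addresses are constructed to mirror the thread's placeholder IPs, and the /31 fallback models the Linksys refusal of a 255.255.255.255 mask, showing which extra address that wider mask also captures.

```python
import ipaddress

# Constructed sample values mirroring the thread's placeholder addresses.
BUILDING1_WAN = "72.163.166.50"
BUILDING2_WAN = "72.163.166.46"
WAN_MASK = "255.255.255.224"   # /27: 72.163.166.32 - .63, 30 usable
ISP_GATEWAY = "72.163.166.33"


def appears_on_link(local_ip: str, mask: str, remote_ip: str) -> bool:
    """True when the local router would treat remote_ip as a neighbour
    (same subnet) and ARP for it directly rather than use the gateway.
    That is exactly the case the ISP's isolation breaks."""
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(remote_ip) in net


def host_route(remote_ip: str, gateway: str, allow_host_mask: bool = True) -> dict:
    """Build the static route that steers remote_ip through the ISP gateway.

    A /32 (255.255.255.255) is the proper host route.  If the router UI
    rejects that mask, as the Linksys units in the thread did, the narrowest
    prefix it accepts is a /31; 'also_covers' reports the one extra address
    that wider mask drags along so the operator can confirm it is harmless."""
    prefixlen = 32 if allow_host_mask else 31
    net = ipaddress.IPv4Network(f"{remote_ip}/{prefixlen}", strict=False)
    extra = [str(a) for a in net if str(a) != remote_ip]
    return {
        "destination": str(net.network_address),
        "mask": str(net.netmask),
        "gateway": gateway,
        "also_covers": extra,
    }


def linux_route_command(route: dict) -> str:
    """Equivalent modern-Linux form of the 'route add -host' line posted
    in the thread (iproute2 syntax, a standard command)."""
    net = ipaddress.IPv4Network(f"{route['destination']}/{route['mask']}")
    return f"ip route add {net.with_prefixlen} via {route['gateway']}"


if __name__ == "__main__":
    print("on-link?", appears_on_link(BUILDING1_WAN, WAN_MASK, BUILDING2_WAN))
    r = host_route(BUILDING2_WAN, ISP_GATEWAY, allow_host_mask=False)
    print(r)
    print(linux_route_command(r))
```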