Solved

VPN issue

Posted on 2006-11-14
Last Modified: 2010-03-18
I use the RRAS service to set up a VPN. The router is a Linksys RV042; on the router I don't use the VPN function, I just pass through IPsec, PPTP and L2TP and port-forward them to our RRAS server (Win2000), which is a domain controller and has only one network adapter. I use a static address pool for the VPN clients. The problem is that when clients log in to the VPN, the login is successful, but they can only ping or access the RRAS server; all other resources on the network cannot be accessed. Even when I set up the VPN clients to use DHCP as the address pool, it is still the same problem. So what's going on? Except for the RRAS server, the VPN clients can see nothing on the network. Thanks a lot, looking forward to your response.
Question by:zybxtv
37 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17942309
can you post an ipconfig once connected to the VPN
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17942384
Are you pinging by name or IP address?
0
 

Author Comment

by:zybxtv
ID: 17948059
I did check ipconfig, everything is right; the only thing is that after the VPN is connected, the VPN client's subnet is 255.255.255.255, and the default gateway is the IP address which it got. As for the ping command, both by name and by IP address do not work, but they work on the RRAS server, and NetBIOS over TCP/IP is enabled. Thanks, do you have any clue?
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17948568
Are the VPN clients on the same subnet as your network?
0
 

Author Comment

by:zybxtv
ID: 17953051
No, they are on a different subnet: the LAN subnet is 255.255.0.0, the VPN clients' subnet is 255.255.255.255, but I don't know where I can change the VPN subnet. Looking forward to your response, thanks.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17953272
I do believe that is your problem, they cannot talk across subnets.
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17956083
You either have to change your VPN static IPs to the same subnet or create a static route, on the server I think, that will make the server the gateway for your 255.255.255.255 to access the 255.255.0.0 subnet.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17956207
Not to steal Jay_Jay70's thunder :-) but he was referring to the subnet, not the subnet mask. The office can use whatever subnet mask, 255.255.0.0 is fine; the VPN client will automatically be, or at least should be, assigned an IP in the same subnet and with the default subnet mask of 255.255.255.255. This is normal. However, the subnets must be different. If the office uses 192.168.1.x then the remote site must use something different such as 192.168.2.x, or there will be a routing conflict. The VPN will look after the routing between the subnets. This is a very common source of the problem you are describing, and may well be your problem.

By the way on the RV042 you only need PPTP pass-through, not IPSec and L2TP. Sounds like you have done so but you also need to forward port 1723 to the RRAS server.
If you like, you can upgrade the RV042 to the latest firmware and it can then act as the PPTP VPN tunnel endpoint, instead of the RRAS server, but not necessary.
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17956351
Sorry, that's what I was thinking but not what I wrote. That's what happens when you answer questions and are working on something else at the same time. :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17956415
:-) been there, done that.
0
 

Author Comment

by:zybxtv
ID: 17960141
Thank you for your help. This is the routing information.
LAN is 172.16.0.0, subnet mask is 255.255.0.0, default gateway is 172.16.0.38;
VPN is 172.16.10.0, subnet mask is 255.255.255.255 (which is the VPN clients' IP subnet mask), default gateway is 172.16.10.1;
Actually, both 172.16.0.38 and 172.16.10.1 are on the same network, which is the RRAS server (Win2000 server, domain controller), which has only one adapter; the internal IP is 172.16.0.38, the VPN IP is 172.16.10.1. So would you mind showing me how to set up the static route between 172.16.0.38 and 172.16.10.1? I really appreciate your help!
0
 

Author Comment

by:zybxtv
ID: 17960179
Sorry, I mean 172.16.0.38 and 172.16.10.1 are on the same network adapter, which is the RRAS server.
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17960957
On your server, open a command prompt and type in "route Print" without the quote marks and reply with the output. This way we can see the routing table on your server.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17961012
To confirm, in relation to the earlier subnet discussion, the home local network should be using neither 172.16.0.0 nor 172.16.10.0, correct?

>>"VPN is 172.16.10.0, subnet mask is 255.255.255.255(which is vpn clients ip subnet mask), default gateway is 172.16.10.1"
Is the default gateway on the server or on the client? Usually the server would not have a default gateway for the VPN/PPP adapter. Normally if you assign a static pool for the VPN, say 172.16.10.1 to 172.16.10.20, the server will receive the first IP and the clients the rest. Both server and client have a 255.255.255.255 subnet mask and the client will have a default gateway which is the same as its own PPP IP.

>>"so would mind show me how to setup the static route between 172.16.0.38 and 172.16.10.1"
No need to add a route as both 172.16.0.0 and 172.16.10.0 are part of the same subnet, because you are using a 255.255.0.0 subnet mask.

gvlob's suggestion of route print output is good, but it should be from both client and server while the VPN is connected. Otherwise the virtual routing will not be present.

0
 

Author Comment

by:zybxtv
ID: 17961437
The default gateway 172.16.10.1 is the gateway for the VPN client after the client successfully logs in to the VPN, which I got from "route Print" on the RRAS server (after the VPN client disconnects, running "route Print" on the RRAS server no longer shows the 172.16.10.1 address). However, the default gateway on the VPN client computer, using "ipconfig/all", is the VPN client's IP address; for example, if the client got the VPN IP 172.16.10.5, its default gateway is 172.16.10.5 too.
Exactly like you said: "Normally if you assign a static pool for the VPN say 172.16.10.1 to 172.16.10.20 the server will receive the first IP and the clients the rest".
I fully understand what you mean, and it looks like everything is right, like you said "No need to add a route as both 172.16.0.0 and 172.16.10.0 are part of the same subnet, because you are using a 255.255.0.0 subnet mask.", but 172.16.0.XXX (the client's VPN IP address) can only talk to the first VPN IP, which is the RRAS server's VPN IP 172.16.10.1, and even from 172.16.10.xxx I can ping 172.16.0.38 (the RRAS server's LAN IP), but that is the only machine (the RRAS server has 172.16.10.1 and 172.16.0.38) I can ping; there is nothing else I can ping or access. For example, I cannot ping 172.16.0.39, the error is "Request time out". This issue is really driving us crazy. Do you have any clue what is wrong?
0
 

Author Comment

by:zybxtv
ID: 17961447
Sorry, I meant: 172.16.10.XXX (the client's VPN IP address) can only talk to the first VPN IP, which is the RRAS server's VPN IP 172.16.10.1, and even from 172.16.10.xxx I can ping 172.16.0.38 (the RRAS server's LAN IP), but that is the only machine (the RRAS server has 172.16.10.1 and 172.16.0.38) I can ping; there is nothing else I can ping or access. For example, I cannot ping 172.16.0.39, the error is "Request time out". This issue is really driving us crazy. Do you have any clue what is wrong?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17961499
I have been assuming single network adapter on the server. Correct me if that is not the case.

Though I don't see it as the problem, try as a test, creating a route on the client machine.
First connect to the VPN, and on the client do an ipconfig.
Assuming the client has an IP of 172.168.10.1 try:
route  add  172.16.0.0  mask 255.255.0.0  172.168.10.1

Should it work, it is not a solution as the IP is dynamic, but it may help with the diagnosis.
To remove:
route  delete  172.16.0.0
0
 

Author Comment

by:zybxtv
ID: 17961918
right, single network adapter on the server
0
 

Author Comment

by:zybxtv
ID: 17962000
Sorry, from the client machine I cannot add "route  add  172.16.0.0  mask 255.255.0.0  172.168.10.1", I don't know why!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17962048
Interesting. Do you get an error message ? It should not reply with anything when adding, but a route print should show changes in routing table. Sorry I didn't mention, it needs to be done from a command line (DOS window). Did you try it from there?
0
 
LVL 6

Expert Comment

by:gvlob
ID: 17965042
When you did the route print on your server, was the loopback address (127.0.0.0) in the list? Also, from the local network can you ping the secondary IP address on your server (172.16.10.1)?
0
 

Author Comment

by:zybxtv
ID: 17965834
When I did the route print on the server, the loopback address (127.0.0.0) was in the list. The RRAS server and the VPN client can ping each other; nothing else can be pinged. I ran this command from the VPN client machine (DOS window): "route  add  172.16.0.0  mask 255.255.0.0  172.168.10.1", and got the error: "the route addition failed: either the interface index is wrong or the gateway does not lie on the same network as the interface. check the ip address table for the machine." Thanks.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17971475
>>" got error: "the route addition failed:"
The VPN needs to be connected at the time you add the route, and also the IP at the end of the command must be the VPN/PPP adapter's current IP, 172.168.10.1 was just an example.
0
 

Author Comment

by:zybxtv
ID: 18000824
Thanks, I did add "route  add  172.16.0.0  mask 255.255.0.0  172.168.10.2", and this time it was successful; the IP 172.16.10.2 is the VPN/PPP adapter's current IP, but it still can only access the RRAS server. When I ping others: "Request time out". Thanks.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18003640
Re-reading this I see we still do not know the subnet the remote/client system is using for its local LAN. Because of your office subnet 172.16.0.0/16 (255.255.0.0) your client network cannot use any IP (other than the VPN/PPP adapter) between 172.16.0.0 and 172.16.255.255. Is it different, such as 172.17.0.0/16? If not, you will have routing conflicts and results such as you are describing.

An   ipconfig /all   from the client site, as Jay_Jay70 first requested, would help to confirm this.
0
 

Author Comment

by:zybxtv
ID: 18080016
this is the routing table at RRAS server:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.0.31      172.16.0.37     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
   139.142.18.120  255.255.255.255      172.16.0.31      172.16.0.37     20
   139.142.18.121  255.255.255.255      172.16.0.31      172.16.0.37     20
       172.16.0.0      255.255.0.0      172.16.0.37      172.16.0.37     20
      172.16.0.37  255.255.255.255        127.0.0.1        127.0.0.1     20
      172.16.10.1  255.255.255.255        127.0.0.1        127.0.0.1     50
      172.16.10.5  255.255.255.255      172.16.10.1      172.16.10.1      1
   172.16.255.255  255.255.255.255      172.16.0.37      172.16.0.37     20
        224.0.0.0        240.0.0.0      172.16.0.37      172.16.0.37     20
  255.255.255.255  255.255.255.255      172.16.0.37      172.16.0.37      1
Default Gateway:       172.16.0.31
__________________________________________________________________
this is the routing table at vpn client computer, which is not in the network.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     139.142.18.1  139.142.18.121        21
          0.0.0.0          0.0.0.0      172.16.10.5     172.16.10.5        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
     139.142.18.0    255.255.255.0   139.142.18.121  139.142.18.121        20
   139.142.18.120  255.255.255.255   139.142.18.121  139.142.18.121        20
   139.142.18.121  255.255.255.255        127.0.0.1       127.0.0.1        20
  139.142.255.255  255.255.255.255   139.142.18.121  139.142.18.121        20
       172.16.0.0      255.255.0.0      172.16.10.5     172.16.10.5        20
      172.16.10.1  255.255.255.255      172.16.10.5     172.16.10.5        20
      172.16.10.5  255.255.255.255        127.0.0.1       127.0.0.1        50
   172.16.255.255  255.255.255.255      172.16.10.5     172.16.10.5        50
        224.0.0.0        240.0.0.0   139.142.18.121  139.142.18.121        20
        224.0.0.0        240.0.0.0      172.16.10.5     172.16.10.5        1
  255.255.255.255  255.255.255.255   139.142.18.121  139.142.18.121        1
Default Gateway:       172.16.10.5

The rows [
          172.16.0.0      255.255.0.0      172.16.10.5     172.16.10.5        20
         172.16.10.1  255.255.255.255      172.16.10.5     172.16.10.5        20
       ] are what I added to the route table with "route add" after the VPN client connected, but it is still the same problem. I don't see any problem in the route table, but I still can only ping or access the RRAS server; for all the others the request times out. Do you have any clue? Thanks.
0
 

Author Comment

by:zybxtv
ID: 18080050
So, 172.16.10.1 and 172.16.0.37 are on the same network adapter on the RRAS server, 172.16.0.5 is the VPN client IP address, and the client VPN address pool is from 172.16.10.1 to 172.16.10.100. The clients can ping and access the RRAS server (172.16.10.1 or 172.16.0.37), but still nothing else on the network can be accessed. Thanks.
0
 

Author Comment

by:zybxtv
ID: 18080089
By the way, from the VPN client, after the VPN is connected, using ipconfig/all we can see the DNS and WINS IP addresses, but cannot ping them; it seems the clients are not connected with the RRAS server at all. From the RRAS server or from the VPN clients, they can ping each other, and that is it. I hope I can find some smart guy who can "save my life", this problem is almost killing me!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18084680
Looking at the above, it appears both the server and client sites use 172.16.0.0/16 (172.16.0.1 to 172.16.255.254 with 255.255.0.0). If so, then both sites are part of the same network segment and will not be able to communicate. This is a basic VPN rule. Packets are routed by subnet and the router cannot deal with having the same subnet at 2 different sites. The reason you can connect to the remote RRAS server is that "use default gateway on remote network" is enabled on the VPN client. Can you try changing the server or client site to something like 172.17.x.x 255.255.0.0?
0
 

Author Comment

by:zybxtv
ID: 18085592
I changed the static address pool for the VPN clients on the RRAS server to 172.17.10.1 ~ 172.17.10.100; the subnet is 255.255.255.128. Honestly, this subnet address came up automatically. I don't have much experience with IP routing, and I don't know how to change it to 255.255.0.0. It is still the same problem. I really appreciate your help; could you find something wrong? Thanks.

this is the routing table at RRAS server:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.0.31      172.16.0.37     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
   139.142.18.120  255.255.255.255      172.16.0.31      172.16.0.37     20
   139.142.18.121  255.255.255.255      172.16.0.31      172.16.0.37     20
       172.16.0.0      255.255.0.0      172.16.0.37      172.16.0.37     20
      172.16.0.37  255.255.255.255        127.0.0.1        127.0.0.1     20
   172.16.255.255  255.255.255.255      172.16.0.37      172.16.0.37     20
      172.17.10.1  255.255.255.255        127.0.0.1        127.0.0.1     50
      172.17.10.2  255.255.255.255      172.17.10.1      172.17.10.1      1
        224.0.0.0        240.0.0.0      172.16.0.37      172.16.0.37     20
  255.255.255.255  255.255.255.255      172.16.0.37      172.16.0.37      1
Default Gateway:       172.16.0.31
________________________________________________________________
this is the routing table at vpn client computer, which is not in the network.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     139.142.18.1  139.142.18.121        21
          0.0.0.0          0.0.0.0      172.17.10.2     172.17.10.2        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
     139.142.18.0    255.255.255.0   139.142.18.121  139.142.18.121        20
   139.142.18.120  255.255.255.255   139.142.18.121  139.142.18.121        20
   139.142.18.121  255.255.255.255        127.0.0.1       127.0.0.1        20
  139.142.255.255  255.255.255.255   139.142.18.121  139.142.18.121        20
      172.17.10.2  255.255.255.255        127.0.0.1       127.0.0.1        50
   172.17.255.255  255.255.255.255      172.17.10.2     172.17.10.2        50
        224.0.0.0        240.0.0.0   139.142.18.121  139.142.18.121        20
        224.0.0.0        240.0.0.0      172.17.10.2     172.17.10.2        1
  255.255.255.255  255.255.255.255   139.142.18.121  139.142.18.121        1
Default Gateway:       172.17.10.2
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18087036
It's not the VPN subnet that needs to be changed but one or the other sites. The entire local LAN. If this is a difficult task you might want to try connecting from another site that uses a different subnet to verify that is the problem.
0
 

Author Comment

by:zybxtv
ID: 18088720
I cannot change the server site to something like 172.17.x.x 255.255.0.0, but I can change the VPN client site, which is not in the network. Please look at the routing table above; can you see any problem? Or maybe the problem is from the router?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18094321
zybxtv, the subnet mask of 255.255.255.128 for the VPN clients is OK, that is just indicative of how many IPs are assigned to the VPN DHCP scope/range.

As for the local and remote subnets, perhaps you do not have duplicate subnets. By that I mean, if your server site locally uses 172.16.x.x with 255.255.0.0 then the connecting site cannot use locally anything with 172.16.x.x. It is OK if the VPN client does, and probably should. However, looking at the routing table it looks like the connecting client is connected directly to a modem, has an IP of 139.142.18.121 and no others. Is this correct? If so, great, no subnet changes required.

I am a little confused by the routing tables. Not suggesting they are wrong, I just cannot quite figure out, what is 139.142.18.120? Does the server site have two network adapters, or are there any static routes that have been manually added? Perhaps the output of     ipconfig  /all  from both sites, without the VPN connected, would help.

You may also want to review the following configuration outline:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
0
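The check the accepted answer does by eye (does the client's own LAN overlap the office 172.16.0.0/16, and which adapter carries a packet for 172.16.0.39), as an added example that is not part of the original thread. It assumes the Windows 2000/XP `route print` layout shown above, where an on-link route lists the adapter's own IP as its gateway; the function names and the second table are constructed for illustration.

```python
import ipaddress

# Rows from the VPN client's `route print` posted in the thread (172.17.10.x pool).
THREAD_CLIENT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     139.142.18.1  139.142.18.121        21
          0.0.0.0          0.0.0.0      172.17.10.2     172.17.10.2        1
     139.142.18.0    255.255.255.0   139.142.18.121  139.142.18.121        20
      172.17.10.2  255.255.255.255        127.0.0.1       127.0.0.1        50
"""

# Constructed counter-example: a client whose own LAN also uses 172.16.0.0/16.
CONFLICT_CLIENT = """
          0.0.0.0          0.0.0.0       172.16.0.1      172.16.0.50        21
          0.0.0.0          0.0.0.0      172.17.10.2      172.17.10.2        1
       172.16.0.0      255.255.0.0      172.16.0.50      172.16.0.50        20
      172.17.10.2  255.255.255.255        127.0.0.1        127.0.0.1        50
"""


def parse_route_print(text):
    """Parse 'Active Routes' rows; headers and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            routes.append({
                "net": ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False),
                "gateway": ipaddress.ip_address(parts[2]),
                "iface": ipaddress.ip_address(parts[3]),
                "metric": int(parts[4]),
            })
        except ValueError:
            continue  # not a route row
    return routes


def egress_interface(routes, dest):
    """Longest-prefix match, lowest metric breaking ties; returns the interface IP."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r["net"]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return str(best["iface"])


def local_overlaps(routes, vpn_ip, office_net):
    """On-link networks of non-VPN adapters that overlap the office LAN."""
    office, vpn = ipaddress.ip_network(office_net), ipaddress.ip_address(vpn_ip)
    return [str(r["net"]) for r in routes
            if r["gateway"] == r["iface"]          # on-link row (assumed 2000/XP layout)
            and r["iface"] != vpn
            and 0 < r["net"].prefixlen < 32        # skip default and host/broadcast rows
            and r["net"].overlaps(office)]


if __name__ == "__main__":
    for name, table in (("thread", THREAD_CLIENT), ("conflict", CONFLICT_CLIENT)):
        routes = parse_route_print(table)
        print(name, "172.16.0.39 leaves via", egress_interface(routes, "172.16.0.39"),
              "| overlapping local nets:", local_overlaps(routes, "172.17.10.2", "172.16.0.0/16"))
```

For the table posted in the thread the packet leaves via the PPP adapter and no local network overlaps the office range; in the constructed table the local /16 wins the longest-prefix match, so traffic for office hosts never enters the tunnel.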
 
LVL 6

Expert Comment

by:gvlob
ID: 19431485
If we did not solve the problem, then my vote is to give him back the points. If you feel that a good enough effort has been made that points should be awarded, give them to RobWill, he stuck with it much longer than I did.
0
