Solved

MUVPN cannot ping across BOVPN

Posted on 2008-10-10
1,423 Views
Last Modified: 2015-09-16
We have 3 fireboxes connected via BOVPN which is working fine. We are able to access servers across the BOVPN when on the trusted network. The problem is when I VPN in via the MUVPN IPSEC to one of the fireboxes, I cannot ping across the BOVPN.

The MUVPN rule is set to ANY, and the IP address pool that it is giving out is on the same subnet as the trusted LAN. Given these factors I should be able to ping the servers across the BOVPN but this is not the case.

Is there anything that I am missing?
Question by:bdragun
7 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 22687000
On the VPN client do you have "use default gateway on remote network" unchecked?

To find out:
Right click the VPN connection
Select Properties
Click Networking Tab
Select TCP/IP in the list
Click the properties button
Click the advanced button.

I normally keep it unchecked unless I need to map a drive to  a server at one of our remote sites. That way I'm accessing the Internet through my ISP rather than the VPN.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 125 total points
ID: 22688575
While configuring the MUVPN client; edit the user/group; under resources tab, do you have the checkbox "Force All Traffic Through Tunnel" checked; if not you would need to check it.

After you check the box; you would need to re-generate the files and distribute to clients so the changes are uploaded in the client. Till that time the users would not be able to connect to firebox using MUVPN.

Let's see why this is needed and what are the drawbacks of this approach, I will take an example to explain.

Let's say the setup is as below:

    192.168.1.0/24 Internal network --- Firebox A --- VPN --- Site B --- 192.168.2.0/24
                                                         |         |
                                  192.168.3.0/24  Site C           Site D --- 192.168.4.0/24

The remote client, when it connects using MUVPN, is assigned an IP address in the range 192.168.1.100. And let's say under allowed resources you only have 192.168.1.0/24; this would mean the traffic from the remote client would only be put on the tunnel when it is destined for the 192.168.1.0/24 subnet.
After we make the change and check the box; then all the traffic including the internet traffic would first come to the firebox; firebox already has policy allowing all traffic from the remote client; further firebox also has policies to route traffic between 192.168.1.0/24 and other subnets (.2.0; .3.0 and .4.0).
With all the traffic including internet traffic coming to firebox over the VPN tunnel and then to the internet and then through VPN tunnel back to user; the latency for internet traffic would increase considerably. In some cases the remote user might not be able to access local shared drives till the VPN connection is closed.

Please implement and update.

Thank you.
0
 
LVL 1

Author Comment

by:bdragun
ID: 22689844
I made the change and forced all traffic through the firewall and it is working. Do we have to use this method? Can it be set up so that a user can use their local internet access instead of being forced through the firebox?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22690235
Under allowed resources; you can add specific subnet and try; again reload the updated policy on the client.

Please implement and update.

Thank you.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22690258
Sorry forgot to add, uncheck force all traffic checkbox.
0
 
LVL 1

Author Comment

by:bdragun
ID: 22702323
Well, like I said, when I force traffic it works, but when I uncheck "force traffic through tunnel" it doesn't seem to want to work. At first I thought it might be because of the subnet I am on, but I tried from a Sprint Air card and I am having the same issue.
Going to try a couple different configs and test them out. Also plan to upgrade the firmware to the most recent.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22702840
Upgrading firmware would not help; as I explained earlier, either you configure a zero route tunnel or add multiple subnets in the allowed resources.

After you uncheck the box, can you specify what you have under allowed resources.

Thank you.
0
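The route-selection rule behind both of dpk_wal's suggestions (the zero-route tunnel in the accepted answer, and the alternative of listing each remote subnet under allowed resources with "force all traffic" unchecked) can be shown in a few lines. The following is an added example for this thread, not code from the thread, from WatchGuard, or from the MUVPN client; it models the client's decision as "a packet goes into the IPSec tunnel only if its destination falls inside one of the allowed resources, otherwise it leaves via the client's local default gateway". The site addresses are the ones from dpk_wal's diagram; the function names and the public address 198.51.100.7 (standing in for "the internet") are assumptions made for the illustration.

```python
"""Split-tunnel vs. "Force All Traffic Through Tunnel" route selection for a
WatchGuard-style MUVPN client.

Added example, not code from the thread or from WatchGuard.  A packet enters
the tunnel only when its destination is covered by one of the client's tunnel
routes; everything else uses the client's local default gateway, so Firebox A
(and therefore the BOVPN policy between sites) never sees it.  Function names
are assumptions for this illustration.
"""
import ipaddress

# Site layout from dpk_wal's diagram: Firebox A's trusted LAN plus the three
# BOVPN-connected sites.
SITE_SUBNETS = {
    "A": ipaddress.ip_network("192.168.1.0/24"),   # trusted LAN / MUVPN pool
    "B": ipaddress.ip_network("192.168.2.0/24"),
    "C": ipaddress.ip_network("192.168.3.0/24"),
    "D": ipaddress.ip_network("192.168.4.0/24"),
}
INTERNET_HOST = "198.51.100.7"  # constructed; RFC 5737 documentation range


def client_tunnel_routes(allowed_resources, force_all_traffic):
    """Tunnel routes the client installs from the policy it was given.

    With "Force All Traffic Through Tunnel" checked the client gets a single
    0.0.0.0/0 tunnel route (the zero-route tunnel); otherwise only the
    allowed-resource subnets are routed into the tunnel.
    """
    if force_all_traffic:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(r) for r in allowed_resources]


def select_path(destination, tunnel_routes):
    """Return 'tunnel' if some tunnel route covers destination, else 'local'."""
    dst = ipaddress.ip_address(destination)
    return "tunnel" if any(dst in route for route in tunnel_routes) else "local"


def unreachable_sites(allowed_resources, force_all_traffic):
    """Sites whose hosts a client with this policy never puts into the tunnel.

    Probes the .10 host of each site subnet.  A site listed here is exactly
    the question's symptom: the ping leaves via the local gateway, so the
    BOVPN between Firebox A and that site is never used.
    """
    routes = client_tunnel_routes(allowed_resources, force_all_traffic)
    return sorted(name for name, net in SITE_SUBNETS.items()
                  if select_path(net[10], routes) == "local")


if __name__ == "__main__":
    all_four = [str(net) for net in SITE_SUBNETS.values()]
    policies = {
        "split tunnel, allowed = 192.168.1.0/24 only": (["192.168.1.0/24"], False),
        "force all traffic through tunnel":            (["192.168.1.0/24"], True),
        "split tunnel, allowed = all four subnets":    (all_four, False),
    }
    for label, (allowed, force) in policies.items():
        routes = client_tunnel_routes(allowed, force)
        print(f"{label}:")
        for dst in ("192.168.1.50", "192.168.2.10", INTERNET_HOST):
            print(f"   {dst:15} -> {select_path(dst, routes)}")
        print(f"   sites never reached via tunnel: "
              f"{unreachable_sites(allowed, force) or 'none'}")
```

The first policy reproduces the question: the client holds a 192.168.1.x address, yet a ping to 192.168.2.10 never enters the tunnel because the decision is made on the destination, not on the client's own subnet. The second policy (the accepted answer) fixes it by sending everything, internet traffic included, through Firebox A, which is the latency and local-drive drawback dpk_wal describes. The third policy is the alternative from the later comments: list all four subnets as allowed resources, leave the box unchecked, and internet traffic stays local while every site is reachable over the BOVPN.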
