Solved

Watchguard VPN connection from VMWare is established, but I don't have any traffic!

Posted on 2009-05-14
Last Modified: 2013-11-16
Hi,
I am running Windows XP 32-bit in VMware Fusion on my MacBook Pro 5.1 (Leopard 10.5.6).
First of all I had problems even enabling bridged networking within my VM, but it works fine now.
Currently I have got the Watchguard Mobile VPN Client version 10.0 to connect to the corporate network.
In my VM I tried using both bridged networking and NAT. In both cases the VPN tunnel to the company could be established, but I am neither receiving a single bit from the outside nor able to send anything over the tunnel.
When using bridged networking and the VPN tunnel, ICMP packets are not going further than the host and the router connecting my MacBook to the internet.
But when using bridged networking only, everything is fine: ping, nslookup etc.
The Mac's and Windows' own firewalls are off. Additionally I opened the ports for the Watchguard connection (UDP 4500/500) (just in case, you never know ;-))

In my Watchguard profile I am using the 'LAN over IP' setting.
Because of that I bridged once on my wireless NIC and once on my Ethernet NIC, because I suspected incompatibilities between wireless protocols and the 'LAN over IP' setting.
After that I ran the Watchguard VPN Client, but the same problem occurred: the connection is OK, but there is no traffic!
I get DNS and WINS server IPs and a default gateway IP similar to another Watchguard connection running on a physical machine in the same network. But there it works without any problems!

Is there any protocol that blocks my traffic from the VM to the host?
Or can you think of something different which causes the problem?


I also did research on the web for possible solutions, but I just couldn't figure out how to deal with this problem.

I really would appreciate your answers! Thank you.

Kind regards,
Phil
Question by:pk_mag
14 Comments
 

Expert Comment

by:thetmanvn
ID: 24382877
Hi pk_mag,

After you've got the VPN established, can you post the output of the "route print" command from your XP client? It seems like routing trouble.
 

Author Comment

by:pk_mag
ID: 24383181
I hope the following ipconfig output clarifies a bit:

Ethernetadapter VMWare Fusion Bridged:

        Verbindungsspezifisches DNS-Suffix: fh-joanneum.at
        IP-Adresse. . . . . . . . . . . . : 10.15.200.118 // this is my local client IP in the VMWare Bridge
        Subnetzmaske. . . . . . . . . . . : 255.255.0.0
        Standardgateway . . . . . . . . . :

Ethernetadapter VPN-Corporate Connection:

        Verbindungsspezifisches DNS-Suffix:
        IP-Adresse. . . . . . . . . . . . : 10.123.10.111 // this is my IP in the Corporate network (VPN IP)
        Subnetzmaske. . . . . . . . . . . : 255.255.255.0
        Standardgateway . . . . . . . . . : 10.123.10.112

So my LAN is: 10.15.0.0/16
My corporate network: 10.123.10.0/24
My VPN IP: 10.123.10.111 (client), 88.217.156.167 (ext. IP server) -> VPN server side??

ad case 1. correct
ad case 2. I can't do anything at all. No internet (e.g. ping google.com) and no corporate network.

 

Expert Comment

by:thetmanvn
ID: 24383244
OK, so everything is clear now.

In this case, in your output, I saw that after you connect to your CorpNet via VPN, it changes the default gateway on your XP client from 10.15.1.254 (your LAN router maybe) to 10.123.10.112 (VPN peer server). It means you will connect to the Internet via CorpNet. And then, because you cannot communicate with the VPN gateway side, you can't ping anything.

So when your VPN is connected, try these routing commands in your cmd:

c:>route del 0.0.0.0
c:>route add 0.0.0.0 mask 0.0.0.0 10.15.1.254 metric 1 if 0x2
("if 0x2" if your interface 10.15.200.118 MAC address is 00-0c-29-d3-53-2b and "if 0x3" if your interface 10.15.200.118 MAC address is 00 0c 29 d3 53 21)

After that, I'm sure you can connect to the Internet.
Now try to troubleshoot the VPN connection: you can't ping, but can you use some service in your CorpNet? Maybe Watchguard blocks ping from the VPN client but allows the client to use some intranet services.
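As an added illustration of the diagnosis above (not code from the thread or from WatchGuard): a small Python script that parses the "Aktive Routen" block of XP's route print, picks the route XP would use for a destination (longest prefix first, then lowest metric), flags a default route that points into the VPN subnet (the full-tunnel situation seen here), and models the route del / route add fix. The table is a constructed sample built from the addresses quoted in the thread; the VPN subnet and LAN gateway passed to the checks are assumptions.

```python
import ipaddress

# Constructed sample in the layout of XP's German "route print" output, using the
# addresses mentioned in the thread (not output copied from the page).
ROUTE_PRINT_BEFORE = """\
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0    10.123.10.112   10.123.10.111       1
        10.15.0.0      255.255.0.0    10.15.200.118   10.15.200.118       10
      10.123.10.0    255.255.255.0    10.123.10.111   10.123.10.111       1
   88.217.156.167  255.255.255.255      10.15.1.254   10.15.200.118       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Standardgateway:     10.123.10.112
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the 'Aktive Routen' block."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Aktive Routen"):
            in_table = True
            continue
        if line.startswith("Standardgateway"):
            break
        parts = line.split()
        if not in_table or len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header line or something that is not a route row
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr, best = ipaddress.IPv4Address(dst), None
    for net, gw, iface, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw, iface)
    return None if best is None else (best[1], best[2])

def default_via_vpn(routes, vpn_net):
    """True when the 0.0.0.0/0 route points into the VPN subnet (internet forced into the tunnel)."""
    vpn = ipaddress.IPv4Network(vpn_net)
    return any(net.prefixlen == 0 and ipaddress.IPv4Address(gw) in vpn
               for net, gw, _iface, _metric in routes)

def apply_fix(routes, lan_gw, lan_iface):
    """Model 'route del 0.0.0.0' followed by 'route add 0.0.0.0 mask 0.0.0.0 <lan_gw> metric 1'."""
    kept = [r for r in routes if r[0].prefixlen != 0]
    kept.append((ipaddress.IPv4Network("0.0.0.0/0"), lan_gw, lan_iface, 1))
    return kept
```

After apply_fix, internet destinations resolve to the LAN router while 10.123.10.0/24 still resolves to the WatchGuard adapter, which is exactly the split the expert's two commands produce.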
 

Expert Comment

by:thetmanvn
ID: 24383681
Yes, the new routing table works OK because:

Now all traffic to the outside except the 10.123.10.0/24 network will go through 10.15.1.254. (0.0.0.0          0.0.0.0      10.15.1.254   10.15.200.118       1)
Traffic to 10.15.0.0/16 will go through the VPN tunnel (10.123.10.0    255.255.255.0    10.123.10.113   10.123.10.113       1)

1./ Can you ping 10.123.10.112 (the IP of the standard gateway Watchguard gave you)?
And right after you ping .112, run arp -a; does it have an entry for 10.123.10.112?
2./ Compare your routing table with the one from the physical PC that you said works well, to see any difference.
 

Accepted Solution

by:
thetmanvn earned 500 total points
ID: 24392108
I don't see any real difference between these two machines in the routing and network sections.
So we will try to find out in other ways:

1./ How many tunnels does your CorpNet Watchguard support for Mobile VPN Clients?

2./ In this scenario, do you connect both machines to your CorpNet at the same time, or only one?

3./ Did you check the firewall in your VM (Windows Firewall or a 3rd-party firewall)?

4./ You still have not shown me the arp -a output right after you ping the peer IP of the tunnel (for the example above, on your physical PC, ping 10.123.10.28 and then arp -a (the output will have an entry for 10.123.10.128), and ping 10.123.10.101 then arp -a on the VM PC).
 

Author Comment

by:pk_mag
ID: 24392961
Hi,
ad 1. I requested the number from our admin but he has not been responding yet.

ad 2. Both machines (VM and physical PC) were connected at the same time.

ad 3. Yes, I turned off Windows Firewall and do not run any 3rd-party firewall.

ad 4. Sorry! Here is the output from the arps (I get new IPs every time I connect):
Physical PC

C:\>ping 10.123.10.18

Ping wird ausgeführt für 10.123.10.18 mit 32 Bytes Daten:

Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.123.10.18:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),

C:\>arp -a

Schnittstelle: 10.35.7.13 --- 0x4
  Internetadresse       Physikal. Adresse     Typ
  10.35.0.1             00-13-49-9a-7c-dc     dynamisch
  10.35.255.2           00-80-3f-2b-e3-70     dynamisch

Schnittstelle: 10.123.10.17 --- 0x5
  Internetadresse       Physikal. Adresse     Typ
  10.123.10.18          02-00-52-1c-8d-ce     dynamisch

================

VM PC

C:>ping 10.123.10.104

Ping wird ausgeführt für 10.123.10.104 mit 32 Bytes Daten:

Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.123.10.104:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),

C:\>arp -a

Schnittstelle: 10.35.2.249 --- 0x2
  Internetadresse       Physikal. Adresse     Typ
  10.35.0.1             00-13-49-9a-7c-dc     dynamisch
  10.35.255.2           00-80-3f-2b-e3-70     dynamisch

Schnittstelle: 10.123.10.103 --- 0x3
  Internetadresse       Physikal. Adresse     Typ
  10.123.10.104         02-00-5a-b3-e7-cb     dynamisch

 

Expert Comment

by:thetmanvn
ID: 24393036
1./ The results from the physical PC and the VM PC are the same. Both can see the other end of the tunnel (as you can see, both machines have an ARP entry for the endpoint address). So at this step, everything is OK with both machines.

2./ Try this trick: disconnect both tunnels from the physical PC and the VM PC. REBOOT your HOME ROUTER. Re-connect ONLY your VM PC. Then tell me the result.
 

Author Comment

by:pk_mag
ID: 24393084
Hi thetmanvn,
I now got the response from our admin:
He says it depends on the different Watchguard profiles I am using in the VM and on the physical PC!
The physical PC's profile is able to ping, send DNS requests and so on, whereas the profile in the VM is ONLY allowed to connect to one specific IP within the entire corporate network! This is server-side driven and configured in the firewall, so we are not able to route any packet through this tunnel and get satisfying results!

Maybe he could have told me this fairly small detail before I turned my routing table inside out!!
Thank you anyway for your professional support!

Kind regards, Phil
 

Author Closing Comment

by:pk_mag
ID: 31581356
It was an internal problem, but your support was very professional.
Thank you very much!
 

Expert Comment

by:thetmanvn
ID: 24393115
Yeah,

You're welcome, and I'm glad to see you found the root of the problem and got out of this.

Have a nice day.
 

Expert Comment

by:thetmanvn
ID: 24393137
Anyway, you should ask an EE mod to see whether you can modify all the detailed info in this thread, because it publishes a lot of info about your home and your corp network.

See ya
 

Author Comment

by:pk_mag
ID: 24393203
Thanks for the hint, but how do I do this?
 

Author Comment

by:pk_mag
ID: 24399134
replacement data for deleted comments:
This is an edited version of the conversation excluding sensitive details about routing tables.

pk_mag's comment:
Hi thetmanvn,

unfortunately I can only post it in German.

===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
===========================================================================
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
        10.15.0.0      255.255.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
    10.15.XXX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       10
      10.123.XX.0    255.255.255.0    10.123.XX.XXX   10.123.XX.XXX       1
    10.123.XX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       10
   10.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX   10.15.XXX.XXX       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
        224.0.0.0        240.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
  255.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX               2       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
Standardgateway:     10.123.XX.XXX
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Anzahl
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX       1

The expert's answer:
No problem, I can understand.

In this output:

Your LAN: 10.123.XX.X/24 - GW: 10.123.XX.XXX
Your corporate network: 10.15.X.X/16
Your VPN IP: 10.15.XXX.XXX - your VPN server side: 10.15.X.XXX (ext. IP is XX.XXX.XXX.167)

1. In the first case, when using only bridged networking, no VPN client, you can ping and send anything to the Internet.

2. In the 2nd case, using bridged networking with the VPN client enabled, you can't do anything on the Internet, or you only can't do anything on the corporate network.

Is the overview above right? Or did I miss something? Then we can dig further.


pk_mag's comment:
I hope the following ipconfig output clarifies a bit:

Ethernetadapter VMWare Fusion Bridged:

        Verbindungsspezifisches DNS-Suffix: xx-xxxxxxxx.at
        IP-Adresse. . . . . . . . . . . . : 10.15.XXX.XXX // this is my local client IP in the VMWare Bridge
        Subnetzmaske. . . . . . . . . . . : 255.255.0.0
        Standardgateway . . . . . . . . . :

Ethernetadapter WG_MAG-VPN:

        Verbindungsspezifisches DNS-Suffix:
        IP-Adresse. . . . . . . . . . . . : 10.123.XX.XXX // this is my IP in the Corporate network (VPN IP)
        Subnetzmaske. . . . . . . . . . . : 255.255.255.0
        Standardgateway . . . . . . . . . : 10.123.XX.XXX

So my LAN is: 10.15.X.X/16
My corporate network: 10.123.XX.X/24
My VPN IP: 10.123.XX.XXX (client), XX.XXX.XXX.167 (ext. IP server) -> VPN server side??

ad case 1. correct
ad case 2. I can't do anything at all. No internet (e.g. ping google.com) and no corporate network.



pk_mag's comment:
Hi,
internet traffic now works fine even with the VPN connection established,
but I am still not able to use any service from the corporate network.

What do you mean by troubleshooting the VPN client connection?

My new routing table looks like this:

===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
===========================================================================
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0      10.15.X.XXX   10.15.XXX.XXX       1
        10.15.0.0      255.255.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
    10.15.XXX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       10
      10.123.XX.X    255.255.255.0    10.123.XX.XXX   10.123.XX.XXX       1
    10.123.XX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       10
   10.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
   XX.XXX.XXX.167  255.255.255.255      10.15.1.254   10.15.XXX.XXX       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
        224.0.0.0        240.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
  255.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX               2       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
Standardgateway:       10.15.X.XXX
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Anzahl
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX       1
          0.0.0.0          0.0.0.0      10.15.X.XXX       1
