pk_mag
asked on
Watchguard VPN connection from VMWare is established, but I don't have any traffic!
Hi,
I am running a Windows XP 32bit in a VMWare Fusion on my MacBook Pro 5.1 (Leopard 10.5.6).
First of all I had problems even to enable bridged networking within my VM but it works fine now.
Currently I got the Watchguard Mobile VPN Client Version 10.0 to connect to the corporate network.
In my vm I tried using both bridged networking and NAT. In both cases the VPN tunnel to the company could be established but I neither am receiving a single bit from the outside nor can send anything over the tunnel.
When using bridged networking and the VPN tunnel, ICMP packets are not going further than to the host and the router connecting my macbook to the internet.
But when using bridged networking only, everything is fine: ping, nslookup etc.
Mac's and Windows' own firewalls are off. Additionally I opened the Ports for the Watchguard connection (UDP4500/500) (just in case, you never know ;-))
In my Watchguard profile I am using the 'LAN over IP' setting.
Due to that I bridged once on my Wireless NIC and once on my Ethernet NIC because I thought of incompatibilities between Wireless protocols and the 'LAN over IP' setting.
After that I ran Watchguard VPN Client but the same problem occured: connection is ok, but no traffic!
I get DNS, WINS server IPs and a standard gateway IP similar to another Watchguard connection running on a physical machine in the same network. But there it works without any problems!
Is there any protocol, that blocks my traffic from VM to the host?
Or can you think of something different which causes the problem?
I also did research on the web for possible solutions but I just couldn't figure out how to deal with this problem.
I really would appreciate your answers! Thank you.
Kind regards,
Phil
I am running a Windows XP 32bit in a VMWare Fusion on my MacBook Pro 5.1 (Leopard 10.5.6).
First of all I had problems even to enable bridged networking within my VM but it works fine now.
Currently I got the Watchguard Mobile VPN Client Version 10.0 to connect to the corporate network.
In my vm I tried using both bridged networking and NAT. In both cases the VPN tunnel to the company could be established but I neither am receiving a single bit from the outside nor can send anything over the tunnel.
When using bridged networking and the VPN tunnel, ICMP packets are not going further than to the host and the router connecting my macbook to the internet.
But when using bridged networking only, everything is fine: ping, nslookup etc.
Mac's and Windows' own firewalls are off. Additionally I opened the Ports for the Watchguard connection (UDP4500/500) (just in case, you never know ;-))
In my Watchguard profile I am using the 'LAN over IP' setting.
Due to that I bridged once on my Wireless NIC and once on my Ethernet NIC because I thought of incompatibilities between Wireless protocols and the 'LAN over IP' setting.
After that I ran Watchguard VPN Client but the same problem occured: connection is ok, but no traffic!
I get DNS, WINS server IPs and a standard gateway IP similar to another Watchguard connection running on a physical machine in the same network. But there it works without any problems!
Is there any protocol, that blocks my traffic from VM to the host?
Or can you think of something different which causes the problem?
I also did research on the web for possible solutions but I just couldn't figure out how to deal with this problem.
I really would appreciate your answers! Thank you.
Kind regards,
Phil
ASKER
i hope the following ipconfig output clarifies a bit:
Ethernetadapter VMWare Fusion Bridged:
Verbindungsspezifisches DNS-Suffix: fh-joanneum.at
IP-Adresse. . . . . . . . . . . . : 10.15.200.118 // this is my local client IP in the VMWare Bridge
Subnetzmaske. . . . . . . . . . . : 255.255.0.0
Standardgateway . . . . . . . . . :
Ethernetadapter VPN-Corporate Connection:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 10.123.10.111 // this is my IP in the Corporate network (VPN IP)
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 10.123.10.112
so my lan is: 10.15.0.0/16
my Corporate network: 10.123.10.0/24
my vpn IP: 10.123.10.111 (client), 88.217.156.167 (Ext IP Server) -> VPN Server Side??
ad case 1. correct
ad case 2. i can't do anything at all. no internet (e.g. ping google.com) and no corporate network.
Ethernetadapter VMWare Fusion Bridged:
Verbindungsspezifisches DNS-Suffix: fh-joanneum.at
IP-Adresse. . . . . . . . . . . . : 10.15.200.118 // this is my local client IP in the VMWare Bridge
Subnetzmaske. . . . . . . . . . . : 255.255.0.0
Standardgateway . . . . . . . . . :
Ethernetadapter VPN-Corporate Connection:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 10.123.10.111 // this is my IP in the Corporate network (VPN IP)
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 10.123.10.112
so my lan is: 10.15.0.0/16
my Corporate network: 10.123.10.0/24
my vpn IP: 10.123.10.111 (client), 88.217.156.167 (Ext IP Server) -> VPN Server Side??
ad case 1. correct
ad case 2. i can't do anything at all. no internet (e.g. ping google.com) and no corporate network.
Ok, so everything are clear now.
In this case, in your output, I saw that, after you connect to your CorpNet via VPN, it change default gateway on your XP Client from 10.15.1.254 (Your LAN router maybe) to 10.123.10.112 (VPN Peer server). It means you will connect to the Internet via CorpNet. And then, because you cannot communicate to VPN Gateway Side, so you can't ping anything.
So when your VPN connected try these routing command in your cmd
c:>route del 0.0.0.0
c:>route add 0.0.0.0 mask 0.0.0.0 10.15.1.254 metric 1 if 0x2
("if 0x2" if your Interface 10.15.200.118 MAC address is 00-0c-29-d3-53-2b and "if 0x3" if your Interface 10.15.200.118 MAC address is 00 0c 29 d3 53 21)
After that, sure you can connect to the Internet.
Now try to troubleshoot the VPN Connection, you can't ping, but can you use some service in your CorpNet, because maybe Watchguard block ping from VPN Client but allow Client to use some Intranet Service.
In this case, in your output, I saw that, after you connect to your CorpNet via VPN, it change default gateway on your XP Client from 10.15.1.254 (Your LAN router maybe) to 10.123.10.112 (VPN Peer server). It means you will connect to the Internet via CorpNet. And then, because you cannot communicate to VPN Gateway Side, so you can't ping anything.
So when your VPN connected try these routing command in your cmd
c:>route del 0.0.0.0
c:>route add 0.0.0.0 mask 0.0.0.0 10.15.1.254 metric 1 if 0x2
("if 0x2" if your Interface 10.15.200.118 MAC address is 00-0c-29-d3-53-2b and "if 0x3" if your Interface 10.15.200.118 MAC address is 00 0c 29 d3 53 21)
After that, sure you can connect to the Internet.
Now try to troubleshoot the VPN Connection, you can't ping, but can you use some service in your CorpNet, because maybe Watchguard block ping from VPN Client but allow Client to use some Intranet Service.
Yes, new routing table work OK because
Now Every traffic to outside except 10.123.10.0/24 network will go through 10.15.1.254. (0.0.0.0 0.0.0.0 10.15.1.254 10.15.200.118 1)
Traffic to 10.15.0.0/16 will go through VPN tunnel (10.123.10.0 255.255.255.0 10.123.10.113 10.123.10.113 1)
1./ Can you ping 10.123.10.112 (IP of standard gateway Watchguard gave you) ?
And right after you ping .112, run arp -a, and did it has entry of 10.123.10.112?
2./ Compare your routing table with another ones of physical PC that you said worked well to see any difference?
Now Every traffic to outside except 10.123.10.0/24 network will go through 10.15.1.254. (0.0.0.0 0.0.0.0 10.15.1.254 10.15.200.118 1)
Traffic to 10.15.0.0/16 will go through VPN tunnel (10.123.10.0 255.255.255.0 10.123.10.113 10.123.10.113 1)
1./ Can you ping 10.123.10.112 (IP of standard gateway Watchguard gave you) ?
And right after you ping .112, run arp -a, and did it has entry of 10.123.10.112?
2./ Compare your routing table with another ones of physical PC that you said worked well to see any difference?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hi,
ad 1. I requested the number from our admin but he hast not been responding yet.
ad 2. Both Machines (VM and Physical PC) were connected at the same time
ad 3. Yes i turned off Windows firewall and do not run any 3rd Party firewall
ad 4. sorry! here is the code from the arps (i got new IPs everytime i connect)
ad 1. I requested the number from our admin but he hast not been responding yet.
ad 2. Both Machines (VM and Physical PC) were connected at the same time
ad 3. Yes i turned off Windows firewall and do not run any 3rd Party firewall
ad 4. sorry! here is the code from the arps (i got new IPs everytime i connect)
Physical PC
C:\>ping 10.123.10.18
Ping wird ausgeführt für 10.123.10.18 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Ping-Statistik für 10.123.10.18:
Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),
C:\>arp -a
Schnittstelle: 10.35.7.13 --- 0x4
Internetadresse Physikal. Adresse Typ
10.35.0.1 00-13-49-9a-7c-dc dynamisch
10.35.255.2 00-80-3f-2b-e3-70 dynamisch
Schnittstelle: 10.123.10.17 --- 0x5
Internetadresse Physikal. Adresse Typ
10.123.10.18 02-00-52-1c-8d-ce dynamisch
================
VM PC
C:>ping 10.123.10.104
Ping wird ausgeführt für 10.123.10.104 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Ping-Statistik für 10.123.10.104:
Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),
C:\>arp -a
Schnittstelle: 10.35.2.249 --- 0x2
Internetadresse Physikal. Adresse Typ
10.35.0.1 00-13-49-9a-7c-dc dynamisch
10.35.255.2 00-80-3f-2b-e3-70 dynamisch
Schnittstelle: 10.123.10.103 --- 0x3
Internetadresse Physikal. Adresse Typ
10.123.10.104 02-00-5a-b3-e7-cb dynamisch
1./ Both result from Physical PC and VM PC are the same. Both can see the other end of tunnel. (As you can see both machines have ARP entry of the the endpoint address. So at this step, everything is ok with both machines.
2./ Try these tricks: Disconnect both tunnel from Physical PC and VM PC. REBOOT your HOME ROUTER. Re-connect ONLY your VM PC. Then tell me the result.
2./ Try these tricks: Disconnect both tunnel from Physical PC and VM PC. REBOOT your HOME ROUTER. Re-connect ONLY your VM PC. Then tell me the result.
ASKER
hi thetmanvn
i now got the response from our admin:
he says, It depends on the different watchguard profiles i am using in VM and Physical PC!
Physical PC's profile is able to ping, send DNS-Requests and so on whereas the profile in vm is ONLY allowed to connect to one specific IP within the entire corporate network! this is server-side driven and configured in the firewall, so we are not able to route any packet through this tunnel and get satisfying results!
maybe he would have told me this fairly small detail before turning inside out of my routing table!!
thank you anyway for your professional support!
kind regards, phil
i now got the response from our admin:
he says, It depends on the different watchguard profiles i am using in VM and Physical PC!
Physical PC's profile is able to ping, send DNS-Requests and so on whereas the profile in vm is ONLY allowed to connect to one specific IP within the entire corporate network! this is server-side driven and configured in the firewall, so we are not able to route any packet through this tunnel and get satisfying results!
maybe he would have told me this fairly small detail before turning inside out of my routing table!!
thank you anyway for your professional support!
kind regards, phil
ASKER
it was an internal problem but your support was very professional.
thank you very much!
thank you very much!
Yeah,
You're welcome, and I'm glad to see you found the root of problem and get out of this.
Nice day.
You're welcome, and I'm glad to see you found the root of problem and get out of this.
Nice day.
Anyway, you should add EE mod to see that you can modify all details info in this thread, because it publish a lot of info about your home and your corp network.
See ya
See ya
ASKER
thanks for the hint, but how do i do this?
ASKER
replacement data for deleted comments:
This is an edited version of the conversation excluding sensitive details about routing tables.
pk_mag's comment:
hi thetmanvn,
unfortunately i can just post it in german.
========================== ========== ========== ========== ========== =========
Schnittstellenliste
0x1 .......................... . MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
10.15.0.0 255.255.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
10.15.XXX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 10
10.123.XX.0 255.255.255.0 10.123.XX.XXX 10.123.XX.XXX 1
10.123.XX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 10
10.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 10.15.XXX.XXX 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
224.0.0.0 240.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
255.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 2 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
Standardgateway: 10.123.XX.XXX
========================== ========== ========== ========== ========== =========
Ständige Routen:
Netzwerkadresse Netzmaske Gatewayadresse Anzahl
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 1
The expert's answer:
No problem, I can understand.
In this output,
Your LAN: 10.123.XX.X/24 - GW: 10.123.XX.XXX
Your Coporate Network: 10.15.X.X/16
Your VPN IP: 10.15.XXX.XXX - Your VPN Server Side: 10.15.X.XXX (Ext IP is XX.XXX.XXX.167)
1. In first case, when using Only Bridged Networking, no VPN Client, you can ping and send anything to Internet
2. In 2nd case, use Bridged and enable VPN Client, you can't do anything to Internet or only can't do anything to Coporate networks.
Does overview above right? Or I miss something and then we can dig further
pk_mag's comment:
i hope the following ipconfig output clarifies a bit:
Ethernetadapter VMWare Fusion Bridged:
Verbindungsspezifisches DNS-Suffix: xx-xxxxxxxx.at
IP-Adresse. . . . . . . . . . . . : 10.15.XXX.XXX // this is my local client IP in the VMWare Bridge
Subnetzmaske. . . . . . . . . . . : 255.255.0.0
Standardgateway . . . . . . . . . :
Ethernetadapter WG_MAG-VPN:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 10.123.XX.XXX // this is my IP in the Corporate network (VPN IP)
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 10.123.XX.XXX
so my lan is: 10.15.X.X/16
my Corporate network: 10.123.XX.X/24
my vpn IP: 10.123.XX.XXX (client), XX.XXX.XXX.167 (Ext IP Server) -> VPN Server Side??
ad case 1. correct
ad case 2. i can't do anything at all. no internet (e.g. ping google.com) and no corporate network.
pk_mag's comment:
hi,
internet traffic works now fine even with established vpn connection
but i am still not able to use any service from corporate network.
what do you mean by troubleshoot the vpn client connection?
my new routing table looks like this:
========================== ========== ========== ========== ========== =========
Schnittstellenliste
0x1 .......................... . MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 10.15.X.XXX 10.15.XXX.XXX 1
10.15.0.0 255.255.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
10.15.XXX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 10
10.123.XX.X 255.255.255.0 10.123.XX.XXX 10.123.XX.XXX 1
10.123.XX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 10
10.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
XX.XXX.XXX.167 255.255.255.255 10.15.1.254 10.15.XXX.XXX 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
224.0.0.0 240.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
255.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 2 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
Standardgateway: 10.15.X.XXX
========================== ========== ========== ========== ========== =========
Ständige Routen:
Netzwerkadresse Netzmaske Gatewayadresse Anzahl
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 1
0.0.0.0 0.0.0.0 10.15.X.XXX 1
This is an edited version of the conversation excluding sensitive details about routing tables.
pk_mag's comment:
hi thetmanvn,
unfortunately i can just post it in german.
==========================
Schnittstellenliste
0x1 ..........................
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
==========================
==========================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
10.15.0.0 255.255.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
10.15.XXX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 10
10.123.XX.0 255.255.255.0 10.123.XX.XXX 10.123.XX.XXX 1
10.123.XX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 10
10.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 10.15.XXX.XXX 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
224.0.0.0 240.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
255.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 2 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
Standardgateway: 10.123.XX.XXX
==========================
Ständige Routen:
Netzwerkadresse Netzmaske Gatewayadresse Anzahl
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 1
The expert's answer:
No problem, I can understand.
In this output,
Your LAN: 10.123.XX.X/24 - GW: 10.123.XX.XXX
Your Coporate Network: 10.15.X.X/16
Your VPN IP: 10.15.XXX.XXX - Your VPN Server Side: 10.15.X.XXX (Ext IP is XX.XXX.XXX.167)
1. In first case, when using Only Bridged Networking, no VPN Client, you can ping and send anything to Internet
2. In 2nd case, use Bridged and enable VPN Client, you can't do anything to Internet or only can't do anything to Coporate networks.
Does overview above right? Or I miss something and then we can dig further
pk_mag's comment:
i hope the following ipconfig output clarifies a bit:
Ethernetadapter VMWare Fusion Bridged:
Verbindungsspezifisches DNS-Suffix: xx-xxxxxxxx.at
IP-Adresse. . . . . . . . . . . . : 10.15.XXX.XXX // this is my local client IP in the VMWare Bridge
Subnetzmaske. . . . . . . . . . . : 255.255.0.0
Standardgateway . . . . . . . . . :
Ethernetadapter WG_MAG-VPN:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 10.123.XX.XXX // this is my IP in the Corporate network (VPN IP)
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 10.123.XX.XXX
so my lan is: 10.15.X.X/16
my Corporate network: 10.123.XX.X/24
my vpn IP: 10.123.XX.XXX (client), XX.XXX.XXX.167 (Ext IP Server) -> VPN Server Side??
ad case 1. correct
ad case 2. i can't do anything at all. no internet (e.g. ping google.com) and no corporate network.
pk_mag's comment:
hi,
internet traffic works now fine even with established vpn connection
but i am still not able to use any service from corporate network.
what do you mean by troubleshoot the vpn client connection?
my new routing table looks like this:
==========================
Schnittstellenliste
0x1 ..........................
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
==========================
==========================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 10.15.X.XXX 10.15.XXX.XXX 1
10.15.0.0 255.255.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
10.15.XXX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 10
10.123.XX.X 255.255.255.0 10.123.XX.XXX 10.123.XX.XXX 1
10.123.XX.XXX 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 10
10.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
XX.XXX.XXX.167 255.255.255.255 10.15.1.254 10.15.XXX.XXX 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.15.XXX.XXX 10.15.XXX.XXX 10
224.0.0.0 240.0.0.0 10.123.XX.XXX 10.123.XX.XXX 1
255.255.255.255 255.255.255.255 10.15.XXX.XXX 10.15.XXX.XXX 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 2 1
255.255.255.255 255.255.255.255 10.123.XX.XXX 10.123.XX.XXX 1
Standardgateway: 10.15.X.XXX
==========================
Ständige Routen:
Netzwerkadresse Netzmaske Gatewayadresse Anzahl
XX.XXX.XXX.167 255.255.255.255 10.15.X.XXX 1
0.0.0.0 0.0.0.0 10.15.X.XXX 1
After you 've got VPN established, can you post output of "route print" command from your XP Client. It seems routing trouble.