pk_mag

asked on

Watchguard VPN connection from VMWare is established, but I don't have any traffic!

Hi,
I am running a Windows XP 32bit in a VMWare Fusion on my MacBook Pro 5.1 (Leopard 10.5.6).
First of all I had problems even to enable bridged networking within my VM but it works fine now.
Currently I got the Watchguard Mobile VPN Client Version 10.0 to connect to the corporate network.
In my vm I tried using both bridged networking and NAT. In both cases the VPN tunnel to the company could be established but I neither am receiving a single bit from the outside nor can send anything over the tunnel.
When using bridged networking and the VPN tunnel, ICMP packets are not going further than to the host and the router connecting my macbook to the internet.
But when using bridged networking only, everything is fine: ping, nslookup etc.
Mac's and Windows' own firewalls are off. Additionally I opened the Ports for the Watchguard connection (UDP4500/500) (just in case, you never know ;-))

In my Watchguard profile I am using the 'LAN over IP' setting.
Due to that I bridged once on my Wireless NIC and once on my Ethernet NIC because I thought of incompatibilities between Wireless protocols and the 'LAN over IP' setting.
After that I ran Watchguard VPN Client but the same problem occured: connection is ok, but no traffic!
I get DNS, WINS server IPs and a standard gateway IP similar to another Watchguard connection running on a physical machine in the same network. But there it works without any problems!

Is there any protocol, that blocks my traffic from VM to the host?
Or can you think of something different which causes the problem?


I also did research on the web for possible solutions but I just couldn't figure out how to deal with this problem.

I really would appreciate your answers! Thank you.

Kind regards,
Phil
thetmanvn

Hi pk_mag,

After you've got the VPN established, can you post the output of the "route print" command from your XP client? It seems like routing trouble.
pk_mag

ASKER

I hope the following ipconfig output clarifies a bit:

Ethernetadapter VMWare Fusion Bridged:

        Verbindungsspezifisches DNS-Suffix: fh-joanneum.at
        IP-Adresse. . . . . . . . . . . . : 10.15.200.118 // this is my local client IP in the VMWare Bridge
        Subnetzmaske. . . . . . . . . . . : 255.255.0.0
        Standardgateway . . . . . . . . . :

Ethernetadapter VPN-Corporate Connection:

        Verbindungsspezifisches DNS-Suffix:
        IP-Adresse. . . . . . . . . . . . : 10.123.10.111 // this is my IP in the Corporate network (VPN IP)
        Subnetzmaske. . . . . . . . . . . : 255.255.255.0
        Standardgateway . . . . . . . . . : 10.123.10.112

So my LAN is: 10.15.0.0/16
my corporate network: 10.123.10.0/24
my VPN IP: 10.123.10.111 (client), 88.217.156.167 (ext. IP of the server) -> VPN server side??

Ad case 1: correct.
Ad case 2: I can't do anything at all: no internet (e.g. ping google.com) and no corporate network.
thetmanvn

Ok, so everything is clear now.

In this case, in your output, I saw that after you connect to your CorpNet via VPN, it changes the default gateway on your XP client from 10.15.1.254 (your LAN router, maybe) to 10.123.10.112 (the VPN peer server). It means you will connect to the Internet via CorpNet. And then, because you cannot communicate with the VPN gateway side, you can't ping anything.

So when your VPN is connected, try these routing commands in your cmd:

c:>route del 0.0.0.0
c:>route add 0.0.0.0 mask 0.0.0.0 10.15.1.254 metric 1 if 0x2
("if 0x2" if your interface 10.15.200.118 has the MAC address 00-0c-29-d3-53-2b, and "if 0x3" if your interface 10.15.200.118 has the MAC address 00 0c 29 d3 53 21)

After that, you can surely connect to the Internet.
Now try to troubleshoot the VPN connection: you can't ping, but can you use some service in your CorpNet? Maybe Watchguard blocks ping from the VPN client but allows the client to use some intranet services.

Yes, the new routing table works OK because:

Now all traffic to the outside, except the 10.123.10.0/24 network, will go through 10.15.1.254. (0.0.0.0          0.0.0.0      10.15.1.254   10.15.200.118       1)
Traffic to 10.15.0.0/16 will go through the VPN tunnel (10.123.10.0    255.255.255.0    10.123.10.113   10.123.10.113       1)

1./ Can you ping 10.123.10.112 (the IP of the standard gateway Watchguard gave you)?
And right after you ping .112, run arp -a; does it have an entry for 10.123.10.112?
2./ Compare your routing table with the one of the physical PC that you said worked well, to see any difference.
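Worked example, added here and not code from the thread, from WatchGuard or from VMware: it does offline what the expert asks the asker to do by hand on the XP box. It parses a captured "route print" (the interface list and the active routes), answers "which gateway and interface will carry a packet to X?" by longest-prefix match with the metric as tie-breaker, and derives the "if 0x?" index that "route add" expects from a NIC's MAC address, exactly the mapping the expert spells out. The capture is constructed: the LAN and tunnel addresses are the ones this thread shows unmasked, the two VMware MACs are the ones the expert quotes, the WatchGuard adapter's MAC is made up, and 203.0.113.167 is a documentation-range placeholder for the VPN server's public address. A second table with the default route moved back to the LAN router shows why Internet traffic works after the fix while the 10.123.10.0/24 routes still point into the tunnel.

```python
"""Offline analysis of a Windows XP ``route print`` capture (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the German-locale XP output in this thread.
# 203.0.113.167 is a placeholder for the VPN server's public address; the
# WatchGuard adapter MAC 02 00 52 00 00 01 is invented for the example.
ROUTE_PRINT_FULL_TUNNEL = """\
===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 d3 53 2b ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 53 21 ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 00 00 01 ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0    10.123.10.112   10.123.10.111       1
        10.15.0.0      255.255.0.0    10.15.200.118   10.15.200.118      10
      10.123.10.0    255.255.255.0    10.123.10.111   10.123.10.111       1
    203.0.113.167  255.255.255.255      10.15.1.254   10.15.200.118       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Standardgateway:     10.123.10.112
===========================================================================
"""

# Same host after "route del 0.0.0.0" and "route add 0.0.0.0 mask 0.0.0.0
# 10.15.1.254 metric 1 if 0x2": only the default route changes.
ROUTE_PRINT_SPLIT = ROUTE_PRINT_FULL_TUNNEL.replace(
    "    10.123.10.112   10.123.10.111", "      10.15.1.254   10.15.200.118"
).replace("Standardgateway:     10.123.10.112", "Standardgateway:     10.15.1.254")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address  # "Schnittstelle" column: the NIC's own IP
    metric: int                       # "Anzahl" column


# "0x2 ...00 0c 29 d3 53 2b ...... <name>"  and  "0x1 ........ <name>" (no MAC)
IF_WITH_MAC = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+\.{3}((?:[0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}) \.+ (.+)$")
IF_NO_MAC = re.compile(r"^(0x[0-9a-fA-F]+)\s+\.+ (.+)$")


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_route_print(text):
    """Return ({if_index: (mac or None, adapter name)}, [Route, ...])."""
    interfaces, routes = {}, []
    for line in text.splitlines():
        m = IF_WITH_MAC.match(line) or IF_NO_MAC.match(line)
        if m:
            groups = m.groups()
            mac = groups[1].replace(" ", "-").lower() if len(groups) == 3 else None
            interfaces[int(groups[0], 16)] = (mac, groups[-1].strip())
            continue
        parts = line.split()
        # Active-route rows are exactly: dest mask gateway interface metric.
        if len(parts) == 5 and all(_is_ipv4(p) for p in parts[:4]) and parts[4].isdigit():
            routes.append(Route(
                ipaddress.IPv4Network((parts[0], parts[1]), strict=False),
                ipaddress.IPv4Address(parts[2]),
                ipaddress.IPv4Address(parts[3]),
                int(parts[4])))
    return interfaces, routes


def select_route(routes, destination):
    """Most specific matching route wins; lowest metric breaks ties."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def interface_index_for_mac(interfaces, mac):
    """Map a NIC's MAC (as shown by ipconfig /all) to the 'if 0x?' value."""
    wanted = mac.replace(":", "-").replace(" ", "-").lower()
    for index, (if_mac, _name) in interfaces.items():
        if if_mac == wanted:
            return index
    raise LookupError(f"no interface with MAC {wanted}")


def split_tunnel_commands(lan_gateway, if_index):
    """The two commands from the thread with the interface index filled in."""
    return ["route del 0.0.0.0",
            f"route add 0.0.0.0 mask 0.0.0.0 {lan_gateway} metric 1 if 0x{if_index:x}"]


def describe(routes, destination):
    r = select_route(routes, destination)
    if r is None:
        return f"{destination} -> no route"
    return f"{destination} -> gw {r.gateway} via {r.interface} ({r.network})"


if __name__ == "__main__":
    ifs, before = parse_route_print(ROUTE_PRINT_FULL_TUNNEL)
    _, after = parse_route_print(ROUTE_PRINT_SPLIT)
    for label, table in (("full tunnel", before), ("after fix", after)):
        print(f"[{label}]")
        for dst in ("8.8.8.8", "10.123.10.50", "10.15.1.254", "203.0.113.167"):
            print("  " + describe(table, dst))
    print("\n".join(split_tunnel_commands("10.15.1.254",
                                          interface_index_for_mac(ifs, "00-0c-29-d3-53-2b"))))
```

Before the fix, an Internet destination such as 8.8.8.8 resolves to gateway 10.123.10.112 over the tunnel adapter, which is why nothing left the VM; after the fix it resolves to 10.15.1.254 over the bridged NIC, while 10.123.10.x still matches the /24 and stays in the tunnel. The /32 host route to the VPN server's public address is what keeps the IKE/UDP 4500 traffic itself off the tunnel in both tables.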
ASKER CERTIFIED SOLUTION
thetmanvn
pk_mag

ASKER

hi,
ad 1. I requested the number from our admin but he has not been responding yet.

ad 2. Both machines (VM and physical PC) were connected at the same time.

ad 3. Yes, I turned off the Windows firewall and do not run any 3rd party firewall.

ad 4. sorry! here is the output from the arps (I get new IPs every time I connect)
Physical PC
 
C:\>ping 10.123.10.18
Ping wird ausgeführt für 10.123.10.18 mit 32 Bytes Daten:
 
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
 
Ping-Statistik für 10.123.10.18:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),
 
C:\>arp -a
 
Schnittstelle: 10.35.7.13 --- 0x4
  Internetadresse       Physikal. Adresse     Typ
  10.35.0.1             00-13-49-9a-7c-dc     dynamisch
  10.35.255.2           00-80-3f-2b-e3-70     dynamisch
 
Schnittstelle: 10.123.10.17 --- 0x5
  Internetadresse       Physikal. Adresse     Typ
  10.123.10.18          02-00-52-1c-8d-ce     dynamisch
 
 
================
VM PC
 
C:>ping 10.123.10.104
Ping wird ausgeführt für 10.123.10.104 mit 32 Bytes Daten:
 
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
 
Ping-Statistik für 10.123.10.104:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),
 
C:\>arp -a
 
Schnittstelle: 10.35.2.249 --- 0x2
  Internetadresse       Physikal. Adresse     Typ
  10.35.0.1             00-13-49-9a-7c-dc     dynamisch
  10.35.255.2           00-80-3f-2b-e3-70     dynamisch
 
Schnittstelle: 10.123.10.103 --- 0x3
  Internetadresse       Physikal. Adresse     Typ
  10.123.10.104         02-00-5a-b3-e7-cb     dynamisch

thetmanvn

1./ Both results, from the physical PC and the VM PC, are the same. Both can see the other end of the tunnel. (As you can see, both machines have an ARP entry for the endpoint address.) So at this step, everything is ok with both machines.

2./ Try these tricks: disconnect both tunnels, from the physical PC and the VM PC. REBOOT your HOME ROUTER. Re-connect ONLY your VM PC. Then tell me the result.
pk_mag

ASKER

hi thetmanvn,
I now got the response from our admin:
he says it depends on the different Watchguard profiles I am using in the VM and on the physical PC!
The physical PC's profile is able to ping, send DNS requests and so on, whereas the profile in the VM is ONLY allowed to connect to one specific IP within the entire corporate network! This is server-side driven and configured in the firewall, so we are not able to route any packet through this tunnel and get satisfying results!

maybe he could have told me this fairly small detail before I turned my routing table inside out!!
thank you anyway for your professional support!

kind regards, phil
pk_mag

ASKER

it was an internal problem but your support was very professional.
thank you very much!
thetmanvn

Yeah,

You're welcome, and I'm glad to see you found the root of the problem and got out of this.

Nice day.
Anyway, you should ask an EE mod so that you can modify all the detailed info in this thread, because it publishes a lot of info about your home and your corp network.

See ya
pk_mag

ASKER

thanks for the hint, but how do I do this?
pk_mag

ASKER

replacement data for deleted comments:
This is an edited version of the conversation excluding sensitive details about routing tables.

pk_mag's comment:
hi thetmanvn,

unfortunately I can just post it in German.

===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
===========================================================================
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
        10.15.0.0      255.255.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
    10.15.XXX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       10
      10.123.XX.0    255.255.255.0    10.123.XX.XXX   10.123.XX.XXX       1
    10.123.XX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       10
   10.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX   10.15.XXX.XXX       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
        224.0.0.0        240.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
  255.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX               2       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
Standardgateway:     10.123.XX.XXX
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Anzahl
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX       1

The expert's answer:
No problem, I can understand.

In this output:

Your LAN: 10.123.XX.X/24 - GW: 10.123.XX.XXX
Your corporate network: 10.15.X.X/16
Your VPN IP: 10.15.XXX.XXX - your VPN server side: 10.15.X.XXX (ext. IP is XX.XXX.XXX.167)

1. In the first case, when using only bridged networking, no VPN client, you can ping and send anything to the Internet.

2. In the 2nd case, using bridged and enabling the VPN client, you can't do anything on the Internet, or only can't do anything in the corporate networks.

Is the overview above right? Or did I miss something? Then we can dig further.


pk_mag's comment:
I hope the following ipconfig output clarifies a bit:

Ethernetadapter VMWare Fusion Bridged:

        Verbindungsspezifisches DNS-Suffix: xx-xxxxxxxx.at
        IP-Adresse. . . . . . . . . . . . : 10.15.XXX.XXX // this is my local client IP in the VMWare Bridge
        Subnetzmaske. . . . . . . . . . . : 255.255.0.0
        Standardgateway . . . . . . . . . :

Ethernetadapter WG_MAG-VPN:

        Verbindungsspezifisches DNS-Suffix:
        IP-Adresse. . . . . . . . . . . . : 10.123.XX.XXX // this is my IP in the Corporate network (VPN IP)
        Subnetzmaske. . . . . . . . . . . : 255.255.255.0
        Standardgateway . . . . . . . . . : 10.123.XX.XXX

So my LAN is: 10.15.X.X/16
my corporate network: 10.123.XX.X/24
my VPN IP: 10.123.XX.XXX (client), XX.XXX.XXX.167 (ext. IP of the server) -> VPN server side??

Ad case 1: correct.
Ad case 2: I can't do anything at all: no internet (e.g. ping google.com) and no corporate network.



pk_mag's comment:
hi,
internet traffic now works fine even with an established VPN connection,
but I am still not able to use any service from the corporate network.

what do you mean by troubleshooting the VPN client connection?

my new routing table looks like this:

===========================================================================
Schnittstellenliste
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #3 - Paketplaner-Miniport
0x3 ...00 0c 29 d3 XX XX ...... VMware Accelerated AMD PCNet Adapter #2 - Paketplaner-Miniport
0x4 ...02 00 52 XX XX XX ...... WatchGuard Secure Client Adapter - Paketplaner-Miniport
===========================================================================
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway   Schnittstelle  Anzahl
          0.0.0.0          0.0.0.0      10.15.X.XXX   10.15.XXX.XXX       1
        10.15.0.0      255.255.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
    10.15.XXX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       10
      10.123.XX.X    255.255.255.0    10.123.XX.XXX   10.123.XX.XXX       1
    10.123.XX.XXX  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       10
   10.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
   XX.XXX.XXX.167  255.255.255.255      10.15.1.254   10.15.XXX.XXX       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0    10.15.XXX.XXX   10.15.XXX.XXX       10
        224.0.0.0        240.0.0.0    10.123.XX.XXX   10.123.XX.XXX       1
  255.255.255.255  255.255.255.255    10.15.XXX.XXX   10.15.XXX.XXX       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX               2       1
  255.255.255.255  255.255.255.255    10.123.XX.XXX   10.123.XX.XXX       1
Standardgateway:       10.15.X.XXX
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Anzahl
   XX.XXX.XXX.167  255.255.255.255      10.15.X.XXX       1
          0.0.0.0          0.0.0.0      10.15.X.XXX       1