Solved

Subnet Mask issue in VPN

Posted on 2010-01-02
Last Modified: 2012-05-08
I'm trying to set up a PPTP VPN on my Windows 2000 server. When I connect to the VPN connection, I get an IP address of 192.168.0.52 and a subnet mask of 255.255.255.255. The Exchange server that I'm trying to connect to is 192.168.0.23 but with a subnet mask of 255.255.255.0. Is this why I can't ping the Exchange server once I'm connected through the VPN? If this is my issue, how can I change the subnet mask to match the existing server network's subnet mask?

Thanks in advance for any advice.
0
Question by:Zantis
14 Comments
 
LVL 72

Expert Comment

by:Qlemo
ID: 26163371
If you check "Use remote gateway" in your client's PPTP connection properties, you get a changed default route using the PPTP server, and that single host route you mention.

If you do not check that option, you should get that host route, plus a network route with 255.255.255.0 subnet mask for that network.

0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26163439
That could be a VPN assigned host address on the remote network.
Do an ipconfig /all on the client PC and see what address is used for the tunnel.
Is the exchange server on the same physical server as the VPN termination point  or a separate box?
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26163551
On the server is there an Allow callers to access my local area network checkbox like in Vista? You would need that to hit private LAN side resources.
0

 

Expert Comment

by:johngerity
ID: 26166189
Correct me if I'm wrong, but isn't a subnet mask of 255.255.255.255 going to prevent you from doing anything at all over any network? .. well, except maybe pinging yourself.

The subnet mask separates the network and host portions of your IP address. A subnet mask of 255.0.0.0 makes the first octet the network and the last 3 the node/host/whatever. But one that's all 255's would mean you have a network with 0 possible hosts.

Whatever is assigning you the IP address seems to have some faulty info. Either that, or your computer has TCP/IP configured manually (always fun). I'm guessing it's supposed to be 255.255.255.0, since you're using a 192.168 address. If not, try 255.255.0.0.
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 26166295
MS RAS will always create such a host route. There need to be additional routes to allow for network access, however.
0
 

Author Comment

by:Zantis
ID: 26207123
Ok, so I did a test just to make sure it wasn't Windows 7, I created my Windows XP Mode computer and configured the VPN.  The VPN connects and gives me the following with "Use default gateway on remote network." checked.

I get the following assigned
The local area network
192.168.1.141
255.255.255.0
192.168.1.1

192.168.0.51
255.255.255.255
192.168.0.51

You would think that the server would issue 255.255.255.0 and 192.168.0.1 but it doesn't, and from what I've seen configuring the VPN connection on the server it doesn't show where to configure that info.  This is basically the same thing that I was getting on the Windows 7 box.  The exchange server's address on the inside network is 192.168.0.23
0
 

Author Comment

by:Zantis
ID: 26207151
Ok, unchecked the "Use default gateway on remote network" and got the following

Local Area Connection
192.168.1.141
255.255.255.0
192.168.1.1

PPP Adapter VPN Connection
192.168.0.51
255.255.255.255
Gateway Nothing

I also tried to ping the exchange server at 192.168.0.23 and got two responses then anytime I try to ping it responds with timeout
0
 

Author Comment

by:Zantis
ID: 26207235
ok, I tried again on the Windows 7 system, at first I had the use remote network checked and the VPN connected.  I tried pinging the exchange server and got about 20 responses back, then it started "Request timed out"  then I unchecked use remote network and connected again and it pinged for about a minute or so and then started Request timed out.  When it is able to ping the exchange server the Outlook client can show names of people on the server to add your account and of course when the request timed out starts happening then you can't.

I just tried stopping the VPN and immediately reconnecting to it, then trying the "Add New Email Account" in Outlook 2007 and it found my name and server. So far it is still pinging about a minute or two later, oops, as soon as I wrote that, "Request Timed Out."

It also seems that as soon as that hits it never finds it again until I disconnect from the VPN and reconnect
0
 

Author Comment

by:Zantis
ID: 26207295
Connected again for a few minutes and pinged two different servers on the remote network, the exchange server and another server. Both were pinging back and then both got Request timed out at the same time. That would make me believe that it is the router or the switch on the network. Maybe it is blocking it because of the 255.255.255.255? Maybe? Just scratching my head.
0
 

Author Comment

by:Zantis
ID: 26207349
Is anyone else using the MS VPN PPTP on their server to connect to a remote network? Does this give you the 255.255.255.255 subnet mask also?

I just reconnected to the VPN and was on the 192.168.0.1 configuration page of the router and it seems to not like that "Request Timed Out" almost within a few seconds of accessing a page on the router.

I now connected the Windows 7 and the XP Mode computer and both are pinging at the same time. Both request timed out happened at the same time on both computers connected to the remote network.
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 26208686
The "Request time out" is most probably an issue with duplicate IP addresses. It appears that either the RAS server or RAS client IP are used already on your network (as mentioned in http:#26163439).
The host route (single IP address, subnet mask 255.255.255.255) is correct, RAS client will always generate that subnet mask (as mentioned already in http:#26166295).

I assume that the duplicate IP is the only problem you have, which is causing all that trouble. No matter how you set the "Use remote gateway" option, you should always be able to reach the remote network (on the same subnet of your assigned RAS IP). Only difference is for addresses other than the RAS LAN, if they will be sent via RAS in addition, or stay local.
0
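The routing behaviour discussed in the comments above, as an added example that is not part of any poster's reply: the 255.255.255.255 mask on the PPP adapter only describes the tunnel address itself, while reachability of 192.168.0.23 is decided by the route table. The route entries and metrics are constructed from the addresses posted in this thread and are assumptions, not output captured from the asker's machine.

```python
import ipaddress

def on_link_by_mask(ip, mask, dest):
    """Naive check: is dest inside the subnet implied by the adapter's own mask?"""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    return ipaddress.ip_address(dest) in iface.network

def build_routes(use_remote_gateway):
    """Constructed client route table: (destination, interface, metric)."""
    routes = [
        ("192.168.1.0/24", "LAN", 20),   # local network of the client
        ("192.168.0.51/32", "PPP", 1),   # host route for the tunnel address
    ]
    if use_remote_gateway:
        # Default route moves to the tunnel; the LAN default stays at a worse metric.
        routes += [("0.0.0.0/0", "PPP", 1), ("0.0.0.0/0", "LAN", 21)]
    else:
        # Network route for the remote subnet; the default stays on the LAN.
        routes += [("192.168.0.0/24", "PPP", 1), ("0.0.0.0/0", "LAN", 20)]
    return [(ipaddress.ip_network(n), via, m) for n, via, m in routes]

def lookup(routes, dest):
    """Longest-prefix match with lowest metric as tie-break; returns the interface."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, via, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return via

if __name__ == "__main__":
    # The adapter mask alone says the Exchange server is not "on-link" ...
    print("on-link by mask:",
          on_link_by_mask("192.168.0.51", "255.255.255.255", "192.168.0.23"))
    # ... but the route table still sends it through the tunnel in both modes.
    for flag in (True, False):
        table = build_routes(flag)
        for dest in ("192.168.0.23", "192.168.1.10", "203.0.113.10"):
            print(f"use_remote_gateway={flag} {dest} -> {lookup(table, dest)}")
```
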
 

Author Comment

by:Zantis
ID: 26275426
Definitely not a duplicate IP Address issue, I only have a few servers and the IP address range used in RAS is 192.168.0.50-59 and not used anywhere else and only this laptop has been trying to access it.

I enabled logging on the RAS server and one thing I got was
The user <>i has connected and has been successfully authenticated on port VPN4-127. Data sent and received over this link is strongly encrypted.

This connection was severed about 10 seconds later and no other logging was performed, the laptop still shows the VPN connection as still connected even though you can't ping any of the servers on the remote network anymore. My guess is the 2wire modem/router has something to do with this issue.

I guess I could create a RAS server for a test and have someone else try it that would like to configure it and test it themselves. Anyone willing to do that for this test? Maybe I'm missing something.
0
 
LVL 72

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 26336067
If it is no Dup IP, and the connection on port 1723 (PPTP) remains open, I have to assume that you have a GRE issue. GRE is its own protocol (#47), not using ports, and has some issues with double-NAT, incomplete implementations by vendors, and much more. If this is the case here, you have two probable sources of trouble:
  • the VPN server OS has issues with PPTP behind a NAT router (which is certainly your config). Likely with W2000.
  • the modem/router has issues with GRE, not maintaining all session info necessary, timing out or whatsoever. This will NOT stop the connection, but it is useless.
  • Multi-Peer connection issues behind NAT. If the local router is not capable of interpreting GRE session info correctly, a connection between more than one local PC and the same remote gateway (public IP!) confuses the NAT session info of the router, and packets will be sent not at all or to the wrong local target.
The usual things to advise are
  • to try with another OS (need not be a server OS, as long as you need a single connection only; for test, that is sufficient).
  • to try with a single connection only
  • to have a look for modem/router firmware updates.
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 26336081
I forgot one option: Change the VPN type, e.g. to L2TP/IPsec with pre-shared secret. That is easy to set up, and sufficient for your case.
0


Question has a verified solution.
