
Internal network range not reachable via windows vpn

When creating a Windows VPN connection (PPTP or IPSec), I'm not able to reach our new range at work. I'm able to make a connection and get an IP in the range 206.182.115.x from our VPN server. I can reach our network 206.182.115.x but not 192.168.0.x if the client is also in the 192.168.0.x network (on a lot of home devices, this is a default range).
I thought after creating a VPN all traffic is sent over the VPN and not locally. But for some reason if the client's DG is also in the range 192.168.0.x it doesn't work. It works when the client is in another range (e.g. 172.16.0.x).
Regarding the routing table, it seems it has to go over the VPN link (on-link).

Work:
--------
- range: 206.182.115.x
- new range: 192.168.0.x

Client home setup:
--------------------
- Windows 7 or XP
- For Win7 I've enabled the setting "Use default gateway on remote network" for the VPN connection.
- Remote access connection is on top under adapters and bindings
A. when client is in the range 192.168.0.x (dg=192.168.0.1) => NOT WORKING
B. when client is in the range 172.16.0.x (dg=172.16.0.1) => WORKING

Test result
------------
A.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.118
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

C:\Users\nmeeus>telnet 192.168.0.11 (normally I should be able to do this)
Connecting To 192.168.0.11...Could not open connection to the host, on port 23: Connect failed

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
      81.83.6.157  255.255.255.255      192.168.0.1    192.168.0.118   4251
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506
    192.168.0.118  255.255.255.255         On-link     192.168.0.118   4506
    192.168.0.255  255.255.255.255         On-link     192.168.0.118   4506
  206.182.115.133  255.255.255.255         On-link   206.182.115.133    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.0.118   4507
        224.0.0.0        240.0.0.0         On-link   206.182.115.133     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.0.118   4506
  255.255.255.255  255.255.255.255         On-link   206.182.115.133    281
===========================================================================
Persistent Routes:
  None

B.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0


Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 172.16.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.0.1


C:\Users\nmeeus>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=36ms TTL=63

C:\Users\nmeeus>ping 192.168.0.11

Pinging 192.168.0.11 with 32 bytes of data:
Reply from 192.168.0.11: bytes=32 time=22ms TTL=62

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1     172.16.0.100   4255
          0.0.0.0          0.0.0.0         On-link   206.182.115.134     31
      81.83.6.157  255.255.255.255       172.16.0.1     172.16.0.100   4256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
       172.16.0.0    255.255.255.0         On-link      172.16.0.100   4511
     172.16.0.100  255.255.255.255         On-link      172.16.0.100   4511
     172.16.0.255  255.255.255.255         On-link      172.16.0.100   4511
  206.182.115.134  255.255.255.255         On-link   206.182.115.134    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link      172.16.0.100   4512
        224.0.0.0        240.0.0.0         On-link   206.182.115.134     31
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link      172.16.0.100   4511
  255.255.255.255  255.255.255.255         On-link   206.182.115.134    286
===========================================================================
Persistent Routes:
  None












Asked by: michael_fascian
 
ken2421 Commented:
Don't know how much help this will be to you but I had to change my home network IP scheme for this very reason. If I connected to a customer or office through vpn that had that same scheme, DNS would freak. It would drop Terminal services or whatever because it didn't know how to resolve when mine and the vpn schemes were the same.

I will be anxious to find out what you find out.

Good luck,
Ken
0
 
michael_fascian (Author) Commented:
I've changed my IP range for my home and it's working, but I cannot do this for all our users who connect via VPN. At this moment the new range isn't used yet but soon it will be. I cannot change the range 192.168.0.x at work.

@ken2421 - regarding DNS you should put the remote access connection on top under adapters and bindings

0
 
 
edrean Commented:
0
 
DIPRAJ Commented:
Please tell whether you are using any firewall/UTM or VPN gateway/server to create the VPN server... then it will be easy to give a solution.
0
 
kuoh Commented:
This is the default behavior and I'm not aware of any way of changing it in the Windows VPN client.  Because the PC is in the 192.168.0.x network, it will not route packets for what it considers local hosts over the VPN.  You can overcome this behavior somewhat with custom routes on the remote host, like "route add 192.168.0.11 mask 255.255.255.255  206.182.115.133", but obviously there are problems like the VPN address changing on each connect and if there are many hosts on the other side of the VPN that you need access to.  If you're using a Cisco ASA or PIX, then you can use the latest Cisco VPN client, which is able to overcome this limitation, but it will disable communications with all other local IPs except for the DG while connected.  If you're using some other device, then you will have to research if it has an option to NAT the new network before traversing the VPN.
0
 
michael_fascian (Author) Commented:
@edrean: no experience with OpenVPN to set up a bridged VPN connection. But I assume we need to install a kind of VPN client on the PC?

@diprajbasu => ...then  it will be easy to give a solution
As vpn-server I'm using MS ISA 2004 server (which is also used as proxy/fw for internal clients)

Active Routes:

@kuoh
If it has an option to NAT the new network before traversing the VPN. Maybe this is an option but how?

What I don't understand: if you look at the routing table on the client, you would think everything is routed over the VPN tunnel.
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
     192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506

0
 
 
edrean Commented:
According to your routing table all 192.168.0.0/24 traffic will be routed out on the 192.168.0.118 interface and not to any gateway. Only traffic that doesn't match will be sent over the default gateway, starting with the one with the lowest metric value.

What does the routing table look like on the server side?

To use OpenVPN you will need to install an OpenVPN server on the server side (unless your server already supports OpenVPN) and an OpenVPN client on the client side. I have used it once, also without prior experience on it and it wasn't hard. It is well documented so you shouldn't have trouble. I really think it would be the easiest way for you to bridge the same IP network over a VPN connection.
0
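The route selection kuoh and edrean describe, as an added example that is not part of the original thread: a longest-prefix lookup over rows copied from the two route tables above shows why 192.168.0.11 leaves on the home wireless interface in test A (so traffic meant for the work host never enters the tunnel) and through the VPN in test B. The host-route row is constructed from kuoh's "route add" command; its interface and metric values are assumptions.

```python
import ipaddress

# Rows copied from the route tables on this page:
# destination, netmask, gateway, interface, metric.
TEST_A = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.118 4250
0.0.0.0 0.0.0.0 On-link 206.182.115.133 26
192.168.0.0 255.255.255.0 On-link 192.168.0.118 4506
206.182.115.133 255.255.255.255 On-link 206.182.115.133 281
"""
TEST_B = """\
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.100 4255
0.0.0.0 0.0.0.0 On-link 206.182.115.134 31
172.16.0.0 255.255.255.0 On-link 172.16.0.100 4511
206.182.115.134 255.255.255.255 On-link 206.182.115.134 286
"""
# Constructed row modelling kuoh's "route add 192.168.0.11 mask
# 255.255.255.255 206.182.115.133"; interface and metric are assumed.
HOST_ROUTE = "192.168.0.11 255.255.255.255 206.182.115.133 206.182.115.133 27\n"


def parse_routes(text):
    """Turn whitespace-separated route rows into (network, iface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, rulers and blank lines
        dest, mask, _gateway, iface, metric = fields
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface, int(metric)))
    return routes


def egress_interface(table, target):
    """Return the interface address that traffic to `target` is sent out of."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in parse_routes(table) if addr in r[0]]
    if not matches:
        return None
    # Longest prefix wins; the metric only breaks ties between equal prefixes.
    _net, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


if __name__ == "__main__":
    for name, table in (("A", TEST_A), ("B", TEST_B), ("A + host route", TEST_A + HOST_ROUTE)):
        for host in ("192.168.0.11", "192.168.0.12", "206.182.115.10"):
            print(f"{name:15} {host:15} -> {egress_interface(table, host)}")
```

The low metric on the VPN default route only decides between the two 0.0.0.0 entries; it never overrides the more specific on-link 192.168.0.0/24 route, which is why only the one host covered by the added /32 route moves into the tunnel.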
 
edrean Commented:
As I see it, you only have three options:
1. Use different network addresses
2. Use different subnets
3. Bridging your Ethernet interface and your VPN interface. (OpenVPN can do this for you)
0
 
edrean Commented:
Correction on no. 1:
1. Use different IP networks.
0
