Solved

Internal network range not reachable via windows vpn

Posted on 2010-09-13
Last Modified: 2012-05-10
When creating a Windows VPN connection (PPTP or IPSec), I'm not able to reach our new range at work. I'm able to make a connection and get an IP in the range 206.182.115.x from our VPN server. I can reach our network 206.182.115.x but not 192.168.0.x if the client is also in the 192.168.0.x network (on a lot of home devices, this is a default range).
I thought after creating a VPN all traffic is sent over the VPN and not locally. But for some reason, if the client's DG is also in the range 192.168.0.x, it doesn't work. It works when the client is in another range (e.g. 172.16.0.x).
Regarding the routing table, it seems it has to go over the VPN link (on-link).

Work:
--------
- range: 206.182.115.x
- new range: 192.168.0.x

Client home setup:
--------------------
- Windows 7 or XP
- For Win7 I've enabled the setting "Use default gateway on remote network" for the VPN conn.
- Remote access conn. is on top under adapters and bindings
A. when client is in the range 192.168.0.x (dg=192.168.0.1) => NOT WORKING
B. when client is in the range 172.16.0.x (dg=172.16.0.1) => WORKING

Test result
------------
A.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.118
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

C:\Users\nmeeus>telnet 192.168.0.11 (normally I should be able to do this)
Connecting To 192.168.0.11...Could not open connection to the host, on port 23: Connect failed

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
      81.83.6.157  255.255.255.255      192.168.0.1    192.168.0.118   4251
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506
    192.168.0.118  255.255.255.255         On-link     192.168.0.118   4506
    192.168.0.255  255.255.255.255         On-link     192.168.0.118   4506
  206.182.115.133  255.255.255.255         On-link   206.182.115.133    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.0.118   4507
        224.0.0.0        240.0.0.0         On-link   206.182.115.133     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.0.118   4506
  255.255.255.255  255.255.255.255         On-link   206.182.115.133    281
===========================================================================
Persistent Routes:
  None

B.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0


Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 172.16.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.0.1


C:\Users\nmeeus>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=36ms TTL=63

C:\Users\nmeeus>ping 192.168.0.11

Pinging 192.168.0.11 with 32 bytes of data:
Reply from 192.168.0.11: bytes=32 time=22ms TTL=62

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1     172.16.0.100   4255
          0.0.0.0          0.0.0.0         On-link   206.182.115.134     31
      81.83.6.157  255.255.255.255       172.16.0.1     172.16.0.100   4256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
       172.16.0.0    255.255.255.0         On-link      172.16.0.100   4511
     172.16.0.100  255.255.255.255         On-link      172.16.0.100   4511
     172.16.0.255  255.255.255.255         On-link      172.16.0.100   4511
  206.182.115.134  255.255.255.255         On-link   206.182.115.134    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link      172.16.0.100   4512
        224.0.0.0        240.0.0.0         On-link   206.182.115.134     31
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link      172.16.0.100   4511
  255.255.255.255  255.255.255.255         On-link   206.182.115.134    286
===========================================================================
Persistent Routes:
  None

Question by:michael_fascian
11 Comments
 
LVL 9

Expert Comment

by:ken2421
Don't know how much help this will be to you but I had to change my home network IP scheme for this very reason. If I connected to a customer or office through vpn that had that same scheme, DNS would freak. It would drop Terminal services or whatever because it didn't know how to resolve when mine and the vpn schemes were the same.

I will be anxious to find out what you find out.

Good luck,
Ken
0
 

Author Comment

by:michael_fascian
I've changed the IP range for my home and it's working, but I cannot do this for all our users who connect via VPN. At this moment the new range isn't used yet, but soon it will be. I cannot change the range 192.168.0.x at work.

@ken2421 - regarding DNS, you should put the remote access conn. on top under adapters and bindings.

0
 

LVL 3

Expert Comment

by:edrean
0
 
LVL 11

Expert Comment

by:diprajbasu
Please tell whether you are using any firewall/UTM or VPN gateway/server to create the VPN server... then it will be easy to give a solution.
0
 
LVL 6

Expert Comment

by:kuoh
This is the default behavior and I'm not aware of any way of changing it in the Windows VPN client.  Because the PC is in the 192.168.0.x network, it will not route packets for what it considers local hosts over the VPN.  You can overcome this behavior somewhat with custom routes on the remote host, like "route add 192.168.0.11 mask 255.255.255.255  206.182.115.133", but obviously there are problems like the VPN address changing on each connect and if there are many hosts on the other side of the VPN that you need access to.  If you're using a Cisco ASA or PIX, then you can use the latest Cisco VPN client, which is able to overcome this limitation, but it will disable communications with all other local IPs except for the DG while connected.  If you're using some other device, then you will have to research if it has an option to NAT the new network before traversing the VPN.
0
 

Author Comment

by:michael_fascian
@edrean: no experience with OpenVPN to set up a bridged VPN connection. But I assume we need to install a kind of VPN client on the PC?

@diprajbasu => ...then  it will be easy to give a solution
As vpn-server I'm using MS ISA 2004 server (which is also used as proxy/fw for internal clients)

Active Routes:

@kuoh
"If it has an option to NAT the new network before traversing the VPN." Maybe this is an option, but how?

What I don't understand: if you look at the routing table on the client, you would think everything is routed over the VPN tunnel.
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
     192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506

0
 

LVL 3

Expert Comment

by:edrean
According to your routing table, all 192.168.0.0/24 traffic will be routed out on the 192.168.0.118 interface and not to any gateway. Only traffic that doesn't match will be sent over the default gateway, starting with the one with the lowest metric value.

What does the routing table look like on the server side?

To use OpenVPN you will need to install an OpenVPN server on the server side (unless your server already supports OpenVPN) and an OpenVPN client on the client side. I have used it once, also without prior experience on it and it wasn't hard. It is well documented so you shouldn't have trouble. I really think it would be the easiest way for you to bridge the same IP network over a VPN connection.
0
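The route selection described in the comments above can be replayed over the poster's own tables. This is an added example, not code from any participant in the thread: the rows are copied from the two route tables in the question, the function names are hypothetical, and the metric of 1 on the host route is an assumed value for kuoh's `route add` workaround.

```python
import ipaddress

# (destination, netmask, gateway, interface, metric) rows from the question's route tables
CASE_A = [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.118", 4250),
    ("0.0.0.0", "0.0.0.0", "On-link", "206.182.115.133", 26),
    ("81.83.6.157", "255.255.255.255", "192.168.0.1", "192.168.0.118", 4251),
    ("192.168.0.0", "255.255.255.0", "On-link", "192.168.0.118", 4506),
    ("206.182.115.133", "255.255.255.255", "On-link", "206.182.115.133", 281),
]
CASE_B = [
    ("0.0.0.0", "0.0.0.0", "172.16.0.1", "172.16.0.100", 4255),
    ("0.0.0.0", "0.0.0.0", "On-link", "206.182.115.134", 31),
    ("81.83.6.157", "255.255.255.255", "172.16.0.1", "172.16.0.100", 4256),
    ("172.16.0.0", "255.255.255.0", "On-link", "172.16.0.100", 4511),
    ("206.182.115.134", "255.255.255.255", "On-link", "206.182.115.134", 286),
]

def net_of(dst, mask):
    """Build a network object from a dotted destination and dotted netmask."""
    prefix = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{dst}/{prefix}")

def select_route(table, dest):
    """Longest matching prefix wins; the metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in net_of(r[0], r[1])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-net_of(r[0], r[1]).prefixlen, r[4]))

def egress_interface(table, dest):
    """Interface address the packet for dest leaves on, or None if unroutable."""
    row = select_route(table, dest)
    return row[3] if row else None

def with_host_route(table, host, vpn_ip, metric=1):
    """Table plus a /32 route for one host via the VPN address (metric is an assumed value)."""
    return table + [(host, "255.255.255.255", vpn_ip, vpn_ip, metric)]

if __name__ == "__main__":
    print("A:", egress_interface(CASE_A, "192.168.0.11"))  # local Wi-Fi, never enters the tunnel
    print("B:", egress_interface(CASE_B, "192.168.0.11"))  # VPN default route
    patched = with_host_route(CASE_A, "192.168.0.11", "206.182.115.133")
    print("A + /32:", egress_interface(patched, "192.168.0.11"))
```

In case A the low-metric VPN default route never gets a vote for 192.168.0.11, because the local /24 is more specific; the /32 host route fixes only that one address, and every other host in 192.168.0.0/24 still resolves to the home LAN.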
 
LVL 3

Expert Comment

by:edrean
As I see it, you only have three options:
1. Use different network addresses
2. Use different subnets
3. Bridging your Ethernet interface and your VPN interface. (OpenVPN can do this for you)
0
 
LVL 3

Accepted Solution

by:
edrean earned 500 total points
Correction on no. 1:
1. Use different IP networks.
0
