Solved

Internal network range not reachable via windows vpn

Posted on 2010-09-13
Last Modified: 2012-05-10
When creating a Windows VPN connection (PPTP or IPSec), I'm not able to reach our new range at work. I'm able to make a connection and get an IP in the range 206.182.115.x from our VPN server. I can reach our network 206.182.115.x but not 192.168.0.x if the client is also in the 192.168.0.x network (on a lot of home devices, this is a default range).
I thought after creating a VPN all traffic is sent over the VPN and not locally. But for some reason if the client's DG is also in the range 192.168.0.x it doesn't work. It works when the client is in another range (e.g. 172.16.0.x).
Regarding the routing table, it seems it has to go over the VPN link (on-link).

Work:
--------
- range: 206.182.115.x
- new range: 192.168.0.x

Client home setup:
--------------------
- windows7 or xp
- For win7 I've enabled the setting "Use default gateway on remote network" for vpn conn.
- Remote access conn. is on top under adapters and bindings
A. when client is in the range 192.168.0.x (dg=192.168.0.1) => NOT WORKING
B. when client is in the range 172.16.0.x (dg=172.16.0.1) => WORKING

Test result
------------
A.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.118
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

C:\Users\nmeeus>telnet 192.168.0.11 (normally I should be able to do this)
Connecting To 192.168.0.11...Could not open connection to the host, on port 23: Connect failed

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
      81.83.6.157  255.255.255.255      192.168.0.1    192.168.0.118   4251
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506
    192.168.0.118  255.255.255.255         On-link     192.168.0.118   4506
    192.168.0.255  255.255.255.255         On-link     192.168.0.118   4506
  206.182.115.133  255.255.255.255         On-link   206.182.115.133    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.0.118   4507
        224.0.0.0        240.0.0.0         On-link   206.182.115.133     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.0.118   4506
  255.255.255.255  255.255.255.255         On-link   206.182.115.133    281
===========================================================================
Persistent Routes:
  None

B.
PPP adapter VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 206.182.115.134
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0


Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : telenet.be
   Link-local IPv6 Address . . . . . : fe80::c4f6:9d49:8b94:472a%11
   IPv4 Address. . . . . . . . . . . : 172.16.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.0.1


C:\Users\nmeeus>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=36ms TTL=63

C:\Users\nmeeus>ping 192.168.0.11

Pinging 192.168.0.11 with 32 bytes of data:
Reply from 192.168.0.11: bytes=32 time=22ms TTL=62

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1     172.16.0.100   4255
          0.0.0.0          0.0.0.0         On-link   206.182.115.134     31
      81.83.6.157  255.255.255.255       172.16.0.1     172.16.0.100   4256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
       172.16.0.0    255.255.255.0         On-link      172.16.0.100   4511
     172.16.0.100  255.255.255.255         On-link      172.16.0.100   4511
     172.16.0.255  255.255.255.255         On-link      172.16.0.100   4511
  206.182.115.134  255.255.255.255         On-link   206.182.115.134    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link      172.16.0.100   4512
        224.0.0.0        240.0.0.0         On-link   206.182.115.134     31
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link      172.16.0.100   4511
  255.255.255.255  255.255.255.255         On-link   206.182.115.134    286
===========================================================================
Persistent Routes:
  None












Question by:michael_fascian
11 Comments
 
LVL 9

Expert Comment

by:ken2421
ID: 33662508
Don't know how much help this will be to you but I had to change my home network IP scheme for this very reason. If I connected to a customer or office through vpn that had that same scheme, DNS would freak. It would drop Terminal services or whatever because it didn't know how to resolve when mine and the vpn schemes were the same.

I will be anxious to find out what you find out.

Good luck,
Ken
0
 

Author Comment

by:michael_fascian
ID: 33662613
I've changed my IP range for my home and it's working, but I cannot do this for all our users who connect via VPN. At this moment the new range isn't used yet but soon it will be. I cannot change the range 192.168.0.x at work.

@ ken2421 - regarding DNS you should put remote access conn. on top under adapters and bindings

0
 


 
LVL 3

Expert Comment

by:edrean
ID: 33662927
0
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 33669245
Please tell whether you are using any firewall/UTM or VPN gateway/server to create the VPN server... then it will be easy to give a solution.
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33678575
This is the default behavior and I'm not aware of any way of changing it in the Windows VPN client.  Because the PC is in the 192.168.0.x network, it will not route packets for what it considers local hosts over the VPN.  You can overcome this behavior somewhat with custom routes on the remote host, like "route add 192.168.0.11 mask 255.255.255.255  206.182.115.133", but obviously there are problems like the VPN address changing on each connect and if there are many hosts on the other side of the VPN that you need access to.  If you're using a Cisco ASA or PIX, then you can use the latest Cisco VPN client, which is able to overcome this limitation, but it will disable communications with all other local IPs except for the DG while connected.  If you're using some other device, then you will have to research if it has an option to NAT the new network before traversing the VPN.
0
 

Author Comment

by:michael_fascian
ID: 33680386
@ edrean: no experience with OpenVPN to set up a bridged VPN connection. But I assume we need to install a kind of VPN client on the PC?

@diprajbasu => ...then  it will be easy to give a solution
As vpn-server I'm using MS ISA 2004 server (which is also used as proxy/fw for internal clients)

Active Routes:

@kuoh
If it has an option to NAT the new network before traversing the VPN. Maybe this is an option but how?

What I don't understand is that if you look at the routing table on the client, you would think everything is routed over the VPN tunnel.
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.118   4250
          0.0.0.0          0.0.0.0         On-link   206.182.115.133     26
      192.168.0.0    255.255.255.0         On-link     192.168.0.118   4506

0
 

 
LVL 3

Expert Comment

by:edrean
ID: 33680469
According to your routing table all 192.168.0.0/24 traffic will be routed out on the 192.168.0.118 interface and not to any gateway. Only traffic that doesn't match will be sent over the default gateway, starting with the one with the lowest metric value.

What does the routing table look like on the server side?

To use OpenVPN you will need to install an OpenVPN server on the server side (unless your server already supports OpenVPN) and an OpenVPN client on the client side. I have used it once, also without prior experience on it and it wasn't hard. It is well documented so you shouldn't have trouble. I really think it would be the easiest way for you to bridge the same IP network over a VPN connection.
0
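The route selection that kuoh and edrean describe, as an added Python example (not part of the original thread): it applies longest-prefix matching to the route rows from scenarios A and B and lists local routes that overlap the work range. The function names and the host 206.182.115.10 are assumptions made for the illustration.

```python
import ipaddress

# Relevant rows copied from the client's route tables in scenarios A and B:
# (destination, netmask, gateway, interface, metric)
ROUTES_A = [
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.118", 4250),
    ("0.0.0.0", "0.0.0.0", "On-link", "206.182.115.133", 26),
    ("192.168.0.0", "255.255.255.0", "On-link", "192.168.0.118", 4506),
    ("206.182.115.133", "255.255.255.255", "On-link", "206.182.115.133", 281),
]
ROUTES_B = [
    ("0.0.0.0", "0.0.0.0", "172.16.0.1", "172.16.0.100", 4255),
    ("0.0.0.0", "0.0.0.0", "On-link", "206.182.115.134", 31),
    ("172.16.0.0", "255.255.255.0", "On-link", "172.16.0.100", 4511),
    ("206.182.115.134", "255.255.255.255", "On-link", "206.182.115.134", 286),
]

def select_route(routes, destination):
    """Longest prefix wins; metric only breaks ties between equal prefixes."""
    dest = ipaddress.ip_address(destination)
    candidates = []
    for net, mask, gateway, interface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if dest in network:
            candidates.append((-network.prefixlen, metric, gateway, interface))
    if not candidates:
        return None
    _, metric, gateway, interface = min(candidates)
    return {"gateway": gateway, "interface": interface, "metric": metric}

def overlapping_local_routes(routes, remote_network, vpn_interface):
    """Non-VPN, non-default routes that overlap the remote network."""
    remote = ipaddress.ip_network(remote_network)
    hits = []
    for net, mask, _gw, interface, _metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if interface == vpn_interface or network.prefixlen == 0:
            continue
        if network.overlaps(remote):
            hits.append((str(network), interface))
    return hits

if __name__ == "__main__":
    for name, routes in (("A", ROUTES_A), ("B", ROUTES_B)):
        print(name, "192.168.0.11 ->", select_route(routes, "192.168.0.11"))
    # 206.182.115.10 is a constructed host in the work range.
    print("A 206.182.115.10 ->", select_route(ROUTES_A, "206.182.115.10"))
```

In scenario A the on-link /24 on the wireless adapter is more specific than the VPN default route, so its lower metric of 26 never comes into play; in scenario B no local route covers 192.168.0.11 and the VPN default route is chosen.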
 
LVL 3

Expert Comment

by:edrean
ID: 33680481
As I see it, you only have three options:
1. Use different network addresses
2. Use different subnets
3. Bridging your Ethernet interface and your VPN interface. (OpenVPN can do this for you)
0
 
LVL 3

Accepted Solution

by:
edrean earned 500 total points
ID: 33680492
Correction on no. 1:
1. Use different IP networks.
0
