BadPanda


VPN Problem with Linksys RV042 and Windows 7 File Sharing

I have set up a VPN connection between 2 locations that is successfully pingable between both locations.  
I attempted to set up file sharing on the systems but am unable to see or ping computers on the other subnets.  I am also needing to set up remote desktop, but that can be done later.  I am relatively new with Windows 7, but am really new to the file sharing procedures in W7.  Couple of key things to know beforehand:
Computers are set to be at "Work" not "Home."
Workgroup names are the same.
Is there a port that needs to be opened on the RV042?
John

The tunnel in the Linksys RV042 does not care about the client operating systems.

When you set up the tunnel in the RV042, did you use gateway <--> gateway? According to the above, you would want this set up.  Then make sure the VPN setups are the same on both ends.

Then, in the tunnel setup, look down the setup page to the advanced settings. Make sure the advanced settings are the same on both ends and then you might try turning on NAT Traversal to see if that helps. Experiment both ways.

Now look in the firewall tab. The settings in there should be all enabled except for remote management (unless you want that) and multicast pass-through.

Otherwise, if the tunnel is properly set up and working, the appropriate ports should already be working. I have not had to open specific ports.

.. Thinkpads_User
BadPanda

ASKER

Thinkpads, thanks for the response.  Yes, they were done gateway to gateway.  The VPNs are set up with subnets of 192.168.2.0 and 192.168.4.0 (there is a 3rd one not currently connected.)  Anyway, my thinking was that something in Windows 7 was preventing file sharing and browsing since we aren't using that HOMEGROUP that Microsoft throws all over the place lately.
To clarify, I can ping the other ROUTER.  I can not PING other PCs...even those that have their firewalls turned off.
First, please do answer my settings questions above.

Second, then, on Windows 7, look at the following: In Control Panel -> Network and Sharing Center -> Advanced Sharing settings:

Turn on: Network Discovery, File and Print Sharing, Use 128 bit encryption, Password protected sharing, Use user accounts and passwords.

Turn off: Public folder sharing, media streaming. And the obverse of "Use user accounts" is to ensure Homegroup is off.

Try these settings, however, I don't think these settings affect the ability to ping the other end. You need to establish this before proceeding.

Now, do you have two firewalls? Please overtly check, because there is a Windows firewall and there may be your own AntiVirus firewall.

And then to belt and suspender, we cannot deal with file sharing until you can ping.

... Thinkpads_User
Thinkpads, I will get back to you ASAP.  I have a quick cable-run to go do and then I'll be back.
I have gone through the settings as you suggested.  I also turned on NetBIOS in the advanced option but no luck.
I am unable to ping any PC on the other subnet.  I am able to ping the remote subnet router without issue.  I checked and am able to ping PCs from within their own subnets.
Definitely at the router.  Could this be a route thing?  Not sure.  I reread the documentation (still going through it) and don't see anything in it about this.
Panda
Question:  When you say you can ping the other router, can you be at 192.168.2.x and ping 192.168.4.x ?  That is, can you ping from inside one end to inside the other end.  Ping the router gateway.

One thing you might try is to reset the two routers to factory condition, ensure the firmware is at 1.3.12.16, and then rebuild the tunnels.

Something I am not certain about:  One end of the system can be on a dynamic IP (external). But the other end must be static, I think. I do not think you can have both ends dynamic.

... Thinkpads_User
Out with flu. Will reply ASAP
"Question:  When you say you can ping the other router, can you be at 192.168.2.x and ping 192.168.4.x ?  That is, can you ping from inside one end to inside the other end.  Ping the router gateway." Yes, that is exactly what I am saying.  
Both routers were reset to factory already and am rebuilding them because the prior admin didn't have the passwords or anything else documented.  
As far as using dynamic IP on both, if you used DDNS it wouldn't matter.  But these are both static IPs.  
Thanks. Let us know when you have them rebuilt. I have clients with these little boxes on static IP's, set up as I suggested above and they communicate just fine. ... Thinkpads_User
They are rebuilt...I apologize I wasn't clear.  I had already reset them to factory and this is when the problems began.
As I said, they appear to be connecting to each other just fine, just not passing any info other than to the gateways themselves.  I can't ping anything else other than x.x.x.1 from the other subnet; 2-254 isn't available.
So you are at 192.168.2.100 (say) and you can ping 192.168.4.1 but not 192.168.4.100?  Is there only one device at 192.168.4.x? And is that one single device a Windows 7 computer?  What IP address does this Windows 7 computer get? If there is more than one device at .4, what are they and what IP addresses do they get?  

I am away right now and not near my own RV042 but I should be able to assist.
... Thinkpads_User
Your scenario is correct.  The main office is the 192.168.2.x and it has multiple machines (I can't ping any of them.)  The branch office is 192.168.4.x and only has the one device which is a W7 machine. It receives a dynamic IP from the router which defaults at .100 I believe.
I am VERY thankful for the help thinkpads!
edit above comment:  Your scenario is correct.  The main office is the 192.168.2.x and it has multiple machines (I can't ping any of them FROM THE BRANCH OFFICE.)  
At this point, I am not sure the tunnel is properly established. I don't see how so many devices cannot be pinged.

Check in the tunnel setup page that the connection button stays connected. It should say Disconnect.

.... Thinkpads_User
I do have the option to disconnect.  I disconnected the tunnels and reconnected the tunnels just to be sure.  No change.
The RV042 has WAN and DMZ ports along with 4 LAN ports. I assume you have connected your internet source (DSL modem or like) into the WAN1 port and that your tunnel references WAN1. I also assume you have the RV042 on the other end properly set up with respect to ports as well.

I would re-emphasize two things from earlier.
(a) Make sure the firewall settings (in the firewall tab) are set properly. I do not have an RV042 at hand until Monday next but go into the firewall tab and make sure you are not blocking anything.
(b) Did you try setting NAT Traversal on one end and also try both ends. You need to experiment with this setting. Try none both ends, set one end with the other off, and then set both ends.  Make sure Aggressive mode is set the same on each end.

... Thinkpads_User

Another thing to try (separate from the RV042) is to set up Wireshark on one computer and see what traffic is happening and from where when you try to ping a computer on the other end.  ... Thinkpads_User
Okay Thinkpads.  Thanks for sticking with me.  I'm going to be working on a network for the next two days so I may only be able to get to this Friday afternoon.
I'll get back to you as soon as possible.
Monday would be fine as well, as I will be able to work with my own RV042 remotely and locally. So take your time and Monday is fine.  ... Thinkpads_User
@BadPanda - It is Monday and I am at one other end of my home RV042 Cisco LinkSys Router (which has permanent Gateway <--> Gateway IPSec Tunnels to several clients) .  

I just pinged my home Windows 7 Pro machine with no issue. Last Friday from home I pinged a client XP Pro machine with no issue. So generally, connections work and with XP / Windows 7 .

So big picture:
1. Make sure your tunnels are mirror images of each other per steps above (which I can repeat if need be).
2. Make sure you have plugged into WAN1 (and not DMZ) on both routers.
3. Make sure client firewalls everywhere allow all subnets.
4. I have a HOSTS entry for each client. You may need a HOSTS entry.

... Thinkpads_User
I'm thinking I need to work on step 4.  Can you post a sample?
The HOSTS file looks like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
#
# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost
#
192.168.0.100      computername            # Description
192.168.0.101      otherpcname            # Description
----------------------
Lines beginning with # are comments.

So you need at one end, the internal IP of the other end, with the name of the computer. You need a line for each computer.

... Thinkpads_User
Don't forget that the HOSTS file is only to relate IP address to computer name. If you are pinging by IP number, the HOSTS file does not enter into it. If you ping by computer name, then the HOSTS file does enter into it.

I double checked: I can ping my Windows 7 machine, my print server, and my wireless router from a client with a tunnel connected to my RV042.

So I still wonder about your router setup. Specifically (and some repetition here):
1. In the RV042 setup, in the Firewall tab, you need Firewall, SPI, DoS, and HTTPS all enabled. I have Block WAN request Enabled, but you might try it on one end Disabled. You should have Remote Management and Multicast disabled. Block (Java, Cookies etc) all unchecked. Don't block Java/ActiveX also unchecked.
2. I did NOT play with or alter any ports.
3. Make sure you are on WAN1 both ends.
4. In the VPN tab for a Tunnel, make sure local security groups are set to subnet and that subnet and mask are correct. Make sure the IPSec setup is mirrored both ends. Then in Advanced, Aggressive mode both checked or both unchecked. Compress unchecked. Keep Alive checked. AH Hash unchecked, NetBIOS unchecked. NAT Traversal EXPERIMENT all combinations. Dead Peer Detect checked.

.... Thinkpads_User
Hello BadPanda -

Any luck pinging devices?  I am thinking you have used IP instead of Subnet in the local security groups (2 places).

By the way, you probably should increase the points in this question given the overall difficulty.

... Thinkpads_User
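The "IP instead of Subnet" hypothesis above can be checked on paper before touching either router. This is an added example, not part of the original thread: the dictionary field names are hypothetical (they are not RV042 export keys), the two configurations are constructed from the subnets mentioned in the thread, and the traffic-selector model is a simplification.

```python
import ipaddress

# Constructed settings for both ends; BRANCH has the suspected mistake
# (local security group entered as a single IP rather than a subnet).
MAIN = {"local_type": "Subnet", "local": "192.168.2.0/24",
        "remote_type": "Subnet", "remote": "192.168.4.0/24", "aggressive": False}
BRANCH = {"local_type": "IP", "local": "192.168.4.1/32",
          "remote_type": "Subnet", "remote": "192.168.2.0/24", "aggressive": False}

def check_mirror(a, b):
    """List the reasons two gateway-to-gateway tunnel configs are not mirror images."""
    problems = []
    for name, cfg in (("A", a), ("B", b)):
        for side in ("local", "remote"):
            group_type = cfg[side + "_type"]
            if group_type != "Subnet":
                problems.append(f"{name}: {side} security group is {group_type}, not Subnet")
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        if ipaddress.ip_network(x["local"]) != ipaddress.ip_network(y["remote"]):
            problems.append(f"{xn} local {x['local']} != {yn} remote {y['remote']}")
    if a["aggressive"] != b["aggressive"]:
        problems.append("Aggressive mode differs between ends")
    return problems

def covered(src, dst, cfg):
    """True if a packet src -> dst leaving cfg's side matches its local/remote groups."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(cfg["local"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(cfg["remote"]))

def ping_possible(src, dst, src_end, dst_end):
    """The echo request must match the sender's groups and the reply the receiver's."""
    return covered(src, dst, src_end) and covered(dst, src, dst_end)

if __name__ == "__main__":
    for problem in check_mirror(MAIN, BRANCH):
        print("MISMATCH:", problem)
    for target in ("192.168.4.1", "192.168.4.100"):
        ok = ping_possible("192.168.2.100", target, MAIN, BRANCH)
        print(f"192.168.2.100 -> {target}: {'covered' if ok else 'NOT covered by tunnel'}")
```

With the constructed BRANCH entry, only 192.168.4.1 falls inside the tunnel's groups, which matches the pattern of reaching x.x.x.1 but nothing from 2-254.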
This job is for a client and they have been too busy to let me get back there.  
Could you clarify the last comment?  Where would this be checked and I can see if I did that?
Thanks!
Panda
Thank you. I was pleased to help you out with this. ... Thinkpads_User
You were awesome, Thinkpads.  Thanks again!