• Status: Solved
  • Priority: Medium
  • Security: Public

VPN connected, but client (Win7) cannot ping or communicate with server (Win2003)

Hi,

We need to set up a home PC, running Windows 7 Pro, to connect to our office network.

I've set up a VPN connection by following this guide: http://support.microsoft.com/kb/323441

The problem is that the client can successfully establish a VPN connection to the server, but cannot otherwise see the office's subnet, as far as I can tell. It's unable to open any shared drives, or ping any devices on the office network. (The VPN server, however, can ping the client).

Set-up

The office's internet router allows incoming and outgoing NetBIOS traffic. The office's internet modem/router is connected to the Domain Controller server, which is also the VPN server. The DC/VPN server is also running the Kerio Control firewall software. (This firewall software is the firewall for the office LAN).

On VPN server (Win 2003 R2 SP2 32-bit):
Routing and Remote Access is configured.
The RAS server is configured to provide IP addresses to the client from a static pool of 4 addresses, 192.168.5.160 to 192.168.5.163.
The Kerio Control firewall is configured to allow incoming PPTP and GRE traffic.

On VPN Client (Win 7 Pro SP1 64-bit):
Routing and Remote Access, File and Print Sharing and NetLogon have been enabled in the Windows Firewall (for Home/Work, Domain and Public network types)
The Windows Firewall has been turned off.
The Routing and Remote Access service has been started.
Network discovery and file sharing has been enabled in Advanced File sharing (for Home/Work, Domain and Public network types).

(I've both configured the Windows Firewall and also turned it off, because I've heard that some of the firewall's rules keep operating even when it's turned off (?)).

The office LAN has the subnet 192.168.5.0/24. The VPN client's subnet does not overlap with the office LAN subnet. (When at home, the client's subnet is 192.168.0.0/24; however, for the diagnostic info printed below, the client was connected to my iPhone. The same symptoms are present whether the client is at home or connected to iPhone).


Symptoms

The VPN connection is successfully made (by PPTP).
The VPN client successfully receives an IP address in the office's subnet.
The client cannot ping the VPN server, or any computer on the office subnet.
The VPN server can ping the VPN client.
Other devices on the office LAN cannot ping the VPN client.

Diagnostic Info

These are the results when running "route print" and "ipconfig /all" on the VPN server and client, when connected.

999.999.999.999 represents the (anonymised) public IP address of our internet router.
999.999.999.998 is the public IP address of the VPN server.
999.999.999.997 is an IP address from our allocated pool of static IP addresses. I don't know what it's doing in the routing table, or what device it's allocated to.

"route print" on server :
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a 64 48 0b 37 ...... Broadcom NetXtreme Gigabit Ethernet #2 - Kerio Control
0x3 ...00 1a 64 48 0b 36 ...... Broadcom NetXtreme Gigabit Ethernet - Kerio Control
0x10004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10005 ...44 45 53 54 4f 53 ...... Kerio Virtual Network Adapter - Kerio Control
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  999.999.999.999  999.999.999.998     20
  999.999.999.997  255.255.255.248  999.999.999.998  999.999.999.998     20
  999.999.999.998  255.255.255.255        127.0.0.1        127.0.0.1     20
   81.255.255.255  255.255.255.255  999.999.999.998  999.999.999.998     20
   82.132.236.222  255.255.255.255  999.999.999.999  999.999.999.998     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      169.254.0.0      255.255.0.0   169.254.146.14   169.254.146.14     20
   169.254.146.14  255.255.255.255        127.0.0.1        127.0.0.1     20
  169.254.255.255  255.255.255.255   169.254.146.14   169.254.146.14     20
      192.168.5.0    255.255.255.0      192.168.5.1      192.168.5.1      1
      192.168.5.1  255.255.255.255        127.0.0.1        127.0.0.1      1
    192.168.5.160  255.255.255.255        127.0.0.1        127.0.0.1     50
    192.168.5.163  255.255.255.255    192.168.5.160    192.168.5.160      1
    192.168.5.255  255.255.255.255      192.168.5.1      192.168.5.1      1
        224.0.0.0        240.0.0.0  999.999.999.998  999.999.999.998     20
        224.0.0.0        240.0.0.0   169.254.146.14   169.254.146.14     20
        224.0.0.0        240.0.0.0      192.168.5.1      192.168.5.1      1
  255.255.255.255  255.255.255.255  999.999.999.998  999.999.999.998      1
  255.255.255.255  255.255.255.255   169.254.146.14   169.254.146.14      1
  255.255.255.255  255.255.255.255      192.168.5.1      192.168.5.1      1
Default Gateway:   999.999.999.999
===========================================================================
Persistent Routes:
  None



"ipconfig /all" on server :

Windows IP Configuration

   Host Name . . . . . . . . . . . . : gemini
   Primary Dns Suffix  . . . . . . . : IG.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : IG.local
                                       gateway.2wire.net

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-1A-64-48-0B-37
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 999.999.999.998
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 999.999.999.999
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 999.999.999.999
   Lease Obtained. . . . . . . . . . : 05 September 2012 15:38:13
   Lease Expires . . . . . . . . . . : 06 September 2012 15:38:13

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-1A-64-48-0B-36
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.5.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.5.1

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.5.160
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 

Ethernet adapter Kerio Virtual Network:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Kerio Virtual Network Adapter
   Physical Address. . . . . . . . . : 44-45-53-54-4F-53
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.146.14
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 
   NetBIOS over Tcpip. . . . . . . . : Disabled



"route print" on client :

===========================================================================
Interface List
 19...........................IG VPN connection
 16...74 e5 43 b0 35 75 ......Atheros AR9485WB-EG Wireless Network Adapter
 13...4c 72 b9 70 3b 86 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.3     25
  999.999.999.998  255.255.255.255      172.20.10.1      172.20.10.3     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.20.10.0  255.255.255.240         On-link       172.20.10.3    281
      172.20.10.3  255.255.255.255         On-link       172.20.10.3    281
     172.20.10.15  255.255.255.255         On-link       172.20.10.3    281
      192.168.5.0    255.255.255.0    192.168.5.160    192.168.5.163     26
    192.168.5.163  255.255.255.255         On-link     192.168.5.163    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       172.20.10.3    281
        224.0.0.0        240.0.0.0         On-link     192.168.5.163    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       172.20.10.3    281
  255.255.255.255  255.255.255.255         On-link     192.168.5.163    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 17     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 17     58 2001::/32                On-link
 17    306 2001:0:5ef5:79fd:18ee:1fb1:53eb:f5fc/128
                                    On-link
 16    281 fe80::/64                On-link
 17    306 fe80::/64                On-link
 17    306 fe80::18ee:1fb1:53eb:f5fc/128
                                    On-link
 16    281 fe80::9115:eec0:6947:843e/128
                                    On-link
  1    306 ff00::/8                 On-link
 17    306 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None



"ipconfig /all" on client :

Windows IP Configuration

   Host Name . . . . . . . . . . . . : IGPLANNERLTP
   Primary Dns Suffix  . . . . . . . : IG.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : IG.local

PPP adapter IG VPN connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : IG VPN connection
   Physical Address. . . . . . . . . : 
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.5.163(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.5.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Atheros AR9485WB-EG Wireless Network Adapter
   Physical Address. . . . . . . . . : 74-E5-43-B0-35-75
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9115:eec0:6947:843e%16(Preferred) 
   IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Lease Obtained. . . . . . . . . . : 05 September 2012 19:48:44
   Lease Expires . . . . . . . . . . : 06 September 2012 19:34:33
   Default Gateway . . . . . . . . . : 172.20.10.1
   DHCP Server . . . . . . . . . . . : 172.20.10.1
   DHCPv6 IAID . . . . . . . . . . . : 494200131
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-AD-5C-42-4C-72-B9-70-3B-86
   DNS Servers . . . . . . . . . . . : 82.132.254.2
                                       82.132.254.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 4C-72-B9-70-3B-86
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{47EB520F-7992-410E-9322-0289EE0D11EE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{0F1FF818-C2A8-4D21-9E4B-FABB7717A3F4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{E6B8D20B-6554-44B8-99F4-DD8065207C2E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:18ee:1fb1:53eb:f5fc(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::18ee:1fb1:53eb:f5fc%17(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled



Any help in resolving this would be greatly appreciated!

Regards,
amral22
 
John Jennings (Owner) Commented:
I noticed your VPN client does not have a gateway address.

I think that this has to do with your server not supporting IPv6, but your client does.

Go through this blog post, make your way towards the bottom, and follow the instructions to UNCHECK the 'Use default gateway on remote network' box. Just make sure that you change the setting on the IPv6 connector, NOT the IPv4 connector.

http://knowledgelayer.softlayer.com/questions/525/Setting+up+PPTP+for+Windows+7

Let's see if this helps!
0
 
John Jennings (Owner) Commented:
I'd also recommend adding a persistent route for your VPN traffic.

This blog post will go into those details for you.

http://blog.foreignkid.net/2012/03/pptp-vpn-and-split-tunneling/
0
 
amral22 (Author) Commented:
Thanks John.

In the set-up referenced in my original post, the 'Use default gateway on remote network' was unchecked for IPv4 on the client (which is why there is no gateway listed for the PPP VPN adapter, as you noted), and checked for IPv6.

I've also tried it in the configuration you suggested (unchecked for IPv6, checked for IPv4) but that doesn't work either. Also, in this configuration, I have no internet access on the client (since the default gateway is through the VPN, which isn't working).

I've also now tried unchecking IPv6 protocol in the client's VPN connection networking properties, but that doesn't seem to have made a difference.
0
 
John Jennings (Owner) Commented:
Alright. Time to get dirty. Are you familiar with Wireshark?
0
 
John Jennings (Owner) Commented:
Also, what roles did you select when installing RRAS? That'll help us figure out networking issues.
0
 
Arman Khodabande Commented:
Are you sure you're using a straight cable?
You remind me of a case which I had; he was mistakenly using crossover cables...

More info

Remember that if you use a crossover cable, some functions of the network may work, but it won't perform completely; for example, you can't see shared folders, etc.
Perhaps some network cards have the ability to change the pinout virtually and use a cross cable exactly like a normal one...
0
 
amral22 (Author) Commented:
Hi John,

I'm not familiar with WireShark, but can learn. Does it need to be installed on both client & server?

Thx, amral
0
 
amral22 (Author) Commented:
kpax77,

There's no cabling involved as such (apart from standard LAN cabling, which is known to be working well) - the VPN connection is a virtual connection through a working Internet connection.
0
 
Arman Khodabande Commented:
Oh, if that's the case...

No, Wireshark is just software that is installed on the computer you want to analyze.
It's easy to install, but takes time to get familiar with...
It needs some tricks and syntax to get the right info from the analysis.
But to begin, go to the Capture menu, select Interfaces, then select the desired interface to analyze (usually Microsoft in Windows 7). Then click the Options button and configure as you wish. (This is the key step in getting proper info, so you need a little experience in this part; you can visit the Wireshark wiki online.) Then click OK and then Start to start capturing the packets.
0
 
amral22 (Author) Commented:
JohnThePro

The only role I selected when installing RRAS was VPN.

Another problem just cropped up:
I've tried disabling and then redoing the RRAS set-up.

This time round, the 'Internal' interface for the VPN no longer has an IP address assigned to it - the IP address is "Not available", and the operational status of the interface is "Non-operational".

So I can't even make the VPN connection now. (I've tried restarting the service, resetting up RRAS and rebooting the service, to no effect).
0
 
John Jennings (Owner) Commented:
amral22,

That's a bit strange. Do you have static IP addresses assigned to both NICs in the server?

Also, the NIC that is internet-facing, is it straight into the internet with a public IP? Or does it sit behind a NAT device?
0
 
amral22 (Author) Commented:
Hi, JohnThePro, kpax77,

The problem's fixed now - the issue was with the traffic rules of the Kerio Firewall:

As mentioned above, the firewall was configured to allow incoming PPTP and GRE traffic. That was sufficient to establish the VPN connection, but it wasn't enough to allow data to pass through the VPN tunnel. For that, I had to create two rules allowing outgoing and incoming traffic to and from the dial-up/VPN interface, and everything is working now.
0
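
An added example, not part of the original thread: a small Python parser for the client's "route print" IPv4 rows quoted in the question, with a longest-prefix lookup showing that office-subnet traffic was already being routed into the tunnel, which fits the fix being a firewall rule rather than a route. The function names and the host 192.168.5.20 are illustrative assumptions, and the row holding the poster's anonymised 999.999.999.998 placeholder is skipped because it is not a valid address.

```python
import ipaddress

# IPv4 rows from the client's "route print" output quoted in the question.
# 999.999.999.998 is the poster's anonymised placeholder, not a real address.
CLIENT_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.3     25
  999.999.999.998  255.255.255.255      172.20.10.1      172.20.10.3     26
      172.20.10.0  255.255.255.240         On-link       172.20.10.3    281
      192.168.5.0    255.255.255.0    192.168.5.160    192.168.5.163     26
    192.168.5.163  255.255.255.255         On-link     192.168.5.163    281
"""


def parse_routes(text):
    """Return (routes, skipped_rows) parsed from 'route print' IPv4 rows."""
    routes, skipped = [], []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have five columns ending in a numeric metric; the header has six.
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(iface)
        except ValueError:
            skipped.append(line.strip())  # e.g. anonymised 999.x.x.x rows
            continue
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes, skipped


def lookup(routes, destination):
    """Longest-prefix match, ties broken by lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def egress_interface(routes, destination):
    """Local interface address the packet would leave from, or None."""
    route = lookup(routes, destination)
    return route["interface"] if route else None


if __name__ == "__main__":
    routes, skipped = parse_routes(CLIENT_ROUTES)
    # Office server, a hypothetical office LAN host, then the client's public DNS server.
    for target in ("192.168.5.1", "192.168.5.20", "82.132.254.2"):
        r = lookup(routes, target)
        print(f"{target:>14} -> via {r['gateway']} on {r['interface']} ({r['network']})")
    print("skipped rows:", skipped)
```

Office addresses resolve to the VPN interface (192.168.5.163) while everything else leaves through the wireless adapter, so the client side was sending pings into the tunnel; the place left to check is filtering on the server's dial-in interface, which is where the fix was made.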
 
John Jennings (Owner) Commented:
Ah, external firewalls. That'll do it. Glad you got it figured out.
0
 
amral22 (Author) Commented:
The problem was solved without help from any of the respondents or advice received at EE.
0
