Cannot PING

richielmt

Technical User
Jul 23, 2003
11
US
I have two laptops:
L1 running WinXP/Nortel IPsec client/Sentinel IPsec client
L2 running WinXP/Sentinel IPsec client

L1 can connect to the tunnel and ping local IP addresses.

L2 can connect to the tunnel but cannot ping the local IP address.

Tested both systems in different locations, same result; installed Sentinel on a desktop in a different location, same result as L2.

My question: Is the Nortel IPsec client helping me ping the remote location? Should I install Nortel on the other laptop and desktop in order to ping? BTW, I cannot run the Nortel client while Sentinel is installed.
 
A) The Nortel client never helps. Install it if you need to connect to a Nortel server, otherwise skip it.

B) You can ping! Barring some major problems with your TCP/IP configuration, you can type ping and an address and you will get something. Point is, the specific response you get when you ping can be helpful in finding the solution to your problem, so please be more specific.

You talk about pinging the 'local' ip address. If pinging from a vpn client, the local address would be the address of the client. Is that what you mean -- I would suspect not, but not 100% sure what you are pinging. Might want to clarify.
 
mhkwood, you are right. I can ping from L2:
static ip assigned to the HQ router
any address on the internet
nothing on the local subnet (HQ) 192.168.1.0

L1 can ping everything

While connected through vpn with L1 I run a tracert to 192.168.1.75 and it takes one hop to resolve.

While connected through vpn with L2 I run a tracert to the same ip and it takes 30 hops returning only asterisks
 
So you are getting 'Request timed out' when pinging?

Sounds like a routing issue. Start by verifying that your tunnel is up -- ping the server side of the VPN connection -- not the public IP that you are pointing Sentinel to, but the IP assigned to the VPN when it is created. Bring up the connection, open the statistics for the connection and it should be listed in the details.

If that works, it would indicate a routing issue on one end or the other. Since one laptop works, I would suspect a problem on the one that doesn't as opposed to the server end, but anything is possible.

Check your addressing scheme: if the laptop in question is connected to a network other than the VPN, the network address on the client side has to be different than the address on the server side.

If you get that far, post back with some info about your addressing scheme and we'll try a bit more. Also, what are you using for a VPN server?
 
The connections are as follows:

I can ping the server side with L1 not L2
HQ uses 192.168.1.0
HQ server uses 192.168.1.75
Linksys VPN router uses a static IP from Verizon and a LAN gtwy ip of 192.168.1.1

Where my laptops are located does not matter as much because I have tried this setup from several locations with the same results. I have even gone as far as installing Sentinel on a desktop in another location; it could not ping the 192.168.1.75 IP either.

My home LAN address is 192.168.3.0; my Linksys router uses DHCP for the WAN IP.

L1 and L2 connect to the tunnel; I confirmed this by remotely managing the router to check the status in the VPN log. I do not tunnel into two different tunnels, just one. I disconnect L1, then try L2.

I looked at my routing table (route print) on the laptops and it is identical when connected to the tunnel; the one difference is the Nortel ipsecsch adapter on L1.

BTW Both laptops use wireless cards on my home network L1 uses a Cisco and L2 uses a Linksys.

 
Still not really enough to rule out a routing problem, but I would tend to lean more toward some kind of firewall software blocking ICMP on client side. Could be the XP ICF, IP security policy, or other firewall software. Several anti-virus vendors are supplying a firewall with their software and not really making that point clear.
 
So what you are saying is, while I am connected to the tunnel, check my services to see if ICF was started, because it is not started right now, but has a startup type of Manual, which means if a component is dependent on the service it will start. None of my network devices has this feature enabled, so I would not know which device would want to start it, if it does start. I will try when I go home for lunch. This is becoming a real issue right now; I have two more requests for tunnel access.
 
What should I be looking for if it is a routing issue?
 
Read over the thread again.

The tracert you mentioned sounds odd, I would expect you to see the first reply with times and an IP address, either your IPSec server or the default router for your internet connection. The fact that you do not see a response from anywhere would somewhat confirm that inbound ICMP is being blocked on that computer. This would also cause your ping to give a 'Request timed out'.

Second thing that would somewhat rule out a routing problem is the fact that your routing tables appear to be the same. I would double check, as it is possible that they are similar but not perfect. Either way, each machine should have a line similar to:

192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 1

The first set of xxx.xxx.xxx.xxx should be your public IP (the one assigned by your ISP that you use to make the connection). The second will vary depending upon your exact configuration, but they should NOT be the same on both machines. If the rest of the line looks right, you should be fine.

If that line is not there, I would try to add it.

route add 192.168.1.0 mask 255.255.255.0 xxx.xxx.xxx.xxx

replacing the xxx.xxx.xxx.xxx with the public IP of the IPSec server.

On the note of the firewall, ICF is possible. Sounds like you have checked that. Also remember to check for others, often a firewall is installed with anti-virus software without really explaining that it is bundled with the software.
 
I can browse the internet with L2 while connected to the tunnel, but cannot with L1; not sure if that matters. Also, L1 Node type is Hybrid and L2 is Peer-to-Peer.

Here is route print from L2 while connected:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...02 00 00 00 01 00 ...... SSH Virtual Network Adapter (sshvnic)
0x3 ...00 06 25 30 1b 59 ...... Wireless-B Notebook Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          192.168.3.1    192.168.3.102  30
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.3.0          255.255.255.0    192.168.3.102  192.168.3.102  30
192.168.3.102        255.255.255.255  127.0.0.1      127.0.0.1      30
192.168.3.255        255.255.255.255  192.168.3.102  192.168.3.102  30
224.0.0.0            240.0.0.0        192.168.3.102  192.168.3.102  30
255.255.255.255      255.255.255.255  192.168.3.102  192.168.3.102  1
255.255.255.255      255.255.255.255  192.168.3.102  2              1
Default Gateway: 192.168.3.1
===========================================================================
Persistent Routes:
None
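
The routing-table check suggested earlier in the thread, applied to the L2 route print output above, as an added example that is not part of the original posts. It parses the Active Routes rows and does a longest-prefix lookup to show which route a packet to the HQ server would take; the function names are this example's own.

```python
import ipaddress

# Active Routes rows copied from the L2 "route print" posted in the thread.
L2_ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.102 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.3.0 255.255.255.0 192.168.3.102 192.168.3.102 30
192.168.3.102 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.3.255 255.255.255.255 192.168.3.102 192.168.3.102 30
224.0.0.0 240.0.0.0 192.168.3.102 192.168.3.102 30
255.255.255.255 255.255.255.255 192.168.3.102 192.168.3.102 1
255.255.255.255 255.255.255.255 192.168.3.102 2 1
Default Gateway: 192.168.3.1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or "Default Gateway" line
        dest, mask, gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           gateway, iface, int(metric)))
        except ValueError:
            continue  # not an address/mask/metric row
    return routes

def select_route(routes, target):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def has_specific_route(routes, subnet):
    """True if any non-default route overlaps the given subnet."""
    net = ipaddress.ip_network(subnet)
    return any(r[0].prefixlen > 0 and r[0].overlaps(net) for r in routes)

if __name__ == "__main__":
    table = parse_routes(L2_ROUTE_PRINT)
    print("192.168.1.0/24 route present:", has_specific_route(table, "192.168.1.0/24"))
    print("route used for 192.168.1.75:", select_route(table, "192.168.1.75"))
```

For this table the lookup for 192.168.1.75 falls through to the default route via 192.168.3.1, and there is no 192.168.1.0 entry of the kind described in the earlier reply.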
 
Got it, but not really. I realized that the L1 wireless card works in L2 and I can ping with the Cisco card. Now what should I be looking for in order to configure the Linksys card to do the same?
 