Cannot tunnel through VPN

Status
Not open for further replies.

mauirlm (MIS), Jan 13, 2003, US
I believe I have correctly set up the server that I am trying to tunnel into, which is running NT 4.0. I set up the PPTP protocol and gave it a range of IP addresses that it can use. I am able to VPN into the server, but when I try to tunnel in with PC Anywhere, I get the message "Unable to attach to specified device." I have the following ports enabled, 500, 47, 1723, 5631 and 5632. Is there anything that I could have done wrong in the setup on the server I am trying to tunnel into?
 
If the VPN connects and stays connected, most of the work is done.

Not a lot of info here to deal with, but my guess would be that you are trying to connect to the wrong ip. On your VPN client, connect to the VPN server, open the status box and click on details. There should be two ip addresses listed there, one for the client and one for the server. The server address should be different than the ip that you point your VPN connection to.

Start by trying to ping the server address from there. Assuming that works, try to connect PC Anywhere to that address. If you have firewall software running on the NT VPN server, you may (depending upon the flavor of firewall) have to enable 5631 and 5632 for the interface associated with the VPN. Also, you can close those ports for the interface that is connected to the internet (or on your firewall).

If that doesn't work, and especially if the ping doesn't go through, post back the specific error you are getting, the version of Windows you are running on the client side, the version of PC Anywhere you are using, what kind of routers/firewalls you have on each end, as well as what kind of connection you are using. Also post back if you don't understand any of the instructions. Would be glad to clarify.

If it does work, post back anyway. Like to know when things go right, too.

Good luck!
 
The details for the VPN show two different IPs, both of which are part of the IPs I set up for RAS. I cannot ping the server address but I can ping the client.

I do not understand you saying that I "can close those ports for the interface that is connected to the internet (or on your firewall)." Does that mean they should be closed on the firewall on my LAN on my ISP's firewall?

I do not get an error, only a message "Unable to attach to specified device." I am running W2K. PC Anywhere 10.0.1. I have a SonicWall SOHO/10. My ISP has a firewall, but I am not sure what it is. On the other end is a Linksys BEFSR41W, which is a Router with a 4 port switch. The connection is TCP/IP. Let me know if you need any other info.
 
When you try to ping the VPN server address (the RAS address), what response do you get? Request timed out, no route to host, connection refused, unknown host, or something else?

In the details for the VPN, are the two ip's on the same subnet?
 
Let's make sure we are on the same page. When you say ping the VPN server address (the RAS address) you mean the WAN coming into the server I am trying to access through the Linksys router, right? I can actually ping that. You do not mean the Server IP which shows up in the details of the VPN, right? When I try to ping that, I get a message "Request Timed Out."

Both the Server IP address and the Client IP address are on the same subnet. I am confused here. What exactly are these addresses? I created them but I am not sure what they are. I assumed they were for each tunneling connection, such as me here at home running PC Anywhere to a PC (host) on the network I am VPNing to. Two of the IP addresses I have set up are used as a Server IP address and Client IP address, of which I can ping the Client IP address. I am not sure what they actually are.

 
Well, we aren't really on the same page, but that's OK. I think I have enough information to put this together. This might get lengthy, so stick with me.

When I referred to the VPN server address, I did mean the address from the details of the VPN. You should be able to make a connection to that, but you can't. You have a routing problem.

I am assuming that you are allowing the routers on both sides of your VPN to assign addresses to the computers that are connected to them, and that you have not changed the address range that each of them is using, so all of your addresses are similar to 192.168.1.xxx. I am also assuming that you assigned addresses that are in the same range when you set up RAS. You haven't said (I didn't ask), so if any of that is not correct it might change the solution.

Let's have a short lesson on ip routing and the VPN.

When you create a VPN connection, a virtual network adapter is added to both the VPN client and the VPN server. These new adapters allow both machines to take an additional ip address. These are the addresses that you assigned in the RAS setup. The new addresses do not replace the existing addresses.

An ip address can be broken into two parts, the network address and the host address. In an address like 192.168.1.100, the 192.168.1 is the network portion and the 100 is the host. Any computer that has an address of 192.168.1.xxx is assumed to be connected to the 192.168.1 network and can be reached by sending data out to the local network. A computer with an address of 192.168.2.xxx is on a different network, so the data must be sent through another device to be routed to the remote network.

If there is more than one adapter in a computer, data is sent out on the first adapter that has an address that is on the same network as the destination. If both of your adapters have the same network address, all data is sent out on the first adapter. No data will make its way to the second adapter. I am thinking this is your first problem to overcome.

If you try to send data to a computer that has a network address that is the same as the computer you are sending from, the data is sent out to the local network. If the computer you are trying to connect is on a different physical network, the data is dropped because there is no way to get it routed to the right place.

Now the solution:

You need to change your ip addressing scheme. Each of your networks needs a unique network address.

First, change the addresses assigned to your home network. The network address should be 192.168.3.0. I'm afraid I can't tell you exactly how to change it for either of your routers, but it should be similar to the process you used to open ports. You will need to change the address of the router to match the network address as well, it should be 192.168.3.1. On some routers, if you change the address of the router, it will adjust the network address pool it uses accordingly.

If you have assigned static addresses to anything attached to your network, you will have to change those as well. Once you have all of the addresses changed on that side, restart everything to load the new addresses and try the VPN again. It should work at this point. You should be able to ping the VPN server address (the one from the VPN details box).

If you want to connect to other machines on your remote network, you will need to change the addresses on the remote network or the addresses assigned to the VPN -- I would change both. Change only the third number, (192.168.xxx.0, change the xxx part). You can use any number between 1 and 126, but it can't be the same as the number on any other subnetwork. Routes would have to be added to direct the traffic through the VPN to the remote network. I would get the basic setup working first, then work on routes. Post back if you need to do this.

Hope this isn't too confusing, would have been much easier to do with pictures. If you don't understand, post back and I will try to clarify.
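The addressing problem described in the post above, as an added example that is not part of the original thread: a Python check that flags adapters sharing a network address and shows which adapter the post's simplified "first matching adapter" rule would pick. All host addresses and the /24 masks are constructed assumptions; real IP stacks choose routes by longest prefix and metric rather than adapter order.

```python
import ipaddress
from itertools import combinations


def find_overlaps(adapters):
    """Return (name, name) pairs of adapters whose networks overlap."""
    nets = [(name, ipaddress.ip_interface(cidr).network) for name, cidr in adapters]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def pick_adapter(adapters, dest):
    """Simplified model from the post: the first adapter whose network
    contains the destination wins; anything else goes to the gateway."""
    dest_ip = ipaddress.ip_address(dest)
    for name, cidr in adapters:
        if dest_ip in ipaddress.ip_interface(cidr).network:
            return name
    return "default gateway"


# Constructed sample addresses (assumed /24 masks).
# BEFORE: home LAN and the RAS pool both use 192.168.1.x.
BEFORE = [("LAN", "192.168.1.100/24"), ("VPN", "192.168.1.201/24")]
# AFTER: home LAN renumbered to 192.168.3.x as the post suggests.
AFTER = [("LAN", "192.168.3.100/24"), ("VPN", "192.168.1.201/24")]
VPN_SERVER = "192.168.1.200"  # hypothetical server-side RAS address


def report(label, adapters):
    """Summarize overlap and the chosen adapter for the VPN server address."""
    overlaps = find_overlaps(adapters)
    chosen = pick_adapter(adapters, VPN_SERVER)
    return f"{label}: overlaps={overlaps} traffic to {VPN_SERVER} leaves via {chosen}"


if __name__ == "__main__":
    print(report("before renumbering", BEFORE))
    print(report("after renumbering", AFTER))
```

With the overlapping scheme, traffic for the VPN server address leaves on the LAN adapter and never enters the tunnel, which matches the "Request Timed Out" symptom; after renumbering it leaves on the VPN adapter.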
 
Sorry to take so long in getting back. I have got married in the meantime.
Let me start by saying that at one time, I could tunnel into the computers at my clients. We removed the SonicWall that was there, installed the Linksys BEFSR41W and I set up a range of addresses. Here is a breakdown of addresses:

On my side, the NAT (LAN) side of the SonicWall has addresses of 192.168.169.X; the WAN side going to the ISP is 10.100.16.246. The outside NAT IP address is 66.135.227.246 (this has been altered slightly for security purposes).

On the side I am trying to tunnel into, the NAT addresses are 204.182.234.X. I have 5 addresses in that subnet set aside for RAS. The address on the WAN side is 10.100.16.87. The outside NAT IP address is 66.135.225.87 (again slightly altered for security.) We are all hooked up to the same ISP.

Not sure if I got everything you wrote, but it looks like we are set up all right. What do you think?
 