Got the VPN client connected...Now what? 1

[defactoITguy]

Ok, I dont' feel right asking this question, since it seems like there should be an easy answer, but here goes:

I have a remote client connected to my Office LAN with a Netgear FVS318v3. It's an all XP environment...I enabled NETBios, but I CANNOT see the computers on either end, despite confirming that the connection is good.

What have I missed?

 

[sicktrick]

can you ping by name or ip address

 

[Spirit]

Are the two local subnets the same? i.e. 192.168.x.x

Have you configured it to only see the VPN server?

Iain

 

[defactoITguy]

Yes, I set up port forwarding on the Router to go to the Server.

I can ping between addresses, but only the outside address of the host. The subnets are:

Host 192.168.0.XX
Client 192.168.101.XX

I only want remote clients to see the server...

I did set up the Win2K server this morning to accept VPN connections, but I don't know if that will help because the router handles the VPN(?).

 

[John Lewis]

In order to see computers in the network neighborhood, network broadcasts must be passed over the VPN. By definition, broadcast traffic should not cross the VPN. Some VPN solutions allow for forcing the broadcasts to be passed, some do not. You may want to check your Netgear configuration to see if there is an option to pass NETBIOS traffic.

If you are not able to pass the broadcasts across the VPN, you should still be able to access the shared resources by IP address. Click Start-->Run, then type \\192.168.0.xx (the IP of the server) and click OK. If you really must have name resolution, configure a WINS server on your network and point the client to it. Another option would be to use a lmhosts file to set static name resolution.

Making a VPN connection directly to the server should allow that name resolution to work for that specific server. You will need to disable the VPN server on the Netgear box and forward the ports to the W2K server. If you are not going to take this approach, there is no need to have the W2K box configured for incoming connections or have any ports forwarded to that machine.

 

[defactoITguy]

I'm a little confused by your advice. (My fault not yours, I'm not exactly qualified to be doing this...)

I have NetBIOS enabled on the router. Since this is a Firewall router, I'm told that I have to forward the port to the server in order to bypass the automatic traffic blocking that is the default for the router. If I'm understanding your post correctly, I don't need to do any port forwarding, and that enabling NetBIOS should bypass the default rules and allow clients to see the network? In Win2K, I think I'll have to set up the usernames for access anyway, which is already done...

So maybe WITH NetBIOS enabled I dont' need port forwarding? Please forgive my persistent questioning...I appreciate your help!

 

[John Lewis]

I was under the impression that the client was connecting to the VPN server built into the FVS318. If this is the case, you do not need any port forwarding.

If you are using another device (perhaps your W2K server) as the VPN server, then you do need TCP 1723 forwarded to that server.

Browsing across a VPN connection is always difficult. Microsoft file sharing simply was not designed to work across different networks. For your best chance:

If you are using the FSV318 as your VPN server, make sure the "Enable Netbios" box is check on the configuration page for the specific tunnel. Also make sure that Netbios over TCP/IP is enabled on all of the computers in question (Network connection properties, select TCP/IP in the components list, click properties, click Advanced, click WINS tab). Finally, the workgroup name on the client computer should match the workgroup name on the LAN. It still might not work. Again, it really was not designed to work across networks.

 

[defactoITguy]

Yeah, you had the correct impression.

I do want to use the VPN server in the Netgear router.

I'll try what you advised me to do and report back.

Thanks for your time--it's very much appreciated...

 

[defactoITguy]

Ok--
so here's what I've done:

1) Enabled NetBIOS over TCP/IP as you've instructed on the host and the client.
2) Closed all the ports on the router except the default VPN
3) Revised my Workgroup setting on the client to match the host.

It's still not working.

Question about TCP/IP stacks...

What parts have to be different.
Here's what they look like now:
Host IP 192.168.0.4
SNM 255.255.255.0
Gateway 192.168.0.1

Client IP 192.168.1.101
SNM 255.255.255.0 (Is this a problem?)
Gateway 192.168.1.1

Do I have an issue here?

 

[defactoITguy]

I also tried pinging the server box from the client with
ping \\192.168.0.4 and ping 192.168.0.4

No response from either.

 

[John Lewis]

I can ping between addresses, but only the outside address of the host

I misread. I took it that you could ping the host network, but reading agian I see that you can only ping the public address of the host. That doesn't really mean much, so we need to back up quite a bit.

First, what are you using for a VPN client? Are you using NetGear's ProSafe? Does it actually connect, and if so how do you know it is connected? When you ping, what message do you receive (request timed out, no route to host, or something else)? By the way, the \\ is not needed for the ping command.

 

[defactoITguy]

Yes, I am using Netgear's Client software. After a long battle of trying to match policies and sort through Netgear's rather poor intuitive connection between the router setup and the client software, I did get it to connect. Of course Netgear says that once you're connected, you should be able to see the network resources on the host LAN. That hasn't happened yet. I know it's connected for 2 reasons: The log viewer says so, at the end of the connection a dialog box says so, and I also opened the router from that desktop and saw that it had me connected under VPN Status.

I pinged: \\192.168.0.4 (server address), 192.168.0.4, and 192.168.0.1 (gateway address). No response from any of them. If I wanted to ping host network, shouldn't I be pinging the gateway address? (I had read somewhere on this forum that someone instructed someone else to write a ping command with the backslashes--must have mis-read it!)

I apologize--I'm in way over my head here. But since I'm connected, I feel like I'm so close. Imagine my disappointment when I couldn't get to the network!!

 

[John Lewis]

I don't have a NetGear client to play with, but I think they use a relabeled SafeNet client, which I am familiar with. If this does not match your configuration options, you may have something different, in which case I may not be much help.

Open the Security Policy Editor (the tunnel configuration application). Click on the connection to your host. You should have a section on the screen labeled "Remote Party Identity and Addressing". In this section:

ID Type: IP Subnet
Subnet: 192.168.0.0
Mask: 255.255.255.0
Protocol: All

The rest should be OK if you are connecting, so leave as is.

Click on the + beside the connection to expand the options, then click on "My Identity". In this section:

Virtual Adapter: Preferred
Internal Network IP Address: 192.168.6.1 (This really could be nearly anything other than 192.168.0.xxx or 192.168.1.xxx -- it should not match one of the existing networks.)

Leave the rest as is, save the connection and answer yes when prompted to reset the connections.

The other possible problem is the XP firewall. Check the firewall to make sure ICMP traffic is allowed.

Try the pings again and post back.

 

[defactoITguy]

Ok--I'll give that a try.

Regarding the firewall, I actually shut them off on both machines, remote and client. I don't even need it on the home network and the Netgear firewall with all the ports closed seems like pretty solid security (please correct me if I'm wrong)

I'll report back soon.
Thanks!

 

[John Lewis]

Opinions differ on the need for a software firewall on a machine that is behind a NAT router. I tend to think that it is not needed, but there are others that seem to think it is.

The argument for the software firewall is that another machine on the local network could become infected with malware and exploit the lack of a firewall to infect the other machines. I tend to think that if a cross infection is going to happen, it will most likely occur over a port that you need to have open to local traffic anyway, so there is not much point.

In any case, good anti-virus is a must. Always.

 

[defactoITguy]

Well-our experiment wasn't successful, but I got to looking at the client configuration and may have discovered a problem that the software can't solve.

My home network (the client) consists of a cable modem, then a router, then another router (wireless). So I'm receiving through 2 NAT negotiations. In the software, it asks for the virtual adapter--and that defaults to the wireless, since my computer can't see the other router. So I'm going to reconnect to the first router and see if that does the job. Am I on the right track here?

It still doesn't explain why I can connect, however. If this doesn't do the job, I'm going to be forced to give up on it, I think.

In response to your last post--I always run anti-virus software, firewalled or not. I don't think I need a firewall on a home network, but in an office where I have 3 people who are absolutely computer oblivious, it's good to have a firewall to limit the damage that they do by downloading things they shouldn't.

 

[John Lewis]

I would not do NAT on both devices, but it should not cause a problem. It is not very efficient, however. If it was going to break things, you should not be able to establish a connection.

On your wireless router:

Turn off the dhcp server.
Connect the wireless router to the first router by a LAN port instead of the WAN port.

This should allow the wireless router to function as a wireless switch instead of a router and eliminate one layer of NAT. If your wireless does not have any wired LAN ports, there should be a configuration option to set it to bridge or AP mode. If you have any quesions about that part, post the manufacturer and model of the wireless.

The wireless connection that you see in the SPE is your wireless card, not the router. Again, if you are making a connection this should not be a problem.

Open the connection monitor and try a few ping commands to the remote network. Do the Secured Packets and Secured Data statistics increase? This would indicate that data is being sent across the connection and perhaps the remote side is not responding. If the "Dropped Packets" increases, something is up with your routing.

On the firewall issue, the point was if something that gets downloaded to the local network is going to cause a problem, it is going to do so over a service that your local network uses. This severly limits the usefulness of a software firewall.

 

[defactoITguy]

Ok, so I eliminated the 2nd router entirely, and tried again. It STILL says I'm connected but still won't allow network resources to be viewed. It still drops every packet when I ping any address on the host network.

I think my problem goes deeper than configuration here. I'm going to stop using up your time trying to help me fix something I probably shouldn't be doing myself anyway.

I REALLY appreciate your help and advice. Despite not having been successful with my VPN, I've learned a LOT from your posts. Thank you very much!

 

[John Lewis]

I really don't think you are far from getting this to work. It has to be a routing issue or something like that. Sorry for the lack of progress, but it is much easier to diagnose these things "hands on".

At any rate, perhaps we have improved the performance of your home network a bit by eliminating the double NAT.

If anything else comes up, feel free to post again.

 

[defactoITguy]

Thank you--I'm going to keep working at it--I just need a couple of days break from it. Getting too frustrated!

Hopefully my next post will be a report on my success!