VPN problem behind home router 2


vpnprob (MIS, US)
Jul 8, 2002
Hello, I am running Checkpoint VPN-1 SecureClient 4.1 SP3 3DES Build 4174 on my laptop. If I connect to my RCN cable modem directly, it works fine. When I try to connect from behind my home router (I've tried Linksys and Belkin) it does not work. I don't get automatically prompted to sign on to the policy server. So, I click on "log on to policy server" and put my id and pw in. It comes back with "User authenticated". But I don't really have any access to my company's network. I can't get to any of my mapped network drives, can't access company email, can't get to the company intranet. I tried putting my laptop in the home router DMZ area, but that did not work. I tried forwarding port 500; that did not work. My cable company (RCN) registers the MAC address, and the home router can "mimic" it. The router is doing something to prevent the VPN, but I don't know what. I tried SPI on and off. I tried IPSEC passthrough on and off. I tried NAT enabled and disabled. My laptop is running NT. I have the TCP/IP protocol properties set as follows: 1. obtain IP from DHCP server; 2. the DNS domain is set to xxx.com (where xxx is my company); 3. I have my company's primary and secondary WINS servers' IP addresses listed under the WINS tab property.

Any help would be greatly appreciated.

If I can't get this to work behind my home router, I have to call the cable company each time I need to switch from using my home PC and my laptop, due to them registering the MAC address. What a pain! Is there something other than a router that I could use... switch, bridge, hub? Can any of them "mimic" the MAC address of my home PC (like a router) but still allow me to connect with my laptop? I don't need to have both connected. I would only be on one or the other, but don't want to have to call the cable company each time.

Thanks!
 
Linksys routers can Clone (mimic) MAC addresses. Also, with the Linksys router, did you have the latest firmware upgrade?
 
Hi, I am running the same. Add the IP addresses and computer name into the hosts file on your computer (won't have any extension next to it and resides in the system32 folder). This will definitely allow you to access your email. I am working on the problem today regarding network drives and if I solve the problem will get back to you. jbead
 
Sounds like a NAT issue to me....

If you've only got a single internet connection, it's almost certain that the router is altering the packet source, which would play havoc with AH, leading to a failed VPN connection.

AH (Authentication Header) is a security feature where the source address (your laptop) is checksummed and added to the encrypted VPN packet.

Next the router will alter the source address, because your laptop's private network address (192.168.*.*) cannot be reached from the internet.

When the packet reaches the other end, the source address of the packet doesn't add up with the checksum. VPN fails.

The only other method of sharing a public IP is by web proxy, which also doesn't help.

What confirms this for me is the fact your problem goes away when you connect directly - the problem isn't with the connection-sharing router, it's the way that ANY similar connection-sharing router will mangle the packets.

There are methods to pass packets through unaltered, and your router has an option for this but I myself find this doesn't always work.

Ideally get a router that can initiate a VPN tunnel as well. We use smoothwall at both ends of the tunnel.

HopeThisHelps

Tels Mixed Linux/Win2000 Network Administrator
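The mechanism Tels describes above (AH's integrity check covering the source address, so a NAT rewrite breaks verification, while a payload-only check survives) can be shown with a small simulation. This is an added example, not code from the thread or from Checkpoint; it uses a simplified HMAC stand-in for the AH/ESP integrity check and constructed RFC 5737 documentation addresses, not real IPsec packet formats.

```python
"""
Why IPsec AH breaks behind a NAT router, in miniature.

AH's integrity check value (ICV) is computed over the immutable IP header
fields (source/destination address) plus the payload. A home router doing
NAT rewrites the private source address on the way out, so the receiver's
recomputed ICV no longer matches and the packet is dropped. ESP's integrity
check covers only the ESP payload, which is why ESP (with NAT traversal)
survives the same rewrite. This is a constructed, simplified model.
"""
import hashlib
import hmac
import ipaddress

# Constructed shared key, standing in for the SA's authentication key.
SHARED_KEY = b"example-sa-auth-key"


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH-style ICV: authenticates header addresses and the payload."""
    data = (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed
            + payload)
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP-style ICV: authenticates the encapsulated payload only."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def build_packet(src: str, dst: str, payload: bytes, mode: str) -> dict:
    """Sender side: attach the ICV appropriate for the chosen mode."""
    pkt = {"src": src, "dst": dst, "payload": payload, "mode": mode}
    pkt["icv"] = ah_icv(src, dst, payload) if mode == "AH" else esp_icv(payload)
    return pkt


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """Home router: replace the private source with the router's public IP."""
    out = dict(pkt)
    out["src"] = public_ip
    return out


def verify(pkt: dict) -> bool:
    """Receiver side: recompute the ICV from the packet as it arrived."""
    if pkt["mode"] == "AH":
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def simulate(mode: str, through_nat: bool) -> bool:
    """Send one packet from a private laptop to the VPN gateway.

    Returns True if the gateway accepts it. Addresses are constructed:
    192.168.1.10 is the laptop, 198.51.100.7 the router's public side,
    203.0.113.5 the company gateway.
    """
    pkt = build_packet("192.168.1.10", "203.0.113.5", b"hello gateway", mode)
    if through_nat:
        pkt = nat_rewrite(pkt, "198.51.100.7")
    return verify(pkt)


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        for nat in (False, True):
            print(f"{mode:3} through NAT={nat!s:5} -> accepted={simulate(mode, nat)}")
```

Running it shows AH accepted on a direct connection and rejected once the source address has been rewritten, while ESP is accepted in both cases; that matches the symptom in the thread, where the same client works on the cable modem directly and fails behind the router.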
 
Update

I used a computer that was joined to the domain. I am able to authenticate via RADIUS server using Checkpoint SecureClient. I am able to open Outlook. I receive the error message that there aren't any servers available to service the logon request. We added info into the hosts file as well as the LMHOSTS file and made sure there wasn't an extension... no luck. It looks like we need to add information to the policy. For some reason it is not recognizing the cached logon information and you are not logging onto the network, though you can authenticate through the firewall.

We are searching for answers from someone that has gone through this. Anyone that has the answer or can point in a direction would be appreciated. Sorry, couldn't get any further, but at the very least you can open Outlook. JBead
 
Hi everyone. Thank you for your quick responses. I spent a lot of time on the tech support line with both router companies that I tried (Belkin and Linksys). We just could not get it to work. Belkin support gave me some parms that they wanted my company to add to its firewall setup, but my company said no way! The only people in my group that have had success getting to the VPN from behind their home routers are the ones that chose DSL instead of cable. They hooked up with Verizon DSL, plugged the connection into their router, and the VPN works great from their laptop behind the router. I guess I'll drop the RCN cable connection and switch over to Verizon DSL. The cable was a one-way setup anyway, so I still had to have the second phone line in the house for it to dial up each time.
Thanks again!
 