Win XP VPN Client Connects to Remote LAN but NOTHING else works

duBe68

Technical User
Oct 21, 2008
18
Hi, I'm a complete NOOBIE with all things networkable, so please forgive me.
As a result of constant vandalism at my business, I've recently installed a couple of Axis IP Cameras, which are attached to my Billion ADSL Router.
I've created both a PPTP and an L2TP LAN-to-LAN VPN entry in the work router that I was hoping would allow me to connect to the cameras from home.
When I create a NEW NETWORK connection on my laptop at home (using XP Network Connection Wizard), the resultant connection tells me that I can connect to the work router via the VPNs. This is confirmed by the work router indicating that the tunnel is active & connected.
Problem is, I cannot do anything with the connections, I even lose all access to IE browsing until I close the VPN connection.
Sorry for the convoluted question, but I really don't know what is wrong, so I don't know what to include.
I'd be most grateful for your assistance.
 
If you want to browse the internet while vpn'd in, then you need to allow split tunneling...right click the connection icon in the task bar, tcp/ip properties, advanced, and somewhere there should be a box that is checked by default (use remote gateway)---you'll want to uncheck this and voila---split-tunneling. Also, the vpn pool that hands out addresses to the XP client cannot be NATted back out, or you will not be able to connect. I would just port forward in the router to allow http access from the outside. Then you just hit the public IP address in a local browser. HTTP is port 80. ADSL will change all the time, so I would register a free domain-name under dyndns.org, so that you can always hit the camera web page via domain name no matter what the IP address changes to.

Burt
 
If you use ssl, then that is 443 that needs to be forwarded (HTTPS). I would do this instead of a vpn.

Burt
 
Thanks Burtsbees,
this forum really should have a user-group of "NOVICE", as that's exactly what I am.

I don't really want to browse the internet per se, but I can see why this would be handy.

I'm not at all across what you mean by:
"...the vpn pool that hands out addresses to the XP client cannot be NATted back out..."
Would you mind "dumbing" this down for me?

I have a DynDNS account for my work router, so I guess at least I've done one thing right. I use the DynDNS hostname in the VPN settings, so I know that works, as the tunnel is up (both the client & work router indicate this is so).

What I don't get is that although the tunnel is up, and a LAN-to-LAN connection, I can't reach any LAN IP address at work via the VPN.

Thanks again
 
With that basic of a router doing the VPN, you may be out of luck. You may want to go with a Cisco 837, which is relatively cheap (around $125 on Ebay).
The vpn address being NATted back out---NAT=Network Address Translation---this must occur for the nodes in your network to reach the internet because private IP addresses (RFC1918), like 192.168.x.x are not routable on the internet---the outgoing interface has a public IP address which IS routable on it---NAT translates the private IP address to this public IP address so that it can go out to the internet. The rule for VPNs is that once the tunnel is established, you are now a part of the network---your vpn address cannot be NATted back out.
Like I said---I would not even use a VPN---I would just port forward the web page requests to the private IP addresses of your cameras. This is called port forwarding, or static NAT.

Burt
 
Thanks Burt,
I'm a bit lost by all that, so I hope the following clarifies things:

I'm led to believe that PortForwarding is much less secure than VPN, so I'd really like to get VPN up if I can as I don't want others to "happen by" my camera feeds.

I've executed a TraceRoute (just learned about this function) and it goes nowhere; all "Request Timed Out".

As a matter of interest, I've jammed in another Billion Router on the client side, set up a VPN Dialout that matches a VPN Dialin on the work router.

As you may have guessed, I'm able to use the connection as expected & I can gain all access to the work LAN via the VPN.

My problem is that I cannot always use a router as I generally work mobile via my 3G connection.

So if I can sort out why the MS Win XP VPN connection doesn't allow me to do this, I'd be a very happy camper.

Cheers
duBe
 
I've tried a couple of software VPN clients and still no luck.

Can anyone suggest anything else?

Thanks
 
First and foremost, does the camera behavior that you're looking for work correctly from inside the work network?

Second, are the 2 networks using different IP address ranges?

Third,
"If you want to browse the internet while vpn'd in, then you need to allow split tunneling"
by itself is not exactly true and allowing split tunneling has significant security implications.
 
Thanks smah,
1. Yes, the cameras do work as expected via both the internal network & also via a ROUTER to ROUTER initiated VPN PPTP connection. However, they do not from a WIN XP to ROUTER initiated VPN PPTP connection.

2. Yes, I've set the work network to be 192.168.22.*** and remote is 192.168.1.***

3. As for split-tunnelling, this is a by-product of perhaps a misunderstanding of what I'm trying to achieve. I don't want to browse the internet via the VPN, I just want to get to my cameras. So although I've learned what split-tunnelling can be used for, I don't really want to initiate it in these circumstances.

Thanks again
duBe
 
Hi again folks,
I've got my laptop going again, but now it won't connect to any XP VPN connections, so I've obviously mucked something up there big time, gotta keep investigating that.

In the meantime, I've tried using my friend's laptop to connect via a XP VPN and although I can connect, as always, I'm not able to reach any LAN resources.

Curiously enough, with my friend's laptop, I get the following error when connecting with the XP VPN:

*************************
One or more requested network protocols did not connect successfully.

TCP/IPCP connected successfully.

IPX/SPX or compatible CP reported error 733: A connection to the remote computer could not be completed. You might need to adjust the protocols on this computer. For further assistance, click More Info or search Help and Support Center for this error number.

Press Accept to use the connection as is, or Hang Up to disconnect.

**************************

Could this have any impact on the problems I'm having with the XP VPN connection?

And if so, could anyone advise how to rectify this?

Thanks again
duBe
 
Hi again,
I received some excellent advice from a Tek-Tips member linney regarding losing comms after uninstalling SP3:


The Winsock fix mentioned absolutely fixed my loss of comms problem, now just gotta get the original problem solved & it's happy days.
 
smah---how is that not entirely true? Unless you mean that the user could browse the internet by using the internet connection on the vpn...
Also, I disagree about the security risk. There is one, but IMHO there is a misnomer in some cases---the risk would be that if an attacker compromises the user's network, he/she then has free rein on the vpn network as well, using the user's computer that makes the vpn connection as the gateway, or vice-versa---it just gives an attacker one more computer to use to compromise. Someone has to compromise in the first place for this to happen.

Burt
 
Yes, that's what I mean - That statement is not entirely true because split tunneling is not required to browse the internet - it only changes the gateway that internet traffic passes through.

As for the possibility of compromising the work network via the remote computer, its possible severity and likelihood are relative to the user and conditions. For example for the sake of discussion, let's say the remote user's PC has no antivirus or firewall software and is running Windows Me or something silly like that, but the remote network's gateway has a very thorough security system in place utilizing firewalls, proxy server, antivirus, etc. When the remote user is browsing via the work network's gateway, everything is reasonably secure; but if allowed to access the internet directly there is the potential to quickly have a compromised system accessing the work network. With the split tunneling scenario, the security of the network is dependent upon that remote user & their remote system and those things can not always be controlled the way the network admin might like.
 
Okay. Didn't know if there was a new trick out there or something I wasn't aware of...we seem to be on the same page there then, I just wasn't specific enough.

Burt
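
Added example, not part of any post in this thread: a small Python model of the VPN client's routing decision with the "use remote gateway" box ticked and cleared, showing the point discussed above that split tunneling only changes which gateway Internet traffic passes through. The two subnets are the ones given in the thread; the metrics, interface names, sample addresses and the assumption that the split-tunnel route covers the whole work subnet are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_routes(use_remote_gateway):
    """Constructed XP-client route table as (prefix, interface, metric) tuples."""
    routes = [
        ("192.168.1.0/24", "home-lan", 20),   # home subnet, from the thread
        ("0.0.0.0/0", "home-lan", 20),        # default route via the home router / 3G link
    ]
    if use_remote_gateway:
        # Box ticked: the VPN adds a lower-metric default route; all traffic enters the tunnel.
        routes.append(("0.0.0.0/0", "vpn", 1))
    else:
        # Box cleared (split tunnel). Assumption: the tunnel route covers the work subnet.
        routes.append(("192.168.22.0/24", "vpn", 1))
    return [(ipaddress.ip_network(p), iface, m) for p, iface, m in routes]

def egress(routes, dst):
    """Longest-prefix match; the lowest metric wins between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def audit(use_remote_gateway, destinations):
    """Map each destination to its egress interface and flag unfiltered Internet paths."""
    routes = build_routes(use_remote_gateway)
    report = {}
    for dst in destinations:
        iface = egress(routes, dst)
        public = not any(ipaddress.ip_address(dst) in n for n in RFC1918)
        # Public traffic that does not enter the tunnel never sees the work gateway's filtering.
        report[dst] = {"via": iface, "bypasses_work_gateway": public and iface != "vpn"}
    return report

# Constructed destinations: a camera on the work LAN, a home device, a public host (TEST-NET-3).
DESTINATIONS = ["192.168.22.50", "192.168.1.20", "203.0.113.10"]

if __name__ == "__main__":
    for ticked in (True, False):
        print("use remote gateway =", ticked)
        for dst, result in audit(ticked, DESTINATIONS).items():
            print("  ", dst, result)
```

In both modes the camera address is reached through the tunnel; only the path taken by the public address changes, which is where the filtering concern raised in the thread applies.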

 