
XP VPN to FVS318: only ping router


hughami

Technical User
Apr 2, 2006
5
US
I've successfully set up a home based XP VPN PC client to office based FVS318v2 using XP's IPSec policies, thanks to the excellent info on this site. Before this, I'd also set up FVS318v2 to FVS318v2 site to site VPN.

The site to site and the XP vpn tunnels both have the same problem, only the office based router where the VPN tunnel terminates can be pinged. Addresses on the same subnet as the office router can't be pinged (but all are pingable using the office FVS318 diagnostics, or when the laptop is physically connected to office subnet).

Office subnet is 172.16.0.0/255.255.0.0 and the PC XP subnet is 192.168.4.0/255.255.255.0.

Ping speed over the VPN tunnel is <30ms with no packets lost. I think this is a routing issue, but I'm not sure what static routes I should add - I've experimented, but to no avail.

I only enable the appropriate VPN tunnel one at time for each test.

I can't see any errors in the logs on the office FVS318, but those logs are only for the WAN i/f.
 
It sounds like either your vpn end point is not correctly forwarding traffic or your pc is getting bad settings from the vpn. I am not familiar with the FVS318v2 so could you post the output of ipconfig /all and route print commands from the xp box while the vpn is connected.
 
Here is the output from ipconfig (TIA):

C:\Documents and Settings\Neil>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Fishbourne
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter Wireless Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell TrueMobile 1300 WLAN Mini-PCI Card
Physical Address. . . . . . . . . : 00-90-4B-79-A4-2D
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.4.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.4.1
DHCP Server . . . . . . . . . . . : 192.168.4.1
DNS Servers . . . . . . . . . . . : 192.168.4.1
Lease Obtained. . . . . . . . . . : Monday, April 03, 2006 3:30:57 PM
Lease Expires . . . . . . . . . . : Tuesday, April 04, 2006 3:30:57 PM
 
Changing and testing one thing at a time, I got a bit further. I discovered that there was a netmask mismatch that was subnetting my class B network to a class C.

I fixed that and was finally able to ping the machines on the 172.16.0.0/255.255.0.0 subnet. I wasn't able to ping any machines on our 10.159.241.0/255.255.255.0 subnet, all of which are easily accessible when my laptop is physically connected to the 172.16.0.0 subnet.

I decided to temporarily put all of the lan hanging off the netgear VPN router into the 10.159.241.0/255.255.255.0 subnet. This made more machines accessible over the VPN tunnel (both the XP IPsec vpn and the netgear site to site VPN had the same amount of access).

However, the main UNIX server 10.159.241.10 is still unpingable (can be pinged from the VPN router diagnostic). The Netgear VPN router 10.159.241.30 has a lan port connected to a trusted lan segment of the Netscreen router 10.159.241.1 (not under our control as it's owned and operated by our franchise's tech support team).

In the office, when my laptop is connected to the network, every machine is accessible, but once I VPN in, the 10.159.241.10 server and 10.159.241.1 gateway can no longer be accessed.

Is this a routing issue on the 10.159.241.1 router or 10.159.241.10 server?
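The netmask mismatch described in this post is the kind of thing a selector check catches before any packets are sent. The script below is an added example, not code from the thread or from Netgear: it takes the (local, remote) policy pair configured on each tunnel end and reports whether a given client-to-office flow and its reply are both selected. The addresses are the thread's (192.168.4.0/24 on the XP side, 172.16.0.0/16 in the office); the wrong /24 office mask is a constructed reproduction of the mismatch, and the observation that it leaves the router's own 172.16.0.x address reachable while other office hosts are not is the assumption the example illustrates.

```python
"""IPsec selector check for an XP-client-to-office-gateway tunnel.

Added example (not from the thread). Each tunnel end carries a policy
(local_net, remote_net) written from its own point of view; traffic only
passes when the client's policy selects the outbound packet AND the
gateway's policy selects the reply. A netmask typed differently on the
two ends is the classic way for the second condition to fail.
"""
import ipaddress


def destination_kind(iface_ip, iface_mask, dst_ip):
    """'local' if dst is on the interface's own subnet (delivered by ARP,
    never routed), else 'routed' (sent to the gateway, where the IPsec
    policy gets a chance to select it)."""
    iface = ipaddress.ip_interface(f"{iface_ip}/{iface_mask}")
    return "local" if ipaddress.ip_address(dst_ip) in iface.network else "routed"


def selector_covers(local_net, remote_net, src_ip, dst_ip):
    """True if a (local, remote) policy pair selects a src -> dst packet."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(remote_net))


def tunnel_problems(client_policy, gateway_policy, client_ip, target_ip):
    """Check both tunnel ends for one client -> target flow.

    client_policy and gateway_policy are (local_net, remote_net) as written
    on that end. Returns a list of problems; an empty list means both
    directions are selected and a ping should get through."""
    problems = []
    c_local, c_remote = client_policy
    g_local, g_remote = gateway_policy
    if ipaddress.ip_network(c_local).overlaps(ipaddress.ip_network(c_remote)):
        problems.append("client local and remote selectors overlap")
    if not selector_covers(c_local, c_remote, client_ip, target_ip):
        problems.append("client policy does not select the outbound packet")
    # The gateway matches the reply in the opposite direction: its local
    # side is the office network and its remote side is the client network.
    if not selector_covers(g_local, g_remote, target_ip, client_ip):
        problems.append("gateway policy does not cover the reply "
                        "(netmask mismatch between the two ends?)")
    return problems


if __name__ == "__main__":
    client = ("192.168.4.0/24", "172.16.0.0/16")
    good_gateway = ("172.16.0.0/16", "192.168.4.0/24")
    bad_gateway = ("172.16.0.0/24", "192.168.4.0/24")   # constructed mismatch
    # With the mismatched mask the router (172.16.0.1) still answers but a
    # host in another /24 of the office network (172.16.5.7) does not.
    for target in ("172.16.0.1", "172.16.5.7"):
        print(target, tunnel_problems(client, bad_gateway, "192.168.4.100", target))
    print(tunnel_problems(client, good_gateway, "192.168.4.100", "172.16.5.7"))
```

Run it with the two ends' selectors copied from the XP policy and the router's VPN page; any non-empty list points at the end whose subnet definition needs fixing.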
 
Based on the tracert output, I'd say it's a routing problem - is it because the Netscreen is dropping the return packet routing, because it's not configured to recognize the static addresses I'm using? I can't get the Netscreen to issue a DHCP to the lan side of the Netgear, so I had to use a static 10.159.241.30 address to get it on the same segment.

C:\Documents and Settings\Neil>tracert 10.159.241.10

Tracing route to 10.159.241.10 over a maximum of 30 hops

1 1 ms 2 ms 1 ms 192.168.2.2
2 3 ms 9 ms 3 ms 192.168.2.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

C:\Documents and Settings\Neil>tracert 10.159.241.30

Tracing route to 10.159.241.30 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 192.168.2.2
2 2 ms 2 ms 3 ms 192.168.2.1
3 * * * Request timed out.
4 * * * Request timed out.
5 31 ms 31 ms 30 ms 10.159.241.30
 
Do you have any access to the Unix server? If so try running a traceroute out from it to the 172 vpn device. Also run ifconfig -a and netstat -rn to display the route and interface information. It's going to be difficult to troubleshoot if you don't have access to the unix server and netscreen. Are the other machines on the 10 network behind the netscreen? If so then a route needs to be added to the unix box to go through the vpn device to reach the 172 network.


 
I found a couple of problems: the Sonicwall/10 router I configured as a bridge between the 172.16.0.0/255.255.0.0 (connected to its LAN port) and 10.159.241.0/255.255.255.0 (WAN port) segments is part of it. When VPN tunneling, the Sonicwall rejects packets from the tunnel because the address is spoofed, despite all of its security being disabled, apart from DHCP being blocked on both ports.

The other problem: depending on which router I traverse, the logs either report the home based VPN router's private/public address or the wireless access router address my laptop is connected to.

Now I've figured that out, I can configure some of the devices I'm trying to reach to accept the private IP ranges that they're rejecting from the VPN tunnel.

As for the UNIX server, I found out that the tech folks had disabled all routing on it and set its gateway to the Netscreen, which is rejecting all routes and packets from any device it didn't serve a DHCP address to.

However, they did throw me one concession: they'll set up free access to my store's business server through secure web/telnet VPN. Meantime, I get access to everything else I control over my own private VPN :) .

Thanks again for your help.
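Both the earlier reply (the UNIX box needs a route back through the VPN device) and the final diagnosis (the UNIX server's only gateway is the Netscreen, and the bridging firewall drops tunnel packets as spoofed) are return-path problems. The script below is an added example, not code from the thread or from any of the vendors named: it does a longest-prefix lookup over a small routing table, shows where a host would send its reply to a VPN client, and applies a strict reverse-path check of the kind an anti-spoofing filter performs. The addresses come from the thread (10.159.241.10, 10.159.241.1, 10.159.241.30, 192.168.4.0/24, 172.16.0.0/16); the interface names, the table contents, and the assumption that the filtering device behaves like a strict reverse-path filter are constructed for the example.

```python
"""Return-path check for VPN traffic entering an office LAN.

Added example (not from the thread). Routing tables are constructed:
each entry is (destination network, next hop or None if directly
connected, outgoing interface). Interface names are hypothetical.
"""
import ipaddress

# Constructed table for the office UNIX server 10.159.241.10 as described
# in the thread: routing disabled, single default route to the Netscreen.
UNIX_ROUTES = [
    ("10.159.241.0/24", None, "eth0"),        # directly connected LAN
    ("0.0.0.0/0", "10.159.241.1", "eth0"),    # default via the Netscreen
]

# Constructed table for a device bridging the two office segments;
# it knows both LANs but nothing about the VPN client network.
BRIDGE_ROUTES = [
    ("172.16.0.0/16", None, "lan"),
    ("10.159.241.0/24", None, "wan"),
]

VPN_ROUTER = "10.159.241.30"   # Netgear FVS318 LAN address from the thread


def lookup(routes, dst_ip):
    """Longest-prefix match. Returns (network, next_hop, iface) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return best


def reply_path(routes, client_ip):
    """Where a host sends its reply to client_ip: (next_hop_ip, iface).
    A directly connected destination is delivered to the client itself."""
    match = lookup(routes, client_ip)
    if match is None:
        return None
    _, next_hop, iface = match
    return (next_hop or client_ip, iface)


def reply_reaches_tunnel(routes, client_ip, vpn_router=VPN_ROUTER):
    """True only if the reply is handed to the VPN router, i.e. the only
    device that can put it back into the tunnel."""
    path = reply_path(routes, client_ip)
    return path is not None and path[0] == vpn_router


def strict_rpf_accepts(routes, src_ip, in_iface):
    """Strict reverse-path filter: a packet is accepted only if the route
    back to its source address leaves through the interface it arrived on.
    A source with no route at all is treated as spoofed."""
    match = lookup(routes, src_ip)
    return match is not None and match[2] == in_iface


def with_vpn_routes(routes, remote_nets, iface, vpn_router=VPN_ROUTER):
    """Copy of routes with each remote VPN network sent via the VPN router;
    this is the static route the reply in the thread recommends adding."""
    return routes + [(net, vpn_router, iface) for net in remote_nets]


if __name__ == "__main__":
    client = "192.168.4.100"
    print("UNIX reply goes to:", reply_path(UNIX_ROUTES, client))
    print("reaches tunnel:", reply_reaches_tunnel(UNIX_ROUTES, client))
    fixed = with_vpn_routes(UNIX_ROUTES, ["192.168.4.0/24"], "eth0")
    print("after adding route:", reply_reaches_tunnel(fixed, client))
    print("bridge accepts tunnel packet:", strict_rpf_accepts(BRIDGE_ROUTES, client, "wan"))
    bridge_fixed = with_vpn_routes(BRIDGE_ROUTES, ["192.168.4.0/24"], "wan")
    print("after adding route:", strict_rpf_accepts(bridge_fixed, client, "wan"))
```

The same lookup explains why pings from the router's own diagnostics succeed while pings from the tunnel fail: the router is the next hop either way, so its own traffic never depends on a remote host having a route back to the client network.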
 