Re: problem with VPN running on static IP address
- From: "Scott Abel" <ScottAbel@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 2 May 2005 23:00:02 -0700
Ok, I stand corrected on the second route. However, what you said about
DNS/WINS can only take this off topic. I absolutely am NOT attempting to
resolve hostnames at this point. The first step is to establish IP
connectivity, and I'm not there yet.
The problem is that I cannot ping or otherwise connect to the server's
inside IP address (whether it is the additional internal loopback adapter I
set up or the virtual VPN endpoint). I've tried using telnet with various
port numbers that I know are running. I've tried using \\IPADDRESS. It
doesn't work.
I can see that my vpn client is connected by looking in the list of clients
on the server (I can access the server via RDC through the outside
interface). However, my client has no connectivity to the vpn server. All I
get are timeouts, whether it's telnet on various ports, ping, etc.
I still don't see where the route is to my 10.x.x.x address that I used as
the internal loopback adapter. The only route I get is to the 172.x.x.x
address that I used for the VPN internal network. I can ping neither on the
server. As I mentioned, I also tried it without using an internal loopback
adapter defined as the inside interface. Neither configuration works.
"Bill Grant" wrote:
> I can't see why you are confused by those routes on the client. The
> first is a subnet route through the VPN connection. It means that all
> traffic for a 172.22 address will be sent through the tunnel.
>
> The second route indicates that 172.22.0.2 is this machine, so don't
> send packets addressed to it anywhere! Traffic for the server will be
> addressed to 172.22.0.1 and will go across the VPN link.
>
> The thing to remember about VPN is that it is simply an IP connection.
> It doesn't carry LAN broadcasts. The client should be able to ping the
> server by IP address (unless you have turned that off on the server), but
> that's all. To ping by name or use file sharing by name you will need some
> form of name resolution. So you need DNS or WINS at the server end, and the
> client needs to get the correct DNS/WINS at connection time. If you don't
> have WINS/DNS, you fall back to HOSTS or LMHOSTS files.
>
> Scott Abel wrote:
> > I'm interested in what you said about being able to access the vpn
> > server through the "virtual" interface. I've been trying to get this
> > to work for days and have had no success.
> >
> > I'm trying to do the same thing Tim is, and have also locked myself
> > out many times. I've done a lot of work on firewalls so I understand
> > why I've locked myself out (if you don't understand the difference
> > between TCP and TCP-established, you stand a good chance of locking
> > yourself out), but it is still frustrating.
> >
> > I've gotten the vpn to connect, but looking at the routes it gives me
> > I don't see how it could possibly work. I give it a range to use for
> > vpn client addresses: 172.22.0.1 - 172.22.0.250. It takes the first
> > address 172.22.0.1 as the "virtual" interface, and then assigns them
> > starting with 172.22.0.2 to clients that connect via vpn. Then it
> > delivers the following routes to the client:
> >
> > 172.22.0.0 255.255.0.0 172.22.0.2 172.22.0.2
> > so far, so good. It looks as though I connect to the "virtual"
> > interface through my vpn client PPP virtual interface.
> >
> > But then it also gives me this route:
> > 172.22.0.2 255.255.255.255 127.0.0.1 127.0.0.1
> > (!!)
> > how is this supposed to work? I connect to the vpn through my local
> > loopback interface?
> >
> > I can't ping the virtual interface 172.22.0.1, or anything on the vpn
> > server, needless to say.
> >
> > I'm really disappointed in the lack of good documentation on what
> > should be a simple task.
> >
> > I have a remote server that has a single outside interface. I've
> > tried creating a special loopback internal interface, using the
> > built-in loopback interface and neither one seems to work as the
> > inside interface. I'm not sure why it needs that, the virtual
> > interface used as the VPN endpoint ought to give vpn clients access
> > to the vpn server for file sharing purposes (subject to packet
> > filtering limitations), but it doesn't.
> >
> > I've also tried vpn standalone with some manual tweaking, vpn plus
> > NAT and neither one seems to let me just access the files on the vpn
> > server, which is all I really want to do!
> >
> > I also studied the howtonetworking site that Bill recommended,
> > studied it in great detail, and found it to be of no use in
> > explaining this basic task.
> >
> > I'm ready to just punt on RRAS and put in a $30 D-link vpn firewall.
> > Too bad my ISP hasn't agreed to let me do that ...
> >
> >
> > "Bill Grant" wrote:
> >
> >> A VPN (Virtual Private Network) allows a client to connect to a
> >> private LAN through the Internet. It is similar to a RAS connection,
> >> except it uses the Internet as the carrier rather than a
> >> communication line.
> >>
> >> The reason why two NICs are used in the standard config is this.
> >> One NIC is the connection to the private LAN and the second is the
> >> connection to the Internet. The client connects to the public NIC,
> >> and the VPN traffic is then tunnelled through this connection. On
> >> arrival the packet is unencapsulated and decrypted, then forwarded
> >> to the private LAN.
> >>
> >> If the server has only a private IP, then the initial connection
> >> must be made to a router with a public address, and the VPN
> >> connection forwarded to the server across the LAN. If the server has
> >> only a public IP, the VPN connection is made to that interface. The
> >> only private interface is the "virtual" interface which the server
> >> creates to be the VPN endpoint. The VPN client can access only the
> >> VPN server itself.
> >>
> >> To configure a machine with one NIC to act as a remote access
> >> server, use the manual config option in the RRAS setup wizard.
> >>
> >> Tim_Mac wrote:
> >>> hi robert,
> >>> it's not a DC, and there is only one NIC. the server roles
> >>> configured are: file server, application server, streaming media
> >>> server. the server is in a datacenter as a stand-alone web server,
> >>> connected to their network via one NIC, with a static IP address.
> >>> i just read on another post that you need 2 nics to have a VPN.
> >>> why on earth? what good is the second NIC if it doesn't connect to
> >>> anywhere!?
> >>>
> >>> i want remote clients to be able to access a shared folder, over a
> >>> secure web connection. and i gather VPN using incoming connections
> >>> is the simplest way of doing this. i understand that if i use
> >>> incoming connections the NAT stuff is configured automatically. i
> >>> absolutely can't afford to try setting up incoming connections
> >>> again, without knowing for sure that it won't block off web
> >>> traffic, or the remote desktop connection.
> >>>
> >>> really appreciate any help. i can post my security configuration
> >>> xml file (from SCW) if that's any use.
> >>> tim