Re: problem with VPN running on static IP address



When the VPN connects, what is displayed if you click on the icon on the
client and select Details? Do you see the 172.22.0.x addresses for the
client and server? What happens if you try to ping the server's internal IP
address of 172.22.0.1? What error message do you get? Can you ping the
client from the server?

You should have a point-to-point connection between the client and
server. There isn't really anywhere for the traffic to go except across the
link. Do you have firewall software on the client?

Scott Abel wrote:
> Ok, I stand corrected on the second route. However, what you said
> about DNS/WINS can only take this off topic. I absolutely am NOT
> attempting to resolve hostnames at this point. The first step is to
> establish IP connectivity, and I'm not there yet.
>
> The problem is that I cannot ping or otherwise connect to the server's
> inside IP address (whether it is the additional internal loopback
> adapter I set up or the virtual VPN endpoint). I've tried using
> telnet with various port numbers that I know are running. I've tried
> using \\IPADDRESS. It doesn't work.
>
> I can see that my vpn client is connected by looking in the list of
> clients on the server (I can access the server via RDC through the
> outside interface). However, my client has no connectivity to the
> vpn server. All I get are timeouts, whether it's telnet on various
> ports, ping, etc.
>
> I still don't see where the route is to my 10.x.x.x address that I
> used as the internal loopback adapter. The only route I get is to
> the 172.x.x.x address that I used for the VPN internal network. I
> can ping neither on the server. As I mentioned, I also tried it
> without using an internal loopback adapter defined as the inside
> interface. Neither configuration works.
>
> "Bill Grant" wrote:
>
>> I can't see why you are confused by those routes on the client.
>> The first is a subnet route through the VPN connection. It means
>> that all traffic for a 172.22 address will be sent through the
>> tunnel.
>>
>> The second route indicates that 172.22.0.2 is this machine, so
>> don't send packets addressed to it anywhere! Traffic for the server
>> will be addressed to 172.22.0.1 and will go across the VPN link.
>>
>> The thing to remember about VPN is that it is simply an IP
>> connection. It doesn't carry LAN broadcasts. The client should be
>> able to ping the server by IP address (unless you have turned that
>> off on the server), but that's all. To ping by name or use file
>> sharing by name you will need some form of name resolution. So you
>> need DNS or WINS at the server end, and the client needs to get the
>> correct DNS/WINS at connection time. If you don't have WINS/DNS, you
>> fall back to HOSTS or LMHOSTS files.
>>
>> Scott Abel wrote:
>>> I'm interested in what you said about being able to access the vpn
>>> server through the "virtual" interface. I've been trying to get
>>> this to work for days and have had no success.
>>>
>>> I'm trying to do the same thing Tim is, and have also locked myself
>>> out many times. I've done a lot of work on firewalls so I
>>> understand why I've locked myself out (if you don't understand the
>>> difference between TCP and TCP-established, you stand a good chance
>>> of locking yourself out), but it is still frustrating.
>>>
>>> I've gotten the vpn to connect, but looking at the routes it gives
>>> me I don't see how it could possibly work. I give it a range to
>>> use for vpn client addresses: 172.22.0.1 - 172.22.0.250. It takes
>>> the first address 172.22.0.1 as the "virtual" interface, and then
>>> assigns them starting with 172.22.0.2 to clients that connect via
>>> vpn. Then it delivers the following routes to the client:
>>>
>>> 172.22.0.0 255.255.0.0 172.22.0.2 172.22.0.2
>>> so far, so good. It looks as though I connect to the "virtual"
>>> interface through my vpn client PPP virtual interface.
>>>
>>> But then it also gives me this route:
>>> 172.22.0.2 255.255.255.255 127.0.0.1 127.0.0.1
>>> (!!)
>>> how is this supposed to work? I connect to the vpn through my local
>>> loopback interface?
>>>
>>> I can't ping the virtual interface 172.22.0.1, or anything on the
>>> vpn server, needless to say.
>>>
>>> I'm really disappointed in the lack of good documentation on what
>>> should be a simple task.
>>>
>>> I have a remote server that has a single outside interface. I've
>>> tried creating a special loopback internal interface, using the
>>> built-in loopback interface and neither one seems to work as the
>>> inside interface. I'm not sure why it needs that, the virtual
>>> interface used as the VPN endpoint ought to give vpn clients access
>>> to the vpn server for file sharing purposes (subject to packet
>>> filtering limitations), but it doesn't.
>>>
>>> I've also tried vpn standalone with some manual tweaking, vpn plus
>>> NAT and neither one seems to let me just access the files on the vpn
>>> server, which is all I really want to do!
>>>
>>> I also studied the howtonetworking site that Bill recommended,
>>> studied it in great detail, and found it to be of no use in
>>> explaining this basic task.
>>>
>>> I'm ready to just punt on RRAS and put in a $30 D-link vpn firewall.
>>> Too bad my ISP hasn't agreed to let me do that ...
>>>
>>>
>>> "Bill Grant" wrote:
>>>
>>>> A VPN (Virtual Private Network) allows a client to connect to a
>>>> private LAN through the Internet. It is similar to a RAS
>>>> connection, except it uses the Internet as the carrier rather than
>>>> a communication line.
>>>>
>>>> The reason why two NICs are used in the standard config is
>>>> this. One NIC is the connection to the private LAN and the second
>>>> is the connection to the Internet. The client connects to the
>>>> public NIC, and the VPN traffic is then tunnelled through this
>>>> connection. On arrival the packet is unencapsulated and decrypted,
>>>> then forwarded to the private LAN.
>>>>
>>>> If the server has only a private IP, then the initial
>>>> connection must be made to a router with a public address, and the
>>>> VPN connection forwarded to the server across the LAN. If the
>>>> server has only a public IP, the VPN connection is made to that
>>>> interface. The only private interface is the "virtual" interface
>>>> which the server creates to be the VPN endpoint. The VPN client
>>>> can access only the VPN server itself.
>>>>
>>>> To configure a machine with one NIC to act as a remote access
>>>> server, use the manual config option in the RRAS setup wizard.
>>>>
>>>> Tim_Mac wrote:
>>>>> hi robert,
>>>>> it's not a DC, and there is only one NIC. the server roles
>>>>> configured are: file server, application server, streaming media
>>>>> server. the server is in a datacenter as a stand-alone web
>>>>> server, connected to their network via one NIC, with a static IP
>>>>> address. i just read on another post that you need 2 nics to have
>>>>> a VPN. why on earth? what good is the second NIC if it doesn't
>>>>> connect to anywhere!?
>>>>>
>>>>> i want remote clients to be able to access a shared folder, over a
>>>>> secure web connection. and i gather VPN using incoming
>>>>> connections is the simplest way of doing this. i understand that
>>>>> if i use incoming connections the NAT stuff is configured
>>>>> automatically. i absolutely can't afford to try setting up
>>>>> incoming connections again, without knowing for sure that it
>>>>> won't block off web traffic, or the remote desktop connection.
>>>>>
>>>>> really appreciate any help. i can post my security configuration
>>>>> xml file (from SCW) if that's any use.
>>>>> tim
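
The route selection discussed in this thread, as an added example that is not part of any poster's message: a longest-prefix-match lookup over the two routes quoted above, showing that 172.22.0.1 is sent into the tunnel, 172.22.0.2 is the client itself, and a 10.x address never enters the tunnel. The default route (192.0.2.x) and the address 10.0.0.1 are constructed placeholders, not values from the thread.

```python
import ipaddress

# Destination, netmask, gateway, interface. The first two lines are the routes
# quoted in the thread; the third is a constructed default route standing in
# for the client's ordinary Internet uplink.
ROUTE_PRINT = """\
172.22.0.0   255.255.0.0      172.22.0.2  172.22.0.2
172.22.0.2   255.255.255.255  127.0.0.1   127.0.0.1
0.0.0.0      0.0.0.0          192.0.2.1   192.0.2.10
"""

TUNNEL_IFACE = "172.22.0.2"  # the client's PPP address from the thread


def parse_routes(text):
    """Turn 'dest mask gateway interface' lines into route records."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        dest, mask, gateway, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway, "iface": iface})
    return routes


def lookup(routes, address):
    """Return the most specific (longest prefix) matching route, or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def classify(routes, address):
    """Say where a packet for `address` would be sent."""
    route = lookup(routes, address)
    if route is None:
        return "no route"
    if route["iface"].startswith("127."):
        return "local"           # host route: the address is this machine
    if route["iface"] == TUNNEL_IFACE:
        return "tunnel"          # subnet route through the VPN link
    return "outside tunnel"      # falls through to the ordinary uplink


ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    for target in ("172.22.0.1", "172.22.0.2", "10.0.0.1"):
        print(target, "->", classify(ROUTES, target))
```
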

