VPN routing problem

    Question

  • Hi All, 

    I'm having an issue where my VPN client can connect and ping the VPN server, but can't access any other items on my client network.  The server is running Windows server 2003 SP2.

    My internal network is 192.168.15.0/24.  The VPN server is 192.168.15.47 on the internal network, and 192.168.16.47 on a network shared with the router.

    My client connects and gets the IP 192.168.15.109 from the DHCP server.  It can ping both 192.168.15.47 and 192.168.16.47.  However, it cannot ping the domain controller at 192.168.15.45.

    Strangely enough, the domain controller can ping 192.168.15.109 and its arp table shows the MAC of the VPN server.

    One other strange thing is that the VPN server can't ping 192.168.15.109.

    I've checked and there are no packet filters on any of the VPN server's NICs.

    The routing table on the VPN server shows 
    Destination,Network mask,Gateway,Interface,Metric,Protocol
    0.0.0.0,0.0.0.0,192.168.16.1,Local Area Connection 2,1,Network management
    127.0.0.0,255.0.0.0,127.0.0.1,Loopback,1,Local
    127.0.0.1,255.255.255.255,127.0.0.1,Loopback,1,Local
    192.168.15.0,255.255.255.0,192.168.15.47,Local Area Connection,10,Local
    192.168.15.47,255.255.255.255,127.0.0.1,Loopback,10,Local
    192.168.15.109,255.255.255.255,127.0.0.1,Loopback,50,Local
    192.168.15.255,255.255.255.255,192.168.15.47,Local Area Connection,10,Local
    192.168.16.0,255.255.255.0,192.168.16.47,Local Area Connection 2,10,Local
    192.168.16.47,255.255.255.255,127.0.0.1,Loopback,10,Local
    192.168.16.255,255.255.255.255,192.168.16.47,Local Area Connection 2,10,Local
    224.0.0.0,240.0.0.0,192.168.16.47,Local Area Connection 2,10,Local
    224.0.0.0,240.0.0.0,192.168.15.47,Local Area Connection,10,Local
    255.255.255.255,255.255.255.255,192.168.16.47,Local Area Connection 2,1,Local
    255.255.255.255,255.255.255.255,192.168.15.47,Local Area Connection,1,Local

    Any ideas?
    Monday, November 02, 2009 11:13 PM

All replies

  • If the server can ping the VPN client, you do not have a network problem.

    Ping is pretty unreliable for this sort of thing, especially with most machines now running personal firewalls. These usually block ICMP echo, which is what ping uses.

    Accessing LAN machines from VPN clients can be tricky because name resolution doesn't work the same way as it does on a LAN. Does the client get the correct DNS address? Does nslookup work for the domain name and/or a server's FQDN?
     
    Bill
    Tuesday, November 03, 2009 12:57 AM
  • Hello,

    Thank you for your post here.

    Agree with Bill Grant that the VPN connection is OK as you can ping both 192.168.15.47 and 192.168.16.47. I believe that Windows Firewall or any other third-party firewall blocks the ICMP echo request on 192.168.15.109 and 192.168.15.45. Please check how it works if you manually add the rule to explicitly allow that.


    1. In the Windows Advanced firewall console tree, right-click Inbound Rules, and then click New Rule.

    2. On the Rule Type page, click Custom, and then click Next.

    3. On the Program page, click Next.

    4. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

    5. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

    6. Click Next.

    7. On the Scope page, click Next.

    8. On the Action page, click Next.

    9. On the Profile page, click Next.

    10. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.

    If you have any questions or concerns, please do not hesitate to let me know.
    Tuesday, November 03, 2009 7:13 AM
    Moderator
  • Hi All,

    Thanks for your replies.

    I already tried turning off the firewall on the client, and there's no firewall on the server(s) I'm trying to reach.  I also tried remote desktop from client to domain controller and that doesn't work, but remote desktop from client to VPN server works and remote desktop from VPN server to domain controller works.

    The strangest thing is that I can't ping the VPN client from the VPN server, even with firewalls disabled.  It's almost like the route back to the client isn't working, but you can see it above in the routing table.

    Oh, and when I pinged a server from my VPN client, even though I didn't get a response I saw an entry for the VPN client's IP in the ARP table (to the VPN server's MAC).

    Tuesday, November 03, 2009 3:19 PM
  • Yes, you will see an ARP record for the VPN client linked to the server's MAC address. Because the VPN client machine is in the same IP subnet as the LAN machines (on-subnet addressing) no real IP routing takes place. The server does proxy ARP on the LAN for the remote client, then sends the packet across the point-to-point link to the remote client.

    If you want a routed solution you have to put the remotes in their own IP subnet (using an address pool on the RRAS server) and route through the RRAS server.

    Bill
    Tuesday, November 03, 2009 11:06 PM
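The following is an added example, not code from the thread or from Microsoft. It takes the routing table exactly as posted in the question, performs the same longest-prefix / lowest-metric route selection Windows applies, and shows why the VPN client's 192.168.15.109 is reached through a /32 on the Loopback entry (the RRAS point-to-point link) rather than the LAN NIC, which is why LAN hosts see it as on-link and the server has to proxy ARP for it, as Bill describes. The 192.168.17.0/24 address pool used to contrast the routed solution is a hypothetical value, not something from the thread.

```python
import csv
import ipaddress
from io import StringIO

# The RRAS server's routing table, copied verbatim from the question.
ROUTE_TABLE = """\
Destination,Network mask,Gateway,Interface,Metric,Protocol
0.0.0.0,0.0.0.0,192.168.16.1,Local Area Connection 2,1,Network management
127.0.0.0,255.0.0.0,127.0.0.1,Loopback,1,Local
127.0.0.1,255.255.255.255,127.0.0.1,Loopback,1,Local
192.168.15.0,255.255.255.0,192.168.15.47,Local Area Connection,10,Local
192.168.15.47,255.255.255.255,127.0.0.1,Loopback,10,Local
192.168.15.109,255.255.255.255,127.0.0.1,Loopback,50,Local
192.168.15.255,255.255.255.255,192.168.15.47,Local Area Connection,10,Local
192.168.16.0,255.255.255.0,192.168.16.47,Local Area Connection 2,10,Local
192.168.16.47,255.255.255.255,127.0.0.1,Loopback,10,Local
192.168.16.255,255.255.255.255,192.168.16.47,Local Area Connection 2,10,Local
224.0.0.0,240.0.0.0,192.168.16.47,Local Area Connection 2,10,Local
224.0.0.0,240.0.0.0,192.168.15.47,Local Area Connection,10,Local
255.255.255.255,255.255.255.255,192.168.16.47,Local Area Connection 2,1,Local
255.255.255.255,255.255.255.255,192.168.15.47,Local Area Connection,1,Local
"""


def parse_routes(text):
    """Parse the posted CSV table into (network, gateway, interface, metric) tuples."""
    routes = []
    for row in csv.DictReader(StringIO(text)):
        # "destination/netmask" form; strict=False tolerates host bits in the destination
        net = ipaddress.ip_network(
            f"{row['Destination']}/{row['Network mask']}", strict=False)
        routes.append((net, row["Gateway"], row["Interface"], int(row["Metric"])))
    return routes


def lookup(routes, dst):
    """Select the route Windows would use: longest prefix first, lowest metric on ties."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def needs_proxy_arp(client_ip, lan_network):
    """True when a LAN host treats the VPN client address as on-link, so the RRAS
    server must answer ARP for it (on-subnet addressing). False when the client
    sits in its own pool subnet, where LAN hosts need a route via the RRAS server."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_network)


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("192.168.15.109", "192.168.15.45", "8.8.8.8"):
        net, gw, iface, metric = lookup(table, dst)
        print(f"{dst:16} -> {str(net):20} via {gw:14} on {iface} (metric {metric})")
    # .109 matches the /32 on Loopback: the dial-in point-to-point link, even though
    # the address is inside the LAN subnet 192.168.15.0/24.
    print("LAN hosts ARP for .109 directly:",
          needs_proxy_arp("192.168.15.109", "192.168.15.0/24"))
    # Hypothetical routed pool 192.168.17.0/24 (assumed, not from the thread).
    print("LAN hosts ARP for 192.168.17.10 directly:",
          needs_proxy_arp("192.168.17.10", "192.168.15.0/24"))
```

Run as a script it prints one line per lookup; the interesting one is 192.168.15.109 landing on the Loopback /32 while 192.168.15.45 lands on the ordinary 192.168.15.0/24 LAN route. With a separate address pool the second `needs_proxy_arp` call is False, which is exactly the case where each LAN host (or its default gateway) needs a route for the pool subnet pointing at the RRAS server.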