
VPN tunnel established but cannot get out of VPN router

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by lookinpanubb, Oct 9, 2005.

  1. lookinpanubb

    lookinpanubb Network Guru Member

    Hi, I have configured my BEFVP41 as shown in the Greenbow guide and I have configured my Greenbow client in the same way. I have no problem establishing the VPN tunnel, but once the tunnel is open I can only ping the VPN router and nothing else connected to the LAN side of the router.
    I have tried several variations of the configuration and this is my current config.

    Router
    Local Secure Group: 10.10.0.0 / 255.255.0.0
    Remote Secure Group: any
    Remote Security Gateway: any

    Greenbow
    VPN Client Address: 10.10.10.99
    Remote LAN Address: 10.10.0.0 / 255.255.0.0

    If I've missed any relevant configuration settings, please let me know and I'll post those as well. Thanks!
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Have you checked to see if you have the firewall up on the computers you want to access?

    Doc
     
  3. lookinpanubb

    lookinpanubb Network Guru Member

    Yes, there is no firewall. If I plug my laptop directly into the VPN router I can ping the target machine and get to everywhere that I need.

    Alex
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    Okay,

    you've lost me. You just stated that when you plug your laptop directly into the vpn router, you can ping and move anywhere you need to. Did you mean to say when you plug into the "modem" you can go anywhere (i.e., ping, access files)?

    From the top, how exactly are you connecting to your vpn connection?

    laptop-->modem-->internet<--modem<--befvp41<--server

    Is this close?

    Doc
     
  5. lookinpanubb

    lookinpanubb Network Guru Member

    Sorry to add confusion. I was referring to an alternate way that I was connecting. You have diagrammed the way that I want to connect but am unable to reach my target machines. Here's the actual picture:

    internet --> befvp41 --> WRT54G --> server1 and server2

    Connecting laptop --> befvp41, can reach server1 and server2

    Connecting laptop --> internet --> tunnel can only ping the LAN ip of the befvp41.

    Alex
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Okay,

    I'm still not tracking here.

    I think you're still leaving out an important piece, and that is basically where your "modem" is located. You "cannot" use the befvp41 router "without" a cable/xdsl modem, so where exactly is your modem located in your diagram?

    Additionally, is the vpn segment you're trying to reach on "the same" segment or are you connecting across the internet? The diagram you drew appears to show that you are in fact trying to make the connection on the same segment as opposed to being across the internet...

    Doc
     
  7. lookinpanubb

    lookinpanubb Network Guru Member

    I currently have two broadband Internet connections. I have a road runner cable connection. I have been plugging directly into this modem with my laptop to get on the Internet and act as a client. I also have a FiOS connection which is acting as my destination. I imagine that there is a "modem" somewhere, but all I can see is the CAT5 jack in my wall. This connection is connected to the BEFVP41.

    Case 1
    Connecting laptop --> rr modem --> Internet --> befvp41 --> WRT54G --> server1 and server2

    Case 2
    Connecting laptop --> befvp41, can reach server1 and server2

    Case 1 does not work, so I tried case 2. Connected directly to the same router, no tunnel. I assumed that this would be "similar" to the tunnel case except that the tunnel client would be virtually on the befvp41's LAN.

    Sorry to be making things so confusing. I thought it would help by adding my experience when connecting directly to the befvp41. But this is only a test case and not what I am intending to do.

    Alex
     
  8. lookinpanubb

    lookinpanubb Network Guru Member

    In case that still wasn't clear ;)

    laptop-->RR modem-->internet<--"FiOS modem"<--befvp41<--WRT54G<--server
     
  9. lookinpanubb

    lookinpanubb Network Guru Member

    Any ideas, anyone? I'm guessing that it's a routing problem, but I don't know what the problem is or where to fix it.

    Alex
     
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    Back :)

    Alright, I'm going to make some assumptions

    1) You have straight thru CAT5 running from one of the BEFVP41's LAN ports to one of the LAN ports on the WRT54G, thereby making the WRT function as a switch.

    2) Or, do you have CAT5 running from the BEFVP41 to the WAN port of the WRT, thus creating another subnet?

    In the case of number 1, make sure that the WRT has an ip address that matches the BEFVP41's IP scheme (if the BEFVP41 is 10.10.10.1 then the WRT should be 10.10.10.2). All devices that are connecting to the WRT should be using the same IP scheme also and will be able to pass information "to" and from the BEFVP41 via the WRT that's now acting as a bridge/switch/repeater.

    If your configuration is more like #2, then you need to make sure you configure the BEFVP41's dhcp server to give out "one" ip address. Then, run CAT5 (as stated above) to the WRT's WAN port; also configure the WRT's LAN IP scheme and make sure it's "not" the same as the LAN IP scheme that the BEFVP41 is running (this is the difference when connecting to the WAN port as opposed to connecting to the LAN port in the first scenario). Once the WRT pulls the IP made available by the BEFVP41, the WRT's WAN port is configured to pass traffic "to" and "from" the BEFVP41 "and" any computers connected on the WRT's LAN segment. Also, you may need to forward port 500 on the BEFVP41 to whatever ip address the WRT pulled. Once you've done all of this, you should be able to connect to your server "as long" as it has the same IP scheme as the WRT.

    Doc

    I personally think
     
  11. lookinpanubb

    lookinpanubb Network Guru Member

    Yeah, I knew I left something out in my description! :)

    Ok, more detailed diagram of my network:

    BEFVP41
    - subnet 10.10.10.0
    - DHCP server is turned on to hand out 10.10.10.120 +
    WRT54G
    - subnet 10.10.9.0
    - DHCP server is turned on to hand out 10.10.9.120+
    - WAN IP statically defined as 10.10.10.200

    BEFVP41's LAN port is connected to WRT54G's WAN port with CAT5. BEFVP41 also has another machine connected to its LAN side.

    In Greenbow I have the VPN client IP being assigned as 10.10.10.99. I also tried 10.10.9.99 and saw the same results. I can ping 10.10.10.1, but nothing else. I have several ports being forwarded to 10.10.10.200 and they are working, but I cannot reach these from the VPN client either when trying to go to 10.10.10.200.

    Machines on the LAN side of both the WRT54G and BEFVP41 have no problem reaching the Internet and I have no problem reaching the machine on the LAN side of the WRT54G through the forwarded port from the Internet.

    However, when I am tunneled into the BEFVP41 I can't reach anything except being able to ping the BEFVP41. I would think that I would, at least, be able to reach the machine on the LAN side of the BEFVP41. I have the tunnel's Remote Secure Group set to 10.10.0.0 subnet 255.255.0.0.

    Again, thank you soooo much for your help thus far!

    Alex
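
The addressing rules DocLarge gives for the LAN-to-WAN cascade in post 10, checked against the values lookinpanubb posted in post 11. This is an added example, not part of the thread; the /24 masks on the two router LANs and the WRT54G running in its default NAT gateway mode are assumptions, and the function names are made up for illustration.

```python
import ipaddress as ip

# Addresses are the ones posted in this thread. The /24 masks on the two
# router LANs are an assumption; the posts give only the network numbers.
PLAN = {
    "befvp41_lan": ip.ip_network("10.10.10.0/24"),
    "wrt54g_lan": ip.ip_network("10.10.9.0/24"),
    "wrt54g_wan_ip": ip.ip_address("10.10.10.200"),
    "secure_group": ip.ip_network("10.10.0.0/255.255.0.0"),
    "vpn_client_ip": ip.ip_address("10.10.10.99"),
}

def audit_cascade(plan):
    """Check the LAN-to-WAN cascade rules from post 10 against a plan."""
    outer, inner = plan["befvp41_lan"], plan["wrt54g_lan"]
    return {
        # The inner router's WAN address must sit on the outer router's LAN.
        "wan_ip_on_outer_lan": plan["wrt54g_wan_ip"] in outer,
        # The two LAN schemes must differ, i.e. must not overlap.
        "lans_are_distinct": not outer.overlaps(inner),
        # Both LANs should fall inside the tunnel's secure group.
        "secure_group_covers_both": all(
            n.subnet_of(plan["secure_group"]) for n in (outer, inner)),
        # Addressing fact only: the client's virtual IP is drawn from the
        # outer LAN's own range, so hosts there see it as on-link.
        "client_ip_inside_outer_lan": plan["vpn_client_ip"] in outer,
    }

def locate(plan, host):
    """Say which segment a target address belongs to."""
    addr = ip.ip_address(host)
    if addr in plan["befvp41_lan"]:
        return "befvp41-lan"
    if addr in plan["wrt54g_lan"]:
        # Assumes the WRT54G is in its default gateway (NAT) mode, where
        # inbound traffic reaches these hosts only via forwards on its WAN IP.
        return "behind-wrt54g"
    return "in-secure-group" if addr in plan["secure_group"] else "outside"

if __name__ == "__main__":
    for rule, ok in audit_cascade(PLAN).items():
        print(f"{rule}: {ok}")
    for target in ("10.10.10.120", "10.10.9.105", "10.10.10.200"):
        print(target, "->", locate(PLAN, target))
```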
     
  12. lookinpanubb

    lookinpanubb Network Guru Member

    Oh, and I forgot to mention. When I forwarded port 500 to the WRT54G I could no longer open the tunnel.
     
  13. DocLarge

    DocLarge Super Moderator Staff Member Member

    Okay, this sounds like configuration is the issue.

    If you're able to use greenbow without forwarding 500 (it was just an idea I thought I'd have you try), then you may just need to try mapping a drive.

    Then next time you connect with greenbow go to the run command on your computer and type in the ip address of the machine you're trying to get to with vpn. Let's say if the distant end computer has an ip address of 10.10.10.15, you'd type the following in the "run" text box: \\10.10.10.15\sharename

    Where you see "sharename" is where you would put the name of the directory you've given vpn users share access to. So, if you shared a folder out called "vpn" for vpn users, you would enter this string in the "run" box: \\10.10.10.15\vpn

    Try this...

    Doc
     
  14. lookinpanubb

    lookinpanubb Network Guru Member

    Doc, I tried to connect to

    \\10.10.10.120\test (target connected to BEFVP41)
    \\10.10.9.105\test (target connected to WRT54G)

    In both cases, after a tiresome wait, I received the message 'Network path was not found'. The shares do appear to be working if I connect my laptop directly to the same network (no tunneling involved).

    Alex
     
  15. lookinpanubb

    lookinpanubb Network Guru Member

    Doc, what was trying to map to the drive supposed to do? What I really want to be able to do is to connect to a machine via Remote Desktop. I have the necessary ports open, but as evidenced above I can't reach any of the machines through the VPN.
     
  16. DocLarge

    DocLarge Super Moderator Staff Member Member

    Mapping the port was just an exercise in seeing if you could reach any of your shared folders.

    If you are connected and are getting "network path not found" you may have an MTU issue, or the path is not correct. Download Dr TCP and use it to change your mtu size on your computer to 1350, first; I know this works because that's what I had to do. After that, provided I entered the path in properly, I was able to access and transfer files. As far as your remote desktop goes, I never use that feature; I prefer Radmin from Famatech.

    I may take a look at remote desktop, though, to see what differences there are...

    Doc
     
  17. lookinpanubb

    lookinpanubb Network Guru Member

    Ok, I'll give it a shot. Perhaps a silly question. Where should I be changing the MTU? On the remote machine with the VPN client? Thanks!!

    Alex
     
  18. lookinpanubb

    lookinpanubb Network Guru Member

    Ok, well I changed the MTU on my laptop to 1350. Same results. :( The tunnel seems pretty nicely stable, but I just can't reach any machine on the LAN side of the vp41.

    I tested the shared drives from other machines on the LAN and I can access them. But still nothing through the VPN tunnel.

    Alex
     
  19. lookinpanubb

    lookinpanubb Network Guru Member

    Self bump....anyone?
     
  20. DocLarge

    DocLarge Super Moderator Staff Member Member

    Lookinpanubb,

    it "must" be a setting, dude. What else have you looked at recently?

    Doc
     
  21. lookinpanubb

    lookinpanubb Network Guru Member

    I haven't made any setting changes that we haven't already discussed. I bought the VP41 and configured it exactly the way the tutorial states the very first time. I have GreenBow installed on two different client machines configured the way stated in the tutorials and both function the same...which is to say that they don't work.
    Is there something diagnostically that I can do?
     
  22. wcutler123

    wcutler123 Guest

    The way I resolved the gateway to gateway tunneling problem was to enable the protocol nwlink/netbios on both computers on each end. Then I was able to see the other side.
     