VPN through a router that has a dynamic IP; problem?

Anonymous
February 1, 2005 6:55:03 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Hi...

I have:

Windows XP Pro SP2 wired via ethernet to BTVOYAGER 2100 ADSL modem/router
and Windows XP Pro SP2 laptop wirelessly connected to the same router.

I am trying to set up a VPN from the desktop to a secure server at work.

In the BTVOYAGER 2100 configuration manager at Virtual Server -> Port
Forwarding - Add new rule, I have:

1) In IP address box I have added the IP of the work server & set the ports
to 1723 (TCP)
2) I have made an exception for port 1723 in the Windows Firewall

The problem I am trying to solve is that the server at work needs to know
which IP the connection is coming from in order for authentication to succeed;
however, I am told that my ISP, which is BT Broadband creates a new IP
address for my router every time I connect to the internet, which is about
once a day. I have ADSL 1MB/s connection.
The server will only accept an IP address and not a resolved DNS, which I
could have created at www.dyndns.org; is there any way to resolve a dynamic
IP address into a static one, so that I can give the IT guys at work an IP
address that will identify my router.

Thanks...

Charlie
Anonymous
February 3, 2005 12:56:47 PM

Charles Robertson <CharlesRobertson@discussions.microsoft.com> wrote:

> One last question; am I (home computer) allowed to use the same
> private LAN IP address (192.168.1.3) as my office computer or does
> this have to have a different private LAN IP address?

Not only may you not use the same IP address, you may not use the same IP
sub-net at each end of the VPN link.

If your office network uses 192.168.1.xxx addresses, then you may not use
any 192.168.1.xxx addresses in your home LAN: if necessary you must
reconfigure your router so that it and its dependent LAN use a different IP
sub-net.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Anonymous
February 3, 2005 12:56:48 PM

Thanks Robin...

That is very useful information; I will change the relevant IPs and subnet,
so that they do not clash and then send you the results...

However, I do not understand why this is the case?

Surely if the IP I access the server with is an external IP (public), the
server's computers will never see my LAN IP; I do not understand why there
should be a clash...

Thanks...

Charlie

"Robin Walker [MVP]" wrote:

> Charles Robertson <CharlesRobertson@discussions.microsoft.com> wrote:
>
> > One last question; am I (home computer) allowed to use the same
> > private LAN IP address (192.168.1.3) as my office computer or does
> > this have to have a different private LAN IP address?
>
> Not only may you not use the same IP address, you may not use the same IP
> sub-net at each end of the VPN link.
>
> If your office network uses 192.168.1.xxx addresses, then you may not use
> any 192.168.1.xxx addresses in your home LAN: if necessary you must
> reconfigure your router so that it and its dependent LAN use a different IP
> sub-net.
>
> --
> Robin Walker [MVP Networking]
> rdhw@cam.ac.uk
>
>
>
Anonymous
February 3, 2005 5:28:13 PM

Charles Robertson <CharlesRobertson@discussions.microsoft.com> wrote:

> That is very useful information; I will change the relevant IPs and
> subnet, so that they do not clash and then send you the results...
>
> However, I do not understand why this is the case?
>
> Surely if the IP I access the server with is an external IP (public),
> the server's computers will never see my LAN IP; I do not understand
> why there should be a clash...

You said you were setting up a VPN. The effect of the VPN is to set up a
virtual link directly between your LAN addresses and the LAN addresses
behind the office's router: both ends are ignorant of the public IPs of the
router(s) by which you create the VPN connection.

For IP routing to work properly on the virtual link, the IP sub-net at the
far end must be distinct from the IP sub-net at the local end. One sub-net
is accessed by broadcasting ARPs on the local LAN, the other sub-net is
routed via the VPN gateway.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
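
The routing behaviour described in the reply above, as an added example that is not part of the original thread: it models the two routes a VPN client host holds and shows where a packet for the office machine goes before and after the home LAN is renumbered. The /24 mask on the original home address and the tie-break rule are assumptions; the other addresses are the ones quoted in this thread.

```python
import ipaddress

ON_LINK = "on-link: ARP on the local LAN"
VIA_VPN = "routed via the VPN gateway"
DEFAULT = "default route (outside the tunnel)"


def subnets_clash(local_if: str, vpn_remote: str) -> bool:
    """True if the local LAN and the network behind the VPN share addresses."""
    local_net = ipaddress.ip_interface(local_if).network
    return local_net.overlaps(ipaddress.ip_network(vpn_remote))


def next_hop(local_if: str, vpn_remote: str, dest: str) -> str:
    """Longest-prefix match over the two routes a VPN client host holds.

    Simplification (assumption): a tie goes to the directly connected LAN.
    """
    target = ipaddress.ip_address(dest)
    routes = [
        (ipaddress.ip_interface(local_if).network, ON_LINK),
        (ipaddress.ip_network(vpn_remote), VIA_VPN),
    ]
    matching = [r for r in routes if target in r[0]]
    if not matching:
        return DEFAULT
    # max() keeps the first of equal prefix lengths, i.e. the local LAN.
    return max(matching, key=lambda r: r[0].prefixlen)[1]


OFFICE = "192.168.1.0/255.255.255.0"         # office network from the thread
HOME_BEFORE = "192.168.1.3/255.255.255.0"    # same sub-net as office (mask assumed)
HOME_AFTER = "192.168.0.43/255.255.255.128"  # desktop after renumbering

if __name__ == "__main__":
    for label, home in (("before", HOME_BEFORE), ("after", HOME_AFTER)):
        print(label, subnets_clash(home, OFFICE),
              next_hop(home, OFFICE, "192.168.1.193"))
```

With the clashing addressing the office machine's address is treated as a neighbour on the home LAN, so the packet never enters the tunnel.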
Anonymous
February 3, 2005 5:28:14 PM

Thanks Robin...

I now totally understand what a VPN is.

We have changed our LAN IP and subnet, so that:

Router: 192.168.0.41
Desktop: 192.168.0.43
Laptop: 192.168.0.42
Subnet: 255.255.255.128

The server we are connecting to:

Server: 192.168.1.0
Computer: 192.168.1.193
Subnet: 255.255.255.0

In the log view of the Sonicwall Global VPN Client, the connection gets to
and completes phase 2, which in the help file indicates a successful
connection; so the connection has got behind the server's firewall!
However, when I type 192.168.1.193 into the Remote Desktop Connection,
after about 30 seconds, I get a message saying that it could not connect with
remote computer.

Do you know why this would be?

Thanks...

Charlie

"Robin Walker [MVP]" wrote:

> Charles Robertson <CharlesRobertson@discussions.microsoft.com> wrote:
>
> > That is very useful information; I will change the relevant IPs and
> > subnet, so that they do not clash and then send you the results...
> >
> > However, I do not understand why this is the case?
> >
> > Surely if the IP I access the server with is an external IP (public),
> > the server's computers will never see my LAN IP; I do not understand
> > why there should be a clash...
>
> You said you were setting up a VPN. The effect of the VPN is to set up a
> virtual link directly between your LAN addresses and the LAN addresses
> behind the office's router: both ends are ignorant of the public IPs of the
> router(s) by which you create the VPN connection.
>
> For IP routing to work properly on the virtual link, the IP sub-net at the
> far end must be distinct from the IP sub-net at the local end. One sub-net
> is accessed by broadcasting ARPs on the local LAN, the other sub-net is
> routed via the VPN gateway.
>
> --
> Robin Walker [MVP Networking]
> rdhw@cam.ac.uk
>
>
>
Anonymous
February 3, 2005 5:28:14 PM

Robin, I forgot to add that when I generate a report for the VPN connection,
the following lines may be of interest to you; these lines are generated,
when I start the Remote Desktop Connection:


2005/02/03 17:07:07:785
Information 195.152.75.254
calling NetUserGetInfo: Server: \\D289LZ0J, User: charles robertson, level: 3

2005/02/03 17:07:07:786
Information 195.152.75.254
NetUserGetInfo returned: home dir: , remote dir: , logon script:

2005/02/03 17:07:11:502
Information 195.152.75.254
Sending dead peer detection request.

2005/02/03 17:07:11:518
Information 195.152.75.254
Received dead peer detection acknowledgement.

2005/02/03 17:07:28:940
Information 195.152.75.254
Received dead peer detection request.

2005/02/03 17:07:28:941
Information 195.152.75.254
Sending dead peer detection acknowledgement.

2005/02/03 17:15:41:518
Information 195.152.75.254
Sending phase 2 delete for 192.168.1.0/255.255.255.0.

2005/02/03 17:15:41:519
Information 195.152.75.254
Sending phase 1 delete.

2005/02/03 17:15:41:846
Information 195.152.75.254
Starting ISAKMP phase 1 negotiation.

2005/02/03 17:15:42:018
Information 195.152.75.254
Starting aggressive mode phase 1 exchange.

2005/02/03 17:15:42:019
Information 195.152.75.254
NAT Detected: Local host is behind a NAT device.

2005/02/03 17:15:42:020
Information 195.152.75.254
The SA lifetime for phase 1 is 28800 seconds.

2005/02/03 17:15:42:021
Information 195.152.75.254
Phase 1 has completed.

2005/02/03 17:15:42:034
Information 195.152.75.254
Received request for policy version.

2005/02/03 17:15:42:035
Information 195.152.75.254
Sending policy version reply.

2005/02/03 17:15:42:065
Information 195.152.75.254
Received policy change is not required.

2005/02/03 17:15:42:066
Information 195.152.75.254
Sending policy acknowledgement.

2005/02/03 17:15:42:067
Information 195.152.75.254
The configuration for the connection is up to date.

2005/02/03 17:15:49:502
Information 195.152.75.254
Starting ISAKMP phase 2 negotiation with 192.168.1.0/255.255.255.0:*:*:*.

2005/02/03 17:15:49:503
Information 195.152.75.254
Starting quick mode phase 2 exchange.

2005/02/03 17:15:49:534
Information 195.152.75.254
The SA lifetime for phase 2 is 28800 seconds.

2005/02/03 17:15:49:535
Information 195.152.75.254
Phase 2 with 192.168.1.0/255.255.255.0:*:*:* has completed.

2005/02/03 17:15:49:536
Information 195.152.75.254
NetWkstaUserGetInfo returned: user: charles robertson, logon domain: D289LZ0J

2005/02/03 17:15:51:784
Information 195.152.75.254
NetGetDCName failed: Could not find domain controller for this domain.


Could this be something to do with why the Remote Desktop Connection is
failing? I refer to the last 2 entries...

Thanks...

Charlie


"Robin Walker [MVP]" wrote:

> Charles Robertson <CharlesRobertson@discussions.microsoft.com> wrote:
>
> > That is very useful information; I will change the relevant IPs and
> > subnet, so that they do not clash and then send you the results...
> >
> > However, I do not understand why this is the case?
> >
> > Surely if the IP I access the server with is an external IP (public),
> > the server's computers will never see my LAN IP; I do not understand
> > why there should be a clash...
>
> You said you were setting up a VPN. The effect of the VPN is to set up a
> virtual link directly between your LAN addresses and the LAN addresses
> behind the office's router: both ends are ignorant of the public IPs of the
> router(s) by which you create the VPN connection.
>
> For IP routing to work properly on the virtual link, the IP sub-net at the
> far end must be distinct from the IP sub-net at the local end. One sub-net
> is accessed by broadcasting ARPs on the local LAN, the other sub-net is
> routed via the VPN gateway.
>
> --
> Robin Walker [MVP Networking]
> rdhw@cam.ac.uk
>
>
>
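
A triage helper for the VPN client report posted above, as an added example that is not part of the original thread: it parses the three-line records, collects the networks for which phase 2 completed, checks whether the Remote Desktop target lies inside one of them, and lists any "failed" messages. The function names are hypothetical and the sample is an excerpt of the lines in the post.

```python
import ipaddress
import re

# Excerpt of the report posted above, in the same three-line record layout.
SAMPLE_REPORT = """\
2005/02/03 17:15:42:021
Information 195.152.75.254
Phase 1 has completed.

2005/02/03 17:15:49:535
Information 195.152.75.254
Phase 2 with 192.168.1.0/255.255.255.0:*:*:* has completed.

2005/02/03 17:15:51:784
Information 195.152.75.254
NetGetDCName failed: Could not find domain controller for this domain.
"""

PHASE2_DONE = re.compile(r"Phase 2 with ([\d.]+)/([\d.]+):\S* has completed\.")


def parse_records(text):
    """Yield (timestamp, level, peer, message) per blank-line separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) == 3:  # skip truncated or malformed records
            level, _, peer = lines[1].partition(" ")
            yield lines[0], level, peer, lines[2]


def summarize(text, dest):
    """Report tunnel state and whether dest falls inside a negotiated network."""
    out = {"phase1": False, "networks": [], "failures": []}
    for _ts, _level, _peer, msg in parse_records(text):
        match = PHASE2_DONE.match(msg)
        if match:
            out["networks"].append(ipaddress.ip_network("/".join(match.groups())))
        elif msg == "Phase 1 has completed.":
            out["phase1"] = True
        elif "failed" in msg.lower():
            out["failures"].append(msg)
    target = ipaddress.ip_address(dest)
    out["dest_covered"] = any(target in net for net in out["networks"])
    return out
```

Calling `summarize(SAMPLE_REPORT, "192.168.1.193")` shows the target inside the negotiated 192.168.1.0/24 network, alongside the one failure message logged after phase 2 completed.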