Cannot ping VPN network via D-Link DI-624 wireless router.

Archived from groups: comp.dcom.vpn

Hi -

I have a user who normally connects his laptop to our network through our
Netscreen 5GT box, using the Netscreen VPN Client v9. His internet
connection is via a cable modem, and this has worked relatively fine up to
now.

Recently, he bought a D-Link DI-624 wireless router, and connected this to
the cable modem via its WAN port. Again, at first this seems to work. The
laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
the router - fine. Using the Netscreen client software, you can make a
connection to our firewall - fine. Unfortunately, when you ping the IP
address of our server - 192.168.0.2, or even the internal IP address of the
firewall - 192.168.0.1, you don't get any reply at all.

To confuse matters, the laptop has recently had Norton Internet Security
2004 installed. However, disabling the personal firewall component doesn't
seem to make any difference.

Oh, and the PPTP and IPSec pass-through boxes have been checked on the
router.

--
Mark Bertenshaw
LEAX Controls Ltd
  1.

    On Tue, 14 Dec 2004 17:55:14 +0000, news.plus.net wrote:

    > Hi -
    >
    > I have a user who normally connects his laptop to our network through our
    > Netscreen 5GT box, using the Netscreen VPN Client v9. His internet
    > connection is via a cable modem, and this has worked relatively fine up to
    > now.
    >
    > Recently, he bought a D-Link DI-624 wireless router, and connected this to
    > the cable modem via its WAN port. Again, at first this seems to work. The
    > laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
    > the router - fine. Using the Netscreen client software, you can make a
    > connection to our firewall - fine. Unfortunately, when you ping the IP
    > address of our server - 192.168.0.2, or even the internal IP address of the
    > firewall - 192.168.0.1, you don't get any reply at all.
    >
    > To confuse matters, the laptop has recently had Norton Internet Security
    > 2004 installed. However, disabling the personal firewall component doesn't
    > seem to make any difference.
    >
    > Oh, and the PPTP and IPSec pass-through boxes have been checked on the
    > router.

    Many things could be wrong. The numbering implies that you have two
    networks, 192.168.0.0/24 and 192.168.2.0/24. Does the D-Link router route
    both of these networks? Do the server and firewall (inside interface)
    point to the D-Link as their gateway? Does the VPN client point to the
    D-Link as its gateway? Are the server and firewall running Windows XP with
    the default firewall turned on? If so, can they even ping one another?
  2.

    Erik Freitag wrote:
    > On Tue, 14 Dec 2004 17:55:14 +0000, news.plus.net wrote:
    >
    >> Hi -
    >>
    >> I have a user who normally connects his laptop to our network
    >> through our Netscreen 5GT box, using the Netscreen VPN Client v9.
    >> His internet connection is via a cable modem, and this has worked
    >> relatively fine up to now.
    >>
    >> Recently, he bought a D-Link DI-624 wireless router, and connected
    >> this to the cable modem via its WAN port. Again, at first this
    >> seems to work. The laptop gains a private IP address on the
    >> 192.168.2.x subnet via DHCP from the router - fine. Using the
    >> Netscreen client software, you can make a connection to our firewall
    >> - fine. Unfortunately, when you ping the IP address of our server -
    >> 192.168.0.2, or even the internal IP address of the firewall -
    >> 192.168.0.1, you don't get any reply at all.
    >>
    >> To confuse matters, the laptop has recently had Norton Internet
    >> Security 2004 installed. However, disabling the personal firewall
    >> component doesn't seem to make any difference.
    >>
    >> Oh, and the PPTP and IPSec pass-through boxes have been checked on
    >> the router.
    >
    > Many things could be wrong. The numbering implies that you have two
    > networks, 192.168.0.0/24 and 192.168.2.0/24.

    That's correct. The 192.168.0.0/24 network contains our company's server
    and the internal side of the firewall. The firewall is connected
    physically to the internet via another router, although both have public IP
    addresses. The 192.168.2.0/24 network is my user's internal network, which
    I deliberately set so that I wouldn't conflict with the company's range.

    > Does the D-Link router route both of these networks?

    The D-Link router routes the user's private network to the internet.

    > Do the server and firewall (inside interface) point to the D-Link as their gateway?

    No (see above).

    > Does the VPN client point to the D-Link as its gateway?

    No, it doesn't. Ah, sorry - it occurred to me that I didn't mention that
    the router has NAT turned on. The VPN client software points to the public
    IP address of the firewall.

    > Are the server and firewall running Windows XP with the default firewall turned on?

    The server is running Win2000 Server, which runs ISA. The firewall is a
    stand-alone box. However, I can't see how this affects my situation, since
    I can't ping the private side of the firewall from the Netscreen client, and
    the server is beyond that point.


    --
    Mark Bertenshaw
    Kingston upon Thames
    UK
  3.

    In addendum to the above, I thought I ought to add the Netscreen client
    settings:

    Connection Security: Secure
    ID Type: IP subnet
    Subnet: 192.168.0.0
    Mask: 255.255.255.0
    Protocol: All
    Connect using Secure Gateway Tunnel
    ID Type: IP Address


    The security policy uses Aggressive Mode.

    --
    Mark Bertenshaw
    Kingston upon Thames
    UK
  4.

    Mark Alexander Bertenshaw wrote:
    > In addendum to the above, I thought I ought to add the Netscreen client
    > settings:
    >
    > Connection Security: Secure
    > ID Type: IP subnet
    > Subnet: 192.168.0.0
    > Mask: 255.255.255.0
    > Protocol: All
    > Connect using Secure Gateway Tunnel
    > ID Type: IP Address
    >
    >
    > The security policy uses Aggressive Mode.
    >
    > --
    > Mark Bertenshaw
    > Kingston upon Thames
    > UK
    >
    >

    Have the user remove the dlink router to verify the settings still work.
    If it works then your setup is not compatible with a NAT home router.
    Consult with netscreen at that point to find out if they have
    something to support NAT traversal.

    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
  5.

    Mike Drechsler - SPAM PROTECTED EMAIL wrote:
    > Mark Alexander Bertenshaw wrote:
    >> In addendum to the above, I thought I ought to add the Netscreen
    >> client settings:
    >>
    >> Connection Security: Secure
    >> ID Type: IP subnet
    >> Subnet: 192.168.0.0
    >> Mask: 255.255.255.0
    >> Protocol: All
    >> Connect using Secure Gateway Tunnel
    >> ID Type: IP Address
    >>
    >>
    >> The security policy uses Aggressive Mode.
    >>
    >> --
    >> Mark Bertenshaw
    >> Kingston upon Thames
    >> UK
    >>
    >>
    >
    > Have the user remove the dlink router to verify the settings still
    > work. If it works then your setup is not compatible with a NAT home
    > router. Consult with netscreen at that point to find out if they
    > have something to support NAT traversal.

    Well, the VPN worked over the internet when there wasn't a router - just a
    cable modem, so you have a point! However, to be fair, whilst I haven't got
    the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
    in pretty much the same configuration (in terms of NATting), and it seems to
    work fine.

    --
    Mark Bertenshaw
    Kingston upon Thames
    UK
  6.

    Mark Alexander Bertenshaw wrote:
    >
    > Well, the VPN worked over the internet when there wasn't a router - just a
    > cable modem, so you have a point! However, to be fair, whilst I haven't got
    > the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
    > in pretty much the same configuration (in terms of NATting), and it seems to
    > work fine.
    >

    Outgoing NATting should never be a problem.

    Maybe your home router has firewall rules forbidding your port/protocol
    combination from getting through?

    --
    Martin Bodenstedt

    www.landtag-bw.de / www.die-bodenstedts.de
  7.

    "Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
    news:cpu7ai$8oi$1@news.BelWue.DE...
    > Mark Alexander Bertenshaw wrote:
    > >
    > > Well, the VPN worked over the internet when there wasn't a router - just a
    > > cable modem, so you have a point! However, to be fair, whilst I haven't got
    > > the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
    > > in pretty much the same configuration (in terms of NATting), and it seems to
    > > work fine.
    > >
    >
    > Outgoing NATting should never be a problem.
    >
    > Maybe your home router has firewall rules forbidding your port/protocol
    > combination from getting through?
    >
    > Martin Bodenstedt

    Martin -

    Just to be clear, my router is the one that is fine - it's my user's router
    which is the one that doesn't work, even though the settings look pretty
    similar. As for the protocol rules - there are no rules specifically
    forbidding the outgoing ports. And if so, surely I wouldn't have had a VPN
    connection in the first place? Looking at the logs, it seems that the
    initial handshaking seems to go fine. It's only when I ping a host on the
    other side of the firewall when no reply is found.

    --
    Mark
  8.

    Mark Alexander Bertenshaw wrote:
    > "Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
    > news:cpu7ai$8oi$1@news.BelWue.DE...
    >
    >>Mark Alexander Bertenshaw wrote:
    >>
    >>>Well, the VPN worked over the internet when there wasn't a router - just a
    >>>cable modem, so you have a point! However, to be fair, whilst I haven't got
    >>>the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
    >>>in pretty much the same configuration (in terms of NATting), and it seems to
    >>>work fine.
    >>>
    >>
    >>Outgoing NATting should never be a problem.
    >>
    >>Maybe your home router has firewall rules forbidding your port/protocol
    >>combination from getting through?
    >>
    >>Martin Bodenstedt
    >
    >
    > Martin -
    >
    > Just to be clear, my router is the one that is fine - it's my user's router
    > which is the one that doesn't work, even though the settings look pretty
    > similar. As for the protocol rules - there are no rules specifically
    > forbidding the outgoing ports. And if so, surely I wouldn't have had a VPN
    > connection in the first place? Looking at the logs, it seems that the
    > initial handshaking seems to go fine. It's only when I ping a host on the
    > other side of the firewall when no reply is found.
    >
    > --
    > Mark

    You have 3 options.

    1. Upgrade the firmware on the user's D-Link router. Myself I have never
    known Dlink consumer routers to pass IPSec traffic unless the gateway
    VPN router supports some kind of NAT traversal. Perhaps they have
    developed a newer firmware that passes standard IPSec session traffic
    properly.

    2. Change the settings on your VPN gateway at work to use NAT traversal.

    3. Replace the D-Link router with something that does support IPsec
    session traffic.

    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
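
The symptom discussed in this thread (IKE negotiation completes, then nothing comes back through the tunnel once a NAT router is in the path) can be confirmed from a packet capture taken on the laptop. The sketch below is an added example, not code from any poster: it classifies raw IPv4 packets as IKE, native ESP (IP protocol 50) or ESP-in-UDP on port 4500 (NAT traversal, RFC 3947/3948) and reports which case the capture shows. The addresses and packets are constructed; 203.0.113.10 stands in for the firewall's public address.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # IKE, and IKE/ESP-in-UDP used by NAT traversal

def ip_packet(proto, src, dst, payload):
    """Constructed test data: minimal IPv4 header (checksum left at 0) + payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def udp(sport, dport, data):
    """Constructed test data: UDP header (checksum 0) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Return (source address, kind) for one raw IPv4 packet."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, body = ".".join(map(str, pkt[12:16])), pkt[ihl:]
    if proto == PROTO_ESP:
        return src, "esp"
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if IKE_PORT in (sport, dport):
            return src, "ike"
        if NATT_PORT in (sport, dport):
            if data == b"\xff":                  # one-byte NAT keepalive
                return src, "keepalive"
            # On UDP 4500, four zero bytes (non-ESP marker) prefix IKE; anything else is ESP.
            return src, "ike" if data[:4] == b"\0" * 4 else "esp-in-udp"
    return src, "other"

def diagnose(packets, client, gateway):
    """Summarise a capture taken on the client side of the NAT router."""
    seen = {classify(p) for p in packets}
    both = lambda kind: (client, kind) in seen and (gateway, kind) in seen
    if not both("ike"):
        return "ike-incomplete"
    if both("esp-in-udp"):
        return "nat-t-ok"
    if both("esp"):
        return "esp-ok"
    if (client, "esp") in seen:
        return "esp-blocked"      # tunnel negotiated, native ESP sent, nothing returns
    return "no-data-traffic"

CLIENT, GATEWAY = "192.168.2.100", "203.0.113.10"           # constructed addresses
ESP = b"\x12\x34\x56\x78" + b"\0\0\0\x01" + b"\xaa" * 16    # SPI, sequence, opaque data
BEHIND_NAT = [ip_packet(PROTO_UDP, CLIENT, GATEWAY, udp(500, 500, b"ike")),
              ip_packet(PROTO_UDP, GATEWAY, CLIENT, udp(500, 500, b"ike")),
              ip_packet(PROTO_ESP, CLIENT, GATEWAY, ESP)]
WITH_NATT = BEHIND_NAT[:2] + [
    ip_packet(PROTO_UDP, CLIENT, GATEWAY, udp(4500, 4500, ESP)),
    ip_packet(PROTO_UDP, GATEWAY, CLIENT, udp(4500, 4500, ESP))]
```

A result of `esp-blocked` matches the situation described in the thread: the handshake on UDP 500 survives the router, but protocol-50 traffic does not return, which is what enabling NAT traversal on the gateway is meant to address.
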
  9.

    Mike Drechsler - SPAM PROTECTED EMAIL wrote:

    >> Martin -
    >>
    >> Just to be clear, my router is the one that is fine - it's my user's
    >> router which is the one that doesn't work, even though the settings
    >> look pretty similar. As for the protocol rules - there are no rules
    >> specifically forbidding the outgoing ports. And if so, surely I
    >> wouldn't have had a VPN connection in the first place? Looking at
    >> the logs, it seems that the initial handshaking seems to go fine.
    >> It's only when I ping a host on the other side of the firewall when
    >> no reply is found.
    >>
    >> --
    >> Mark
    >
    > You have 3 options.
    >
    > 1. Upgrade the firmware on the user's D-Link router. Myself I have
    > never known Dlink consumer routers to pass IPSec traffic unless the
    > gateway VPN router supports some kind of NAT traversal. Perhaps they
    > have developed a newer firmware that passes standard IPSec session
    > traffic properly.
    >
    > 2. Change the settings on your VPN gateway at work to use NAT
    > traversal.
    >
    > 3. Replace the D-Link router with something that does support IPsec
    > session traffic.

    Mike -

    Thanks for the suggestions. I am bound to try all three of them. But
    before that, I think I am going to have to do some serious studying. I admit
    to being a complete dilettante in this field!

    --
    Mark Bertenshaw
    Kingston upon Thames
    UK
  10.

    Mark Alexander Bertenshaw wrote:
    > Mike Drechsler - SPAM PROTECTED EMAIL wrote:
    >
    >
    >>>Martin -
    >>>
    >>>Just to be clear, my router is the one that is fine - it's my user's
    >>>router which is the one that doesn't work, even though the settings
    >>>look pretty similar. As for the protocol rules - there are no rules
    >>>specifically forbidding the outgoing ports. And if so, surely I
    >>>wouldn't have had a VPN connection in the first place? Looking at
    >>>the logs, it seems that the initial handshaking seems to go fine.
    >>>It's only when I ping a host on the other side of the firewall when
    >>>no reply is found.
    >>>
    >>>--
    >>>Mark
    >>
    >>You have 3 options.
    >>
    >>1. Upgrade the firmware on the user's D-Link router. Myself I have
    >>never known Dlink consumer routers to pass IPSec traffic unless the
    >>gateway VPN router supports some kind of NAT traversal. Perhaps they
    >>have developed a newer firmware that passes standard IPSec session
    >>traffic properly.
    >>
    >>2. Change the settings on your VPN gateway at work to use NAT
    >>traversal.
    >>
    >>3. Replace the D-Link router with something that does support IPsec
    >>session traffic.
    >
    >
    > Mike -
    >
    > Thanks for the suggestions. I am bound to try all three of them. But
    > before that, I think I am going to have to do some serious studying. I admit
    > to being a complete dilettante in this field!
    >
    > --
    > Mark Bertenshaw
    > Kingston upon Thames
    > UK

    Routers and firewalls on the client end do tend to throw a monkey wrench
    (spanner) :) into the mix when it comes to VPN.

    But you are already ahead of the game if you have things working under
    the direct connection to the internet environment. Most people find it
    a struggle to get their VPN tunnels to come up under the simplest of
    environments.

    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
  11.

    Hi,

    In such situations the following Command Line's command usually solves
    all problems:

    route add <LAN_IP> mask <LAN_MASK> <router_WAN_IP>
    (use add -p for permanent routing -- 2000 and XP only)

    for example, when your router has static WAN IP 200.1.1.1 and the LAN
    is 192.168.0.*, then:

    route add 192.168.0.0 mask 255.255.255.0 200.1.1.1 should be enough for
    pinging into LAN successfully and for connecting to LAN shares via
    their IP addresses (e.g. Start|Run \\192.168.0.3\ShareName)

    Two remarks.
    Router needs to have the static WAN IP (or you need to know/guess its
    current one)
    Remote IP must be in another IP schema than LAN schema. In above case:
    e.g. 192.168.1.*. If not, a conflict occurs.


    Cheers
    Tomek