Cannot ping VPN network via D-Link DI-624 wireless router.

Anonymous
December 14, 2004 8:55:14 PM

Archived from groups: comp.dcom.vpn

Hi -

I have a user who normally connects his laptop to our network through our
Netscreen 5GT box, using the Netscreen VPN Client v9. His internet
connection is via a cable modem, and this has worked relatively fine up to
now.

Recently, he bought a D-Link DI-624 wireless router, and connected this to
the cable modem via its WAN port. Again, at first this seems to work. The
laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
the router - fine. Using the Netscreen client software, you can make a
connection to our firewall - fine. Unfortunately, when you ping the IP
address of our server - 192.168.0.2, or even the internal IP address of the
firewall - 192.168.0.1, you don't get any reply at all.

To confuse matters, the laptop has recently had Norton Internet Security
2004 installed. However, disabling the personal firewall component doesn't
seem to make any difference.

Oh, and the PPTP and IPSec pass-through boxes have been checked on the
router.

--
Mark Bertenshaw
LEAX Controls Ltd
Anonymous
December 14, 2004 8:55:15 PM

On Tue, 14 Dec 2004 17:55:14 +0000, news.plus.net wrote:

> Hi -
>
> I have a user who normally connects his laptop to our network through our
> Netscreen 5GT box, using the Netscreen VPN Client v9. His internet
> connection is via a cable modem, and this has worked relatively fine up to
> now.
>
> Recently, he bought a D-Link DI-624 wireless router, and connected this to
> the cable modem via its WAN port. Again, at first this seems to work. The
> laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
> the router - fine. Using the Netscreen client software, you can make a
> connection to our firewall - fine. Unfortunately, when you ping the IP
> address of our server - 192.168.0.2, or even the internal IP address of the
> firewall - 192.168.0.1, you don't get any reply at all.
>
> To confuse matters, the laptop has recently had Norton Internet Security
> 2004 installed. However, disabling the personal firewall component doesn't
> seem to make any difference.
>
> Oh, and the PPTP and IPSec pass-through boxes have been checked on the
> router.

Many things could be wrong. The numbering implies that you have two
networks, 192.168.0.0/24 and 192.168.2.0/24. Does the D-Link router route
both of these networks? Do the server and firewall (inside interface)
point to the D-Link as their gateway? Does the VPN client point to the
D-Link as its gateway? Are the server and firewall running Windows XP with
the default firewall turned on? If so, can they even ping one another?
Anonymous
December 14, 2004 10:49:31 PM

Erik Freitag wrote:
> On Tue, 14 Dec 2004 17:55:14 +0000, news.plus.net wrote:
>
>> Hi -
>>
>> I have a user who normally connects his laptop to our network
>> through our Netscreen 5GT box, using the Netscreen VPN Client v9.
>> His internet connection is via a cable modem, and this has worked
>> relatively fine up to now.
>>
>> Recently, he bought a D-Link DI-624 wireless router, and connected
>> this to the cable modem via its WAN port. Again, at first this
>> seems to work. The laptop gains a private IP address on the
>> 192.168.2.x subnet via DHCP from the router - fine. Using the
>> Netscreen client software, you can make a connection to our firewall
>> - fine. Unfortunately, when you ping the IP address of our server -
>> 192.168.0.2, or even the internal IP address of the firewall -
>> 192.168.0.1, you don't get any reply at all.
>>
>> To confuse matters, the laptop has recently had Norton Internet
>> Security 2004 installed. However, disabling the personal firewall
>> component doesn't seem to make any difference.
>>
>> Oh, and the PPTP and IPSec pass-through boxes have been checked on
>> the router.
>
> Many things could be wrong. The numbering implies that you have two
> networks, 192.168.0.0/24 and 192.168.2.0/24.

That's correct. The 192.168.0.0/24 network contains our company's server
and the internal side of the firewall. The firewall is connected
physically to the internet via another router, although both have public IP
addresses. The 192.168.2.0/24 network is my user's internal network, which
I deliberately set so that I wouldn't conflict with the company's range.

> Does the D-Link router route both of these networks?

The D-Link router routes the user's private network to the internet.

> Do the server and firewall (inside interface) point to the D-Link as their
> gateway?

No (see above).

> Does the VPN client point to the D-Link as its gateway?

No, it doesn't. Ah, sorry - it occurred to me that I didn't mention that
the router has NAT turned on. The VPN client software points to the public
IP address of the firewall.

> Are the server and firewall running Windows XP with the default firewall
> turned on?

The server is running Win2000 Server, which runs ISA. The firewall is a
stand-alone box. However, I can't see how this affects my situation, since
I can't ping the private side of the firewall from the Netscreen client, and
the server is beyond that point.


--
Mark Bertenshaw
Kingston upon Thames
UK
Anonymous
December 14, 2004 10:53:29 PM

In addendum to the above, I thought I ought to add the Netscreen client
settings:

Connection Security: Secure
ID Type: IP subnet
Subnet: 192.168.0.0
Mask: 255.255.255.0
Protocol: All
Connect using Secure Gateway Tunnel
ID Type: IP Address


The security policy uses Aggressive Mode.

--
Mark Bertenshaw
Kingston upon Thames
UK
Anonymous
December 14, 2004 11:34:12 PM

Mark Alexander Bertenshaw wrote:
> In addendum to the above, I thought I ought to add the Netscreen client
> settings:
>
> Connection Security: Secure
> ID Type: IP subnet
> Subnet: 192.168.0.0
> Mask: 255.255.255.0
> Protocol: All
> Connect using Secure Gateway Tunnel
> ID Type: IP Address
>
>
> The security policy uses Aggressive Mode.
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK
>
>

Have the user remove the D-Link router to verify the settings still work.
If it works then your setup is not compatible with a NAT home router.
Consult with Netscreen at that point to find out if they have
something to support NAT traversal.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
December 15, 2004 2:12:25 AM

Mike Drechsler - SPAM PROTECTED EMAIL wrote:
> Mark Alexander Bertenshaw wrote:
>> In addendum to the above, I thought I ought to add the Netscreen
>> client settings:
>>
>> Connection Security: Secure
>> ID Type: IP subnet
>> Subnet: 192.168.0.0
>> Mask: 255.255.255.0
>> Protocol: All
>> Connect using Secure Gateway Tunnel
>> ID Type: IP Address
>>
>>
>> The security policy uses Aggressive Mode.
>>
>> --
>> Mark Bertenshaw
>> Kingston upon Thames
>> UK
>>
>>
>
> Have the user remove the D-Link router to verify the settings still
> work. If it works then your setup is not compatible with a NAT home
> router. Consult with Netscreen at that point to find out if they
> have something to support NAT traversal.

Well, the VPN worked over the internet when there wasn't a router - just a
cable modem, so you have a point! However, to be fair, whilst I haven't got
the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
in pretty much the same configuration (in terms of NATting), and it seems to
work fine.

--
Mark Bertenshaw
Kingston upon Thames
UK
Anonymous
December 17, 2004 1:02:10 PM

Mark Alexander Bertenshaw wrote:
>
> Well, the VPN worked over the internet when there wasn't a router - just a
> cable modem, so you have a point! However, to be fair, whilst I haven't got
> the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
> in pretty much the same configuration (in terms of NATting), and it seems to
> work fine.
>

Outgoing NATting should never be a problem.

Maybe your home router has firewall rules forbidding your port/protocol
combination from getting through?

--
Martin Bodenstedt

www.landtag-bw.de / www.die-bodenstedts.de
Anonymous
December 17, 2004 3:33:53 PM

"Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
news:cpu7ai$8oi$1@news.BelWue.DE...
> Mark Alexander Bertenshaw wrote:
> >
> > Well, the VPN worked over the internet when there wasn't a router - just a
> > cable modem, so you have a point! However, to be fair, whilst I haven't got
> > the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
> > in pretty much the same configuration (in terms of NATting), and it seems to
> > work fine.
> >
>
> Outgoing NATting should never be a problem.
>
> Maybe your home router has firewall rules forbidding your port/protocol
> combination from getting through?
>
> Martin Bodenstedt

Martin -

Just to be clear, my router is the one that is fine - it's my user's router
which is the one that doesn't work, even though the settings look pretty
similar. As for the protocol rules - there are no rules specifically
forbidding the outgoing ports. And if so, surely I wouldn't have had a VPN
connection in the first place? Looking at the logs, it seems that the
initial handshaking seems to go fine. It's only when I ping a host on the
other side of the firewall when no reply is found.

--
Mark
Anonymous
December 17, 2004 10:35:43 PM

Mark Alexander Bertenshaw wrote:
> "Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
> news:cpu7ai$8oi$1@news.BelWue.DE...
>
>>Mark Alexander Bertenshaw wrote:
>>
>>>Well, the VPN worked over the internet when there wasn't a router - just a
>>>cable modem, so you have a point! However, to be fair, whilst I haven't got
>>>the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
>>>in pretty much the same configuration (in terms of NATting), and it seems to
>>>work fine.
>>>
>>
>>Outgoing NATting should never be a problem.
>>
>>Maybe your home router has firewall rules forbidding your port/protocol
>>combination from getting through?
>>
>>Martin Bodenstedt
>
>
> Martin -
>
> Just to be clear, my router is the one that is fine - it's my user's router
> which is the one that doesn't work, even though the settings look pretty
> similar. As for the protocol rules - there are no rules specifically
> forbidding the outgoing ports. And if so, surely I wouldn't have had a VPN
> connection in the first place? Looking at the logs, it seems that the
> initial handshaking seems to go fine. It's only when I ping a host on the
> other side of the firewall when no reply is found.
>
> --
> Mark

You have 3 options.

1. Upgrade the firmware on the user's D-Link router. Myself I have never
known D-Link consumer routers to pass IPSec traffic unless the gateway
VPN router supports some kind of NAT traversal. Perhaps they have
developed a newer firmware that passes standard IPSec session traffic
properly.

2. Change the settings on your VPN gateway at work to use NAT traversal.

3. Replace the D-Link router with something that does support IPsec
session traffic.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
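
Added example (not part of any post in this thread): the symptom discussed above, handshake succeeds but pings through the tunnel get no reply, can be confirmed from a packet capture on the laptop by separating IKE (UDP 500), raw ESP (IP protocol 50) and NAT-T traffic (UDP 4500, RFC 3948). The function names, the laptop address 192.168.2.10 and the gateway address 203.0.113.1 are assumptions made for the sketch, and the packets are constructed, not captured.

```python
import socket, struct
from collections import Counter
IKE, NATT, UDP, ESP = 500, 4500, 17, 50  # UDP ports 500/4500; IP protocols 17/50

def classify(pkt: bytes) -> str:
    """Label a raw IPv4 packet: ike, esp, natt-ike, natt-esp or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP:
        return "esp"
    if proto != UDP or len(pkt) < ihl + 8:
        return "other"
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if IKE in ports:
        return "ike"
    if NATT in ports:
        # Four zero bytes (non-ESP marker) mean IKE; the rest is treated as
        # UDP-encapsulated ESP (1-byte keepalives are not separated out).
        return "natt-ike" if pkt[ihl + 8:ihl + 12] == b"\0" * 4 else "natt-esp"
    return "other"

def diagnose(packets, client_ip: str) -> str:
    """Reduce a client-side capture to the likely failure point."""
    me, seen = socket.inet_aton(client_ip), Counter()
    for pkt in packets:
        seen[classify(pkt), "out" if pkt[12:16] == me else "in"] += 1
    if not (seen["ike", "in"] or seen["natt-ike", "in"]):
        return "no IKE reply: negotiation is failing"
    if seen["esp", "in"] or seen["natt-esp", "in"]:
        return "tunnel data returning: problem is beyond the NAT device"
    if seen["esp", "out"]:
        return "IKE ok, raw ESP sent, none returned: NAT-T not in use"
    if seen["natt-esp", "out"]:
        return "NAT-T in use, no return traffic: check gateway policy"
    return "IKE ok, no tunnel traffic seen"

def ipv4(src, dst, proto, body):  # builds the constructed sample packets
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

C, G = "192.168.2.10", "203.0.113.1"  # constructed: laptop behind NAT, placeholder gateway
ike, esp = b"\x11" * 28, struct.pack("!II", 0x1000, 1) + b"\0" * 32
THREAD_CASE = [ipv4(C, G, UDP, udp(IKE, IKE, ike)), ipv4(G, C, UDP, udp(IKE, IKE, ike)),
               ipv4(C, G, ESP, esp), ipv4(C, G, ESP, esp)]
NATT_CASE = [ipv4(C, G, UDP, udp(NATT, NATT, b"\0" * 4 + ike)),
             ipv4(G, C, UDP, udp(NATT, NATT, b"\0" * 4 + ike)),
             ipv4(C, G, UDP, udp(NATT, NATT, esp)), ipv4(G, C, UDP, udp(NATT, NATT, esp))]
```

`diagnose(THREAD_CASE, C)` reports raw ESP leaving with nothing coming back, which is the pattern options 1 to 3 above address; `NATT_CASE` shows the same exchange once both ends have moved to UDP 4500.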
Anonymous
December 18, 2004 3:40:44 AM

Mike Drechsler - SPAM PROTECTED EMAIL wrote:

>> Martin -
>>
>> Just to be clear, my router is the one that is fine - it's my user's
>> router which is the one that doesn't work, even though the settings
>> look pretty similar. As for the protocol rules - there are no rules
>> specifically forbidding the outgoing ports. And if so, surely I
>> wouldn't have had a VPN connection in the first place? Looking at
>> the logs, it seems that the initial handshaking seems to go fine.
>> It's only when I ping a host on the other side of the firewall when
>> no reply is found.
>>
>> --
>> Mark
>
> You have 3 options.
>
> 1. Upgrade the firmware on the user's D-Link router. Myself I have
> never known D-Link consumer routers to pass IPSec traffic unless the
> gateway VPN router supports some kind of NAT traversal. Perhaps they
> have developed a newer firmware that passes standard IPSec session
> traffic properly.
>
> 2. Change the settings on your VPN gateway at work to use NAT
> traversal.
>
> 3. Replace the D-Link router with something that does support IPsec
> session traffic.

Mike -

Thanks for the suggestions. I am bound to try all three of them. But
before that, I think I am going to have to do some serious studying. I admit
to being a complete dilettante in this field!

--
Mark Bertenshaw
Kingston upon Thames
UK
Anonymous
December 18, 2004 7:18:39 AM

Mark Alexander Bertenshaw wrote:
> Mike Drechsler - SPAM PROTECTED EMAIL wrote:
>
>
>>>Martin -
>>>
>>>Just to be clear, my router is the one that is fine - it's my user's
>>>router which is the one that doesn't work, even though the settings
>>>look pretty similar. As for the protocol rules - there are no rules
>>>specifically forbidding the outgoing ports. And if so, surely I
>>>wouldn't have had a VPN connection in the first place? Looking at
>>>the logs, it seems that the initial handshaking seems to go fine.
>>>It's only when I ping a host on the other side of the firewall when
>>>no reply is found.
>>>
>>>--
>>>Mark
>>
>>You have 3 options.
>>
>>1. Upgrade the firmware on the user's D-Link router. Myself I have
>>never known D-Link consumer routers to pass IPSec traffic unless the
>>gateway VPN router supports some kind of NAT traversal. Perhaps they
>>have developed a newer firmware that passes standard IPSec session
>>traffic properly.
>>
>>2. Change the settings on your VPN gateway at work to use NAT
>>traversal.
>>
>>3. Replace the D-Link router with something that does support IPsec
>>session traffic.
>
>
> Mike -
>
> Thanks for the suggestions. I am bound to try all three of them. But
> before that, I think I am going to have to do some serious studying. I admit
> to being a complete dilettante in this field!
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK

Routers and firewalls on the client end do tend to throw a monkey wrench
(spanner) :)  into the mix when it comes to VPN.

But you are already ahead of the game if you have things working under
the direct connection to the internet environment. Most people find it
a struggle to get their VPN tunnels to come up under the simplest of
environments.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
January 28, 2005 1:05:57 AM

Hi,

In such situations the following command-line command usually solves
all problems:

route add <LAN_IP> mask <LAN_MASK> <router_WAN_IP>
(use add -p for permanent routing -- 2000 and XP only)

for example, when your router has static WAN IP 200.1.1.1 and the LAN
is 192.168.0.*, then:

route add 192.168.0.0 mask 255.255.255.0 200.1.1.1 should be enough for
pinging into LAN successfully and for connecting to LAN shares via
their IP addresses (e.g. Start|Run \\192.168.0.3\ShareName)

Two remarks.
Router needs to have the static WAN IP (or you need to know/guess its
current one)
Remote IP must be in another IP schema than LAN schema. In above case:
e.g. 192.168.1.*. If not, a conflict occurs.


Cheers
Tomek