
VPN Connection Help

Old 25 May 2004, 10:00 AM
  #1  
urban

Guys,

Do any of you know what the following could be?

I'm trying to set up a VPN connection to a remote location over an ADSL line. This is easily done, and appears to work... but

I wanted to use VNC to connect to a remote PC; it fails saying "Failed to connect to server". I can't ping any of the remote locations either.

The guys responsible for the remote router & network say there are no restrictions in place, and it must be something restricting access at our side.

How come, if the VPN connection connects correctly (although I can't browse their network)?

Thanks,

Shaun
Old 25 May 2004, 10:14 AM
  #2  
ozzy

The VPN only tells you that the TCP/IP connection between the two end-points has been established. It does nothing for routing packets or determining what protocols can be used across it.

Default TCP port for VNC is 5900 (for the viewer) and 5800 (for the web browser plug-in).

If you can't ping the remote devices, then there's a routing issue. You need a route defined at your end to get the packet to the remote location and they need a route set up to get the reply back to you.

Stefan
Old 25 May 2004, 10:24 AM
  #3  
Jiggerypokery

You can either use the LMHOSTS file to create associations between a server name and an IP address, or (easier) use the WINS number on your local machine, that way you can ping or browse to the name of the remote server and forget about IP addresses altogether.
Old 25 May 2004, 10:37 AM
  #4  
ozzy

Remember IP addressing is the underlying structure for any higher-level service such as host files, LMHOSTS, WINS or DNS.

You need to get IP working first, then you can ask what you need to resolve hostnames. If you want to browse the remote network then you'll either need to use LMHOSTS or WINS as Jiggerypokery suggested.

You can't browse with just IP alone since the NetBIOS names Windows uses aren't broadcast across routes - just the local network segments.

Stefan
Old 25 May 2004, 10:44 AM
  #5  
markr1963

You might want to check, if you're running a software firewall at your end, that it's not blocking netbios calls from the remote network. I had that problem when VPNing from home to work.

Mark
Old 28 May 2004, 10:28 AM
  #6  
urban

Originally Posted by markr1963
You might want to check, if you're running a software firewall at your end, that it's not blocking netbios calls from the remote network. I had that problem when VPNing from home to work.

Mark

Hi Mark,

OK, firstly we didn't set up the ADSL stuff here, another company did it for us.

However, I know that the guy in work who is looking into this for me can set up a VPN from his home to the remote site in question without any problems.

So your theory is probably more correct. I generally don't get involved in comms stuff, but I'm now having to get involved because of external grief coming my way from a customer requiring remote support NOW.

Any further guiding would be greatly appreciated.

Thanks,

Shaun
Old 28 May 2004, 10:45 AM
  #7  
Dream Weaver

I had this last week - it was my software firewall (Sygate).

Disabling it didn't work, I had to completely remove all traces of it from the PC.

VPN is now fine
Old 28 May 2004, 11:20 AM
  #8  
ozzy

If he does a tracert command it should show him where the pings are being blocked. e.g. if it stops at his IP address, then most likely a local firewall problem.

VPN theory is pretty basic. All you need is gateways and encryption/password settings to establish a link (done at both ends). If the VPN link is up and you can't even ping then it's something pretty basic that's not working.

Forget NETBIOS or any other high-level service (i.e. network browsing, VNC, etc..) until you can get basic PING comms between two devices across the VPN - anything else just confuses the issue.

That's not to say that some high-level software (such as a personal firewall) is blocking comms. Make sure any firewall logs traffic or better yet is set to prompt you when access is blocked.

Get the basic PING working first before worrying about running additional services across it. Keep it simple when it comes to IT.

Stefan
Old 28 May 2004, 11:59 AM
  #9  
urban

Originally Posted by ozzy
Keep it simple when it comes to IT.

Stefan

Ozzy,

I'm a firm believer in that statement.

Was going to try what you said, but someone has been fecking about with things as the VPN connection cannot be established at present.

I'll try later.

Thanks,

Shaun
Old 28 May 2004, 01:17 PM
  #10  
Puff The Magic Wagon!

urban

Any *single* user should be able to connect without the need for lmhosts file in the majority of cases (as DHCP will allocate an IP to the machine therefore making it appear as a local machine on the same IP segment) but if you're connecting from a network to another network, don't forget there will be a local IP range and a remote IP range and just the connection will have an IP allocated. The local machines have to know where to look to access the remote network. Also, you will have problems if you are both using the same IP range in your networks.

Lmhosts should at least include the name of the primary server or RAS server at the remote location and its IP address.


But I guess we need to know how your VPN is set up - is it MS VPN and RAS or is it router to router only?
Old 28 May 2004, 01:57 PM
  #11  
urban

Puff,

OK, asking a developer things like "How's it setup" is probably a real bad idea.

Just reading your post,

Their router IP address is a 194.222.168.xx address
The machine on their network with VNC installed on is 192.168.0.xxx (static address I believe?)

My router address is 192.168.1.xxx (I think, based on my default gateway)
My machine address is 192.168.1.xx (static)
My server address is 192.168.1.xx (static)

My problem at the moment, is that the guy who actually knows about this stuff is on a course for 3 fecking days, he just rang me last night to tell me that he's able to get it working from home.

I've also got a really fecking grumpy customer at the moment. You probably know the kind, wants something done and RIGHT FECKING NOW, but he's about 140 miles away.

If the tracert output helps in any way, then I'm happy to email it or PM it to someone.

Thanks a lot guys,

Shaun
Old 28 May 2004, 01:59 PM
  #12  
urban

Oops,

My machine also has a preferred DNS & Alternative of
217.79.96.XX

Thanks,

Shaun
Old 28 May 2004, 02:10 PM
  #13  
ozzy

Are you connecting a network -> network VPN connection? i.e. are you using the VPN support on your router (if any)?

DNS, WINS, LMHOSTS are all irrelevant until the VPN is established and you can actually route packets from your private LAN (192.168.1.x) to their private LAN (192.168.0.x).

You need to know the public IP address of their VPN gateway and your own public IP Address (your router, if it's a network VPN connection).

If it's using basic IPSec, then all you need to specify on either end is:-

Their public gateway IP address
Their subnet addressing (i.e. 192.168.0.x/255.255.255.0)
The shared secret VPN password

AND

Your public gateway IP address
Your subnet addressing (i.e. 192.168.1.x/255.255.255.0)
The same shared secret VPN password

It gets more complicated when you start introducing certificates and encryption methods. For that anyone would need to know the exact make/model of the devices at both ends hosting the VPN tunnel.

Stefan
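
A consistency check for the two mirrored tunnel definitions listed in the post above, also catching the overlapping-range problem raised earlier in the thread. This is an added example, not part of the original posts: the TunnelEnd structure, the function name, the 203.0.113.10 address and the secrets are constructed for illustration and are not a router's configuration format.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelEnd:            # hypothetical structure for this example
    name: str
    public_ip: str          # this site's public gateway address
    local_net: str          # this site's private subnet
    peer_public_ip: str     # where this end believes the other gateway is
    peer_net: str           # subnet this end will send into the tunnel
    secret: str             # shared secret configured at this end

def check_pair(a, b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x.peer_public_ip) != ipaddress.ip_address(y.public_ip):
            problems.append(f"{x.name}: peer gateway is not {y.name}'s public address")
        if ipaddress.ip_network(x.peer_net) != ipaddress.ip_network(y.local_net):
            problems.append(f"{x.name}: remote subnet differs from {y.name}'s LAN")
    # Identical or nested LAN ranges leave neither side able to tell local from remote.
    if ipaddress.ip_network(a.local_net).overlaps(ipaddress.ip_network(b.local_net)):
        problems.append("both LANs use overlapping address ranges")
    if not hmac.compare_digest(a.secret.encode(), b.secret.encode()):
        problems.append("shared secrets differ")
    return problems

# Constructed sample data; the subnets follow the 192.168.1.x / 192.168.0.x
# layout described in the thread, written in netmask notation as in the post.
OURS = TunnelEnd("ours", "203.0.113.10", "192.168.1.0/255.255.255.0",
                 "194.222.198.63", "192.168.0.0/255.255.255.0", "constructed-secret")
THEIRS = TunnelEnd("theirs", "194.222.198.63", "192.168.0.0/255.255.255.0",
                   "203.0.113.10", "192.168.1.0/255.255.255.0", "constructed-secret")
# A remote end that was set up on the same range as our LAN, with a typo'd secret.
THEIRS_BAD = TunnelEnd("theirs", "194.222.198.63", "192.168.1.0/24",
                       "203.0.113.10", "192.168.1.0/24", "constructed-secrte")

if __name__ == "__main__":
    print(check_pair(OURS, THEIRS))
    for line in check_pair(OURS, THEIRS_BAD):
        print(line)
```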
Old 28 May 2004, 02:34 PM
  #14  
urban

Originally Posted by ozzy
Are you connecting a network -> network VPN connection? i.e. are you using the VPN support on your router (if any)?

DNS, WINS, LMHOSTS are all irrelevant until the VPN is established and you can actually route packets from your private LAN (192.168.1.x) to their private LAN (192.168.0.x).

You need to know the public IP address of their VPN gateway and your own public IP Address (your router, if it's a network VPN connection).

If it's using basic IPSec, then all you need to specify on either end is:-

Their public gateway IP address
Their subnet addressing (i.e. 192.168.0.x/255.255.255.0)
The shared secret VPN password

AND

Your public gateway IP address
Your subnet addressing (i.e. 192.168.1.x/255.255.255.0)
The same shared secret VPN password

It gets more complicated when you start introducing certificates and encryption methods. For that anyone would need to know the exact make/model of the devices at both ends hosting the VPN tunnel.

Stefan

Stefan,

I know we are using PPTP, not IPSec

Their public IP Address is 194.222.198.63
The PC address I want to use eventually is 192.168.0.111

Our Router Address is 192.168.1.254
My PC address is 192.168.1.15

The routers at both ends are Vigor 2600's

:Confused:

Thanks,

Shaun
Old 28 May 2004, 02:44 PM
  #15  
ozzy

If you have XP on your PC, you could just create a new VPN connection using the dial-in PPTP settings. You'll just need a username/password set up on the remote router.

If you want a router -> router connection then all the settings will be in the Vigor 2600's. A default route on your side to your own router is all that's needed.

The remote PC you want to connect to must have a route back to the other Vigor 2600. Either it's the default route or another router has a route definition for your network.

Stefan
Old 28 May 2004, 02:46 PM
  #16  
ozzy

This covers the basic LAN -> LAN VPN setup on a router.

Stefan

Last edited by ozzy; 28 May 2004 at 02:52 PM.
Old 28 May 2004, 02:51 PM
  #17  
ozzy

So, in the above example you would need to know the following:-

your public IP address
their public IP address

Their router would need a definition for your LAN connection, so that it can authenticate you and tell other devices about the route to your network.

Likewise your router will need a definition to their LAN, so that it knows how to get packets for their network to them over the VPN link.

There's some manuals for your router here

You just need to decide whether you want a tele-worker VPN connection i.e. one PC on your network to their LAN or a LAN->LAN VPN i.e. all your PCs to all their PCs.

Stefan
Old 28 May 2004, 03:03 PM
  #18  
urban

Originally Posted by ozzy


This covers the basic LAN -> LAN VPN setup on a router.

Stefan

Stefan,

The tracert shows this (with the VPN connected)

C:\Documents and Settings\shaun>tracert 194.222.198.63

Tracing route to ballyrashane.demon.co.uk [194.222.198.63]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 192.168.1.254
2 30 ms 40 ms 40 ms lns-1.managedbroadband.co.uk [217.79.96.209]
3 30 ms 30 ms 30 ms f0-0.core1.tchx.lon.uk.griffin.com [217.79.96.1]
4 40 ms 30 ms 30 ms linx-1.router.demon.net [195.66.224.12]
5 40 ms 40 ms 30 ms anchor-service-2-3-8.router.demon.net [194.159.7.205]
6 40 ms 31 ms 30 ms anchor-inside-2-g3-0-0-293.router.demon.net [194.70.98.61]
7 30 ms 30 ms 30 ms anchor-access-2-s292.router.demon.net [194.70.98.66]
8 50 ms 50 ms 60 ms gyle-du-99.access.demon.net [194.159.254.99]
9 * * * Request timed out.
10 * * * Request timed out.
11 * ^C
C:\Documents and Settings\shaun>


Shaun
Old 28 May 2004, 03:06 PM
  #19  
ozzy

Do a tracert on a remote PC IP address (192.168.0.x) with the VPN connected.

Stefan
Old 28 May 2004, 03:08 PM
  #20  
ozzy

BTW, if I tracert that address it times out at the same router

8 50 ms 50 ms 60 ms gyle-du-99.access.demon.net [194.159.254.99]

Doesn't really tell us that much as the client's router may reject ICMP ping commands.

Stefan
Old 28 May 2004, 03:16 PM
  #21  
urban

Originally Posted by ozzy
BTW, if I tracert that address it times out at the same router

8 50 ms 50 ms 60 ms gyle-du-99.access.demon.net [194.159.254.99]

Doesn't really tell us that much as the client's router may reject ICMP ping commands.

Stefan

Pretty much times out immediately.

Doesn't really tell us that much as the client's router may reject ICMP ping commands.

Would ping still be rejected if the VPN wasn't connected?

Shaun
Old 28 May 2004, 03:22 PM
  #22  
ozzy

Yes.

If the VPN is connected or not and you try to ping a public IP address, then it will just use the routes from your local ISP's router to find it.

It will ONLY route packets across the VPN if the router has the VPN link defined.

So, if you ping 194.xxx.xxx.xxx, then it'll ask your router (default gateway) how the heck to get there. If it doesn't know, it asks its default gateway and (being a correct, registered public address) your ISP's router (the one your ADSL one dials into) should tell it the route list.

If you ping a private IP address i.e. 192.168.x.x then as this isn't a public address your router and any other shouldn't have a clue where that is.

If you have the VPN connections defined, then when you ping that address your router should know it's at the other end of the VPN tunnel, bring up the connection and then route packets across it. At the lower level, yes it's using the same route to get to the 194 address, but since it's encapsulated you shouldn't see these routes appear in your tracert.

You should get something like:-

tracert 192.168.0.10

192.168.1.254 - your router
192.168.0.254 - their router (I just picked this address)
192.168.0.10 - the destination

Stefan
Old 28 May 2004, 03:25 PM
  #23  
ozzy

We have an IPSec VPN between two offices. Here's the tracert route from my PC to one of our servers in the remote office.

U:\>tracert 192.168.54.10

Tracing route to 192.168.54.10 over a maximum of 30 hops

1 1 ms 3 ms 3 ms net-liv-bskyb [192.168.10.10]
2 3 ms 1 ms 2 ms svr-liv-fw1 [192.168.10.1]
3 * * * Request timed out.
4 38 ms 38 ms 42 ms 192.168.54.10

Trace complete.

U:\>

The first is my default router (an internal Cisco router)
Second is our firewall's private address
Third is the timeout from our remote firewall (ICMP ping disabled)
Fourth is the final response from the remote server

It doesn't show any of the public IP addresses because as far as my PC is concerned they don't exist - it's the two firewalls at each office that make the networks appear locally. All the routes in between are hidden to the client. This is why it's called a Virtual Private Network.

Stefan
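
The way of reading tracert output described in the two posts above, as an added example that is not part of the thread. The hop lines in the first two samples are copied (abbreviated) from the traces quoted in the thread, the two short traces to 192.168.0.111 are constructed, and the function names and verdict labels are made up here.

```python
import ipaddress
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                   # "8 50 ms 50 ms ..."
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")   # address ends the line

def parse_hops(trace):
    """Return [(hop_number, address_or_None)] from Windows tracert output."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner, blank line, "Trace complete."
        ip = IP_RE.search(m.group(2))     # None for "* * * Request timed out."
        hops.append((int(m.group(1)),
                     ipaddress.ip_address(ip.group(1)) if ip else None))
    return hops

def diagnose(trace, target):
    """Classify a trace; the verdict strings are labels invented for this example."""
    target = ipaddress.ip_address(target)
    answered = [ip for _, ip in parse_hops(trace) if ip is not None]
    if not target.is_private:
        return "public-target"            # follows ISP routes, tunnel not involved
    if any(not ip.is_private for ip in answered):
        return "leaking-to-isp"           # private traffic left via the default route
    if target in answered:
        return "tunnel-ok"                # silent hops on the way do not matter
    if len(answered) <= 1:
        return "stops-at-local-gateway"   # local firewall or no VPN route defined
    return "lost-beyond-gateway"

# Copied (abbreviated) from the trace to the remote site's public address.
PUBLIC_TRACE = """\
1 <10 ms <10 ms <10 ms 192.168.1.254
2 30 ms 40 ms 40 ms lns-1.managedbroadband.co.uk [217.79.96.209]
8 50 ms 50 ms 60 ms gyle-du-99.access.demon.net [194.159.254.99]
9 * * * Request timed out.
11 * ^C
"""
# Copied from the working IPSec trace between the two offices.
TUNNEL_TRACE = """\
Tracing route to 192.168.54.10 over a maximum of 30 hops
1 1 ms 3 ms 3 ms net-liv-bskyb [192.168.10.10]
2 3 ms 1 ms 2 ms svr-liv-fw1 [192.168.10.1]
3 * * * Request timed out.
4 38 ms 38 ms 42 ms 192.168.54.10
Trace complete.
"""
# Constructed: a private destination whose packets go out to the ISP.
LEAK_TRACE = """\
1 <10 ms <10 ms <10 ms 192.168.1.254
2 30 ms 40 ms 40 ms lns-1.managedbroadband.co.uk [217.79.96.209]
3 * * * Request timed out.
"""
# Constructed: nothing answers beyond the local router.
LOCAL_TRACE = """\
1 <10 ms <10 ms <10 ms 192.168.1.254
2 * * * Request timed out.
"""
```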
Old 28 May 2004, 03:29 PM
  #24  
urban

Stefan,

OK, what you're saying all makes sense to me, but to be honest it's all way too fecking complicated for me. I'll just hold my hands up and say "Sorry folks, but the guy who can really sort something out will do it on Tuesday".
And make up some real good excuse as to why it's not going to help going on site (won't be difficult, source code here etc).

Thanks for all your guidance Stefan, it's very much appreciated.

All the best,

Shaun
Old 28 May 2004, 03:34 PM
  #25  
ozzy

OK Shaun. It's difficult trying to explain it to anyone just in writing. If you get the guy to show you what needs doing and explain it, then you shouldn't have any problems. It really isn't as difficult as it may appear.

Cheers,
Stefan