Death Inc

General Forum => Tech Chat => Topic started by: DonutKing on 02/03/2012, 05:14 PM



Title: VPN help
Post by: DonutKing on 02/03/2012, 05:14 PM
Hoping someone might have an idea about this one...

Long and involved story but basically we've got a branch office that has lost its ADSL (which is actually an MPLS connection into our private network)

It's looking like it will be at least a week until it's resolved. So I've been trying to set up a VPN from the local server there using a Next-G USB internet dongle, into our firewall at corp. office. (It's not possible to get onto the MPLS through any other internet connection). The idea was to share the VPN connection on the server and change all the PCs to use the server for their gateway instead of the ADSL modem/router.

Now we've had VPN in place for a while, for mobile users to connect in and get an RDP session to their PCs and I've set up tunnels in interface mode between two routers... but I can't get traffic to go from corp office to the remote site.

I'm using an L2TP VPN with the windows client, I can connect from the remote site fine - but going the other way is just completely blocked.

Now I know it's not a configuration problem with the firewall because I can connect to it using my iPhone's L2TP client and I can ping and connect to it in both directions... but when it's a Windows PC on the other end, it only goes from remote client to firewall.

I've tried with a test laptop with a clean install of XP SP3, and the server at the remote site is 2003 SP2. No joy with either.
There is no firewall on the Windows machines. Windows FW is disabled and I even killed the ICS/FW service to make sure as part of testing. It does it even on a clean install of XP SP3.
It's not a routing problem from our corp office as I'm pinging/tracerouting from the CLI on the firewall - it drops completely dead after the firewall, yet the iPhone client happily responds. With the routes and firewall rules set up I can ping the iPhone from our corp office PCs, no luck with the Windows clients.

Any ideas? I'm tearing my hair out over this one.... We've got them running with RDP but I'd like to get a few other services running as well which requires transmitting both ways...


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 10:25 AM
Hey DK, are you still having issues? Any chance you can draw a rudimentary diagram just showing the main hop points/firewalls/nw segments?


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 12:25 PM
There's nothing to put on a diagram except the remote client and the firewall.


I'm certain it's a Windows config issue as the iPhone works with the same client IP. I've tried setting Win Server up using RRAS instead of just creating a VPN connection and sharing it, but no difference.


Title: Re: VPN help
Post by: naf on 06/03/2012, 01:09 PM
Have you tried tethering your iPhone to the server or test client at the remote site and then trying the L2TP VPN?
We had an issue in the past with Telstra 3G modems that could connect up fine to the internet, then appear to VPN OK (various clients), but they were then failing to add a route to their route tables for the gateway on the subnet that they had connected to at head office. Optus modems, various cable/DSL connections all worked fine... it appears a piece of proprietary software we were running was causing this to happen.

Comparing a route table from a working VPN to the non-working one showed the issue...
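The route-table comparison naf describes, as an added example that is not from the thread: a small Python script that parses two route print style IPv4 tables (constructed here, with addresses made up to match the 10.x carrier range and the 192.168.0.0/24 head-office subnet mentioned in this thread) and reports which routes the non-working client lacks for the head-office subnet.

```python
import ipaddress

# Constructed sample tables in the shape of the IPv4 section of Windows "route print"
# (Network Destination, Netmask, Gateway, Interface, Metric). Addresses are made up
# to match the ranges mentioned in the thread; nothing here is real capture data.
WORKING_CLIENT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.230.1.1     10.230.1.57      25
       10.230.0.0      255.255.0.0      10.230.1.57     10.230.1.57      25
      192.168.0.0    255.255.255.0    192.168.0.201   192.168.0.201       1
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1      50
"""
BROKEN_CLIENT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.230.1.1     10.230.1.57      25
       10.230.0.0      255.255.0.0      10.230.1.57     10.230.1.57      25
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1      50
"""

def parse_routes(table):
    """Return a set of (network, gateway, interface) from route-print style text."""
    routes = set()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header, blank and section lines are skipped
            continue
        dest, mask, gw, iface, _metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            iface_addr = ipaddress.IPv4Address(iface)
            # Vista and later print "On-link" for directly connected routes
            gw_addr = iface_addr if gw == "On-link" else ipaddress.IPv4Address(gw)
        except ValueError:
            continue                 # not an IPv4 route line
        routes.add((net, gw_addr, iface_addr))
    return routes

def missing_routes(working, broken):
    """Routes present on the working client but absent on the broken one."""
    return parse_routes(working) - parse_routes(broken)

def missing_routes_for(working, broken, subnet):
    """Subset of missing_routes() that would carry traffic for `subnet`; the default
    route is ignored because its absence would break everything, not just the VPN."""
    target = ipaddress.IPv4Network(subnet)
    return {r for r in missing_routes(working, broken)
            if r[0].prefixlen > 0 and r[0].supernet_of(target)}

if __name__ == "__main__":
    for net, gw, iface in sorted(missing_routes_for(WORKING_CLIENT, BROKEN_CLIENT, "192.168.0.0/24")):
        print(f"broken client lacks route {net} via {gw} on {iface}")
```

On a real client, paste the IPv4 table from route print on each machine in place of the constructed strings; a missing head-office route shows up as a line in the output.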


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 01:36 PM
I have already tried that, it doesn't seem to connect at all when tethered through the iPhone.


I did find that the shitty Telstra connection manager software doesn't set the routes correctly but even after adding them manually it only allows traffic out, not back in.


The Telstra thing gives a class A private IP (10.230.x.x) so maybe it's something funky on their NextG network


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 03:34 PM
(http://img851.imageshack.us/img851/6074/vpnq.jpg)

So is this something like what you're talking about? And you're trying to share the 3G connection of the server to all of the staff in the remote office?

Your L2TP, I take it, is publicly accessible via the public rtr? Via IP or name? Your 3G card, where does it terminate? In the .corp VPN cloud or publicly out on the web with Telstra?


Title: Re: VPN help
Post by: Mone on 06/03/2012, 04:21 PM
Hi Donut, I had a problem once where the VPN didn't like me coming from a 10. private address range, but as soon as I changed to a 198. range it was all good.


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 05:09 PM
That diagram looks correct although it's just complicating things - the VPN works perfectly one way from dialer to firewall, I just can't send traffic back down it once it's established (unless it's an iPhone)

Quote
and your trying to share the 3g connection of the server to all of the staff in the remote office?
No I'm trying to share the VPN connection (tried both ICS and RRAS) - this part is already working, but as said above only one way. That's enough for RDP but I wanted to get it working both ways for AD and email etc

The 3G dongle is nothing special, it's a standard one you can buy at any Telstra shop - it connects straight to the public internet but for some reason Telstra gives a 10.x address.

The L2TP VPN is publicly accessible via the firewall appliance. It has a public static IP and I'm connecting with the IP in the client VPN config. The router in front of it is not owned or managed by us. When I say I can't ping the VPN clients, I am trying from the firewall's CLI - so it's not a problem with routes on the corp network (as evidenced by the fact that I can ping the iPhone when it connects)



Mone I did read something about that - there's apparently a reg key you can change to allow that, I tried it but it made no difference.


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 06:27 PM
Quote
No I'm trying to share the VPN connection (tried both ICS and RRAS) - this part is already working, but as said above only one way. That's enough for RDP but I wanted to get it working both ways for AD and email etc
If RDP from the branch gets into the head office via the shared VPN connection of the server then I would look at your firewall. Check to see what src/dst ports and protocols are allowed through.

Just because the firewall (Cisco, Juniper, etc.) allows an inbound VPN connection doesn't mean that it will allow all the traffic originating over the VPN to wherever.


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 06:30 PM
As I've said, the firewall config is correct. All ports and protocols are allowed both ways to and from the vpn clients. I can connect to services running on the iPhone using the same VPN and client IP.


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 06:44 PM
Is the iPhone using the server's shared VPN connection, so it's using the wifi at the branch office, and not its own data connection? Because if it's using its own data, all that proves is that Public_Internet>Public_VPN_IP works.

With that, your server that is starting the connection should be able to connect in via the VPN and query AD. If not then you have a prob at your server.

Forget about ICS for the time being and get 1 thing to work perfectly.


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 07:01 PM
No I'm using the iPhone's own VPN client over its own data connection, there is no wifi at the remote site.

I'm not sure what the distinction here is between public Internet to public VPN working, as the Internet connection on the server IS a public connection.

I'm not worried about ICS as it's already working! Even without sharing the connection I can't go back to the remote site when the tunnel is up.
I can access all services such as AD etc at corp office from the remote site but corp office network can't see anything at the remote site.

I've explained all this in my previous posts, I'm starting to feel like a broken record....

I am quite certain it is a problem on the Windows server at this point, I am hoping someone with experience using the Windows VPN server can suggest a solution.



Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 07:25 PM
Now I get it, I must have missed that part.


Title: Re: VPN help
Post by: Syklone on 06/03/2012, 07:27 PM
Could you change it to an IPSec VPN or a PIP?


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 07:45 PM
Not sure if you said it, but can you ping the IP of the server's VPN connection? Not the 3G.


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 07:49 PM
Well the issue with IPSEC is that 2003 doesn't support it for clients with dynamic public IPs, and no dial-on-demand. So when the NextG internet drops out and reconnects with a different IP it will need to be reconfigured.
PPTP has some security issues so is not an option - I don't think it would make much difference though anyway.

PIP's not really an option, don't think it can be configured on the Windows end - besides this is only supposed to be a temporary solution, don't want to go to the effort of buying new equipment and setting that sort of thing up

I just tethered my iPhone to my PC and found that the phone also gets a public IP address in the 10.0.0.0/8 range, then creates a 172.16.0.0/16 network, and the PC gets an IP in this range. I'd say that this NAT is why I can't connect to the VPN using the Windows client when tethered to the phone but it works using the phone's own VPN client. Moreover it appears that my phone seems to be on the exact same network as the NextG dongles so I don't think there's anything funny going on regarding Telstra's network.

Quote
Not sure if you said it, but can you ping the IP of the server's VPN connection? Not the 3G.

Which IP? The VPN clients get an address in our corp office's private network (192.168.0.0/24), which I can ping from the firewall to the iPhone but not to the Windows box. (No other services can be reached on the Windows box for that matter.)
From the server it can ping the client address it gets at corp office and everything else on the corp network. (The local network at the remote site is a different subnet to corp office).


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 08:21 PM
Scratch that

OK, if you trace from a client machine within the corp network out to the VPN clients, how far do you get? Try to the iPhone then the server.


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 08:28 PM
Traceroute goes directly from firewall to VPN client, no hops in between; in the case of the Windows box it drops dead after the firewall.


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 08:38 PM
Just for entertainment value, have you tried not using the built-in network creator and using a 3rd party VPN client?


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 08:49 PM
Finally you've suggested something I haven't already tried!

What's a good free VPN client for Windows? (Please don't suggest the Cisco one as it doesn't work with ICS and so is useless for my needs - I'd rather the users can RDP than nothing at all)


Title: Re: VPN help
Post by: IcEd_RuSsIaN on 06/03/2012, 08:59 PM
Hey, if you didn't want my suggestions you could have said so. We all have our own process for this stuff.


For the client, sorry, I have no idea; I've only used Cisco thick and thin clients. What does google.com say?


Title: Re: VPN help
Post by: DonutKing on 06/03/2012, 09:09 PM
Suggestions are welcome, it just seems like you hadn't bothered to read the thread because you were asking a lot of questions that I'd already answered....

Anyway I'll look into it tomorrow. Google seems to think Cisco or Windows are the only free ones


Title: Re: VPN help
Post by: naf on 07/03/2012, 05:45 AM
Shrew Soft; it's free, 64-bit compatible


Title: Re: VPN help
Post by: DonutKing on 07/03/2012, 06:09 AM
Sweet, will check it out, thanks