Author Topic: VPN help  (Read 4381 times)
DonutKing
« on: 02/03/2012, 05:14 PM »

Hoping someone might have an idea about this one...

Long and involved story but basically we've got a branch office that has lost its ADSL (which is actually an MPLS connection into our private network)

It's looking like it will be at least a week until it's resolved. So I've been trying to set up a VPN from the local server there using a Next-G USB internet dongle, into our firewall at corp. office. (It's not possible to get onto the MPLS through any other internet connection). The idea was to share the VPN connection on the server and change all the PCs to use the server for their gateway instead of the ADSL modem/router.

Now we've had VPN in place for a while, for mobile users to connect in and get an RDP session to their PCs, and I've set up tunnels in interface mode between two routers... but I can't get traffic to go from corp office to the remote site.

I'm using an L2TP VPN with the windows client, I can connect from the remote site fine - but going the other way is just completely blocked.

Now I know it's not a configuration problem with the firewall because I can connect to it using my iPhone's L2TP client and I can ping and connect to it in both directions... but when it's a Windows PC on the other end, it only goes from remote client to firewall.

I've tried with a test laptop with a clean install of XP SP3, and the server at the remote site is 2003 SP2. No joy with either.
There is no firewall on the Windows machines. Windows FW is disabled and I even killed the ICS/FW service to make sure as part of testing. It does it even on a clean install of XP SP3.
It's not a routing problem from our corp office as I'm pinging/tracerouting from the CLI on the firewall - it drops completely dead after the firewall, yet the iPhone client happily responds. With the routes and firewall rules set up I can ping the iPhone from our corp office PCs, no luck with the Windows clients.

Any ideas? I'm tearing my hair out over this one.... We've got them running with RDP but I'd like to get a few other services running as well which requires transmitting both ways...

IcEd_RuSsIaN
« Reply #1 on: 06/03/2012, 10:25 AM »

hey DK, are you still having issues? any chance you can draw a rudimentary diagram just showing the main hop points/firewalls/nw segments?
DonutKing
« Reply #2 on: 06/03/2012, 12:25 PM »

There's nothing to put on a diagram except the remote client and the firewall.


I'm certain it's a Windows config issue as the iPhone works with the same client IP. I've tried setting Win Server up using RRAS instead of just creating a VPN connection and sharing it, but no difference.

naf
« Reply #3 on: 06/03/2012, 01:09 PM »

Have you tried tethering your iPhone to the server or test client at the remote site and then trying the L2TP VPN?
We had an issue in the past with Telstra 3G modems that could connect up fine to the internet, then appear to VPN ok (various clients), but they were then failing to add a route to their route tables for the gateway on the subnet that they had connected to at head office. Optus modems, various cable/DSL connections all worked fine... it appears a piece of proprietary software we were running was causing this to happen.

Comparing a route table from a working VPN to the non-working one showed the issue...
DonutKing
« Reply #4 on: 06/03/2012, 01:36 PM »

I have already tried that, it doesn't seem to connect at all when tethered through the iPhone.


I did find that the shitty Telstra connection manager software doesn't set the routes correctly but even after adding them manually it only allows traffic out, not back in.


The Telstra thing gives a Class A private IP (10.230.x.x) so maybe it's something funky on their Next-G network
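As an added illustration (not code from the thread), here is a script that does the comparison naf suggested and checks the symptom DonutKing reported: it parses the IPv4 "Active Routes" section of two Windows `route print` dumps (a working VPN session and a broken one), reports which routes the broken table lacks, and shows which interface Windows would actually pick for a head-office address. The two tables are constructed; the 3G address 10.230.12.34, the VPN-assigned address 192.168.50.7, the VPN server's public IP 203.0.113.10 and the head-office subnet 192.168.10.0/24 are assumptions, not values from the thread.

```python
"""Diff two Windows `route print` tables to find the missing VPN route.

Added example, not code from the thread. All addresses below are
constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# (destination network, gateway, interface address, metric)
Route = Tuple[ipaddress.IPv4Network, str, str, int]

# One row of the IPv4 "Active Routes" section of `route print`:
# Network Destination, Netmask, Gateway, Interface, Metric
_ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)

# Constructed: client with the L2TP tunnel up and "Use default gateway on
# remote network" enabled. Windows adds a 0.0.0.0 route via the PPP
# interface (metric 1) and a host route to the VPN server via the 3G gateway.
WORKING = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.230.12.1    10.230.12.34      26
          0.0.0.0          0.0.0.0     192.168.50.7    192.168.50.7       1
      10.230.12.0    255.255.255.0     10.230.12.34    10.230.12.34      25
     203.0.113.10  255.255.255.255      10.230.12.1    10.230.12.34       1
     192.168.50.7  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:      192.168.50.7
"""

# Constructed: same client, but the connection-manager software left the
# tunnel's default route out, so head-office traffic leaves via 3G instead.
BROKEN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.230.12.1    10.230.12.34      26
      10.230.12.0    255.255.255.0     10.230.12.34    10.230.12.34      25
     203.0.113.10  255.255.255.255      10.230.12.1    10.230.12.34       1
     192.168.50.7  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:       10.230.12.1
"""


def parse_route_print(text: str) -> List[Route]:
    """Return the IPv4 routes found in a `route print` dump."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Route Windows would select: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))


def via_vpn(routes: List[Route], dst: str, vpn_ip: str) -> bool:
    """True if traffic to dst would leave through the VPN-assigned interface."""
    r = lookup(routes, dst)
    return r is not None and r[2] == vpn_ip


def missing_routes(working: List[Route], broken: List[Route]) -> List[Route]:
    """Routes (network + interface) present in the working table but not the broken one."""
    have = {(r[0], r[2]) for r in broken}
    return [r for r in working if (r[0], r[2]) not in have]


if __name__ == "__main__":
    good, bad = parse_route_print(WORKING), parse_route_print(BROKEN)
    for label, tbl in (("working", good), ("broken", bad)):
        r = lookup(tbl, "192.168.10.5")
        print(f"{label}: 192.168.10.5 via {r[1]} on {r[2]} (metric {r[3]})")
    for net, gw, iface, metric in missing_routes(good, bad):
        print(f"missing in broken table: {net} via {gw} on {iface} metric {metric}")
```

Two caveats when applying this to the thread's setup. First, the host route to the VPN server's public IP via the 3G gateway must survive in both tables; if the tunnel's default route swallows it, the tunnel routes into itself and drops. Second, the server's own route table only tells you where the server sends packets: when the branch PCs reach the tunnel through ICS they sit behind NAT on the server, so head office can initiate nothing towards them regardless of routes. For both directions the branch LAN has to be routed (RRAS as a router, not NAT) and the firewall needs a route for that LAN pointing at the client's tunnel address.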

IcEd_RuSsIaN
« Reply #5 on: 06/03/2012, 03:34 PM »



So is this something like what you're talking about? And you're trying to share the 3G connection of the server with all of the staff in the remote office?

Your L2TP, I take it, is publicly accessible via the public router? Via IP or name? Your 3G card, where does it terminate? In the corp VPN cloud or publicly out on the web with Telstra?
Mone
« Reply #6 on: 06/03/2012, 04:21 PM »

Hi Donut, I had a problem once where the VPN didn't like me coming from a 10. private address range, but as soon as I changed to a 198. range it was all good.

DonutKing
« Reply #7 on: 06/03/2012, 05:09 PM »

That diagram looks correct although it's just complicating things - the VPN works perfectly one way from dialer to firewall, I just can't send traffic back down it once it's established (unless it's an iPhone)

Quote: "and you're trying to share the 3G connection of the server with all of the staff in the remote office?"
No, I'm trying to share the VPN connection (tried both ICS and RRAS) - this part is already working, but as said above only one way. That's enough for RDP but I wanted to get it working both ways for AD and email etc.

The 3G dongle is nothing special, it's a standard one you can buy at any Telstra shop - it connects straight to the public internet but for some reason Telstra gives a 10.x address.

The L2TP VPN is publicly accessible via the firewall appliance. It has a public static IP and I'm connecting with the IP in the client VPN config. The router in front of it is not owned or managed by us. When I say I can't ping the VPN clients, I am trying from the firewall's CLI - so it's not a problem with routes on the corp network (as evidenced by the fact that I can ping the iPhone when it connects)



Mone I did read something about that - there's apparently a reg key you can change to allow that, I tried it but it made no difference.
« Last Edit: 06/03/2012, 05:14 PM by DonutKing »

IcEd_RuSsIaN
« Reply #8 on: 06/03/2012, 06:27 PM »

Quote: "No, I'm trying to share the VPN connection (tried both ICS and RRAS) - this part is already working, but as said above only one way. That's enough for RDP but I wanted to get it working both ways for AD and email etc."
If RDP from the branch gets into the head office via the shared VPN connection of the server then I would look at your firewall. Check to see what src/dst ports and protocols are allowed through.

Just because the firewall (Cisco, Juniper, etc.) allows an inbound VPN connection doesn't mean that it will allow all the traffic originating over the VPN to wherever.
DonutKing
« Reply #9 on: 06/03/2012, 06:30 PM »

As I've said, the firewall config is correct. All ports and protocols are allowed both ways to and from the vpn clients. I can connect to services running on the iPhone using the same VPN and client IP.

IcEd_RuSsIaN
« Reply #10 on: 06/03/2012, 06:44 PM »

Is the iPhone using the server's shared VPN connection, so it's using the wifi at the branch office, and not its own data connection? Because if it's using its own data all that proves is that Public_Internet > Public_VPN_IP works.

With that, your server that is starting the connection should be able to connect in via the VPN and query AD. If not then you have a problem at your server.

Forget about ICS for the time being and get one thing to work perfectly.
DonutKing
« Reply #11 on: 06/03/2012, 07:01 PM »

No, I'm using the iPhone's own VPN client over its own data connection, there is no wifi at the remote site.

I'm not sure what the distinction here is between public Internet to public VPN working, as the Internet connection on the server IS a public connection.

I'm not worried about ICS as it's already working! Even without sharing the connection I can't go back to the remote site when the tunnel is up.
I can access all services such as AD etc at corp office from the remote site but corp office network can't see anything at the remote site.

I've explained all this in my previous posts, I'm starting to feel like a broken record....

I am quite certain it is a problem on the windows server at this point, I am hoping someone with experience using the windows VPN server can suggest a solution.


IcEd_RuSsIaN
« Reply #12 on: 06/03/2012, 07:25 PM »

Now I get it, I must have missed that part.
Syklone
« Reply #13 on: 06/03/2012, 07:27 PM »

Could you change it to an IPSec VPN or a pip ?
IcEd_RuSsIaN
« Reply #14 on: 06/03/2012, 07:45 PM »

Not sure if you said it, but can you ping the IP of the server's VPN connection? Not the 3G one.