
Cannot ping computer after connecting to VPN

Discussion in 'Networking (Hardware & Software)' started by Spyderturbo, 2007/01/04.

  1. 2007/01/04
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    Hello everyone, I was wondering if someone could help me with my VPN setup. I have a good bit of experience setting up small networks, but never a VPN. My company is opening a new facility in Chicago and we would like them to be able to access our database. I am attempting to create a test VPN between my machine at work and my PC at home in preparation for the database sharing.

    After a couple of attempts, I am now able to log onto the VPN from my house, but I am unable to access any PC's on my workgroup. I have internet access during the VPN session, but a ping command to the machine at work results in a timeout. My home is running 192.168.0.X and work is running 192.168.1.X so I know that's not the problem. I have configured the router to forward ports 50, 500 & 1723 to my PC at work. I have also enabled PPTP & IPSec passthrough on the router. Prior to doing this, I was unable to get past the "Verifying Username and Password" step. But now I can connect.

    My PC at work is running XP Pro and my machine at home is running MCE. At work we have a static IP (T1) and the facility in Chicago will be running DSL, as a T1 is not available. I have seen some hardware VPN solutions, but I was hoping to use the VPN built in to XP so we could save some money. Is this the wrong choice?

    I have read some things about Wins & RRAS, but that seems to be specific to Server 2003, so I don't think that's an option. I have also seen a lot of information about problems with name resolution when using XP's VPN. Some people suggested using DHCP to solve that problem. I think I enabled DHCP, but I'm not sure. Under the TCP/IP properties for the VPN connection, I checked the box that says "Assign TCP/IP addresses automatically using DHCP". Was that correct? I also have the box checked that says "Allow callers to access my local area network".

    A couple of other things I almost forgot. Do I need to change the workgroup name on my PC to match the workgroup name at work? I didn't think that I would have to, since we have 2 different workgroups here and I can access both from my work PC. Also, the PC I am connecting to from home, has 2 NIC's. I have read that this can be a problem, but I have the one that's not in use disabled.

    I hope I have explained everything sufficiently and appreciate everyone's help. Thanks and have a great day!
     
  2. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    Ping has nothing to do with DHCP.

    This statement:
    Requires the netmask on both ends for it to make any sense.
    If the subnet and netmask are identical on both ends, you will have serious problems.

    Ping is blocked by routers and software firewalls. It also is not a good test if what you are worried about is NETBIOS name resolution.

    . if you cannot ping, it is a router setting and/or a firewall setting on the client;

    . if you cannot resolve NETBIOS names, it is not a DHCP issue.

    Please describe in detail your hardware and software:

    . do routers at either or both ends provide a valid VPN endpoint?
    . What client software are you using at each end?
    . For the Gateway portion of the vpn client, are you setting for a local or remote Gateway IP?
     

  4. 2007/01/04
    Spyderturbo

    I'm not sure what all that means, but I'll do some research tomorrow and see if I can translate. :eek:

    Thanks for your help so far.

    I'll do the best I can here answering your questions, but I'm new at this, so please bear with me.

    1.) I'm running a D-Link DI-624 Turbo with firmware v2.42, which is the most recent firmware I can use if I want to maintain my XBL compatibility with this router.

    At work we are using a Linksys BEFSR41 v2 running firmware v1.46.2 which is the most recent available on the Linksys website.

    2.) I'm not using anything for the VPN other than what's built into XP. Maybe this is my problem?

    3.) Under TCP/IP settings for my home machine, the box is checked that says "use default gateway on remote network".

    I hope I was able to answer your questions sufficiently and appreciate your help. Thanks!
     
  5. 2007/01/04
    Bill Castner

    When the ping fails, does it fail if you:

    . ping computername
    . ping the computer's IP address?

    Second question:
    Do you have the expectation that multiple users will access the database at one time; or is it your intention they take turns? Is it your expectation that there can be multiple remote and local users of the database at the same time?

    Third question:
    What database software do you intend to be/are using?

    Fourth question:
    Is the remote access to the database a very occasional thing, or something that is required on demand often?

    I think I can resolve the ping question you have, but the experiment you are running may not be testing the workplace needs of your organization. This, for example, scares me:
    I assume this router is also handling all LAN traffic routing and all internet traffic routing for the local workplace now.
     
  6. 2007/01/05
    Spyderturbo

    I have been pinging the computer's IP address. It is set up with a static IP.

    For now, there will only be one user connected to the database via the VPN. I'm sure that will change as the facility in Chicago grows, but for right now, there is only one person that will need access. There are about 4 to 6 people on our LAN that access the database.

    It's an Access database with a LIMS front end. The one we are using right now is an inhouse application, but we have a programmer writing new software that should be done by March.

    That depends on workload. Right now, there are 2 people on the LAN that use it pretty much all day. Then there are others, who may only be connected occasionally. The person in Chicago will probably be connected all day.

    It only handles the internet traffic. The T1 line is attached to that, and then one single Cat 5e cable from there to the HP ProCurve 2650 Switch. Then from there to a Levitron GigaMax 5e and then off to the individual workstations.

    Thanks Bill.
     
  7. 2007/01/05
    Bill Castner

    Sorry for all the questions.

    Is the LIMS front-end web based?
     
  8. 2007/01/05
    Spyderturbo

    No problem at all. I really appreciate your help. On a side note, I must say that I am absolutely shocked by your knowledge of computers. :eek: I have had a blast the past couple of days reading your posts. I can see why Microsoft made you an MVP.

    Anyway, the LIMS front-end is not web based. The user inputs data relating to the sample and then the LIMS transfers that data to the access database through a mapped network drive.

    My intention was to create the VPN for the user in Chicago and then map a drive to our server from their location.
     
  9. 2007/01/05
    Bill Castner

    That is very kind of you, thank you.

    I will return later today with some suggestions. I really think you want to use hardware VPN end point routers at each end. The one for the office obviously should support more than one VPN tunnel.

    I am sorry, I forgot to answer your question while thinking about your issue.

    Let's configure a Home XP VPN software client -- to -- Work XP VPN software client
    • The subnets for both end points must be unique.
      I think you are OK on this, but check the subnet masks:
      Home: 192.168.0.x Mask: 255.255.255.0
      Work: 192.168.1.x Mask: 255.255.255.0
    • On the Work client as "HOST"
      How to enable TCP Forwarding under Windows XP
      http://support.microsoft.com/default.aspx?scid=kb;en-us;315236&Product=winxp
    • Add the Route:
      Let's say that ipconfig /all shows for the VPN adapter:
      IP: 192.168.1.110 mask 255.255.255.0
      Start, Run, CMD
      route add 192.168.1.0 mask 255.255.255.0 192.168.1.110

      (Do not use the /P "Persistent" switch with the Route command. You do not know what IP you will obtain each time.)
    Test. You should be able to ping. If not, there is a firewall setting on either end-point that is preventing this. Check the ICMP settings. Make sure that the Linksys router is not set to block WAN requests.

    For the other way around, just change the settings as appropriate.
     
  10. 2007/01/05
    Spyderturbo

    We were exploring a hardware solution while looking into setting up an offsite backup. Backup is currently done in house, but I do admit that sometimes I forget to take it home with me. :eek:

    We found one company that does backup and VPN together:

    www.bitleap.com

    I was just trying to be a hero and save the company some money.

    I'll check the subnet masks when I get home. I know the one here, at work, is the standard 255.255.255.0.

    I'm pretty confused here. I think you are starting to get over my head, but I'll do some reading and post back with questions.

    Ok, I'm back. I checked out your link and I had done that yesterday. I believe I found that suggestion on this website and decided I would give it a try. Not exactly sure what it did, but I did it anyway :eek:

    I just checked the router and apparently "Block WAN requests" was enabled. So I disabled that. I also did the ipconfig /all and here are the results:

    PPP adapter RAS Server (Dial In) Interface:

    Connection-specific DNS Suffix .:
    Description.........: Internal RAS Server interface for dial in clients
    Dhcp Enabled......: No
    IP Address..........: 192.168.1.100
    Subnet Mask.......: 255.255.255.0
    Default Gateway..:

    I noticed that there is no default gateway listed, is that normal? Also, the IP address of this machine (Work) is 192.168.1.111, not the 192.168.1.100 that is listed. I think the one at home is 192.168.0.102.
     
    Last edited: 2007/01/05
  11. 2007/01/05
    Bill Castner

    For the moment, make the registry edit suggested in the MSFT KB article on the work VPN endpoint computer. You can go ahead and do it on both, for testing purposes.

    The route add would be done on the Home VPN computer, if Home -to- Work. Or vice-versa depending on how you are testing.

    I would keep backup and VPN in-house.
    We are not talking about a lot of money on hardware.

    For the remote client computer, purchase a router that supports at least one VPN tunnel. If it is an office site as you suggested, purchase a VPN end-point router that supports more than one tunnel.

    Budget Guess:
    Chicago: around US$ 30 - 70
    Main Worksite: around US$ 120

    Backup:

    There are a lot of ways to bell this cat. Given that the size of your organization is relatively small, I will later comment on this as well.

    Best regards,
    Bill Castner
     
  12. 2007/01/05
    Spyderturbo

    Ok, I'll do this when I get home. It's tough not being in two places at once. I would get my wife to make the changes, but she doesn't seem to get along with things that have circuit boards. :D

    So, for my example, I would use the following for the home computer:

    Start, Run, cmd

    route add Default gateway at home mask 255.255.255.0 IP address shown for VPN adapter at home

    This won't affect the operation of my network at home, will it? I am finally able to get my Xbox 360, ReplayTV and PC to play nice together and I don't want to risk messing anything up. Microsoft's MCX software is a bear to get set up properly.

    We normally have about 1.5GB of data to back up and I use two different programs for the backup. XP Pro's backup takes care of most of the files and I also use Caddaiss BackupOnDemand for the database application. XP has a problem with the database backup because of the record locking security permissions.

    So I want one for Chicago that supports one tunnel and another for the main office that supports multiple tunnels? Any suggestions for what to use? I'll start doing some research and see what I can come up with.

    Great! I can't thank you enough for spending your time helping me out.

    Thanks,
    Nathan
     
  13. 2007/01/05
    Bill Castner

    Just a quick note:

    . None of the changes will affect your local network. Remember that the configuration changes are being made to the "logical" VPN adapter, not the physical network adapter you use for your LAN.

    . This entry bothers me:

    Connection-specific DNS Suffix .:
    Description.........: Internal RAS Server interface for dial in clients
    Dhcp Enabled......: No
    IP Address..........: 192.168.1.100
    Subnet Mask.......: 255.255.255.0
    Default Gateway..:

    If in creating the connection you set the logical VPN adapter properties this way, I believe it to be a mistake. (Although setting a static IP is a great idea).

    Start, Network Connections, and right click the VPN connection, Properties. Scroll down to "Internet Protocol TCP/IP" and click the Properties button.

    Since it appears that the Linksys router is the DHCP server for your LAN, let's not assign static IPs within the scope of addresses Linksys uses for DHCP; usually 192.168.1.100 -- 192.168.1.149

    You know better than I if static IPs were assigned outside this DHCP scope. Let's make a wild guess that is easily changed:

    IP: 192.168.1.55 (Note - a static IP outside the IPs used by the DHCP service)
    Subnet: 255.255.255.0
    Gateway: 192.168.1.1 (But note you have in software already declared that you will use the remote Gateway. I am tempted to leave this entry empty, but for the moment set it as the above. I will get back to you because I do not remember how I have set this in the past. If the issue persists, remove this Gateway address. I seem to remember not specifying a Gateway on the adapter, but I will check.)
     
  14. 2007/01/05
    Spyderturbo

    That's what I thought, but I just wanted to be sure.

    Actually, I just let the network connection wizard set up the VPN for me.

    Under the Networking tab, when I click properties for the TCP/IP I get the following:

    1.) Option to allow callers to access my local area network.
    2.) TCP/IP address assignment. The box is checked saying "Assign TCP/IP addresses automatically using DHCP".

    The other option is "Specify TCP/IP address". The grayed out entries are from 10.0.0.10 to 10.0.0.20. Then there is a line that says "Total = 11".

    The last option checked says "Allow calling computer to specify its own IP address".

    Do you mean that the PC's I've set up with static IP address, should not be in that range?

    Basically I started at 192.168.1.101 and went from there when I set up the IP addresses.

    Are you talking about the TCP/IP settings for the LAN? So I should just leave the default gateway address blank?
     
  15. 2007/01/05
    Bill Castner

    You can use all addresses without issue, as long as the Linksys has its DHCP server turned off.

    It would have saved you some record keeping to leave it enabled. As I explained, as long as you use static IPs outside the defined DHCP scope of the DHCP server on the router, they work without issue. The way DHCP works and the way your cable plant is configured, the little Linksys would have been happy to provide DHCP addressing to all of your clients.

    While still allowing static IP assignments when you needed them.

    If on the Linksys its DHCP server is disabled, the issue is moot.

    The hard part of VPN is that you have two independent sites.
    If you are configuring dial-up VPN connectoids, think of yourself as the Client connecting to a remote Host. Otherwise you will get hopelessly lost.

    Check your home router settings when configuring from the workplace. Does your Home router support DHCP, and if so, is it enabled? Is this how addresses are issued for computers connected at Home? Those questions and their answers tell you how to answer the question asked in the quoted passage above.

    Similarly, when at Home and configuring for access to the worksite, you need to go through the same checklist of questions. The only DHCP server I saw from your cable plant description was the little Linksys. If you have its DHCP server disabled, you need to answer the question I quoted differently with a static ip when setting up the connectoid on your Home machine.
     
  16. 2007/01/05
    Spyderturbo

    It was enabled, but I just disabled it. I'm going to do some reading and see if I can figure out what DHCP is. I think that would make it easier on you when trying to explain these things to me. :)

    I believe it does, because everything is on a dynamic IP at home. But I will check when I get home.

    EDIT -> Not to get too far off topic, but after doing some reading it looks like the TCP/IP is the actual protocol that the PC's use to communicate? The DHCP server just supplies the appropriate addresses to the PC's as requested. So that would mean if I manually assign IP addresses in the same range used by the DHCP server, they could later be assigned by the DHCP server and cause a conflict? Is that why you were saying to use addresses outside the range of the DHCP server if it was enabled on the router?

    I think I have a slight understanding of how DHCP works on a LAN, but I'm not sure how it works when I initiate the VPN? I guess I have to manually assign an IP address if DHCP is disabled on the Linksys because there will be no server to assign me an address. On the other hand, if I were to assign addresses outside of the DHCP server's range for the office PC's and left the DHCP server enabled in the Linksys then it would take care of assigning my PC an address when I connect the VPN?
     
    Last edited: 2007/01/05
  17. 2007/01/05
    Bill Castner

    When you set your Internet Protocol TCP/IP settings to automatic for assigning a workstation IP and/or DNS server addresses, you are asking for a DHCP server on the LAN to handle the job.

    It keeps an internal table so as to avoid assigning duplicate IP addresses. It issues what are called "leases" so that addresses can expire and be renewed. (If not, and it used a new IP every time, you would run out of addresses to use).

    Usually you find sites that either let the router handle the chore, likely true or should be both at your Home and Work site; or use a formal Server that includes a DNS server, WINS server, and DHCP server, although all are optional.

    In large LANs you need two things:

    . Non-duplicated addresses
    . Some way to reserve or otherwise create static entries for service applications (Web Server, for example), Printers, and other devices.

    For your worksite, I would have made static two entries:
    . the database server
    . your workstation if it is to be a software VPN tunnel endpoint

    All the rest I would have let the little Linksys handle DHCP.

    At Home, you likely have DHCP enabled on your router. If ever you need regular access to your home computer from a remote site, I would make a static setting for that workstation as well.

    A mixture of DHCP-assigned addresses, reserved addresses still handled by the DHCP server (Your linksys router model does not have this feature), and pure static IP assignments is common.

    If you have "automatically" determine my IP address and/or DNS server addresses enabled, XP makes a broadcast request for an available DHCP server. At work, for example, if DHCP was enabled on the Linksys, it would respond with a positive acknowledgement. A little dialogue then begins behind the scenes where the Linksys assigns an IP for the workstation, provides it subnet mask and DNS server information, and issues a "lease" that can always be renewed.

    I am shortening things, as I do not want to write a treatise. But that is all that DHCP is essentially about.
     
  18. 2007/01/05
    Spyderturbo

    Apparently I edited my last post at the same time you made your post. So, it looks like I have a handle on how DHCP works.

    Here is what I plan on doing to try and get things in line.

    1.) Turn DHCP back on in the router.
    2.) Return all PC's in the office to automatically acquire their IP addresses from the Linksys, except for my machine and the database server.
    3.) Give my machine and the database server an IP address out of the DHCP server's normal range. Such as 192.168.1.55.
    4.) Enable TCP forwarding on my PC at home.
    5.) Try the VPN again.
    6.) Explore VPN hardware and dive further into the backup solutions we were going to talk about.

    Does that sound like a good course of action?
     
  19. 2007/01/05
    Bill Castner

    Sounds like a darn good start.

    At the very least if you are testing Office-to-Home, I do not think any other changes at the Home site are needed, other than this:

    . The remote (Home) target machine should have a static, and not DHCP determined address.

    One other note that I keep forgetting to mention: You only need to port-forward from the router 1723 TCP if using PPTP tunnels.
    For IPSec tunnels you need ports:
    UDP Port 1701
    UDP Port 500

    And, be sure the router firmware at Home and Office are now the latest versions. PPTP needs GRE Protocol 47 enabled (that is what the choice in router setup for PPTP is all about), and for IPSec you need IP Protocol 50 (ESP) -- again, that is what the router setup choice was all about.

    Whether the router actually passes this protocol is often a question of how updated is its firmware. Linksys had several issues getting this right, so check. And check the Home router as well.

    Now that both Home and Office computers have static entries for their IPs, the Port-forward should always work, and need not be changed.

    Last note: if this works (Office-to-Home) using static IPs, with both end point routers forwarding port 1723 to the static IP, then my earlier advice about using ROUTE.EXE to add a new route can use the /P persistence switch so that you do not have to type the route add string more than once.
     
  20. 2007/01/05
    Spyderturbo

    Ok, I turned off the DHCP server in my D-Link router and gave the home PC a static IP address. There is also an option for "Static DHCP" so I disabled that as well.

    Do I need to do this on both routers, or just on the office side?

    The Linksys at work is running the most current version. My D-Link at home is a couple versions behind, because the newer versions haven't been approved by Microsoft for XBL compatibility.

    Here is where I am so far:

    1.) I turned back on the DHCP server at work and put all the PC's back to acquire IP address automatically, except for 3 PC's. The VPN Server, Database Server and the Accountant's machine all have static IP addresses outside of the range of the Linksys Router.
    2.) Turned off DHCP on my D-Link router at home and assigned my PC a static IP address.
    3.) Enabled TCP forwarding on my home PC.
    4.) Typed the following into a command prompt:

    route add 192.168.1.0 mask 255.255.255.0 192.168.0.145

    I received an error about the mask. I then ran ipconfig /all and saw that the VPN was assigning me a Subnet Mask of 255.255.255.255, instead of the normal 255.255.255.0. I'm guessing that is the problem?
     
  21. 2007/01/05
    Bill Castner

    route
    Look again at what I wrote earlier. Your route is invalid. 192.168.1.0 is not accessible to a subnet 192.168.0.x with a subnet mask of 255.255.255.0

    This however would be valid:
    route add 192.168.1.0 mask 255.255.255.0 192.168.1.145

    I will paste them side-by-side so you can see my issue:
    Code:
    bad : route add 192.168.1.0 mask 255.255.255.0 192.168.0.145
    good: route add 192.168.1.0 mask 255.255.255.0 192.168.1.145
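
Added example, not part of the thread and not code from either poster: a Python check of the two `route add` lines compared in the last post, showing which local adapter each gateway binds the route to, plus the static-address-versus-DHCP-scope check discussed earlier. The adapter names and addresses in `HOME_ADAPTERS` are constructed sample values assumed from the thread, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the home PC's adapters while the VPN is connected.
# The /32 mask on the VPN adapter matches what ipconfig /all reported.
HOME_ADAPTERS = [
    ("LAN", "192.168.0.145", "255.255.255.0"),
    ("VPN", "192.168.1.145", "255.255.255.255"),
]


def parse_route_add(cmd):
    """Parse 'route add <dest> mask <netmask> <gateway>' (ROUTE.EXE form)."""
    tok = cmd.split()
    if (len(tok) != 6 or tok[0].lower() != "route"
            or tok[1].lower() != "add" or tok[3].lower() != "mask"):
        raise ValueError("expected: route add <dest> mask <netmask> <gateway>")
    # strict=True rejects a destination that has host bits set for the mask.
    dest = ipaddress.IPv4Network(f"{tok[2]}/{tok[4]}", strict=True)
    return dest, ipaddress.IPv4Address(tok[5])


def egress_interface(gateway, interfaces):
    """Return the adapter whose subnet contains the gateway, or None."""
    for name, ip, mask in interfaces:
        if gateway in ipaddress.IPv4Interface(f"{ip}/{mask}").network:
            return name
    return None


def check_route(cmd, interfaces, tunnel):
    """Say whether traffic for the route's destination would use the tunnel."""
    try:
        dest, gateway = parse_route_add(cmd)
    except ValueError as err:
        return f"invalid: {err}"
    via = egress_interface(gateway, interfaces)
    if via is None:
        return "invalid: gateway is not on any local subnet"
    if via != tunnel:
        return f"wrong adapter: {dest} would leave via {via}, not {tunnel}"
    return f"ok: {dest} via {tunnel}"


def statics_in_dhcp_scope(statics, first, last):
    """Return the static addresses that fall inside the DHCP server's scope."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [s for s in statics if lo <= ipaddress.IPv4Address(s) <= hi]


BAD = "route add 192.168.1.0 mask 255.255.255.0 192.168.0.145"
GOOD = "route add 192.168.1.0 mask 255.255.255.0 192.168.1.145"

if __name__ == "__main__":
    for cmd in (BAD, GOOD):
        print(cmd, "->", check_route(cmd, HOME_ADAPTERS, "VPN"))
    # Scope 192.168.1.100 -- 192.168.1.149 is the range quoted in the thread.
    print(statics_in_dhcp_scope(
        ["192.168.1.55", "192.168.1.100", "192.168.1.101"],
        "192.168.1.100", "192.168.1.149"))
```

The first command names the home LAN address as gateway, so packets for 192.168.1.0/24 would go out the LAN adapter instead of the tunnel; the second names the VPN adapter's own address and stays inside it.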
     
