
Cannot ping computer after connecting to VPN

Discussion in 'Networking (Hardware & Software)' started by Spyderturbo, 2007/01/04.

  1. 2007/01/06
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
  2. 2007/01/09
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    Bill,

    I'm still having problems with the VPN. I tried the "route add" as you outlined, but I got the following message:

    The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine.

    I figured that I still had something incorrect within the command. I changed it to the following and didn't get the error message. But I didn't get any type of confirmation, just back to a C:/. I think the problem may be that I'm not exactly sure what the command is doing. I changed it to this:

    route add Default gateway from my router mask Subnet mask shown under VPN in ipconfig IP address given to me by VPN server

    Is that correct? I also noticed that when I connect to the VPN, I lose my internet connection. One other thing, when I connect to the VPN, I get the connection notification in my taskbar. When I click on that and go to details I see that the bottom 2 listings are the same. It says:

    Device Name WAN Miniport (PPTP)
    Device Type vpn
    Server Type PPP
    Transports TCP/IP
    Authentication MS CHAP V2
    Encryption MPPE 128
    Compression MPPC
    PPP multilink framing Off
    Server IP address 192.168.1.100
    Client IP address 192.168.1.100


    Is that normal? Thanks again for your time!
     


  4. 2007/01/10
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    Route is a command line, and only reports errors.
    Route print will show you the existing table with your changes.

    The loss of the internet is because you chose to use the remote Gateway. When you do this the Gateway address is that of the remote router, with all traffic over the VPN tunnel. This is normal. You have a choice: preserve the internet on your local connection but lose the ability to ping and other services on the remote site; use the remote Gateway so that you can have name resolution and ping; or use the VPN tunnel to launch remote desktop on the target machine and have both.

    For your planned Chicago office, you need to implement WINS or LMHOSTS to resolve NetBIOS naming without using the remote Gateway. This will preserve your internet connection, and allow name resolution on the remote LAN.

    Your route add command should have allowed you to ping the remote site. Did it do so?
     
  5. 2007/01/10
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    No it did not, the request timed out.

    I know you had said before about hardware purchases. Am I having these problems because of the hardware I'm using? Would it be easier if my company was to purchase an actual VPN router and an endpoint for Chicago? If so, can you make some suggestions on what I would need and maybe comment on the backup solutions you mentioned earlier.

    Thanks!
     
  6. 2007/02/28
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    I was able to get the VPN up and running from my home to the office. I can access share by using the ip address in the address bar of Windows Explorer. I still haven't figured out the name resolution part, but that's something for down the road.

    Anyway, now I have some new questions. :p

    Is a VPN a "2-way street"? Meaning, can I access the shares on the client from the server? I am able to ping the client from the server, but typing in the IP address in Windows Explorer gives me an error. Any thoughts?
     
  7. 2007/02/28
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Accessing shares over a VPN is problematic if you are running over broadband. The main problem is bandwidth. You are limited by the slowest part of the connection - that is the upload speed. Most broadband systems are asymmetrical, which means that upload speed is slower than download. Usually it is a lot slower.

    In my experience, this means that normal Microsoft file sharing grinds to a halt. You can access shares if you have the full path, but not reliably. Trying to browse a share can be painfully slow if it works at all.

    The simplest solution is to use FTP. FTP has a much lower overhead than file sharing and works a lot more reliably over narrow bandwidth connections such as VPN.
     
  8. 2007/02/28
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    I don't know if that will be a problem in this case. I am running fiber at my house (5Mbps down & 2Mbps up) and we have a T1 at work. Shouldn't that be fast enough?
     
  9. 2007/03/01
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Yes, with that bandwidth you should be able to access shares I would think.

    The simplest solution is to access the shares via the IP address if you don't have name resolution working:

    \\ipaddress\sharename

    Where ipaddress is the IP Address of the PC or Server you connect to.

    If you are connecting into a Windows server, you may well find that NetBIOS name resolution won't work, but DNS name resolution will. NetBIOS names are single word names such as server1 or ibmpc. Internet site names are examples of DNS names. They have a hierarchical structure like www.windowsbbs.com.

    So say you have a server called myserver, and your company's internal DNS namespace is company.local. Connecting to a server share via NetBIOS name, you'd use something like this:

    \\myserver\sharename

    This may well not work over VPN.

    However, you may find that you can connect via the server's DNS name:

    \\myserver.company.local\sharename
     
  10. 2007/03/01
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    Once the VPN is established, I can access the server files from my house, but I just can't access the home files from the server location. Almost like the VPN is a "one way street". Based on all the problems I'm having, we decided to bag the software VPN and go with a hardware VPN.

    I'm looking at picking up 2 DLink DI-808HV's for the hardware. Hopefully that will do the trick. Has anyone used the 808HV's? Is a hardware VPN more stable and easier to set up than a software VPN?

    Thanks!
     
  11. 2007/03/01
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I prefer hardware VPN systems. I've not used the DLink units you've highlighted. The DI-804HV looks very similar - less ports - but if this is adding to an existing network, you should not need the ports. The 804 is significantly cheaper than the 808.

    I used to really like D-Link, but I'm not such a fan anymore. Have a look at some of the cheap Netgear firewalls. In general, I've found Netgear gear to be easier to use and get to work.
     
  12. 2007/03/01
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    I looked into the NetGear products, but they all seem to be VPN switches. I didn't see any that were VPN Routers, that's why I was looking at the DLink. Right now we are using a Linksys BEFSR41 Router which is attached to a HP ProCurve 2650 Switch. I was just going to remove the Linksys and replace it with the DLink.
     
  13. 2007/03/01
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    A 48 port switch and a good one at that! How many IPs is your ISP giving you? Do you have more than one? If so and assuming you've a reasonable size network (20 plus users), I'd keep the linksys router, turn off NAT, and use a hardware firewall.
     
  14. 2007/03/01
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    Only 1 IP address from the ISP. The switch is definitely overkill for what we need, but better to spend a little more and be ready for the future. Right now, we have 15 PC's in the building, but a couple of them are only used to interface with our instrumentation. I have one sitting on the floor beside my desk that the HDD died in and a new "server" that needs to be set up.

    So much work, so little time. Nothing like being hired as a Chemist and then spending 1/2 my time doing IT stuff. :p

    I read that the DLink has a built in firewall and was planning on using that. Do you think that would be sufficient?

    EDIT -> I just found out that our new Laboratory in Indiana was unable to get a T1 line, so they are stuck with DSL until fiber is rolled out in that area. It's going to have a dynamic IP address, which I'm sure will result in the VPN getting dumped every time the IP address changes. I was looking into DynDNS.org. Am I on the right track? It seems like the DLink supports DynDNS.org.

    If I register with the website and point the VPN Router in that direction, will we be able to maintain a stable VPN?
     
    Last edited: 2007/03/01
  15. 2007/03/01
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Personally, I'd always put a small business network larger than SOHO behind a dedicated firewall. Not a router with some firewall functions, but rather a dedicated firewall. For example: a small Cisco Pix, watchguard, or sonicwall. I use a Netasq firewall on my main network. I like it a lot, but it is quirky (it's French after all).

    However, I do err toward the cautious on firewalls. You wouldn't be alone in running a 15 user network behind one of the Netgear or DLINK firewalls mentioned earlier. A compromise solution that I have used on a small network is a Draytek 2800 router. These have broadband modems incorporated, stateful packet inspection firewall and won't break the bank. They also have VPN server functionality.

    If only one end is dynamically assigned, you can still set up a site to site VPN. However, you will need to initiate it from the dynamic end.
     
  16. 2007/03/05
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    Well, I'm back. :eek:

    I have the two DI-804HV's set-up and apparently connected. The "status" states that the IKE is established and I am able to ping any PC on the remote side of the tunnel. The problem is that I am unable to browse the shares. I tried using \\192.168.1.55 in windows explorer and I receive the unable to connect.

    Any thoughts?

    EDIT -> I almost forgot the most important thing......I am able to remote desktop to the 2 PC's at work that I have enabled for remote access. How weird is that??
     
    Last edited: 2007/03/05
  17. 2007/03/05
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    I think I figured it out. I placed both of the PC's in the DMZ just for a quick test and was still unable to access the network shares. After removing both of the PC's from the DMZ, I shut off the Windows firewall and can now access the shares.

    Can anyone tell me how to configure the Windows firewall to allow network share access.

    Thanks!
     
  18. 2007/03/05
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    • Go into "Network Connections" in control panel
    • Right click on the active network connection and select properties
    • Click on the Advanced tab
    • In the firewall section, click on the "Settings" button
    • Click on Exceptions tab
    • Select "File and Print Sharing"
     
  19. 2007/03/05
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1

    It was already listed as an exception on both machines. The PC at work is configured the same as my machine at home and I know for a fact that I am able to access network shares when I'm at work. I'm guessing that there is a different port used when over a VPN????

    Thanks again for your help Reggie!!!!!
     
  20. 2007/03/19
    Spyderturbo

    Spyderturbo Inactive Thread Starter

    Joined:
    2007/01/04
    Messages:
    41
    Likes Received:
    1
    I figured it out. I had to change the default windows firewall "file and print sharing" exception scope from "My network (subnet) only" to a custom setting that includes both networks. This is what worked for me:

    192.168.1.1/255.255.255.0,192.168.0.0/255.255.255.0
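
Added example, not part of the original thread: a small Python model of the scope check described in the post above, showing why a source address on the far side of the tunnel is rejected under "My network (subnet) only" and accepted under the custom list. The server address, the remote-site subnet role and the sample source addresses are constructed assumptions; only the custom scope string comes from the post.

```python
import ipaddress

def parse_scope(scope: str):
    """Parse a comma-separated scope list into networks.

    Entries may be a bare address, address/netmask or address/prefix.
    strict=False accepts entries with host bits set, such as
    192.168.1.1/255.255.255.0, and normalises them to the network.
    """
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in scope.split(",") if e.strip()]

def subnet_only(local_ip: str, netmask: str):
    """Model 'My network (subnet) only' for one local interface."""
    return [ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)]

def is_allowed(source_ip: str, scope_nets) -> bool:
    """True if the source address falls inside any network in the scope."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in scope_nets)

def compare(sources, before, after):
    """Return {source: (allowed_before, allowed_after)} for each source."""
    return {s: (is_allowed(s, before), is_allowed(s, after)) for s in sources}

# Constructed scenario (assumption): the machine sharing files sits on
# 192.168.1.0/24 and the other site behind the tunnel uses 192.168.0.0/24.
SERVER_IP, SERVER_MASK = "192.168.1.55", "255.255.255.0"
CUSTOM_SCOPE = "192.168.1.1/255.255.255.0,192.168.0.0/255.255.255.0"  # from the post
SOURCES = ["192.168.1.20",   # same LAN as the sharing machine
           "192.168.0.10",   # other site, arrives through the VPN
           "10.0.0.5"]       # unrelated network, should stay blocked

if __name__ == "__main__":
    before = subnet_only(SERVER_IP, SERVER_MASK)
    after = parse_scope(CUSTOM_SCOPE)
    for src, (b, a) in compare(SOURCES, before, after).items():
        print(f"{src:<14} subnet-only={'allow' if b else 'block'}  "
              f"custom={'allow' if a else 'block'}")
```

The custom list widens the exception only to the two named /24 networks, so file sharing stays closed to every other source address.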
     
