tunnel established but can't ping remote network apart vpn router
Philippe Torres 2004-11-13, 7:45 am

client: SafeRemote VPN client on Win XP
server: Zyxel ZyWall 50
Connection goes up but I can only receive ping replies from the remote LAN IP
of the Zyxel router.
Pinging any PC on the remote network does not return any reply.
Adding a static route on the remote LAN PCs doesn't change anything:
route add <vpn client wan ip> mask 255.255.255.255 <vpn router lan ip>
Anyone met this kind of trouble?
Steve Hatch 2004-11-17, 2:45 am

Philippe Torres wrote:
> client: SafeRemote VPN client on Win XP
> server: Zyxel ZyWall 50
>
> Connection goes up but I can only receive ping replies from the remote LAN IP
> of the Zyxel router.
>
> Pinging any PC on the remote network does not return any reply.
>
> Adding a static route on the remote LAN PCs doesn't change anything:
> route add <vpn client wan ip> mask 255.255.255.255 <vpn router lan ip>
>
> Anyone met this kind of trouble?
>
This sounds like IKE phase one is completing, but phase two is not.
Verify that your local and remote networks are defined as EXACT mirror
images. Just masking the networks differently can prevent ESP
communications.
Forgive me for possibly being too basic :-)
Other things to check:
Encryption method (match)
IKE Protection (match)
Session lifetime (match)
Re-key timer (match)
Re-key data counter (match)
Network definitions (mirror)
Endpoint addresses (mirror)
Perfect forward Secrecy (match)
Vendor ID (match)
Network definitions (mirror)
Endpoint addresses (mirror)
Steve H.
Montgaillard 2004-11-17, 7:45 am

"Steve Hatch" <steve@vpn-guru.com> wrote in message
news:419B00A3.7070901@vpn-guru.com...
> This sounds like IKE phase one is completing, but phase two is not.
> Verify that your local and remote networks are defined as EXACT mirror
> images. Just masking the networks differently can prevent ESP
> communications.
>
> Forgive me for possibly being too basic :-)
>
No problem with that. Your help is very welcome Steve.
This is the log from my IPsec client (SafeRemote) on the roaming PC:
<-----begin---->
11-17: 13:36:02.743 My Connections\New Connection - Initiating IKE Phase 1
(IP ADDR=< "Zyxel VPN router Wan IP" > )
11-17: 13:36:02.764 My Connections\New Connection - SENDING>>>> ISAKMP OAK
MM (SA, VID 2x)
11-17: 13:36:03.364 My Connections\New Connection - RECEIVED<<< ISAKMP OAK
MM (SA, VID)
11-17: 13:36:03.465 My Connections\New Connection - SENDING>>>> ISAKMP OAK
MM (KE, NON, VID 3x)
11-17: 13:36:04.306 My Connections\New Connection - RECEIVED<<< ISAKMP OAK
MM (KE, NON)
11-17: 13:36:04.426 My Connections\New Connection - SENDING>>>> ISAKMP OAK
MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
11-17: 13:36:05.077 My Connections\New Connection - RECEIVED<<< ISAKMP OAK
MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
11-17: 13:36:05.077 My Connections\New Connection - Established IKE SA
11-17: 13:36:05.077 MY COOKIE 46 a6 c9 ad 8c b3 50 44
11-17: 13:36:05.077 HIS COOKIE f4 3e 3e 5d 8a e1 18 6c
11-17: 13:36:05.077 My Connections\New Connection - Initiating IKE Phase 2
with Client IDs (message id: 8DEDA251)
11-17: 13:36:05.077 Initiator = IP ADDR=< "roaming PC ISP-allocated
dynamic IP address" >, prot = 0 port = 0
11-17: 13:36:05.077 Responder = IP SUBNET/MASK=10.0.0.0/255.0.0.0, prot =
0 port = 0
11-17: 13:36:05.077 My Connections\New Connection - SENDING>>>> ISAKMP OAK
QM *(HASH, SA, NON, ID 2x)
11-17: 13:36:05.758 My Connections\New Connection - RECEIVED<<< ISAKMP OAK
QM *(HASH, SA, NON, ID 2x)
11-17: 13:36:05.758 My Connections\New Connection - SENDING>>>> ISAKMP OAK
QM *(HASH)
11-17: 13:36:05.758 My Connections\New Connection - Loading IPSec SA
(Message ID = 8DEDA251 OUTBOUND SPI = 326FBD8B INBOUND SPI = 37F11EC0)
<----end----->
It seems Phase 1 is OK. Phase 2 seems to go fine as well. The VPN client
issues a pop-up to tell me the connection has been established.
Then I can ping 10.0.0.102 (the remote LAN IP address of the Zyxel) but any
other ping to a 10.x.x.x PC fails.
I must say that the remote LAN PCs do not have 10.0.0.102 as the default
gateway.
There is another gateway on the remote LAN for mail and internet access.
The Zyxel (10.0.0.102) is reserved for VPN access from the outside.
Could it be a source of the problem and what can I do to solve it?
> Other things to check:
>
> Encryption method (match)
3DES on both sides
> IKE Protection (match)
SHA1 on both sides
> Session lifetime (match)
match
> Re-key timer (match)
> Re-key data counter (match)
0 Mb on the client side, no parameter like that on the VPN server side
> Network definitions (mirror)
classic private networks: 10.0.0.0/255.0.0.0 and a public IP on the other side
> Endpoint addresses (mirror)
??
Is the endpoint the LAN IP on both sides or the WAN IP?
I have no LAN on the client side, just a public address
> Perfect forward Secrecy (match)
disabled
> Vendor ID (match)
??
> Network definitions (mirror)
> Endpoint addresses (mirror)
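An added example, not from the thread or from the SafeRemote client: a small parser for log lines in the format quoted above that tells phase-1 failure, phase-2 failure and "tunnel up, look elsewhere" apart, and checks whether a ping target is even covered by the negotiated quick-mode selector. The sample log is constructed to follow the quoted format (placeholder public addresses; the message id and SPIs mirror the thread), and the line patterns are inferred from the quoted log, not from a documented format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the quoted log (placeholder public addresses).
SAMPLE_LOG = """\
11-17: 13:36:02.743 My Connections\\New Connection - Initiating IKE Phase 1 (IP ADDR=198.51.100.1)
11-17: 13:36:05.077 My Connections\\New Connection - Established IKE SA
11-17: 13:36:05.077 My Connections\\New Connection - Initiating IKE Phase 2 with Client IDs (message id: 8DEDA251)
11-17: 13:36:05.077 Initiator = IP ADDR=203.0.113.77, prot = 0 port = 0
11-17: 13:36:05.077 Responder = IP SUBNET/MASK=10.0.0.0/255.0.0.0, prot = 0 port = 0
11-17: 13:36:05.758 My Connections\\New Connection - Loading IPSec SA (Message ID = 8DEDA251 OUTBOUND SPI = 326FBD8B INBOUND SPI = 37F11EC0)
"""

ID_RE = re.compile(r"(Initiator|Responder) = (IP [A-Z/]+=\S+),")
SPI_RE = re.compile(r"Loading IPSec SA .*OUTBOUND SPI = ([0-9A-F]+) INBOUND SPI = ([0-9A-F]+)")


def parse_ike_log(text):
    """Collect phase-1/phase-2 state and the quick-mode traffic selectors."""
    state = {"phase1": False, "phase2": False, "local_id": None,
             "remote_id": None, "spis": None}
    for line in text.splitlines():
        if "Established IKE SA" in line:
            state["phase1"] = True          # main mode finished
        m = ID_RE.search(line)
        if m:
            key = "local_id" if m.group(1) == "Initiator" else "remote_id"
            state[key] = m.group(2)
        m = SPI_RE.search(line)
        if m:
            state["phase2"] = True          # quick mode finished, IPsec SA loaded
            state["spis"] = (m.group(1), m.group(2))
    return state


def selector_to_network(selector):
    """Turn 'IP ADDR=a.b.c.d' or 'IP SUBNET/MASK=net/mask' into an ip_network."""
    kind, _, value = selector.partition("=")
    return ip_network(value if kind == "IP SUBNET/MASK" else value + "/32")


def diagnose(text, target):
    """Say where to look when pings to `target` fail despite a 'connected' pop-up."""
    st = parse_ike_log(text)
    if not st["phase1"]:
        return "phase1-failed"              # proposals, pre-shared key, endpoint addresses
    if not st["phase2"]:
        return "phase2-failed"              # network definitions, PFS, lifetimes
    sel = st["remote_id"]
    if sel is None or ip_address(target) not in selector_to_network(sel):
        return "target-outside-selector"    # target not covered by the negotiated SA
    return "tunnel-up-check-routing-or-firewall"
```

For the log quoted above the result is the last case: both phases completed and 10.x.x.x is inside the responder selector, so the missing replies are a routing or filtering problem on the far side, not an IKE one.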
Helmut Gaishauser 2004-11-22, 2:45 am

"Montgaillard" <nospam@nospam.net> wrote on 17 Nov 2004:
Hi,
>
> "Steve Hatch" <steve@vpn-guru.com> wrote in message
> news:419B00A3.7070901@vpn-guru.com...
>
> It seems Phase 1 is OK. Phase 2 seems to go fine as well. The VPN
> client issues a pop-up to tell me the connection has been established.
> Then I can ping 10.0.0.102 (the remote LAN IP address of the Zyxel)
> but any other ping to a 10.x.x.x PC fails.
> I must say that the remote LAN PCs do not have 10.0.0.102 as the
> default gateway.
This is a ZyWall 50 IIRC. I have the same setup. You need to define a
forward firewall rule from WAN to LAN for your remote IP address. I
just tried it. No rule, no ping. With a firewall rule I can access the
whole LAN (or whatever address I specify in the firewall rule).
> There is another gateway on the remote LAN for mail and internet
> access. The Zyxel (10.0.0.102) is reserved for VPN access from the
> outside. Could it be a source of the problem and what can I do to
> solve it?
Should be no issue.
--
cheers /"\ ASCII Ribbon Campaign
hELMUT \ /
X No HTML in
/ \ email & news
Montgaillard 2004-11-23, 5:45 pm

"Helmut Gaishauser" <6ofeight@web.de> wrote in message
news:Xns95A96D0988B426ofeight@ID-120281.user.dfncis.de...
> "Montgaillard" <nospam@nospam.net> wrote on 17 Nov 2004:
>
> Hi,
>
> This is a ZyWall 50 IIRC. I have the same setup. You need to define a
> forward firewall rule from WAN to LAN for your remote IP address. I
> just tried it. No rule, no ping. With a firewall rule I can access the
> whole LAN (or whatever address I specify in the firewall rule).
>
I have a dynamic IP address on the roaming PC so I don't know how to write
this rule.
Even disabling the ZyWall firewall does not solve that :-(
Helmut Gaishauser 2004-11-24, 2:45 am

"Montgaillard" <nospam@nospam.net> wrote on 24 Nov 2004:
>
> I have a dynamic IP address on the roaming PC so I don't know how to
> write this rule.
>
> Even disabling the ZyWall firewall does not solve that :-(
>
Hm, strange one. As I (and you) read in another thread about SafeRemote
and ZyWall problems, I suggest you try another VPN client software, just
to be sure. I am using the TheGreenBow client. There is a 30-day
unlimited trial version available.
It would be interesting to see if the problem lies within the combination of
ZyWall/SoftRemoteLT.
--
cheers /"\ ASCII Ribbon Campaign
hELMUT \ /
X No HTML in
/ \ email & news
Montgaillard 2004-12-06, 8:45 pm

"Montgaillard" <nospam@nospam.net> wrote in message
news:co0hav$p43$1@apollon.grec.isp.9tel.net...
>
> "Helmut Gaishauser" <6ofeight@web.de> wrote in message
> news:Xns95A96D0988B426ofeight@ID-120281.user.dfncis.de...
> I have a dynamic IP address on the roaming PC so I don't know how to write
> this rule.
>
> Even disabling the ZyWall firewall does not solve that :-(
>
I finally solved my problem. It was a routing problem.
The PCs I tried to reach must have a default gateway pointing to the ZyWall
to send the pings back to the VPN client. Kind of basic for most of you I
guess, but you learn the hard way every day.
The ZyWall must also have a default route to send whatever it doesn't know
as a destination address, which is the case for a roaming PC, to the next
router on the internet.
It wasn't firewall related but a routing problem.
The problem I have now is telling the PCs to direct the usual internet
(HTTP, FTP and mail) traffic to the former LAN gateway (a Win2000/ISA server)
and direct only VPN traffic back to the second gateway (ZyWall).
I've just solved one problem to face a greater one, it seems.
Could anyone help?
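An added example, not part of the thread: a longest-prefix-match lookup over a tiny routing table models the LAN PC from the last post, showing why replies to the roaming client left through the wrong gateway, what the fix above does, and what the requested split (internet via ISA, VPN replies via ZyWall) would take. 10.0.0.102 is the ZyWall LAN address from the thread; the ISA address and the roaming client's public address are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

ZYWALL = "10.0.0.102"            # VPN gateway LAN address (from the thread)
ISA = "10.0.0.1"                 # former LAN default gateway (constructed)
ROAMING_CLIENT = "203.0.113.77"  # VPN client's dynamic public IP (constructed)


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway for dst, None when on-link.

    routes is a list of (network, gateway) pairs, gateway None meaning
    the destination is reached directly on the LAN.
    """
    dst = ip_address(dst)
    best = None
    for net, gw in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# A: the original setup. The default route points at the ISA server, so a ping
# reply addressed to the roaming client's public IP leaves via ISA and never
# reaches the IPsec tunnel on the ZyWall: asymmetric routing, no reply seen.
ROUTES_ISA_DEFAULT = [("10.0.0.0/8", None), ("0.0.0.0/0", ISA)]

# B: the fix from the last post. The default route points at the ZyWall,
# which encapsulates the reply into the tunnel.
ROUTES_ZYWALL_DEFAULT = [("10.0.0.0/8", None), ("0.0.0.0/0", ZYWALL)]

# C: the split the poster now wants. A host route for the client sends only
# VPN-bound replies to the ZyWall and everything else to ISA. It only holds
# while the client's address is known; a dynamic address means re-adding it
# whenever the client's IP changes.
ROUTES_SPLIT = ROUTES_ISA_DEFAULT + [(ROAMING_CLIENT + "/32", ZYWALL)]


def reply_gateway(routes):
    """Where a LAN PC with this table sends its reply to the VPN client."""
    return next_hop(routes, ROAMING_CLIENT)


if __name__ == "__main__":
    for name, table in [("ISA default", ROUTES_ISA_DEFAULT),
                        ("ZyWall default", ROUTES_ZYWALL_DEFAULT),
                        ("split", ROUTES_SPLIT)]:
        print(f"{name}: reply to {ROAMING_CLIENT} via {reply_gateway(table)}")
```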