Hi -

I have a user who normally connects his laptop to our network through our
Netscreen 5GT box, using the Netscreen VPN Client v9.  His internet
connection is via a cable modem, and this has worked relatively fine up to
now.

Recently, he bought a D-Link DI-624 wireless router, and connected this to
the cable modem via its WAN port.  Again, at first this seems to work.  The
laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
the router - fine.  Using the Netscreen client software, you can make a
connection to our firewall - fine.  Unfortunately, when you ping the IP
address of our server - 192.168.0.2, or even the internal IP address of the
firewall - 192.168.0.1, you don't get any reply at all.

To confuse matters, the laptop has recently have Norton Internet Security
2004 installed.  However, disabling the personal firewall component doesn't
seem to make any difference.

Oh, and  the PPTP and IPSec pass-through boxes have been checked on the
router.

--
Mark Bertenshaw
LEAX Controls Ltd

[ Post a follow-up to this message ]

On Tue, 14 Dec 2004 17:55:14 +0000, news.plus.net wrote:

> Hi -
>
> I have a user who normally connects his laptop to our network through our
> Netscreen 5GT box, using the Netscreen VPN Client v9.  His internet
> connection is via a cable modem, and this has worked relatively fine up to
> now.
>
> Recently, he bought a D-Link DI-624 wireless router, and connected this to
> the cable modem via its WAN port.  Again, at first this seems to work.  Th
e
> laptop gains a private IP address on the 192.168.2.x subnet via DHCP from
> the router - fine.  Using the Netscreen client software, you can make a
> connection to our firewall - fine.  Unfortunately, when you ping the IP
> address of our server - 192.168.0.2, or even the internal IP address of th
e
> firewall - 192.168.0.1, you don't get any reply at all.
>
> To confuse matters, the laptop has recently have Norton Internet Security
> 2004 installed.  However, disabling the personal firewall component doesn'
t
> seem to make any difference.
>
> Oh, and  the PPTP and IPSec pass-through boxes have been checked on the
> router.

Many things could be wrong. The numbering implies that you have two
networks, 192.168.0.0/24 and 192.168.2.0/24. Does the D-Link router route
both of these networks? Do the server and firewall (inside interface)
point to the D-Link as their gateway? Does the VPN client point to the
D-Link as its gateway? Are the server and firewall running Windows XP with
the default firewall turned on? If so, can they even ping one another?

[ Post a follow-up to this message ]

Mark Alexander Bertenshaw wrote:
> In addendum to the above, I thought I ought to add the Netscreen client
> settings:
>
> Connection Security: Secure
> ID Type: IP subnet
> Subnet: 192.168.0.0
> Mask: 255.255.255.0
> Protocol: All
> Connect using Secure Gateway Tunnel
> ID Type: IP Address
>
>
> The security policy uses Agressive Mode.
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK
>
>

Have the user remove the dlink router to verify the settings still work.
If it works then your setup is not compatible with a NAT home router.
Consult with netscreen at that point to find out if they have
something to support NAT traversal.

--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

[ Post a follow-up to this message ]

Mike Drechsler - SPAM PROTECTED EMAIL wrote:
> Mark Alexander Bertenshaw wrote: 
>
> Have the user remove the dlink router to verify the settings still
>   work. If it works then your setup is not compatible with a NAT home
>   router. Consult with netscreen at that point to find out if they
> have
> something to support NAT traversal.

Well, the VPN worked over the internet when there wasn't a router - just a
cable modem, so you have a point!  However, to be fair, whilst I haven't got
the D-Link, my personal home setup includes a NetGear ADSL wireless "router"
in pretty much the same configuration (in terms of NATting), and it seems to
work fine.

--
Mark Bertenshaw
Kingston upon Thames
UK

[ Post a follow-up to this message ]

Mark Alexander Bertenshaw wrote:
>
> Well, the VPN worked over the internet when there wasn't a router - just a
> cable modem, so you have a point!  However, to be fair, whilst I haven't g
ot
> the D-Link, my personal home setup includes a NetGear ADSL wireless "route
r"
> in pretty much the same configuration (in terms of NATting), and it seems 
to
> work fine.
>

Outgoing NATting should never be a problem.

Maybe your home router has firewall rules forbidding your port/protocol
combination from getting through?

--
Martin Bodenstedt

www.landtag-bw.de / www.die-bodenstedts.de

[ Post a follow-up to this message ]

Mark Alexander Bertenshaw wrote:
> "Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
> news:cpu7ai$8oi$1@news.BelWue.DE...
> 
>
> a
> 
>
> got
> 
>
> "router"
> 
>
> seems to
> 
>
>
> Martin -
>
> Just to be clear, my router is the one that is fine - it's my user's route
r
> which is the one that doesn't work, even though the settings look pretty
> similar.  As for the protocol rules - there are no rules specifically
> forbidding the outgoing ports.  And if so, surely I wouldn't have had a VP
N
> connection in the first place?  Looking at the logs, it seems that the
> initial handshaking seems to go fine.  It's only when I ping a host on the
> other side of the firewall when no reply is found.
>
> --
> Mark

You have 3 options.

1. Upgrade the firmware on the users D-Link router.  Myself I have never
known Dlink consumer routers to pass IPSec traffic unless the gateway
VPN router supports some kind of NAT traversal.  Perhaps they have
developed a newer firmware that passes standard IPSec session traffic
properly.

2. Change the settings on your VPN gateway at work to use NAT traversal.

3. Replace the D-Link router with something that does support IPsec
session traffic.

--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

[ Post a follow-up to this message ]

Mike Drechsler - SPAM PROTECTED EMAIL wrote:
 
>
> You have 3 options.
>
> 1. Upgrade the firmware on the users D-Link router.  Myself I have
> never known Dlink consumer routers to pass IPSec traffic unless the
> gateway VPN router supports some kind of NAT traversal.  Perhaps they
> have developed a newer firmware that passes standard IPSec session
> traffic properly.
>
> 2. Change the settings on your VPN gateway at work to use NAT
> traversal.
>
> 3. Replace the D-Link router with something that does support IPsec
> session traffic.

Mike -

Tbanks for the suggestions.  I am bound to try all three of them.  But
before that, I think I am going to have to some serious studying.  I admit
to being a complete dilletante in this field!

--
Mark Bertenshaw
Kingston upon Thames
UK

[ Post a follow-up to this message ]

Mark Alexander Bertenshaw wrote:
> Mike Drechsler - SPAM PROTECTED EMAIL wrote:
>
> 
>
>
> Mike -
>
> Tbanks for the suggestions.  I am bound to try all three of them.  But
> before that, I think I am going to have to some serious studying.  I admit
> to being a complete dilletante in this field!
>
> --
> Mark Bertenshaw
> Kingston upon Thames
> UK

Routers and firewalls on the client end do tend to throw a monkey wrench
(spanner)  into the mix when it comes to VPN.

But you are already ahead of the game if you have things working under
the direct connection to the internet environment.  Most people find it
a struggle to get their VPN tunnels to come up under the simplest of
environments.

--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

[ Post a follow-up to this message ]

Hi,

In such situations the following Command Line's command usually solves
all problems:

route add <LAN_IP> mask <LAN_MASK> <router_VAN_IP>
(use add -p for permanent routing -- 2000 and XP only)

for example, when your router has static WAN IP 200.1.1.1 and the LAN
is 192.168.0.*, then:

route add 192.168.0.0. 255.255.255.0 200.1.1.1 should be enough for
pinging into LAN succesfully and for connecting to LAN shares via
their IP addresses (e.g. Strat|Run \\192.168.0.3\ShareName)

Two remarks.
Router needs to have the static WAN IP (or you need to know/quess its
current one)
Remote IP must be in another IP schema than LAN schema. In above case:
e.g. 192.168.1.*. If not, a conflict occurs.


Cheers
Tomek

[ Post a follow-up to this message ]