Installing Wingate VPN & Gateway

Forum for all technical support and troubleshooting of the WinGate VPN.

Moderator: Qbik Staff

Postby Jeff Andre » Sep 13 03 6:34 am

I'm trying to get your product to work, and having some difficulty.

I've installed the VPN Server software on a machine at Site 1 (Win2K Server). This machine has one NIC with a 192.169.1.3 address. The basic install here seemed to go OK.

I installed the Gateway software on a machine at Site 2 (WinXP). This machine has 1 NIC, connected through a router to a cable modem.

We had been using Microsoft VPN software to connect between these machines OK, so I don't think there are any basic networking issues.

I had the cable guys forward port 809 at Site 1 to the private IP address from the cable modem/router. There is no firewall on the cable modem/router at this point.

The Gateway software at Site 2 can connect and access resources on the VPN Server, and can see other machines at Site 1 and access their resources. So that Gateway machine is working the way I need it to.

Now for the next step. I can see the Gateway machine at Site 2 from the VPN Server at Site 1, but no other machines at Site 1 can see that Gateway machine.

From Site 2, none of the other workstations can see the VPN server, or any other machines at Site 1.

I have installed the RipClient software on all the workstations (not the VPN server or gateway). It is up and running. The VPN Server and Gateway machines are set for Local participation to be "Local Network", which I assume is supposed to tell them to publish the necessary routes to the RipClient software. When I look at the "Routes to be Exported when Local Network is selected" for the VPN Server, this is what I see:

192.168.1.0 / 255.255.255.0
192.168.1.2 / 255.255.255.255

the 192.168.1.2 address is the VPN server itself

On the Gateway machine, the published routes are:

193.168.1.100 / 255.255.255.255

this is the address of the gateway machine

When I look at the workstations that are running the RipClient, none of these addresses show up in the routing table.

It appears that either the VPN Server and Gateway software are not publishing routes for the RipClient to pick up, or something else is preventing them from picking up the routing information. I have the firewall disabled in both machines.

Help!

Jeff Andre'
Jeff Andre
 

Postby labull » Sep 13 03 7:32 am

Jeff,

How do the machines at site 2 connect to the Internet? Is it directly through the router?

Larry
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby Guest » Sep 13 03 7:37 am

The machines at site 2 connect to a Linksys router/switch, which provides DHCP to that network, and is then connected to a cable modem.

Jeff Andre'
jandre@secondlookhomes.com
Guest
 

Postby labull » Sep 13 03 8:56 am

The machines in site 2 have to know to use the Gateway as the path to Site 1.

You may manually have to add a Route to each of these machines.

You could try

Route add 192.168.1.0 mask 255.255.255.0 193.168.1.100

Then enter

tracert 192.168.1.2

and see what the responses are.

I'm really not confident in this but it couldn't hurt to try.

Larry
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby Guest » Sep 13 03 9:21 am

That was the first thing I tried. I put in the route, then tried tracert and ping to 192.168.1.2, but got nothing (unknown host).

Any other thoughts?

Why does it appear that the only published route being published from the Gateway machine is its own address? It seems that if the RipClient were going to pick up a route, it would have to appear in the published list.

If putting in a manual route doesn't solve the problem, it seems that the problem (or part of it) is that the Gateway machine isn't routing at all.

Jeff Andre
jandre@secondlookhomes.com
Guest
 

Postby Guest » Sep 13 03 9:28 am

Another thought just occurred to me. How is it that I can access machines at Site 1 from the Gateway machine, but can't access the Gateway machine from those same machines at Site 1?

Jeff Andre
Guest
 

Postby labull » Sep 13 03 9:28 am

This is not expert knowledge and if I'm confused I'm sure I'll get corrected so here goes.

Your configuration of Site 2 is what I think the problem is.

The routing must be from one subnet to another. Typically this would mean your Gateway machine would have 2 NICs and data from your LAN would come in on one and go out the Internet and the remote network on the other.

Now, how you would do that in your configuration I don't know.

Hopefully a VPN expert will join in before too long and clear this up.

Sorry I couldn't help further.

Larry
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby Guest » Sep 13 03 9:31 am

Another minor correction: the VPN server is on a Windows 4.0 server.

Jeff Andre
Guest
 

Postby labull » Sep 13 03 9:46 am

Jeff,

Have you read this document?

http://www.deerfield.com/products/winga ... te_VPN.pdf

It was written by the WinGate VPN developer.

This is why I'm thinking your configuration won't work.

Larry
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Re: Installing Wingate VPN & Gateway

Postby Pascal » Sep 13 03 5:58 pm

Jeff Andre wrote:
192.168.1.0 / 255.255.255.0
192.168.1.2 / 255.255.255.255

the 192.168.1.2 address is the VPN server itself

On the Gateway machine, the published routes are:

193.168.1.100 / 255.255.255.255

this is the address of the gateway machine
Jeff Andre'


Hi Jeff,

If I understand this correctly, each end of the VPN Setup has an IP in the 192.168.1.x range. This is not recommended. Although you can do this, you'd need to configure the routes very carefully.

Is it possible to renumber one end ? (E.g. the Gateway side to 192.168.2.x)
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby Jeff Andre » Sep 14 03 11:38 am

Pardon me if I was unclear.

The VPN server has the 192.168.1.x addresses

The VPN Gateway has 193.168.1.x addresses

Jeff Andre'
Jeff Andre
 

Postby Pascal » Sep 15 03 7:57 am

Jeff Andre wrote:Pardon me if I was unclear.

The VPN Gateway has 193.168.1.x addresses

Jeff Andre'


Sorry, misread that as 192 for some strange reason. On the Site 2 Gateway machine, what is the full list of routes if you look in the VPN configuration ?

Second, if you check on the VPN main tab, go to "General". Is the checkbox for "Rip v 2" ticked ?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby adrien » Sep 15 03 12:10 pm

Couple of things here

193.x.x.x is a public address, so the interface may be deemed external, which could well mess up VPN.

Secondly, you say that you are exporting only 192.168.1.100 on the gateway. This means you are only exporting effectively a pinhole route to that machine only. You need to be exporting a route that looks like 192.168.1.0 mask 255.255.255.0 in order for the rest of the subnet to be able to access the VPN.

Adrien
adrien
Qbik Staff
 
Posts: 5406
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Jeff Andre » Sep 16 03 2:48 am

The 193.x.x.x is a private address behind a router. The router is connected to a cable modem, and it receives a dynamic IP address from the cable modem. The router is currently providing DHCP for Site 2, but I have a permanent address of 193.168.1.100 for the Gateway machine.

Pascal,

Yes, the "Rip v 2" box is ticked. Unfortunately, I'm at Site 1, so I have to get someone at Site 2 to give me the route list for Site 2. I'm trying to get someone on the phone now, and will post the routes as soon as I get them.

Adrien,

I agree with what you are saying about the pinhole route being the only thing exported, but that's not a choice I made, it is what the VPN software has done by itself. I agree that a route of 192.168.1.0 MASK 255.255.255.0 should be exported on Site 2, and that the Ripclient on the workstations should pick that up, allowing those machines access to all the other machines on the 192.168.1.0 subnet. This isn't happening, and I don't see a way to "add" a route to be exported.

If I manually add that route to a workstation at Site 2, I still can't access or even ping any 192.168.1.0 addresses. It's like the Gateway machine isn't routing at all.
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA

Postby Jeff Andre » Sep 16 03 3:01 am

Just thought I'd post one other bit of information.

I can configure the machines & routing at Site 2 just about any way necessary to get this working. One reason we bought the router we have there was to get a Firewall outside of any machines on the subnet, so I wasn't planning on having all machines at Site 2 go through a single machine as a gateway to the Internet, but if that's what it takes to make this work, I can set it up that way. I think that would require me to set up another NIC in that machine, though, and to set up a third subnet address (194.168.1.0) for the workstations, and treat the 193.168.1.100 address as a "public" address as I believe someone suggested. Seems a lot of juggling to get this to work, but if it's what I have to do, so be it.

I suppose that would mean I'd have to do the same thing at Site 1 to get it to work as well. Is that a correct assumption?

I tried taking one workstation and setting its default gateway to 193.168.1.100 (the gateway server). This didn't work, I still couldn't see the 192.168.1.0 subnet (or VPN server) from that workstation.

It seems to come down to the Gateway machine not exporting routes, and not routing (even if I put in manual routes on the workstations).

The same situation is occurring at Site 1. The VPN server can see the gateway machine at Site 2, but is not exporting routes, nor routing traffic to Site 2 if a manual route is installed on a workstation at Site 1.

Obviously, I'm missing something basic on both installations. Since the VPN server at Site 1 is WinNT 4.0, and the Gateway server at Site 2 is WinXP, I don't think it's OS related, but could be wrong.

Kindest Regards
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA

Postby Jeff Andre » Sep 16 03 3:30 am

Routes on Gateway Server:

http://www.secondlookhomes.com/routes.jpg

Kindest Regards
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA

Postby adrien » Sep 16 03 8:55 am

I think there is a bit of confusion about public and private addresses.

the RFCs (basically standards for the internet) define what are private addresses and what are deemed public addresses. The defined private addresses are:

192.168.X.X
172.10.X.X - 172.31.X.X
10.X.X.X

These are the only private addresses defined. Any other (except for loopback - 127.X.X.X) is deemed a public address, whether it is accessible to the internet (behind a router) or not.

So WinGate is interpreting that 193.X.X.X address as a public address. This means that WinGate will deem the interface to be external, and will only export a pinhole route to it, since it is unsafe to export a route for an external subnet.

You will need to go into Options->Advanced->Network Interfaces, and make sure that this interface is deemed to be internal and trusted before WinGate VPN will offer you a non-custom means of exporting a route for that network.

Adrien
adrien
Qbik Staff
 
Posts: 5406
Joined: Sep 03 03 2:54 pm
Location: Auckland
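
Added example (not part of the thread and not WinGate's code): a Python model of the rule described above, where an interface address outside the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) is treated as external and only a host ("pinhole") route is exported. The function names are hypothetical; the addresses are the ones quoted in the thread.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def exported_route(addr, mask):
    """Model of the export rule described in the thread (an assumption,
    not WinGate source): a private interface exports its whole subnet,
    an interface judged external exports only a /32 host route."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    if is_rfc1918(addr):
        return iface.network
    return ipaddress.ip_network(f"{addr}/32")


def sites_overlap(net_a, net_b):
    """True if two site subnets overlap, which makes VPN routing ambiguous."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


if __name__ == "__main__":
    # Interface addresses quoted in the thread, all with a /24 mask.
    for addr in ("192.168.1.2", "193.168.1.100", "192.168.2.100"):
        kind = "internal" if is_rfc1918(addr) else "external"
        print(f"{addr:15} {kind:8} exports {exported_route(addr, '255.255.255.0')}")
    print("192.168.1.0/24 vs 192.168.2.0/24 overlap:",
          sites_overlap("192.168.1.0/24", "192.168.2.0/24"))
```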

Postby Jeff Andre » Sep 16 03 12:34 pm

I had forgotten that. Someone else set up the subnet at Site 2, and chose the address scheme. I'll change it to 192.168.2.x. That should clear up that issue. I can do that pretty quickly. I'll let you know the result.

Kindest Regards
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA

Postby Jeff Andre » Sep 16 03 1:58 pm

Ok, so we've made more progress. Correcting the IP address problem had the following results.

Site 1 VPN Server is now publishing an appropriate route to the subnet at Site 1. I can see the Gateway machine at Site 2 from any machine at Site 1 running the Ripclient, so the Ripclient is working at Site 1 as well.

Now for the bad news - the Gateway at Site 2 doesn't appear to be publishing appropriate routes for machines at Site 2 to see the VPN server or other machines at Site 1.

The good news is that if I manually add a route (192.168.1.0 Mask 255.255.255.0 192.168.2.100) to a workstation at Site 2, then it can see the VPN server and machines at Site 1, and everything seems to work as it should. This says to me that:

1. The Gateway is routing, but not publishing
or
2. The rip client is not picking up the routes

The routes from the Gateway machine are at http://www.secondlookhomes.com/routes.jpg

It seems to me there should be a route of 192.168.1.0 MASK 255.255.255.0 192.168.2.100 as a published route.

What am I missing? We are soooooo close to having this working.


Kindest Regards
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA

Postby adrien » Sep 16 03 2:33 pm

There are 2 kinds of publishing. In general when we refer to publishing routes in the VPN, we mean that when a node joins the VPN, it tells all the other nodes (offices) in the VPN what subnets are available through it.

The other sort is publishing via RIP broadcasts on the VPN server. The routes that are published by RIP are the routes that that node learned from other nodes (i.e. all the other published routes from other nodes)

This is what the RIP client listens for, so it can learn of routes to other subnets over the VPN.

Are you sure that RIP broadcasts are enabled on the gateway machine in network 2?

Routes that the RIP client creates should show up in the route table of the machine the RIP client is installed on, so it sounds indeed like the RIP server in WinGate VPN is not broadcasting the updates.

Adrien
adrien
Qbik Staff
 
Posts: 5406
Joined: Sep 03 03 2:54 pm
Location: Auckland
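
Added example (not part of the thread and not WinGate's code): a Python check for whether a captured RIP datagram actually advertises the route the workstations need. It assumes the gateway's broadcasts use the standard RIPv2 response format from RFC 2453 (UDP port 520); the thread shows no packet capture, so the sample datagram is constructed and the function names are hypothetical.

```python
import ipaddress
import struct

RIP_PORT = 520            # UDP port used by RIP (RFC 2453)
ENTRY = "!HH4s4s4sI"      # AFI, route tag, address, mask, next hop, metric


def build_response(routes):
    """Build a RIPv2 response datagram; used here to construct sample input."""
    pkt = struct.pack("!BBH", 2, 2, 0)   # command=response, version=2, zero
    for net, next_hop, metric in routes:
        n = ipaddress.ip_network(net)
        pkt += struct.pack(ENTRY, 2, 0, n.network_address.packed,
                           n.netmask.packed,
                           ipaddress.ip_address(next_hop).packed, metric)
    return pkt


def parse_rip(pkt):
    """Return [(network, next_hop, metric)] from a RIPv2 response."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("truncated RIP datagram")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != 2 or version != 2:
        raise ValueError("not a RIPv2 response")
    routes = []
    for off in range(4, len(pkt), 20):
        afi, _tag, addr, mask, hop, metric = struct.unpack(ENTRY, pkt[off:off + 20])
        if afi != 2:                     # e.g. 0xFFFF authentication entry
            continue
        if not 1 <= metric <= 16:
            raise ValueError("metric out of range")
        net = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}",
            strict=False)
        routes.append((str(net), str(ipaddress.ip_address(hop)), metric))
    return routes


def missing_routes(pkt, wanted):
    """Wanted networks not advertised as reachable (metric 16 = unreachable)."""
    reachable = {net for net, _hop, metric in parse_rip(pkt) if metric < 16}
    return [w for w in wanted if str(ipaddress.ip_network(w)) not in reachable]


# Constructed sample: a gateway advertising only the Site 1 subnet.
SAMPLE = build_response([("192.168.1.0/24", "0.0.0.0", 1)])
```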

Postby Jeff Andre » Sep 16 03 4:46 pm

I'll check tomorrow, but I'm sure that it was enabled. I can try re-installing the software on the Gateway machine as well, just to be sure.

Thanks again
Jeff Andre
SecondLook Homes, LLC
Jeff Andre
 
Posts: 7
Joined: Sep 16 03 2:25 am
Location: Chapel Hill, North Carolina, USA
