Forum for all technical support and troubleshooting of the WinGate VPN.

Internet Access on LAN blocked by WinGate VPN

Oct 12 04 9:03 am

I am trying to install WinGate VPN on a 3 PC LAN. I have it installed on the server which also shares the DSL connection via a shared ethernet adapter and DSL modem. When WinGate VPN is running, internet access to other machines is blocked. When WinGate VPN is stopped, access is fine. Nothing shows up in the Firewall window, and it is disabled. The other machines do show up in the History window.

Suggestions?

Thanks - Ken in Montana

Oct 12 04 9:25 am

Which version of WinGate VPN are you using?

Oct 12 04 9:45 am

Hello

I am using WinGate VPN 6.0.3 Build 1005

Oct 12 04 9:46 am

That's good. When you look at the different adapters you have, are they marked as "Internal" and "External" correctly?

Oct 12 04 9:48 am

I believe so.

The LAN shows internal.

There is also a 1394 which shows as Auto Detect and is currently disabled.

Oct 12 04 9:54 am

When you say your Ethernet Adapter is shared - how are you sharing that? Are you using Microsoft's Internet Connection Sharing?

Oct 12 04 9:55 am

I am setting this up on 2 of the 3 PCs in the LAN. The third PC has had no changes and cannot access the internet when WinGate VPN is running on the Server. If WinGate VPN is turned off, access is fine. All firewalls have been disabled for now.

The 1394 is not on the server... It is on the first laptop in the LAN.

The two network adapters on the Server do indicate the correct status of Internal and External.

Oct 12 04 9:56 am

Yes -

The server has a DSL connection via a network card. It is shared via Network connections sharing (win 2000 pro).

Oct 12 04 10:18 am

Okay, just to confirm the setup here because that last post threw me a little bit. You have 3 PCs in your LAN - one is your internet Gateway, connected to the DSL modem with another ethernet adapter connected to your local network. The other two computers use that machine as their internet gateway.

Where are you installing the software? As far as I understand it you're only installing it on the gateway - but the "I am setting this up on 2 of the 3 PC's in the LAN" threw me a bit.

Just want to nut the setup out, because we're going to set it up here. I'm currently suspecting that there might be some interaction between WinGate VPN and ICS that might need some configuration tweaks, but need our QA team to configure a test-rig that is like yours so we can verify what needs to be done.

Oct 12 04 10:23 am

You are correct

3 machines - Server (Win 200 pro with Wingate VPN installed) and 2 other pc's

The Server shares the DSL connection over the LAN

The server has 2 network cards, one for the lan, one for the DSL modem.

Internet is available to other PC's when Wingate VPN is Disabled on Server.
No Internet is available if Wingate VPN is running.

Sorry for confusing things.

Oct 12 04 10:53 am

Some additional information if necessary -

Lan card in server is assigned 192.168.0.1
DSL card in server does not have specific IP address

Other 2 PC's do not have specific IP addresses

Oct 12 04 10:55 am

Got the test rig up and running. On your server setup open the ENS properties. (GateKeeper -> VPN -> Extended Networking). Disable support for multiple-subnetworks.

In my case, that made it all work fine - VPN access was available, etc. Genie is just checking the ENS code to see where it could cause problems, etc. (Disabling that). Will post back if there is anything.

Oct 12 04 11:06 am

Shazam - Works fine.

Thanks for the help. I will check back for future posts.

...and will most likely be back for more help....

Oct 12 04 11:38 am

OK - It looks like it is working - I have the laptop on a dial up connection and I can see the server on the VPN.

However, I can't see anything beyond that. How do I access files and map drives? It does not show up in Entire Network in Explorer.

Oct 12 04 11:42 am

The first thing to do would be to check if the laptop can actually ping the server's internal IP. Then, we know that your tunnel is set up correctly, etc.

Seeing the machine in the VPN UI simply means that the control channel (TCP) has communicated its knowledge about its end of the network to the remote network's VPN Node. The tunnel is still required to be up and working before that information will travel across the MS network level.

It is possible, especially if your DSL device provides NAT/Firewall, that it is blocking / preventing the traffic coming back in on port 809 (UDP). Another thing to be sure of is that File and Printer sharing is enabled on the appropriate adapters.

Oct 12 04 11:52 am

No ping response from laptop to server or server to laptop

Oct 12 04 12:01 pm

Alright, that means that somewhere along the line your tunneled packet is being blocked. In our setup it wasn't blocked by ICS/etc. so I suspect your DSL Adapter might be to blame.

When you have the VPN connected, can you do a "tracert <internal-ip>" to see how far it goes before the packet disappears? I suspect you'll see it hit the VPN Node and not go any further than that.

Does your DSL Adapter provide port forwarding / virtual servers or something similar to that? If it does, make sure that you have port 809 UDP allowed to come through to your VPN Server. Our VPN Setup Guide (Under WhitePapers in http://www.wingate.com/resources.php) has a good listing of tests and scenarios you need to go through when you are experiencing these kinds of problems.

Oct 13 04 2:23 am

Should I assign a fixed local IP address to each of my network PCs, or will it work to keep everything dynamic?

Oct 13 04 9:30 am

Depends on where you are assigning the dynamic IPs from. If you are doing that from the gateway to the client PCs, that's fine. (In fact, Microsoft recommends that if you're using ICS, don't they?)

However, if you have to set up port translations / forward / virtual servers for your ADSL device then I'd recommend keeping the server's IP fixed. (Internal, at least)

Oct 14 04 8:39 am

I found my next hurdle. I have MSN/Qwest DSL service. MSN purchased and provided the DSL modem direct from Arescom (Arescom NetDSL 800). According to QWest support, they had them hard programmed with a firewall and a subnet mask of 255.255.255.252. QWest says this limits the modem to 3 IPs.

Server = 192.268.0.1
DSL Modem = 192.168.1.1
Lan card for modem = 192.168.1.2

http://bespin.org/~merwin/arescom/ gives me a Setup program and instructions that are supposed to allow me to disable the modem firewall and forward IPs and Ports. However, the program cannot detect the modem.

Does this sound right? Just hand it to MSN to keep us down.

I have ordered a different DSL modem (ActionTEC GT701). QWest says this should be able to handle the setup.

Any comments?

After that we have the issue of local LAN vs. Remote client.

The laptop is on a docking station during the day on the LAN. Every night it goes home to work via the VPN. Can the laptop have a different subnet than the LAN so it won't mess up the VPN when it is remote? Does that make sense...

I changed the from a dynamic IP to a fixed 192.168.3.1 and it would not see the LAN. What next?

Oct 14 04 9:22 am

What operating system do you have on the laptop? With XP you can specify an alternative configuration (Which will be one way to go). You can then specify the office network in the fixed config (OR use DHCP) and switch to an alternative configuration (XP does that automatically) when you plug it into the home network.

Secondly, the joining machine itself does not need to have a fixed IP. We recommend that the server has a fixed IP / name to find it by - and generally it simplifies the configuration if you have a fixed internal IP for the VPN Server. The joiner doesn't need that though. So, you could switch the laptop to DHCP, have the VPN Server issue it an IP when you're on your network at the office; have your local network at home serve it an IP when you're there.

That said, unless it's on a local area network at home; you don't even need the private IP at that time.

Oct 14 04 10:36 am

My laptop is WinXP Pro

Home LAN

ActionTEC 1524 DSL Modem/Router provided by QWest - 192.168.1.1
NetGear WGT624 Wireless Router/hub - 192.168. ? . ?

I can't remember which assigns IPs to the LAN.

Would it make sense to change the Home IP range to 192.168.20.*** ?

Both Home and Office would have DHCP assign IPs to the laptop as needed.

Do I need to configure anything on my home Router/NAT/Firewall?

Oct 14 04 10:39 am

Ken in Montana wrote: instructions that are supposed to allow me to disable the modem firewall and forward IPs and Ports. However, the


You don't need to disable the firewall. All you need to do is make sure that port 809 UDP and port 809 TCP will successfully traverse it.

Oct 14 04 10:42 am

Ken in Montana wrote: ActionTEC 1524 DSL Modem/Router provided by QWest - 192.168.1.1 Would it make sense to change the Home IP range to 192.168.20.*** ?


Definitely. Your two networks should be on different subnets. Remember, WG VPN is a routing solution (As per the Setup Guide). If your remote networks share a private subnet range, then you have to set up very, very specific routing for it all to work happily together. That amount of configuration is normally more pain than it is to just renumber one network (As you are suggesting here).

Ken in Montana wrote: Do I need to configure anything on my home Router/NAT/Firewall?


If there is an intermediary NAT, then it is possible that you might need to set up the port forwarding there as well.
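
An added example (not part of the original thread and not Qbik's code): a Python check for the subnet overlap discussed in the post above, showing why a destination that falls inside two sites' ranges cannot be routed unambiguously. The addresses are taken from the thread; the /24 prefix lengths, the site names and the idea of treating the office modem link as its own range are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inventory. Only the modem link's mask (255.255.255.252) is
# stated in the thread; the /24 prefixes are assumed for illustration.
SITES = {
    "office LAN": "192.168.0.0/24",
    "office modem link": "192.168.1.0/255.255.255.252",
    "home LAN (current)": "192.168.1.0/24",
}

def find_overlaps(sites):
    """Return (site_a, site_b) pairs whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]

def owners(addr, sites):
    """Return every site whose range contains addr.

    More than one owner means a router joining these sites cannot tell
    which side the packet belongs to without per-host routes.
    """
    ip = ipaddress.ip_address(addr)
    return [name for name, cidr in sites.items()
            if ip in ipaddress.ip_network(cidr)]

def renumber(sites, name, new_cidr):
    """Return a copy of the plan with one site moved to new_cidr."""
    plan = dict(sites)
    plan[name] = new_cidr
    return plan

if __name__ == "__main__":
    print("overlaps now:", find_overlaps(SITES))
    print("192.168.1.1 belongs to:", owners("192.168.1.1", SITES))
    # The renumbering proposed in the thread: home range -> 192.168.20.x
    plan = renumber(SITES, "home LAN (current)", "192.168.20.0/24")
    print("overlaps after renumbering:", find_overlaps(plan))
    print("192.168.1.1 belongs to:", owners("192.168.1.1", plan))
```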

Oct 14 04 10:50 am

Thanks for all of the help.

The specs for both ActionTEC modems say they support VPN as pass through (contingent upon operating system setup).

As soon as I get the new modem I will try the setup and see what goes from there.

Did I see correctly in another chat that Qbik has a test VPN? Is that a VPN I can try to connect to as a test of my setup?

Can you e-mail me a config file for it ?

Oct 14 04 10:57 am

Remember- Qbik VPN is a different protocol to other VPN systems. So, it might not conform to what the modem deems 'VPN pass through'.

Yes, we do have a test VPN. Let me see if I can dig the config up from Matt, then I'll send it to you.

*edit* - On its way ...

Oct 20 04 11:18 am

Hello - I'm back

I have worked through many of the hurdles (routers & IP's). I have set up the Wingate Test VPN and connected successfully. I have been able to ping the server in the office from the laptop, but can't connect to the VPN beyond that. Suggestions?

Oct 20 04 11:20 am

Machines on that LAN need to know about the VPN as well. They have to:

(a) Use the VPN Server as their gateway
(b) Have static routes through to your home network
(c) Have the RIP client listening and the VPN Node must be publishing learned routes

Oct 20 04 11:22 am

I'm not trying to reach the LAN, just the server. Can I e-mail you my VPN config file for you to try?

Oct 20 04 11:24 am

Sure. However, give me a bit more explanation then, because you said you are "able to ping the server in the office, but can't connect to the VPN beyond that".

So, you can't ping anything on the VPN? When I get the config file, which machines should I be trying to reach?