Host not accessible over DSL to DSL routers

Forum for all technical support and troubleshooting of the WinGate VPN.

Moderator: Qbik Staff

Postby wmason » Sep 20 03 12:34 pm

I have installed the client on my laptop and the VPN Server in my office. Both systems are running Windows XP Pro (SP1) and connected to LANs behind DSL routers.

I've opened port 809 on both routers.
QUESTION 1: Do I only need to open port 809 on the server side router? When I'm traveling I have no control over the firewall on the client side (using the laptop in a hotel or customer site).

The office subnet is 192.168.1.x and laptop is connected to subnet 192.168.2.x. I've disabled the Wingate firewall on each side.

When I attempt to connect from the laptop, the tunnel comes up and looks OK, but the office machine shows "not accessible". I've installed the RIP2 client on the office machine, but this does not help.

I've read the VPN whitepaper, but that has not helped in getting this working. Connecting two machines over DSL router to DSL router would seem to be a common enough environment that I would think that you would have examples of doing that readily available.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 20 03 1:03 pm

You should only need to set up pinholes at the server end. On the client end, it should connect out fine.

What events do you get logged in the history window on the client? Does it log one about the port being changed?

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby adrien » Sep 20 03 1:22 pm

Hi

I think you may have found a problem in our VPN design.

I think we can fix it very easily.

Basically it seems we do not cope very well if a server is behind a NAT and there is more than one VPN client connecting.

I will do some more investigation. Would you be willing to test a newer version to fix this? We are very close to releasing 5.0.8 (VPN 1.0.8) and I will do some more testing to make sure this works.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 20 03 2:32 pm

Hello Adrien,

You are correct that the server is behind a NAT, however, I have only been connecting with a single VPN client (so far).

Yes, I would be willing to test a newer version.

I'm glad to see that you've taken the product back from Deerfield. I was very frustrated with their lack of support.

Regards,
Warren
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 20 03 5:02 pm

One other thing

Make sure you opened both TCP (Control Channel) and UDP (VPN data tunnel) on port 809.

Single client should probably actually work. Still looking though - some of it will depend on what your local NAT does when it pinholes the connection in.

If you look in the server VPN log files, what do you see when a connection is made? You may need to enable debug logging for VPN.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 22 03 8:36 am

Port 809 is opened for both TCP and UDP on both DSL gateways.

I have been able to use pcAnywhere from the laptop to the same office machine, so I know that port forwarding from the DSL gateway does work.

For some reason, when I try it now, I'm getting different symptoms.
The message I'm getting on the client now is:
"The VPN connection to 'WHMINC VPN' has failed. Connection refused by Remote Host ". There is no log entry on the remote host.

I've gotten to the point before where I could see the machines on the remote (office) network, but was not able to browse the host machine.
I'm not sure what has changed, that is now preventing the tunnel from connecting.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby wmason » Sep 22 03 8:47 am

One other thing. I noticed in your response on one of the other threads that RIP2 should NOT be installed on the gateway machine.

Based on messages I saw on the Deerfield forum, I installed the RIP2 client on the gateway machine. This may explain the regression in behavior. I presume that I should remove it.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 23 03 11:19 am

Yes, definitely take it off that machine.

I found a bug related to that also on Sat, where if the RIP client is installed on a WinGate VPN machine, it prevents the VPN manager from loading, so you will not get any VPN connections.

I also now here in the lab have VPN working through 2 NATs (and even piped through a TCP and UDP mapping proxy as well), so we should be able to help you out.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 24 03 7:37 pm

There did not appear to be a way to remove the RIP2 client, per se, but I did uncheck the RIP2 checkbox on the General properties tab.

Now when I attempt to connect from the remote I get the message:
"Connection to remote host timed out". There are no messages in the gateway log. I was getting farther than this before.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby wmason » Sep 24 03 7:56 pm

One more thing.

I normally have Norton Internet Security (firewall) running on both machines.

When I disable NIS on both machines, the message I get when I attempt to connect is: "Connection refused by remote host". Again, no messages appear in the gateway log.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm
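
The two client messages reported above ("timed out" with the firewall running, "refused" with it disabled) are different TCP outcomes, and telling them apart narrows the fault. The following probe is an added example, not code from the thread or from Qbik; it checks only the TCP side of port 809 (a UDP forward cannot be confirmed this way), and the `demo()` listener on 127.0.0.1 is a constructed stand-in for the office gateway.

```python
import errno
import socket

VPN_PORT = 809  # port named in the thread; TCP carries the VPN control channel

# Reading of each outcome, tied to the symptoms reported in the thread.
HINTS = {
    "open": "a listener accepted TCP; move on to the UDP forward and routes",
    "refused": "host reached but nothing listening (e.g. VPN manager not loaded)",
    "timeout": "no reply; a firewall or a missing port forward dropped the SYN",
    "unreachable": "no route to the host from this machine",
}

def probe_tcp(host, port=VPN_PORT, timeout=3.0):
    """Attempt one TCP connect and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def demo():
    """Constructed offline check: probe a local listener, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, stands in for TCP 809
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    for state in demo():
        print(state, "->", HINTS[state])
```

Run against the office router's public address from outside the office LAN, `probe_tcp(address)` returning "refused" points at the gateway service rather than the router's port forward.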

Postby adrien » Sep 25 03 2:49 am

To stop the RIP client from running, you can go into the Control Panel -> Administrative Tools -> Services and disable it.

Or you can run the command line command on it: Ripclient.exe /u

I think that will uninstall it.

Disabling the RIP checkbox in GateKeeper only means you don't do RIP broadcasts. You will need to stop the RIP client in order for the VPN manager to start up and get a connection. You will also need to restart the engine to get the VPN manager to start again.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 25 03 5:04 am

Thanks. I disabled and removed the RIP2 service on the gateway. Now I am back where I started.

The remote now shows "Connected: SSL control channel negotiated" and now have an icon for the host Windows network. When I expand the icon for the host network, the gateway machine is visible, but shows as "not accessible".
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 25 03 8:16 am

OK, looks like we're getting somewhere...

What routes are exported from the remote gateway machine that is showing as inaccessible?

Also what sort of license is on there - it will give you values for number of VPNs to join, host and number of clients behind the gateway.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 25 03 6:34 pm

License info on the laptop shows VPN Type=Remote Client, Can join=unlimited. Can host=1. Computers behind VPN=1.

The office machine shows VPN Type=Server, Can Join = unlimited, Can host=1, Computers behind VPN=unlimited.

Looking at the local network on the host shows the following published routes: 1) Behind NAT translated. 2) 192.168.1.0/255.255.255.0 (disabled) 3) 192.168.1.101/255.255.255.255

Looking at the host VPN properties the 192.168.1.0 route shows as Not Published. I tried changing that route to published. After changing it, it no longer appears as disabled, but the gateway machine still appears as "Not Accessible" at the remote client.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 26 03 10:31 pm

I think you are going to need our new drivers and engine to fix this.

We are just about to release them, but if you would rather not wait (and are prepared to be a bit of a test case) then I can send them through to you early - probably less pain than waiting and/or trying to get this current config working.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 27 03 5:11 am

Yes, please go ahead and send the beta drivers.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby wmason » Sep 29 03 4:08 pm

Hello Adrien,

In an earlier post you had indicated that you had gotten NAT to NAT routing working in the lab? Was this with the beta drivers, or by adding routes? If it was by adding routes, what routes did you need to add?

Interestingly, from the VPN client (192.168.2.200), I can ping the office DSL router (192.168.1.1), but I can not ping the gateway machine (192.168.1.101).

However, from the gateway machine (192.168.1.101), I get "host unreachable" when I try to ping either the remote DSL router (192.168.2.1) or the remote client (192.168.2.200).

Since the only published routes on the host were 192.168.1.0 and 192.168.1.101, there did not appear to be a route to the remote machine. So I tried adding a route for 192.168.2.0 via 192.168.1.101, but that didn't help.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Sep 29 03 10:43 pm

Hi

Just sent the files, so they should be coming through soon.

One thing to note though, is that you shouldn't manually create routes on the VPN Gateway machines to other branches of the VPN, as this will create conflicts with the routes learned from these other branches when they connect.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby wmason » Sep 30 03 6:40 pm

Adrien, thanks for the beta drivers.

I installed on both the remote client and the gateway machine. I'm not seeing any change in symptoms. The tunnel connects just fine, but the gateway machine still appears as "not accessible".

On the gateway log, I see "Local network of <remote> has joined <host-vpn>" and "Tunnel to node local network of <remote-client> with ID 2 active".
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

1.0.8 drivers cause Blue Screen on reboot

Postby wmason » Oct 01 03 6:59 am

After installing the 1.0.8 drivers, and rebooting, I get a blue screen halt upon booting the remote client. Please see my message in the 1.0.8 driver thread for details.
wmason
 
Posts: 21
Joined: Sep 20 03 12:09 pm

Postby adrien » Oct 02 03 7:21 pm

Hi

I note your other thread - if you are willing to keep going I am happy to help.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

