Apache Server behind VPN??????????????

Forum for all technical support and trouble shooting of the WinGate VPN.

Moderator: Qbik Staff


Postby CraggY » Mar 26 04 5:56 am

I have 2 sites connected by VPN. On site A there are about 35 WinGate clients all using a Windows 2000 Server domain. One of the 35 clients is set up as the gateway with WinGate installed, using a 2 Mbit DSL line. The address range of this network is 10.10.1.x with a subnet of 255.0.0.0. The Windows 2000 server issues all the DHCP data including gateway and DNS info. On the second site, site B, there is a Windows 2000 Professional computer with WinGate installed with a 1 Mbit DSL line and 3 clients. 2 of these clients are running Windows 2000 Professional and 1 is running an Apache web server with an internal company website. The address range of this network is 192.168.1.x with a subnet of 255.255.255.0. WinGate issues all the DHCP info for this site.

When I VPN from site B to A I can access all file and printer shares on either site flawlessly, but I am unable to access the internal website from site A over the VPN. I can access it locally on site B without a problem, but once I disconnect one of the laptops and connect it through VPN from site A I get a timeout after about 5 minutes in Internet Explorer. The address I use to access the site is http://192.168.1.11:8080/x

I can ping 192.168.1.11 from site A but can't access the website.

Any help would be appreciated.
CraggY
 
Posts: 14
Joined: Nov 25 03 12:30 am

Postby Pascal » Mar 26 04 11:39 am

Can you browse to the computer and access its resources? Without jumping too far ahead of it, this could be an MTU problem.

On some types of connection, there is a reduction in the MTU (Maximum Transmission Unit, which is a measure of the largest packet payload that may be sent over a network interface or point to point link). For instance PPPoE connections reduce the MTU by 8 bytes. The standard MTU for Ethernet is 1500 bytes, which means you can have up to 1500 bytes of payload over Ethernet. The Ethernet frame itself has a 14-byte header, so the actual maximum packet size (as opposed to the MTU) is 1514. WinGate VPN reduces the MTU as well, since the encryption and tunnelling require approx 50 - 60 bytes per packet.

If there are MTU issues, you can find that large (maximum size) packets can be lost. This produces strange effects such as:

Able to connect to a network share, prompted for a password, etc. but unable to browse large directories or transfer files.
Network drive mappings are disconnected and are generally unreliable.

Using Ping, you can send packets of different sizes. WinGate VPN fragments packets (if allowed) when it transfers them across the VPN. Therefore you should be able to send large ping packets successfully across the VPN if everything is working properly. If not, then once you get to a certain size, they will stop working.

To send a packet of a certain size, use the -l switch on the ping command. e.g.

ping 192.168.1.1 -l 1422

This will send a ping packet with a 1422 byte ICMP payload. It is important to note that the actual packet size of the ping packet is 28 bytes larger than this since the IP plus ICMP headers use 26 bytes. Therefore the example above will send a packet of 1450 bytes (not including the Ethernet header). The Ethernet header is not counted because this is stripped off and not transmitted over the VPN.

By working out the ping size that works vs the size that doesn't you can calculate what the effective MTU really is. For dialup connections and some network interfaces, it is then possible to modify the MTU so that your client machines will no longer send packets that are too big.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
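
The ping-size sweep Pascal describes, written out as a script. This is an added example, not code from the post or from Qbik; it builds the platform-specific ping command (`-l` on Windows, `-s` on Linux, which both set the ICMP payload size), binary-searches the largest payload that still gets a reply, and converts that to the MTU the path really carries. The 28-byte header figure is 20 bytes of IPv4 header plus 8 bytes of ICMP echo header; the 1472 upper bound is the largest payload that fits a 1500-byte Ethernet MTU. `simulated_path` is a constructed stand-in for a real link so the search can be exercised offline, and the 60-byte tunnel overhead in `tunnel_budget` is an assumption taken from the 50-60 byte range given above.

```python
"""Find the largest ICMP echo payload a path carries, and the MTU that implies.

Added example mirroring the 'ping <host> -l <size>' procedure: probe payload
sizes and binary-search the boundary between 'reply' and 'no reply'.
"""
import platform
import subprocess
from typing import Callable, List

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo request header
HEADER_OVERHEAD = IP_HEADER + ICMP_HEADER  # 28 bytes on top of the ping payload


def ping_command(host: str, payload: int, dont_fragment: bool = False) -> List[str]:
    """Build one single-echo ping invocation for the local platform.

    Windows: -l <bytes> payload, -f Don't Fragment, -n 1 one echo, -w ms timeout.
    Linux:   -s <bytes> payload, -M do Don't Fragment, -c 1 one echo, -W s timeout.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-l", str(payload)]
        if dont_fragment:
            cmd.append("-f")
    else:
        cmd = ["ping", "-c", "1", "-W", "2", "-s", str(payload)]
        if dont_fragment:
            cmd += ["-M", "do"]
    return cmd + [host]


def live_probe(host: str, dont_fragment: bool = False) -> Callable[[int], bool]:
    """Return a probe that really sends one echo and reports whether it was answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(host, payload, dont_fragment),
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def largest_working_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload for which probe() succeeds.

    Assumes a monotone boundary (sizes up to some limit work, larger ones do not).
    Returns -1 if even `lo` fails and `hi` if everything up to `hi` works.
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    # invariant: probe(lo) works, probe(hi) fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def implied_mtu(payload: int) -> int:
    """Largest IP packet the path carries, given the largest working ping payload."""
    return payload + HEADER_OVERHEAD


def tunnel_budget(outer_mtu: int, tunnel_overhead: int = 60) -> int:
    """Largest inner packet that fits in one outer packet without fragmentation.

    60 bytes is an assumed per-packet encryption and tunnelling overhead.
    """
    return outer_mtu - tunnel_overhead


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed probe for offline use: a reply arrives iff the packet fits path_mtu."""
    return lambda payload: payload + HEADER_OVERHEAD <= path_mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    best = largest_working_payload(live_probe(host, dont_fragment=True))
    print(f"largest working payload: {best}, implied path MTU: {implied_mtu(best)}")
```

Run it with the far-side address as the argument. With `dont_fragment=True` the search finds the path MTU itself, because routers and the tunnel are forbidden to fragment; with it off, which is what the post's plain `ping -l` does, a healthy tunnel should answer every size up to 1472 and a size where replies stop indicates that large packets are being lost rather than fragmented.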

Postby CraggY » Mar 26 04 3:17 pm

I have used a utility called DRTCP to change the MTU on both sites but this hasn't helped my situation at all. Could this be a routing problem? Do I need to set a static route to the Apache server on port 8080 or something? If so, how do I do this??

Postby Pascal » Mar 26 04 3:19 pm

No, the static route should not be necessary. If you can ping it across the VPN and browse to it (Including opening files) across the VPN then everything else should be working fine.

Postby CraggY » Mar 26 04 3:38 pm

The Apache server is running on Linux. I can ping the address without problem but can't browse any shares because it's non-Microsoft.

Postby genie » Mar 26 04 3:51 pm

Try running tcpdump on the Linux machine and see what kind of traffic it receives from your client through the VPN channel - take a look at the TCP options (MSS).
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am
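
What to look for in that capture: the MSS each end advertises in its SYN is the largest TCP segment it is inviting the peer to send, so an MSS of 1460 (the Ethernet default) on a tunnel that can only carry roughly 1440 bytes of inner packet means every full-size segment will exceed the tunnel's budget, while small exchanges (ping, a login prompt, an HTTP error line) go through untouched. The parser below is an added example, not genie's or Qbik's code. It reads tcpdump's one-line SYN output, as produced by `tcpdump -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0'`, pulls out the MSS, and flags values too large for a given tunnel MTU. The sample lines are constructed, and the 1440-byte tunnel figure is an assumption derived from the 50-60 byte overhead estimate earlier in the thread.

```python
"""Extract advertised MSS values from tcpdump SYN lines and flag oversized ones.

Added example. Works on tcpdump's default (non -v) one-line output, e.g.:
  IP 10.10.1.55.3421 > 192.168.1.11.8080: Flags [S], ..., options [mss 1460,...]
"""
import re
from typing import Dict, Iterable, List, Optional

IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) without options: MSS + 40 = packet size

_SYN_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?options \[(?P<opts>[^\]]*)\]"
)

# Constructed sample capture: client SYN, server SYN-ACK, a plain ACK, and a
# second client that advertises a smaller MSS.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 10.10.1.55.3421 > 192.168.1.11.8080: Flags [S], seq 1000, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:15:01.000452 IP 192.168.1.11.8080 > 10.10.1.55.3421: Flags [S.], seq 2000, ack 1001, win 5840, options [mss 1460,nop,nop,sackOK], length 0
10:15:01.000900 IP 10.10.1.55.3421 > 192.168.1.11.8080: Flags [.], ack 1, win 65535, length 0
10:15:02.100000 IP 10.10.1.60.3500 > 192.168.1.11.8080: Flags [S], seq 3000, win 65535, options [mss 1380,nop,wscale 0], length 0
""".splitlines()


def parse_syn_mss(line: str) -> Optional[Dict]:
    """Return endpoints, direction and advertised MSS for a SYN/SYN-ACK line.

    Returns None for lines that are not SYNs or carry no MSS option.
    """
    m = _SYN_RE.search(line)
    if not m or "S" not in m.group("flags"):
        return None
    mss = None
    for opt in m.group("opts").split(","):
        opt = opt.strip()
        if opt.startswith("mss "):
            mss = int(opt.split()[1])
    if mss is None:
        return None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn_ack": "." in m.group("flags"),   # tcpdump prints SYN-ACK as [S.]
        "mss": mss,
        "implied_mtu": mss + IP_TCP_HEADERS,  # packet size a full segment produces
    }


def find_oversized_mss(lines: Iterable[str], tunnel_mtu: int) -> List[Dict]:
    """Return every SYN whose MSS would let the peer send segments that do not fit tunnel_mtu."""
    max_safe_mss = tunnel_mtu - IP_TCP_HEADERS
    flagged = []
    for line in lines:
        rec = parse_syn_mss(line)
        if rec and rec["mss"] > max_safe_mss:
            rec["max_safe_mss"] = max_safe_mss
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for rec in find_oversized_mss(source, tunnel_mtu=1440):
        who = "server" if rec["syn_ack"] else "client"
        print(f"{who} {rec['src']}:{rec['sport']} advertises mss {rec['mss']} "
              f"(needs <= {rec['max_safe_mss']} for a {1440}-byte tunnel)")
```

Feed it a saved capture (`tcpdump -nn ... > syns.txt`) or run it as-is on the built-in sample. If both sides advertise 1460 over a 1440-byte tunnel, the fix is to clamp the MSS at the gateway or lower the interface MTU on the hosts, which is what the DRTCP step later in the thread attempts on the client side.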

Postby CraggY » Mar 31 04 12:00 pm

I set up another computer on the network running Windows 2000 Pro and a website hosted with Microsoft IIS. This new site works locally but, as with the Linux-hosted site, it is inaccessible over the VPN. Please can you give me some insight into this as I am getting desperate. Cheers....

Postby Pascal » Mar 31 04 12:02 pm

With this new server, can you reach it using normal networking? I.e. browse, etc.?

Postby CraggY » Mar 31 04 12:04 pm

Yep, not a problem, even installed a printer and did a test print over VPN.

Postby Pascal » Mar 31 04 12:06 pm

What about telnet to it? I.e. telnet to the web-server port, to see if you can reach it that way.

Postby CraggY » Mar 31 04 12:08 pm

How do I do that???

Postby Pascal » Mar 31 04 12:16 pm

From your remote location, run the following from a command prompt:

"telnet <IIS server ip> <IIS server port>"

Then, type "GET filename.html HTTP/1.0" and press <CR> twice.

Postby CraggY » Mar 31 04 12:20 pm

I get a reply "could not open connection to host on port 23."

But if I ping the address I get a reply..

Postby Pascal » Mar 31 04 12:26 pm

telnet <server ip> <server port>

<server port> should normally be port 80.

Postby CraggY » Mar 31 04 12:29 pm

Nope, still the same message. Bizarre...

Postby Pascal » Mar 31 04 12:34 pm

This is bizarre. We know the VPN is working, because you can ping and browse to that web-server. The only other thing I can think of is that it is rejecting the packets for some reason (perhaps because the source address comes from a different subnet?)

Postby CraggY » Mar 31 04 12:36 pm

I disconnected the VPN connection and redialled it.
When I type "telnet 10.10.1.1 80" I get a black screen with a cursor; no matter what I type in this screen it gives the response "HTTP/1.1 400 Bad Request" etc. Then it boots me out of telnet saying connection to host lost.

Postby Pascal » Mar 31 04 12:40 pm

That's good at least, it means you can access the server. So long as it is giving you a response through the VPN, we know that it will accept packets across the VPN. Now it gets more interesting ... somewhere then, when the web-browser does the same thing, it is getting lost.

What happens if you enter http://10.10.1.1:80 in your browser?

Postby CraggY » Mar 31 04 12:42 pm

It sits for ages chewing on the request then displays "page cannot be displayed"

Postby Pascal » Mar 31 04 12:53 pm

What version of IE / browser are you using? And how is the browser configured? (In terms of access, are you just relying on the default gateway, etc. in the OS, or do you have a proxy / WGIC?)

Postby CraggY » Mar 31 04 12:57 pm

IE 6. I tried both using proxy server settings in Internet Options and setting the default gateway, but the result was the same either way.

Postby Pascal » Mar 31 04 1:04 pm

What are the odds of trying with a different browser? One of the suggestions coming from the team here was that IE6 has a rather annoying habit of making up its own mind about where to go and what to do. We've seen it ignore proxy / etc. settings, because it believed there was a better way to get FTP access. It might be misbehaving in the same way (hence the response from telnet, but nothing from IE).

Postby CraggY » Mar 31 04 1:14 pm

I just tried a Windows 98 laptop with IE4. The result was the same. I can ping and browse, but not the website.

Postby larsdennert » Apr 01 04 11:29 am

BTW, I think the telnet service is off by default in Win2k. Linux might not have a RIP listener to route back through the VPN.
larsdennert
 
Posts: 13
Joined: Oct 24 03 4:18 pm

Postby jono659 » Apr 01 04 6:52 pm

RIP 2 for Linux

www.zebra.org

JonO
Wingate VPN self help group
jono659
Senior Member
 
Posts: 150
Joined: Feb 07 04 4:53 am
Location: Canaries

Postby CraggY » Apr 02 04 12:16 pm

I have played around with this problem for ages now and am completely baffled. I can telnet to the Linux machine no problem. If I type the full address into the Internet Explorer bar, "http://192.168.1.11:8080/manage", I get asked for a username and password, which I type in, and when I press enter the text on the bar on top of the Internet Explorer screen changes to "Zope on http://192.168.1.11:8080 - Microsoft Internet Explorer" and I get 2 frames on my Internet Explorer screen but absolutely no page content. The bottom explorer bar has the text "Opening page manage_top_frame at 192.168.1.11....." After about 5 minutes I get the message Action Cancelled. Surely this must be something simple??
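
The telnet check Pascal gave earlier ("telnet <ip> <port>", then "GET filename.html HTTP/1.0" and two carriage returns) and the symptom just described (login prompt and frame skeleton arrive, page body never does) are two readings of the same probe: a connection that opens and returns a small response but stalls on a large one. The script below is an added example, not code from the thread or from Qbik or Zope; it performs the same bare HTTP/1.0 GET over a socket and classifies the result as refused, connect timeout, ok, or stalled, reporting how many bytes arrived before the stall. A stall that reliably begins once the response exceeds roughly one packet's worth of data is the signature of an MTU black hole; an immediate refusal points at the service or a filter instead. The bundled test server is constructed for offline use; its /stall handler deliberately never finishes the body to imitate the hung frame.

```python
"""Bare HTTP/1.0 GET probe (the telnet test, scripted) with a constructed test server.

Added example. http_probe() is the diagnostic; the server below only exists so
the probe can be exercised without a VPN in the way.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict


def http_probe(host: str, port: int, path: str = "/", timeout: float = 5.0,
               limit: int = 1 << 20) -> Dict:
    """Send 'GET <path> HTTP/1.0' and report what came back.

    outcome: 'refused' (TCP connect rejected), 'connect_timeout' (no SYN-ACK),
             'reset' (peer dropped the connection mid-request),
             'ok' (server finished and closed), or
             'stalled' (some bytes arrived, then nothing for `timeout` seconds).
    """
    result = {"outcome": None, "status": None, "bytes": 0}
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["outcome"] = "refused"
        return result
    except (socket.timeout, OSError):
        result["outcome"] = "connect_timeout"
        return result
    buf = b""
    with s:
        try:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            while len(buf) < limit:
                chunk = s.recv(65536)
                if not chunk:          # HTTP/1.0 server closes when the response is complete
                    break
                buf += chunk
            result["outcome"] = "ok"
        except socket.timeout:
            result["outcome"] = "stalled"
        except OSError:
            result["outcome"] = "reset"
    result["bytes"] = len(buf)
    status_line = buf.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if status_line.startswith(b"HTTP/") and len(parts) >= 2 and parts[1].isdigit():
        result["status"] = int(parts[1])
    return result


class _ProbeTestHandler(BaseHTTPRequestHandler):
    """Constructed server: /small is one packet, /large is 256 KiB,
    /stall sends headers plus a fragment of body and then holds the connection."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if self.path == "/stall":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><frameset>partial")
            self.wfile.flush()
            self.server.stall_event.wait(10)   # never finishes unless released
            return
        body = b"<html>ok</html>" if self.path == "/small" else b"A" * (256 * 1024)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_test_server() -> ThreadingHTTPServer:
    """Start the constructed server on a free loopback port in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _ProbeTestHandler)
    srv.stall_event = threading.Event()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port() -> int:
    """Bind to port 0 and release it, yielding a port nothing listens on."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(http_probe(host, port, sys.argv[3] if len(sys.argv) > 3 else "/"))
```

Against the server in the thread that would be `python probe.py 192.168.1.11 8080 /manage`; a 401 from Zope counts as 'ok' because the point is whether the response completes, not what it says. Comparing a small path with a large one across the VPN, while the same pair completes on the local LAN, separates a stuck tunnel from a misconfigured server.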

Postby X-Cutionerz » Nov 04 04 10:56 pm

Greetings,

Add'l testing notes: Verify web access to your network + Verify ISP is not
blocking port 80.

The following will verify access to your website.

Take your webserver out of the VPN for now.
o Edit/verify your Apache conf file is listening on port 80.
Restart the Apache service.
o Edit your router or (WinGate) to forward port 80 to your Apache
webserver LAN IP address.
o Test your LAN access to the website: http://192.168.x.x:
o Test your network loopback capability to the website from a LAN PC
behind your firewall (WinGate or router) same as above EXCEPT issue
the FQDN of the site, e.g., http://www.mysite.com. If this does not work,
local loopback is not set in your network BUT you can "trick" your network into thinking the http request is coming in from the WAN side by accomplishing the following:
Get a proxy script from Marketscore and paste it in your IE browser under Tools/Connections/LAN settings. Restart your browser and issue the FQDN to your website. The proxy script provides a "jump" past your firewall, hits the proxy server and returns to your WAN IP the same as a real http WAN request. This assumes your domain name has DNS servers assigned to it.
The above will at least provide you with a way to accomplish testing from behind your firewall as well as prove out your ISP is not interfering with your network directions.

Respectfully,
STeve
X-Cutionerz
 
Posts: 1
Joined: Nov 04 04 9:56 pm
