Can make VPN connection, but can’t ping server or access resources

Tags:
Firewalls
IP address
Microsoft Windows
Microsoft Windows Server 2003
Network connectivity
Networking
Router configuration
Routers
VPN
I set up PPTP VPN through our D-Link DFL-200 hardware firewall here at our company so that people could access network resources from home. The problem is, when at home, they can make a VPN connection just fine, but they can't ping the file server here at work, nor can they access or see any network resources.

Our network is on a 192.168.1.x segment, with a 255x3 subnet. The server/LAN client that I am trying to ping has a 192.168.1.x address. The VPN server has a private gateway of 192.168.1.1, and public gateway of 66.x.x.x. On the VPN server, I have set it up to where it gives out 192.168.2.x addresses to any VPN clients connecting to it. At home, my router's gateway is 192.168.1.x, the home PC is 192.168.1.x with a 255x3 subnet. The VPN client connection gives me a 192.168.2.x address with a 255x4 subnet.

I had a technician from D-Link test it on his end, and he was able to both make the VPN connection, and also ping the server and access network resources. I think the problem with most people not being able to access network resources is because their local networks at home are on the same network id (192.168.1.x) as the corporate network (192.168.1.x). Traffic is not getting passed to the corporate network because the VPN client machine sees the destination as being on the local network. Is this what's happening?

Is there an easy way I can change something so that users would not have to get into their routers at home and start changing settings (most people are not that tech savvy)? What I mean is, is there something I can do on my end here at our company?

I should mention there are two NICs installed on the file server that we are trying to get into from home. The one NIC is disabled. Can I do anything with this? The server here at work is a Windows 2003 server, which is both running DHCP and DNS. The home users have XP operating systems. I've also tried disabling any firewalls on XP, and still no luck. Thanks very much for your help.

Answer Wiki


We had a similar issue a while ago. Our office uses a different brand of firewall, but the problem is the same.

You’re right about the 192.168.1.x address conflict. That address is reserved for internal networks and is used by a lot of network products by default.

There are 3 solutions:
1) Change the office’s internal IP subnet to a different one. (this is recommended if your network is small)
2) Change the client’s internal IP subnet to a different one. (this is sometimes impossible, say, in a hotel)
3) On the firewall, assign a “Virtual IP” for the PPTP. And set up a trusted link between the virtual IP & the office’s internal IP. (this is possible only if your firewall supports it)

Right now, we’re using solution #3 as a quick fix. But we’ll change to solution #1 when there’s time.

4) There is a fourth super-duper easy solution:
Add a line to the Windows routing table that has the subnet in question assigned to whatever your VPN interface address is [192.168.2.x] with the lowest metric [1] so all traffic to that subnet is routed over the VPN, and not the LAN.
route add 192.168.1.0 mask 255.255.255.0 192.168.2.x metric 1

To automate it for the less savvy users, create a batch file with the first [insert maximum number of concurrent VPN connections allowed] lines corresponding to the addresses the VPN will assign,
like this:
route add 192.168.1.0 mask 255.255.255.0 192.168.2.1 metric 1
route add 192.168.1.0 mask 255.255.255.0 192.168.2.2 metric 1

Obviously their local network resources will become available again after they disconnect the VPN interface.
I would strongly suggest researching the case when someone attempts to connect from a 192.168.2.x subnet.
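
The following is an added example, not part of the original answer: a small Python model of the client's route lookup (longest prefix first, then lowest metric) showing why the file server is treated as local before the `route add` and goes over the tunnel after it, plus a check for the 192.168.2.x case flagged above. The interface names, the metric of 20, and the host addresses .5, .10 and .50 are constructed for illustration.

```python
import ipaddress

def route(net, iface, metric):
    """One routing-table row: destination network, outgoing interface, metric."""
    return {"net": ipaddress.ip_network(net), "iface": iface, "metric": metric}

def pick_route(table, dest):
    """Select a route the way the client does: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in table if dest in r["net"]]
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def overlaps(home, office, pool):
    """Name the address conflicts a VPN client on this home network will hit."""
    home, office, pool = (ipaddress.ip_network(n) for n in (home, office, pool))
    found = []
    if home.overlaps(office):
        found.append("home-vs-office")    # office hosts look on-link at home
    if home.overlaps(pool):
        found.append("home-vs-vpn-pool")  # the override's gateway is ambiguous
    return found

# Constructed table for a home PC on 192.168.1.0/24 with the VPN connected.
# The VPN adapter has a 255.255.255.255 mask, so it only adds a host route.
BEFORE = [
    route("0.0.0.0/0", "LAN", 20),       # default route via the home router
    route("192.168.1.0/24", "LAN", 20),  # on-link home subnet
    route("192.168.2.5/32", "VPN", 1),   # address handed out by the VPN server
]
# Effect of: route add 192.168.1.0 mask 255.255.255.0 192.168.2.5 metric 1
AFTER = BEFORE + [route("192.168.1.0/24", "VPN", 1)]

FILE_SERVER = "192.168.1.10"   # constructed office address
HOME_PRINTER = "192.168.1.50"  # constructed home address in the same range

if __name__ == "__main__":
    print("before:", pick_route(BEFORE, FILE_SERVER)["iface"])
    print("after: ", pick_route(AFTER, FILE_SERVER)["iface"])
    print("home printer after:", pick_route(AFTER, HOME_PRINTER)["iface"])
    print("home on 192.168.2.x:",
          overlaps("192.168.2.0/24", "192.168.1.0/24", "192.168.2.0/24"))
```
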

Discuss This Question: 2  Replies

 
  • Bfrasure
    193.188.0.1 by default is a class B address, using the 192.168.0.192 or /26 will give the subnet 64 address with 4 subnets which should help with the conflict.
  • Davemd
    Thanks for taking the time to share your opinion. If more of us used your line of thinking, the world would be a better place.
