VPN problems


andyflashlite
03-04-2004, 14:50
I am trying to set up a VPN from my house into my office. I am using two 3-Com OfficeConnect Internet Firewall 25 units with the VPN Upgrade. The firewall in the house logs that the connection is being attempted but the one in the office never seems to see the attempt. I have a similar problem with a different twist when I use my laptop to VPN to the office. If I am on a Dial-Up Connection then the tunnel is OK and I can see my office LAN no probs; if I am in a hotel on a high speed network or at a friend's house using their LAN then the tunnel is created but nothing will pass through it. I think that the Firewall to Firewall problem is something to do with the web proxy but I am not sure and could really use some help - I have already paid someone to try to sort it out and it cost me a lot (several hundred pounds) of money and he was a waste of space. I have no idea if using another network to VPN to the office is a similar problem or not, but again please can someone help.

If you need any more information I will post whatever you require.

Please help, as this has been flattening my pea-sized brain for about two months now and I think it's gone on holiday to Mars now!!

paulyoung666
03-04-2004, 15:08
Hi and :welcome: to the site. Now where is Stu when you need him? Fear not, help will be at hand soon I reckon :D :D :D :D

andyflashlite
03-04-2004, 15:16
Glad to see someone has a decent taste in music - a rarity these days


:D

MovedGoalPosts
03-04-2004, 18:33
Hi andyflashlite & :welcome:

I eventually set up a VPN into my office from home, but it took a lot of effort, and only truly worked when I'd done a lot of faffing about, and spent some time trawling through M$ newsgroups. I was trying to connect my home Windows XP Home desktop or work Win XP Pro laptop into my office M$ SBS2000 server system. I haven't tried the dial up system.

Can you confirm the OS on your home PC & Laptop, together with the OS on your office network?

You say you connect to a firewall in the office, and with a firewall at home. Presumably both are set with the VPN port open? Is the office LAN firewall connected directly to the server, and only to the server (a two network card (NIC) server setup), or is there just the one NIC to the server?

When you connect from home via your home router, does this have the same range of IP addresses as the office LAN? This can confuse the DNS settings, which don't know where to search. Use different ranges, i.e. they should not both be using 192.168.0.xxx or similar.

andyflashlite
03-04-2004, 21:56
Sorry, I guess I forgot to be a bit more accurate with what I said.

The 3-Com Firewalls themselves do the authentication and IKE. It doesn't matter what the OS is on either end as it isn't the OS that is setting up the VPN. My "cunning" :rolleyes: ploy was to use this so that I didn't have to set up RAS or anything else on my server (Win2k server, FYI). The VPN Upgrade for the OfficeConnect Internet Firewall 25 comes with a VPN client (SoftNet PK from Safenet, if I remember right) which I upgraded to Soft-Remote when I had problems initially. That didn't make any difference. The laptop to office VPN is initiated on the laptop with a ping to the LAN IP of the office firewall and Soft-Remote initiates the VPN from this. It works fine when the laptop is on a DUN connection to my other ISP (Plusnet) but when I am on another LAN the tunnel is created (the logs show this) but nothing will go through it.

The Firewall to Firewall VPN is initiated from my house by pinging the LAN IP of the office firewall. The house Firewall log shows that the IKE has been initiated but it never appears on the office firewall.

Hope this makes sense to someone, 'cause I am fed up with staying in the office till 3 or 4 in the morning - the whole point is that I can come home and carry on working from here when I have to. :(

tkiely
03-04-2004, 22:23
(SoftNet PK from Safenet, if I remember right)

Hi welcome to the forum.

The Safenet software can have some flaky moments, not security wise, but sometimes it just won't click until you remake its config file. Some versions use a config file like a .wgx from the Watchguard system, and some use digital certificates.

Try re-running the setup and try again. I know it sounds a bit basic but this has worked for me a few times. Once it works, it works for years; if it doesn't work first time then you are wasting your time.

Terry

andyflashlite
03-04-2004, 23:51
I don't think I'm explaining this very well. The safenet software is working fine, it is not a problem.

The problem is that it will not allow any traffic to pass through the tunnel when it is connected on another LAN. When connected via a DUN connection it is fine (slow but fine). I agree that the software is a bit weird, but once I actually put the same :erm: shared secret in at each end it worked fine.

It doesn't matter what the LAN IP address range is - I've tried it on several LANs each with a different range - it still connects the tunnel but won't let anything through.

MovedGoalPosts
04-04-2004, 00:10
OK, the only way I've connected up via VPN is direct into my server, from my home network. I've just used the standard Windows setup software, nothing extra. Don't have a router/firewall at the office - the firewall is software as part of the server SBS2000 (which runs over the top of Win2K server).

Lots of questions, but perhaps no answers, but may give someone more clues as to where to look:
You say you can make a connection, presumably you get messages that it has all authenticated OK?
The user name you are accessing the office network on has full remote access rights?
Is the server fully patched?
If you are authenticated, does an IPConfig/All command (using the dos command prompt) give any odd messages?
Can you ping any part of the network by specific IP address, or even the computer names, when you are authenticated?
Does anything happen if at your Windows Run command you type the line "\\servername"?
Do you have any software firewall running on your local PC or the server, as well as on the 3-com things?
Presumably you have followed 3-com's guidance as to how to set up their firewall router things to speak to each other over VPN?

andyflashlite
04-04-2004, 02:36
OK

From the top

THIS APPLIES ONLY TO THE LAPTOP CLIENT TO FIREWALL VPN FROM A DUN CONNECTION, NOTHING ELSE

(You say you can make a connection, presumably you get messages that it has all authenticated OK?)

Yes, I am authenticated OK I can ping all of the office LAN, access files, server shares etc... Everything is as it should be on this connection. The client software logs agree as does the client monitor.

(The user name you are accessing the office network on has full remote access rights?)


Yes, the user name has full local machine admin rights and is a member of every domain admin group that exists (a bit over the top, but I tried it to be on the safe side). The client machine has rights to be a member of the domain and so on.

(Is the server fully patched?)

Not sure - I don't think so but that doesn't cause a problem because the DUN VPN works - authentication is not an issue because the authentication is taken care of by the shared secret being in place on the client software on the laptop and on the office firewall.

(If you are authenticated, does an IPConfig/All command (using the dos command prompt) give any odd messages?
Can you ping any part of the network by specific IP address, or even the computer names, when you are authenticated.)


Nope, everything is A-OK. Yes I can ping fine, cannot use names as I haven't done the LMHosts file yet; I'll get to that when I can get it all working OK. :)

(Does anything happen if at your Windows Run command you type the line "\\servername"?)

Yup, the server runs what it should do when I do that - a stock system on IIS.

(Do you have any software firewall running on your local PC or the server, as well as on the 3-com things?)

No, I went for hardware firewalls over software ones - I am a bit paranoid when it comes to security, have managed never (touch wood) to get hacked or infected in the office since I set up the network 5 years ago.

(Presumably you have followed 3-com's guidance as to how to set up their the firewall router things to speak to each other over VPN?)

I have a few trees' worth of PDFs, fault finding, knowledge base articles, Google Groups search results, blah, blah, blah...

Tried all of them to no avail. Everything that I have read says that what I have done is correct and that I should not be having any problems. The whole reason that I decided to use the Firewalls to do the VPN thing is that I didn't need the hassle of setting up RAS, VPN and Radius on my server. It was supposed to be easy, honest!! :confused:

I can just about handle the laptop only connecting on a DUN but my problem is that I cannot even get the two firewalls to talk. I am getting NOTHING on the office one when I initiate the IKE on the house one. The house log shows initiation and the office log shows nothing.

The logs are on the physical firewalls so it is not a data transfer thing. All of my logons have full admin rights on everything (not the done thing but it works for me).

I am thinking that it appears to be something to do with the packets not having the correct source IP address on them because of the proxy. The ISP that I use for a DUN connection is PlusNet and they do not use web caching and I do not have any problems.

Any thoughts?
(I am beginning to think I am going to have to pay a VERY serious amount of money to get this set up as the only people that I can come up with that SHOULD know what to do are a company called Consilium, and that's going to cost me at least a thousand or two.)

Which is NOT what I want to be doing :mad:

peachey
04-04-2004, 11:02
Seems a bit simple, so sorry if you have already done it.


Have you talked to your network administrator?

andyflashlite
04-04-2004, 12:02
:erm:

that'll be me then

andyflashlite
04-04-2004, 15:17
Just wondered if anyone knows anyone or any company that knows how to sort this out.

It is really doing my head in. Everything in all of the paperwork and on all of the sites that I have looked at says that I should be up and running.

:mad: BUT I'M NOT :mad:

Anyone??

paulyoung666
04-04-2004, 15:20
:erm:

that'll be me then



So go on then, talk to yourself. Sorry mate, only pulling your leg :D :D :D :D

andyflashlite
04-04-2004, 15:24
That's ok, bud, it's when I start punching myself that I get a bit worried :D


It's getting more than a little annoying 'cause I have normally managed to get things up and running by this time (I do all of the IT stuff in the Company (it's my company) and although it takes me a while sometimes I have always got there in the past). This just doesn't want to behave :mad:

MovedGoalPosts
04-04-2004, 23:54
I'm clutching at straws here as your setup is a lot different to mine in that my VPN goes directly into the server's WAN NIC, and the server runs the firewall.

As I hinted at in my initial posting, can you confirm that there is a completely different IP address range being used on your office LAN, including the firewall, compared to your home IP including its firewall? The DNS has no chance of resolving if that is the case.

Your office server, is it a one NIC or two NIC setup? If it is a two NIC setup, I know there is a DNS setup issue with the second NIC, that it needs to point to the server's internal IP addy? Also check the binding order of the NICs (in network properties, advanced); the internal NIC should be first. I've also seen references to a registry edit that might be needed if you've got SP4 on your server.

As for admin of your own office network, I'm in a similar boat; everything I do is self taught in the experience of life, and yes I've called in so called consultants who claim to be experienced but in fact just take your dosh and mess your system up for you. Once bitten, twice shy.

And yes it is a pain if it don't work first time round. It took me months to get my VPN to work, and that was following all the guidance I could find. Reformatted my office server, and it worked straight from the box!

andyflashlite
05-04-2004, 01:12
MGC,

(As I hinted at in my initial posting, can you confirm that there is a completely different IP address range being used on your office LAN, including the firewall, compared to your home IP including its firewall? The DNS has no chance of resolving if that is the case.)

My office LAN range is 192.168.1.*, my home LAN range is 192.168.2.*

I had to set it like this because the firewalls wouldn't accept the same LAN range.

Just realised as well, DNS won't resolve over a normal VPN, my firewall to firewall VPN will (if it ever works) 'cause it allows pass through of netbios but my laptop to office VPN won't unless I do the LMHosts file at each end. (I think :shrug: )

(Your office server, is it a one NIC or two NIC setup? )

It has 2 NICs but only one is in use. The network is set up so that the firewall LAN port goes to a switch and then out to the server and the client PCs. The idea was to take the load off the server and let it serve.

I think I'm at the point where I might (very nervously) patch the office server up to SP4 with all of the updates.

If anyone knows of any problems with patching W2k server up to that level please could you let me know 'cause I'd rather know in advance than find out the wrong way and have to do another 48 hr shift sorting it out (did one of them already when I set it up the first time :dunce: )

Thanks in advance

Andy
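The LAN-range question in this exchange generalises to a check worth running before bringing any tunnel up: the network behind each VPN endpoint, and whichever LAN a roaming laptop happens to be plugged into, must not overlap the office range, or the client cannot tell local traffic from traffic that should enter the tunnel. The script below is an added example and is not code from this thread or from the 3Com or SafeNet products discussed; the site names and ranges are constructed to match the two ranges Andy quotes, plus a hypothetical hotel LAN that happens to clash with the office.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: the two ranges quoted in the thread plus a
# hypothetical hotel LAN a roaming laptop might land on. Not a real config.
SITES = {
    "office": "192.168.1.0/24",
    "home": "192.168.2.0/24",
    "hotel-lan (hypothetical)": "192.168.1.0/24",
}


def find_overlaps(sites):
    """Return a sorted list of (name_a, name_b) pairs whose ranges overlap.

    Any overlapping pair is a problem for a routed VPN: packets for the far
    side match the local subnet route first and never reach the tunnel.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in sites.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(
            sorted(nets.items(), key=lambda kv: kv[0]), 2):
        if net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


def classify(local_cidr, remote_cidr, dest_ip):
    """Say what a host on local_cidr does with a packet for dest_ip while a
    tunnel whose remote selector is remote_cidr is up.

    Returns 'local'    - address is on the LAN the host is sitting on,
            'tunnel'   - address belongs to the far side only,
            'conflict' - both claim it (overlapping ranges, the failure mode
                         the thread is circling around), or
            'other'    - neither, so it goes to the default gateway.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    ip = ipaddress.ip_address(dest_ip)
    in_local, in_remote = ip in local, ip in remote
    if in_local and in_remote:
        return "conflict"
    if in_remote:
        return "tunnel"
    if in_local:
        return "local"
    return "other"


if __name__ == "__main__":
    for a, b in find_overlaps(SITES):
        print(f"overlap: {a} ({SITES[a]}) and {b} ({SITES[b]})")
    # What a laptop on the hotel LAN would do with a ping to the office server.
    print(classify(SITES["hotel-lan (hypothetical)"], SITES["office"], "192.168.1.10"))
```

Run it before changing a tunnel definition or joining a new network with a road-warrior client; a `conflict` result for any far-side address means the tunnel can come up (IKE succeeds) while every packet for the office is still delivered locally, which is exactly the "tunnel created but nothing passes" symptom.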

goldchip
05-04-2004, 18:56
Well, my VPN took a about an hour to sort out, here's what I have:
At home I use XP's built-in VPN client. At work I have an IPcop firewall (www.ipcop.org (http://www.ipcop.org/)) - this is a Linux firewall distro that I have serving 9 UK domains. I setup a Win2k server as a RRAS server, using domain authentication via a policy setup in AD. The firewall forwards GRE & tcp 1723 to the RRAS server (PPTP connection). That's it, job done. I'm working on using certificates to authenticate next, so I can use L2TP, just having probes getting XP to use them :-(
Oh, I only use one NIC on the server cos otherwise I lose domain visibility; contrary to what MS says, this works fine. (I think u'd need the two NIC scenario if the server was internet facing, and u would have to use the filters RRAS sets up for u). This setup has been working flawlessly (and securely) for the last 8 months.