  •  
TheMouse

Messages: 10
Karma: 0
Hi,

When the client is connected to the server, only the server is pingable :( The client doesn't see any other system (and only the server in the LAN can ping the client system). Where is my mistake?

Thanks for any help!
  •  
winkelman

Messages: 2119
Karma: 3
Do you have the proper Traffic Rules to allow traffic from the VPN to/from the LAN?
  •  
TheMouse

Messages: 10
Karma: 0
That's what I've got.
Everything looks right ... but I'm new to KWR so maybe I'm missing something ...

Same thing for client VPN or tunnel.
I'm using w2k3 DNS and KWR DHCP. DNS is on the same machine.
Is DNS used somehow at that moment?

Thanks for help :)

  • Attachment: traffic.PNG
    (Size: 50.04KB, Downloaded 1416 times)

[Updated on: Tue, 13 November 2007 07:41]

  •  
winkelman

Messages: 2119
Karma: 3
Problem with routing table?

And I know you can only connect from VPN to LAN and vice versa based on IP addresses, not based on host names. Can't you even ping a host by IP address on your LAN from the VPN? (And check if you are able to ping that host from the LAN itself...)
  •  
TheMouse

Messages: 10
Karma: 0
Where can my mistake be? Please help me :)

That's what I've got:
Main server, DNS, KWR and ext.IP is on it, directly connected to LAN.
Remote clients that should work with my LAN.
LAN scope is 172.26.0.0
Servers/reserved in 172.26.1.0
Users in 172.26.2-4.0
VPN in 172.26.5.0
I'm using KWR's DHCP (or I can configure w2k3 of course)

And one more question:
KWR VPN has IP 172.26.5.1, what does it need it for? Why not use the same IP as the server has?
Anyway, the VPN has a 255.255.255.0 mask, and the LAN has 255.255.0.0, maybe the problem is here? I can't change the mask in KWR - it tells me that the mask is wrong ...

[Updated on: Wed, 14 November 2007 11:29]

  •  
winkelman

Messages: 2119
Karma: 3
Quote:

LAN scope is 172.26.0.0
Servers/reserved in 172.26.1.0
Users in 172.26.2-4.0
VPN in 172.26.5.0


Please also specify the accompanying subnet masks...

It seems to me there's no reason to have servers, clients etc. in different subnets, so I assume you use the subnet mask 255.255.0.0. This would avoid having to route traffic between them. But then... you'd also have the VPN in the same subnet, which is impossible. The VPN should be (by definition) in another subnet and routed to your other subnet(s) (by KWF in this case).
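
The overlap winkelman describes, as an added example that is not part of the original thread: with the masks posted (LAN 255.255.0.0, VPN 255.255.255.0) the VPN range lies inside the LAN range, so a LAN host treats a VPN client as on-link and never hands the reply to the firewall for routing. The LAN host address, the gateway address and the alternative VPN range 172.27.5.0 are constructed for illustration.

```python
import ipaddress

# Masks as posted in the thread: LAN 255.255.0.0, VPN 255.255.255.0.
LAN = ipaddress.ip_network("172.26.0.0/255.255.0.0")
VPN = ipaddress.ip_network("172.26.5.0/255.255.255.0")
# Constructed values, not from the thread: a VPN range outside the LAN,
# one LAN host and the firewall's LAN address used as default gateway.
ALT_VPN = ipaddress.ip_network("172.27.5.0/255.255.255.0")
LAN_HOST, GATEWAY = "172.26.1.10", "172.26.1.1"


def find_overlaps(named_nets):
    """Return sorted pairs of network names whose address ranges overlap."""
    names = sorted(named_nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if named_nets[a].overlaps(named_nets[b])]


def next_hop(src_ip, src_mask, dst_ip, gateway):
    """How a host delivers a packet: 'on-link' means it ARPs for the
    destination on its own segment; otherwise it uses the gateway."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "on-link"
    return f"via {gateway}"


def audit(vpn_net, vpn_client):
    """Summarise overlap and the LAN host's return path to a VPN client."""
    return {
        "overlaps": find_overlaps({"LAN": LAN, "VPN": vpn_net}),
        "reply_path": next_hop(LAN_HOST, str(LAN.netmask), vpn_client, GATEWAY),
    }


if __name__ == "__main__":
    # VPN client addresses below are constructed samples.
    print("as posted :", audit(VPN, "172.26.5.20"))
    print("separated :", audit(ALT_VPN, "172.27.5.20"))
```
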
  •  
TheMouse

Messages: 10
Karma: 0
SOLVED
First of all I checked the subnets and everything was OK, but nothing changed with the VPN clients; after that I disconnected all clients, removed all additional routes, restarted KWR and ... it's working!!! :)

DNS is still not working .. but, at least it's finally working :)

Thanks a lot winkelman! 8-)

[Updated on: Wed, 14 November 2007 11:29]

  •  
winkelman

Messages: 2119
Karma: 3
I can tell you why 'company' DNS doesn't work; unfortunately I don't know how to solve it though. Perhaps someone else knows the solution?

DNS does not work because (in my investigations):

The client PC basically has two network adapters: the 'real' physical network adapter (NIC) and the virtual Kerio VPN adapter. When connected with VPN, essentially the PC has two valid (but separate) network connections. Based on the destination IP addresses and such, the PC knows onto which connection it should send out the respective packets. But DNS is another matter... the PC will use the DNS server as set up for your physical NIC.

You can verify this by going into a command prompt, entering the 'Name Server Lookup' tool (command 'nslookup') and requesting a lookup by typing 'www.google.com'. This will return an IP address, but also informs you which DNS server was used. You'll notice it's the one set up for your physical NIC. Obviously, that DNS server does not know about hosts on your company's LAN. That's why you can't connect to company computers by domain name. The DNS lookup fails.

That it essentially could work is also easily verified. In nslookup you can specify another DNS server by typing 'server x.x.x.x' (where x.x.x.x is the IP address of your company's DNS server, probably KWF itself). When you now request 'www.google.com' you'll see it's your LAN's DNS server that is answering. And obviously, now you can do DNS requests of hosts on your corporate LAN as well.

Unfortunately I don't know of a way to automatically shift the DNS requests to your company's DNS server when (and only when) your VPN connection goes up.
  •  
TheMouse

Messages: 10
Karma: 0
Yesterday I joined one system by VPN to my local domain; after that my DNS started working, so now I can use host names, but I still can't see all systems in the domain by expanding "My Net. Places"->"Microsoft Windows Network" ... I can see one domain system and the VPN system, but not servers or anything else; also I can see systems in workgroups :) That's strange ... Today I'm moving more systems to my new domain so later it will be easier to investigate this situation.

[Updated on: Thu, 15 November 2007 08:37]

  •  
Zeljko

Messages: 7
Karma: 0
You can use the syntax \\IPaddress (\\192.168.2.20) to get access to a specific computer.

The reason why the network name can't be used is that the VPN client, when it is connected to the server, has two IP addresses (one for the connection to the VPN server, and the other for the connection to the local machine) and network management cannot determine which address is the right one to use. When you try to connect to a shared directory on the VPN client (using the NetBIOS name), Microsoft network returns error 52 (a duplicate name exists on the network).

For converting a hostname to an IP address you can use the IPA.exe utility.

Zeljko