Yet another VPN Internal Network question...

kevijones:
Hi All,

First off, I searched all other questions regarding VPN and I think I have a pretty good handle on the overall configuration, etc.

I am trying a relatively simple test of VPN before I attempt to roll it out to several of our remote employees, etc.

I am able to connect with VPN and can ping the internal network card of the system running KWF. However, and here is the crux of my problem, I cannot ping any other internal system on our network. Incidentally, if I PC-Anywhere into this same box I can ping any other system in our network on the local 192.168.1.x network.

Here are my settings for argument's sake:

My client network settings when typing IPCONFIG on my client are:


Windows IP Configuration


Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Kerio VPN:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 169.254.41.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :


Regarding the KWF server side, the external address of the KWF is 209.101.170.228

The internal network card on that same box is 192.168.1.240

In our case, this KWF box is NOT the internal default gateway. All the internal systems on our LAN have a default gateway of 192.168.1.1.

My traffic rules related to KWF are:

Source        Destination    Service
VPN Clients   Internal LAN   ANY
LAN           VPN Clients    ANY
VPN Clients   Firewall       ANY
Internet      Firewall       Kerio VPN

If I PING 192.168.1.240 (the address of the internal network adapter on the KWF system) I can get a response just fine from a client connected via VPN. However, if I try to ping any other internal system I just get a REQUEST TIMED OUT response.

Is the problem that the other systems in our internal network need a default gateway that is set to the internal LAN address of the KWF system (192.168.1.240)? If so, this will create a large problem as we use another NAT firewall for our normal outbound communications, etc.

Sorry if this is a STUPID question/problem. Desperately looking for a network genius that has any ideas.

Thanks in advance,

Kevin

--Kevin Jones
winkelman:
Yes, you need KWF to be the default gateway. ALL your problems are easily explained because KWF is not the default gateway.

Computers send their IP packets to the destination machine directly if the destination is on the same subnet, or they send them to the default gateway for any other destination. So your pings are reaching their destination, but the answer is never getting back (because it is sent to their default gateway, which is not KWF).

That's why you can ping from PC-Anywhere: essentially you're then on the same subnet as your LAN. And you can ping the internal interface of KWF because then you're still 'within' KWF, and KWF itself knows the way back to your VPN client.

This is just how TCP/IP works. Nothing to do with KWF.
kevijones:
Thanks, Winkelman!

I appreciate your taking the time to respond.

You indeed confirmed my suspicion!

I hope someday I might be able to return the favor. Too bad TCP isn't smart enough to return a TCP request to the last machine in the route. In other words, just retrace its path on a return request. There must be a good reason and I am missing something obvious in the grand design of the TCP stack.

I'm just an application programmer. Guess I better stick with that rather than re-engineer what is obviously a great system called the INTERNET! LOL

Thanks again!

--Kevin Jones
winkelman:
There is a way out... if you can configure the device that is the default gateway...

Currently, the response to your ping requests (or any other IP traffic) from your VPN connection is sent to the default gateway. The response is destined for the IP address of your VPN client. This default gateway can't find this address because a) it's not a public Internet IP address (so your default gateway can't send it on to its own default gateway) and b) it's not on the local LAN. So the gateway is at a loss.

However, you could define a static route on your default gateway. Let's say KWF's VPN segment is 10.20.x.x. You can instruct your default gateway to use KWF as the gateway for packets destined for 10.20.x.x.

This works just fine. If... your default gateway supports configuring static routes.
kevijones:
Fantastic idea! In fact, I was just experimenting with that myself.

I cannot thank you enough. I knew I was close and I have a pretty good handle on TCP/IP in general. I was just trying to make a static route on a test machine internally...but NOT the gateway itself. Now that you mentioned it, it makes a lot more sense to just make 1 static route on the gateway instead of going to each machine individually.

[UPDATE to this post...]

It now works perfectly. I am only posting this in case others have a need to see what I did. Granted, this only applies if the KWF that you are connecting into is NOT the system that is configured as the default gateway.

I went to the gateway system and created the following route:

route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.240

Note: the -p makes it persistent across reboots. Also, in my case the KWF box is at internal address 192.168.1.240.

Hope this helps some future lost soul (like myself) - Smile

Take care and THANKS!!!

-Kevin

[Updated on: Fri, 18 November 2005 12:53]


--Kevin Jones
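The following is an added worked example, not code from the thread or from Kerio. It models winkelman's explanation (hosts deliver on-link to same-subnet destinations and hand everything else to their default gateway, with longest-prefix match deciding which route wins) and Kevin's fix (the `route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.240` entry on the gateway), tracing the echo request and echo reply hop by hop. Addresses taken from the thread: VPN client 10.1.1.2, KWF LAN side 192.168.1.240, KWF external 209.101.170.228, LAN default gateway 192.168.1.1. Assumed for the model only: KWF's VPN-side address 10.1.1.1, a LAN host 192.168.1.50, a route to 192.168.1.0/24 pushed to the VPN client, and an upstream ISP router 203.0.113.1 that discards packets for private addresses.

```python
"""Hop-by-hop model of the asymmetric-routing failure in this thread.

Constructed example (not Kerio code).  Every host has a routing table and
forwards with longest-prefix match, exactly as a real IP stack does, so the
trace shows why the echo request reaches the LAN host but the reply dies at
the default gateway until a static route for 10.1.1.0/24 is added there.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address | None = None  # None means directly connected


@dataclass
class Host:
    name: str
    addrs: frozenset
    routes: list = field(default_factory=list)
    drops_private: bool = False  # an Internet router never forwards RFC 1918 space

    def lookup(self, dst: IPv4Address) -> Route | None:
        """Longest-prefix match: the most specific matching route wins."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def route(prefix: str, next_hop: str | None = None) -> Route:
    return Route(ip_network(prefix), ip_address(next_hop) if next_hop else None)


def build_network(static_route_on_gateway: bool) -> dict:
    """Hosts from the thread plus the assumed LAN host and ISP router."""
    client = Host("vpn-client", frozenset(map(ip_address, ["10.1.1.2", "192.168.0.102"])), [
        route("10.1.1.0/24"),                 # Kerio VPN adapter (on-link)
        route("192.168.1.0/24", "10.1.1.1"),  # LAN through the tunnel (assumed push)
        route("0.0.0.0/0", "192.168.0.1"),    # home router
    ])
    kwf = Host("kwf", frozenset(map(ip_address, ["192.168.1.240", "10.1.1.1", "209.101.170.228"])), [
        route("192.168.1.0/24"),
        route("10.1.1.0/24"),
        route("0.0.0.0/0", "203.0.113.1"),
    ])
    lan_host = Host("lan-host", frozenset([ip_address("192.168.1.50")]), [  # assumed address
        route("192.168.1.0/24"),
        route("0.0.0.0/0", "192.168.1.1"),    # default gateway is NOT KWF
    ])
    gw_routes = [route("192.168.1.0/24"), route("0.0.0.0/0", "203.0.113.1")]
    if static_route_on_gateway:
        # route -p ADD 10.1.1.0 MASK 255.255.255.0 192.168.1.240
        gw_routes.append(route("10.1.1.0/24", "192.168.1.240"))
    gateway = Host("gateway", frozenset([ip_address("192.168.1.1")]), gw_routes)
    isp = Host("isp", frozenset([ip_address("203.0.113.1")]), [], drops_private=True)  # assumed
    return {h.name: h for h in (client, kwf, lan_host, gateway, isp)}


def forward(hosts: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Return the hosts a packet traverses, ending in DELIVERED or a DROPPED reason."""
    by_ip = {a: h for h in hosts.values() for a in h.addrs}
    dst_ip = ip_address(dst)
    cur, path = hosts[src], [src]
    for _ in range(max_hops):
        if dst_ip in cur.addrs:
            return path + ["DELIVERED"]
        if cur.drops_private and dst_ip.is_private:
            return path + ["DROPPED: private destination on the Internet"]
        r = cur.lookup(dst_ip)
        if r is None:
            return path + ["DROPPED: no route"]
        hop = dst_ip if r.next_hop is None else r.next_hop  # on-link: deliver to dst directly
        nxt = by_ip.get(hop)
        if nxt is None:
            return path + [f"DROPPED: no host at {hop}"]
        cur = nxt
        path.append(cur.name)
    return path + ["DROPPED: hop limit"]


def ping(hosts: dict, src_host: str, src_ip: str, dst_ip: str) -> tuple:
    """Trace request and reply; ping only succeeds when both end DELIVERED."""
    req = forward(hosts, src_host, dst_ip)
    if req[-1] != "DELIVERED":
        return req, None
    return req, forward(hosts, req[-2], src_ip)


if __name__ == "__main__":
    for static in (False, True):
        net = build_network(static)
        print(f"static route on gateway: {static}")
        for target in ("192.168.1.240", "192.168.1.50"):
            req, rep = ping(net, "vpn-client", "10.1.1.2", target)
            print(f"  ping {target}: request {' > '.join(req)}")
            print(f"  {' ' * len(target)}       reply   {' > '.join(rep or ['-'])}")
```

The trace shows why pinging 192.168.1.240 worked all along (KWF is both the destination and the host that knows 10.1.1.0/24) while the reply from any other LAN host is handed to 192.168.1.1 and discarded upstream. With the static route, the gateway's /24 entry beats its /0 default under longest-prefix match, and each reply hairpins through 192.168.1.1 back onto the same segment to 192.168.1.240 (a gateway may answer with an ICMP redirect so LAN hosts cache the direct path). Once routing works, the "VPN Clients → Internal LAN: ANY" rule in the thread gives remote clients full reach into the LAN; narrow it to the services remote staff actually need.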