BM38 VPN IP Connectivity/Routing

CONFIG:
NW65SP6
BM38SP5ir1
WSOCK6N
NWLIB6J
TCP681J
CLIENT 3.8.11
VPN client connects and authenticates, unable to ping any private IP
addresses other than the BM server private IP address. Client connects to
other BM38 VPN servers without issues.
Any ideas?
JoeK

cpremo,
Thanks for your input. Followed all of what was in that posting with no
success. Here is what we have;
Clean/fresh new install of
NW65SP6
BM38
BM38SP5
BM38SP5_IR1
wsock6n
nwlib6j
tcp681j
Only BM service installed was VPN
VPN tunnel is 192.168.1.1 Mask 255.255.255.0
VPN IP Pool 192.168.1.10 to 192.168.1.100
TCPCON show IP forwarding enabled
Server default route is the public router
Route table shows the private network.
Private network router has a static route of 192.168.0.0 Mask 255.255.0.0
When connecting with a public IP address, authentication succeeds. Unable to
ping the servers local private IP address or any other private IP address.
When connecting from behind a WNR854T router configured with a 192.168.2.0
network and DHCP for that network, we are able to ping all private IP
addresses.
Obviously there is a routing issue, but I am at a loss in isolating it.
Looking for some input from the forum's knowledge base.
thanks.
JoeK
Thanks for you input. We have followed
"cpremo" <[email protected]> wrote in message
news:[email protected]..
>
> Check out my posts in the thread titled:
>
> New BM 3.9 VPN only server on a NW 6.5 SP7 eDir8.8 SP2 server not
> working
>
> Had the same problem and worked it out as described in this discussion
> thread.
>
>
> --
> cpremo
> ------------------------------------------------------------------------
> cpremo's Profile: http://forums.novell.com/member.php?userid=6450
> View this thread: http://forums.novell.com/showthread.php?t=312427
>

Similar Messages

Using Applescript to connect to VPN and add routes

I posted this in the wrong place last night, but actually managed to get an answer to it. Here is the original post:
I need to be able to set some routes upon opening a particular VPN connection so I did some searching and found a really simple Applescript that does the job. Problem is it tries to set the routes before the VPN actually connects so the routes don't go in.
I added in a 10 second delay which does the trick, but I'm thinking there has to be a way to do this that waits until the VPN actually connects before continuing - so if it takes 5 seconds or 10 or whatever, it waits.
The other thing I'm doing that I think is bad is I'm sending a route delete command before sending the add command. Why? Because if I don't and for some reason the route is partially in the table, it doesn't give an error and ends up not routing. Again, probably a better way to do this.
Here is my current script:
-- Connect Work VPN
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
end tell
end tell
delay 10
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
From the response I received, I modified the script to this:
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
repeat until (connected of current configuration of VPNservice)
delay 1
end repeat
end tell
end tell
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
That seems to work perfectly, but I'm still wondering if there is a better way of handling the routes. Suggestions?
Thanks.

I realize the VPN gateway should add the routes, but it's not and they don't seem to want it to. No idea why.
As for deleting/adding the routes, yes it does seem wrong to do this or pointless. The reason I'm doing this is for what I found in my testing of the script which was if the script hung for some reason and the route did not fully go into the table, I would be unable to add it with the script when I ran it again.
I'm probably not explaining it that well, but when I couldn't route after trying to run my script initially, I tried manually running the add route command and I'd get an error. Thus, I deleted/added the route and than it worked again.
As pointless as it seems it works every time. I'm sure there's a better/cleaner/smarter way of doing this, but I don't know enough about Applescript to do any more. At this point I can probably remove the delete command, though, since it should run properly each time.

Remote access VPN with Cisco Router - Can not get the Internal Lan .

Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end

Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Waiting for your responce .
--Milon

No Internet access after cisco vpn client connection

Hi Experts,
Kindly check below config.the problem is vpn is connected but no internet access
on computer after connecting vpn
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.2
55.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#

Hi Harish,
Please check the o/ps below and route print in attached file
Latest ASA Config
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255
.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.15.240-192.168.15.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dubai_splitTunnelAcl
username testuser password IqY6lTColo8VIF24 encrypted privilege 15
username testuser attributes
vpn-group-policy mphone
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khans attributes
vpn-group-policy mphone
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
: end
ciscoasa#
Route Print after vpn connection
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter -
Packet Scheduler Miniport
0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
r Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.211 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.211 192.168.10.211 20
192.168.10.211 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.211 192.168.10.211 20
192.168.14.0 255.255.255.0 192.168.15.1 192.168.15.240 1
192.168.15.0 255.255.255.0 192.168.15.240 192.168.15.240 20
192.168.15.240 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.15.255 255.255.255.255 192.168.15.240 192.168.15.240 20
213.42.233.97 255.255.255.255 192.168.10.1 192.168.10.211 1
224.0.0.0 240.0.0.0 192.168.10.211 192.168.10.211 20
224.0.0.0 240.0.0.0 192.168.15.240 192.168.15.240 20
255.255.255.255 255.255.255.255 192.168.10.211 192.168.10.211 1
255.255.255.255 255.255.255.255 192.168.15.240 192.168.15.240 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None
C:\>
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : asu
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet A
dapter
Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 213.42.20.20
195.229.241.222
Ethernet adapter Local Area Connection 8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.15.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Tiger VPN (PPTP) connection issues

Hello everyone.
I'm having major issues trying to connect to office VPN from home; hoping someone can point me in the right direction. (And my profound apologies in advance for the long post -- just trying make sure to include enough detail to debug whatever might be happening)
At the office we have a 3Com OfficeConnect VPN Firewall sitting in front of a Microsoft 2003 Exchange server. (3Com product page for this VPN box is http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CR870-95&pathtyp e=purchase). Home connection is a Linksys WRT54GL wireless router in front of a broadband cable modem. PPTP pass-through is enabled in the router config.
At home I have a WinXP-SP2 laptop and my G4 Powerbook (OS 10.4.7) sitting side-by-side. From the XP laptop, I can get into the VPN using XP's built-in client without any problems. The DNS lookup and authentication steps take about 2-3 seconds combined. Once the connection is established, both external sites (cnn.com) and internal sites (intranet.companyname.local) load in a browser window without any appreciable delay. I can also access Windows shared drives on the internal network without problems, including large (10's of MB or more) file copies to/from the XP laptop's HD.
On the Powerbook, using Tiger's built-in VPN client, I can connect OK (though the authentication step takes a bit longer, about 4-5 seconds), but after that, almost nothing works. I can ping the internal DNS server, but after a few pings with reasonable delays (~15 millisecond range), the round-trip times suddenly jump to handfuls of seconds. In the browser, trying to load an internal webpage (http://intranet.companyname.local) times out before anything shows up on screen. In Finder, using Go>Connect to Server... very slowly establishes the connection (~10-15 seconds or longer), and sometimes opens a Finder window... but then invariably times out. I have never once had the connection remain stable enough to transfer so much as a single file from the shared volume onto the Powerbook's Desktop before it times out and disconnects.
On the XP machine, relevant(?) VPN config settings are:
require secured password
require data encryption (disconnect if none)
PPTP VPN
LCP extensions enabled
software compression enabled
multi-link negotiation for single link connections DISABLED
server type = PPP
transports = TCP/IP
authentication = MS CHAP
encryption = MPPE 128
compression = none
PPP multilink framing = off
and, once the VPN connection is established, parameters are (from "ipcofig /all"):
Windows IP Configuration
Host Name . . . . . . . . . . . . : (companyname)-hj2
Primary Dns Suffix . . . . . . . : (companyname).local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : (companyname).local
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2915ABG Network Connection
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
PPP adapter (ConnectionName):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.0.70
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 172.16.0.70
DNS Servers . . . . . . . . . . . : 172.16.0.11
finally, results of "ping -n 10 (InternalServer)":
Pinging (InternalServer).(companyname).local [172.16.0.5] with 32 bytes of data:
Reply from 172.16.0.5: bytes=32 time=4ms TTL=128
Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
Ping statistics for 172.16.0.5:
Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 10ms, Average = 9ms
On the Powerbook, I have a VPN (PPTP) connection set up with "Send all traffic over VPN connection" unchecked. In the Network panel of System Preferences, I have tried manually adding (and removing) "local, (companyname).local" in the Search Domains line, and manually adding (and removing) the IPs of our internal DNS servers (172.16.0.5, 172.16.0.11) under the TCP/IP tab. Proxies are turned off in all cases.
With those settings, the relevant(?) parts of running "ifconfig" from a Terminal window after starting the VPN are as follows:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::XXX:XXXX:XXXX:XXXX%en1 prefixlen 64 scopeid 0x5
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
ether XX:XX:XX:XX:XX:XX
media: autoselect status: active
supported media: autoselect
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr XX:XX:XX:XX:XX:XX:XX:XX
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
inet 172.16.0.69 --> 172.16.0.11 netmask 0xffff0000
The associated connection log from Internet Connect is:
Tue Jul 18 08:50:57 2006 : PPTP connecting to server 'vpn.(companyname).com' (XXX.XXX.XXX.XXX)...
Tue Jul 18 08:50:57 2006 : PPTP connection established.
Tue Jul 18 08:50:58 2006 : using link 0
Tue Jul 18 08:50:58 2006 : Using interface ppp0
Tue Jul 18 08:50:58 2006 : Connect: ppp0 <--> socket[34:17]
Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb851f701> <pcomp> <accomp>]
Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfReq id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
Tue Jul 18 08:50:58 2006 : lcp_reqci: returning CONFACK.
Tue Jul 18 08:50:58 2006 : sent [LCP ConfAck id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x2 <magic 0xb851f701>]
Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfAck id=0x2 <magic 0xb851f701>]
Tue Jul 18 08:50:58 2006 : sent [LCP EchoReq id=0x0 magic=0xb851f701]
Tue Jul 18 08:50:58 2006 : rcvd [CHAP Challenge id=0x1 <4f0656add65818c2>, name = "Guest"]
Tue Jul 18 08:50:58 2006 : sent [CHAP Response id=0x1 <0000000000000000000000000000000000000000000000004c86e5ccf08b95431034ef14706021 d358dc21b96a59157301>, name = "(UserName)"]
Tue Jul 18 08:50:58 2006 : rcvd [LCP EchoRep id=0x0 magic=0x80697000]
Tue Jul 18 08:50:58 2006 : rcvd [CHAP Success id=0x1 "Authentication succeeded, welcome!"]
Tue Jul 18 08:50:58 2006 : CHAP authentication succeeded: Authentication succeeded, welcome!
Tue Jul 18 08:50:58 2006 : Disabling 40-bit MPPE; MS-CHAP LM not supported
Tue Jul 18 08:50:58 2006 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Tue Jul 18 08:50:58 2006 : sent [IPCP TermAck id=0x1]
Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H +M +S +L -D -C>]
Tue Jul 18 08:50:58 2006 : sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Tue Jul 18 08:50:58 2006 : sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
Tue Jul 18 08:50:58 2006 : MPPE 128-bit stateless compression enabled
Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Jul 18 08:50:58 2006 : sent [IPV6CP ConfReq id=0x1 <addr fe80::020a:95ff:fea5:564c>]
Tue Jul 18 08:50:58 2006 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x1 80 57 01 01 00 0e 01 0a 02 0a 95 ff fe a5 56 4c]
Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:01 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:01 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:04 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:04 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:07 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:07 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-REJ
Tue Jul 18 08:51:08 2006 : sent [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x2 <addr 172.16.0.11>]
Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-ACK
Tue Jul 18 08:51:08 2006 : sent [IPCP ConfAck id=0x2 <addr 172.16.0.11>]
Tue Jul 18 08:51:08 2006 : ipcp: up
Tue Jul 18 08:51:08 2006 : local IP address 172.16.0.69
Tue Jul 18 08:51:08 2006 : remote IP address 172.16.0.11
Tue Jul 18 08:51:08 2006 : primary DNS address 172.16.0.11
The problem is that despite this apparently successful negotiation, the VPN connection doesn't really work. If I type "intranet" into the browser URL bar, it doesn't pick it up as "intranet.companyname.local" and instead treats this as a search query, which it passes to google... which times out. If I type "intranet.companyname.local" into the URL bar instead, it appears to do the DNS lookup correctly... but then times out again.
Ping times look like this at first:
PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=16.605 ms
64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=15.920 ms
64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=16.154 ms
^C
--- (InternalServer).(companyname).local ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 15.920/16.226/16.605/0.284 ms
... but then if I try it again two seconds later:
PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=727.144 ms
64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=1727.030 ms
64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=2727.260 ms
64 bytes from 172.16.0.5: icmp_seq=3 ttl=128 time=3726.747 ms
64 bytes from 172.16.0.5: icmp_seq=4 ttl=128 time=5723.986 ms
64 bytes from 172.16.0.5: icmp_seq=5 ttl=128 time=5719.810 ms
64 bytes from 172.16.0.5: icmp_seq=6 ttl=128 time=6720.334 ms
64 bytes from 172.16.0.5: icmp_seq=7 ttl=128 time=6719.848 ms
^C
--- (InternalServer).(companyname).local ping statistics ---
15 packets transmitted, 8 packets received, 46% packet loss
round-trip min/avg/max/stddev = 727.144/4224.020/6720.334/2176.543 ms
OK, enough for now. Can anyone spot what I might be doing wrong, and/or suggest something to try to remedy this? If there is any additional logging/debug info that would be useful, please ask and I will track it down.
Thanks very much in advance!!! /HJ

Problem not entirely solved, but mostly working now. It turns out the issue was with the 3Com OfficeConnect VPN box. It was causing all sorts of headaches and had to be manually power cycled at least once a week, so we ditched it and got a Linux-based Firewall/VPN appliance (http://www.ingate.com/ingate_vpn.php).
Now I can connect and mount Windows drives via SMB (both the command line and the Finder's "Connect to Server" approach seem to work). Performance still exhibits annoying lags at random times, and occasionally the VPN connection disconnects for no good reason, but at least I can get at my files from home. The other issues -- such as being able to resolve "xxx.yyy.local" addresses in the browser by making sure I hit the internal DNS server before any external ones -- all seem to be network configuration issues on my end.
In short, my guess is that the 3Com box was causing issues with some low-level timing parameters or other related settings in how the VPN connection was being established. I was just starting to teach myself about ARP tables, NTLMv2 authentication, and the like when we replaced it with the new firewall.
Hope this helps.
/Heywood

Mac Lion VPN client connectivity

We are looking to get VPN client connectivity from Mac Lion laptops to a Cisco ASA. Windows users work ok, and Mac can connect but they will not resolve internal dns addresses so they will not pass any data. Is there any special configuration needed on the ASA or MAC?

Hi
Could you post the log from the client and the router please?

How to configure full tunnel with VPN client and router?

I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

I think it is possible. Following links may help you
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

ASA 5505 & VPN Cellular connection

We have a ASA 5505 setup with VPN and using Cisco client 5.0. The VPN works without a problem if we use normal internet access (from home, motel, etc). However if we use a cellular wi-fi hotspot or tether a phone it will connect to the vpn but will not allow us to get on the office network. Anyone have this problem or know a solution

Hello greentw1972,
I have ran in to this issue several times. This is mainly caused by Cisco VPN client's compatibility issues with the 3G-Dongle/Tethering-device. I have seen several workarounds for this but the best one I have found is to use a Open source vpn client.
I have used Shrewsoft VPN client and it has worked nicely without any issues so far
Find the links below for further information.
The 3rd link will show you how exactly you need to transfer information from Cisco VPN client to Shrewsoft client.
Shrewsoft latest VPN client download link : www.shrew.net/download/vpn/vpn-client-2.2.0-rc-2.exe
Shrewsoft Web site : www.shrew.net
Installation instruction as Cisco VPN alternative : http://superuser.com/questions/312947/how-to-configure-shrewsoft-vpn-to-connect-to-cisco-vpn-server
Plese rate this post if helpful

How can i delay the present of direct connected route?

Hi, I got 2 3550SMI switch interconnecting by Etherchannel. Each 3550 has an uplink to its upstream router (R1-SW1=SW2-R2). R1 and R2 connects to the remote site routers (say R3 and R4).
With EIGRP redistribute connected, R1 update the direct connected network via WAN link A to R3 where R2 does the same thing updating R4 via WAN link B.
The failover is fine after SW2 powered off. However, problem occured when I powered up SW2. During the bootup of SW2, there was carrier signal which brought up the ethernet port of R2 and the direct connected route presented in R2 then updating R4. Some of the traffic had started to come over from R4 via WAN link B to R2 while SW2 is still booting. (or Etherchannel was not yet ready). As a result, workstation connecting to SW1 cannot be reached for those traffic came from R4->R3->SW2.
I have tried to use "carrier-delay 60"on the ethernet port of R2. It seems solve the problem since the direct connected route delay 60sec. Within that 60 sec, no update via EIGRP from R2 to R4 so that all traffic still went through R3->R1. After that 60 sec, SW2 had already bootup and the etherchannel was also ready.
However, i can only do it with C3725 router. I've tried 1750, 25xx, 26xx and 3640-12.3T but the behavior was not expected (route still present immediately after carrier signal detected).
My questions are:
Is that command valid on Eth or FE interface?
Is there any different using that command with diff. router series, eg. ISR (18xx,28xx,38xx)?
Is there any condition that I could make it work? (at least 3725 worked)
Is there any other way to delay the present of that direct connected route?
Thanks.

Hello,
instead of the 'carrier-delay' command, you could try to change the EIGRP hello and hold-time intervals (which default to 5 and 15 seconds respectively on broadcast media such as Ethernet), in order to delay EIGRP convergence. So, on your Ethernet interfaces when you use the interface commands:
ip hello-time eigrp x 60
ip hold-time eigrp x 180
the redistributed routes will show up only after 60 seconds, which effectively does the same as the 'carrier-delay'...
Can you try that and see if that works for you ?
Regards,
GP

Mail won't work when VPN is connected

I use VPN to blog for a newspaper, from home. I don't access the company's internal mail system--I just use VPN to get through security and use wordpress on the in-house servers.
But when I connect with VPN, mail stops working (for gmail, verizon.net, hotmail). I otherwise have full access to the internet; I can get gmail through the web, for example. But since I use Mail extensively, I'd like to be able to have it and VPN active at the same time.
My current workaround is just to use VPN for posting, then I get out. But this is a big hassle. Is there a mail setting that I can change that will let it work while (Cisco) VPN is active?
(I'm a freelancer using my own iMac, so I get no tech support from work.)

http://docs.info.apple.com/article.html?path=Mac/10.6/en/11941.html
Any chance that you have "Send all traffic over VPN connection" enabled ?
I use the OSX internal VPN to connect to my Office PC and can use Mail while VPN-connected.
Stefan

Using "route-target import" only connected routes?

When using the route-target import, the only routes imported are ones directly connected on one of the other PE routers. How does one get the advertised routes and the connected routes imported?
PE1 -- PE2
|
|
PE3
Customer's remote site attaches to PE1 which peers to PE2. PE2 connects to Customer HQ.
Another VRF (100:110) provides a centralized service that will be used by several different customers. Some of the subnets for this shared service are directly connected to PE2 while other subnets are directly connected to PE3.
Since PE1 and PE2 were already peered, I thought all that was needed was an import statement to get the routes from the shared service vrf into the customer's vrf.
PE1:
ip vrf customer1
rd 100:105
route-target export 100:105
route-target import 100:105
route-target import 100:110
When I do a 'show ip route vrf Customer1' the only routes that appear are the ones directly connected to PE2. I then peered PE1 to PE3, creating a full mesh but no other routes appeared in the routing table.
PE1 -- PE2
\ |
\ |
\ PE3
I plan to use an export map and import map to filter the networks to the desired ones, but in this example, should not all routes be seen from the shared services VRF (100:110)?
Thanks!

Frank,
Performing the import on one PE doesn't cause that one PE to start advertising the imported prefixes to other member of the same VRF on other PEs.
If you want the prefixes from the shared services VRF to show up in the customer VRF on all PEs, you need to import RT 100:10 in VRF Customer1 on all PEs.
Hope this helps,

VPN auto connect leads problem when accessing the private url in my app through HttpClient

Hi,
I have app to execute my WCF service through HttpClient(). I configured my SSL VPN in sonicwall mobile connect with auto connect option. So when accessing my internal WCF service, Wp 8.1 asks the VPN connection screen. If I follow the screen, VPN
has connected and return to my App. But here I received "An error has ocurred. While sending request to server" in Wp 8.1 screen. Even if I debug through visual studio I couldn't catch or track the actual error in code. Below the code I am using
for your reference. Kindly help me in this regard.
try
HttpClientHandler handler = new HttpClientHandler(); ;
handler.AllowAutoRedirect = false;
HttpClient httpClient = new HttpClient(handler);
httpClient.MaxResponseContentBufferSize = 256000;
HttpResponseMessage response = await httpClient.GetAsync("http://172.0.0.11/xxxxx/Service1.svc/xxxxCheck/" + usr.username + "/" + App.DeviceId + "/" + usr.password);
response.EnsureSuccessStatusCode();
string content = await response.Content.ReadAsStringAsync();
List<EmcUserResult> userres = JsonConvert.DeserializeObject<List<EmcUserResult>>(content);
if (userres.FirstOrDefault().Allowed == "TRUE")
NavigationService.Navigate(new Uri("/MainPage.xaml", UriKind.Relative)); // call MainPage
else
MessageBox.Show("This User was blocked. Contact admin.");
catch (Exception ex)
MessageBox.Show(ex.Message);

I recommend that you check the network traffic by using either Wireshark or Fiddler to see what's going on with the request.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.
NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined
objects and unknown namespaces.

Port/Connection Routing through Share Internet Connection...need help

Alright here's the situation: I have a Linux server that I bought for cheap from a friend and its upstairs in my bedroom. The router and dsl is downstairs and the server has to stay up in the bedroom. I don't have the cabling to run all the way up and thats tacky anyway. And linux doesnt have wireless support for my wireless card. Sooo I've turned on connection sharing with my new iMac that is in the bedroom as well and internet is coming through airport, while the connection shared with the server is wired. In airport, out eth0 to server.
Ok, so what I'm wanting to do is experiment with multiple types of servers on linux (i.e. Samba, FTP, Mail, etc) but I need to figure out a quick fix on routing or forwarding those connections routes and ports through the mac to the linux box. The linux box has no problem reaching the internet and has its own static ip but is also showing up on network 192.168.0 when the rest of my network is 192.168.1
Any third party free programs for adding advanced routing or easier setup and more features to the OSX internet sharing? Or maybe a tweak ya'll know of?

Hi Aaron,
flying buttress is a GUI for the UNIX firewall built into OSX. It has more functionality than the GUI in the sharing preferences.
By sharing network connection from another mac it will be on a differnent subnet to the rest of your LAN. The mac that is setup as the gateway is effectively acting as a gateway like your router is. So therefore your linux box is behind 2 NAT devices. You would need to setup up 2 sets of NAT rules.
This is quite an advanced setup for someone just experimenting.
I don't have the cabling to run all the way up and thats tacky anyway. And linux doesnt have wireless support for my wireless card.
Cable does not have to look tacky. It can be installed neatly if use use conduit or tack it to the skirting board. Also given that wireless cars cost about £20 you could easily get your linux box connected to your router.

Can't put the computer into sleep if VPN is connected

I think I have found a win7 bug. The problem is that I can't put my computer into sleep if VPN is connected. The VPN client I used is Microsoft VPN client. The VPN works fine. But if I click sleep button with VPN connected, the computer screen turns
black, the fan speeds up, and the signal light tells me the computer is still on, not in sleep mode. When I try to wake up my computer by tapping the enter key, space, or moving the mouse, it just doesn't work at all: the fan speeds faster and faster
and the computer heats up. The only thing I can do now to save my computer from darkness is to hit and hold the power button, powering off the computer. The sleep function works just fine if the VPN is disconnected. I can easily wake my computer up by tapping
the enter key. I don't know whether this problem is only present on my computer or universally present on all win7 computers.
The following is my system info:
OS Name Microsoft Windows 7 Ultimate
Version 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer Microsoft Corporation
System Manufacturer LENOVO
System Model IdeaPad Y460
System Type X86-based PC
Processor Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, 2534 Mhz, 2 Core(s), 4 Logical Processor(s)

Hi,
Please collect the report for the further troubleshooting. Note:Please do the following steps when VPN is connected.
1. Click Start, type in “cmd”, right click it and choose “Run as administrator”.
2. Type in the following command.
Powercfg –energy
3. Find the report file in the location showed in Command window.
4.
Upload it.
Kim Zhou
TechNet Community Support

I use VPN to connect to my school. FX 3.6 worked great, FX 4 b not.

Hello there,
I use VPN to connect to my school, it used to worked great with my previous version of FX 3.6 in Windows XP.
I am now using a new PC with Windows 7 and FX 4 beta, but VPN would not work. I installed JAVA successfully but this did not solve the problem. VPN at my school uses JAVA or ActiveX. Please advise.
Thanks.

Hi
If you're trying to connect using the server's name you have to know which host server to use to resolve the name. If you don't know simply use its IP address:
eg: instead of: smb://servername
use: smb://IPaddress (this would be the private non-routable IP address)
This should work? Depending which VPN Method you're using to Tunnel to the host network and how the host network is configed it may not do name resolution that well.
If it used to work in the past it may have been because a static entry for the host network's DNS Server was placed in your Network Preferences Pane? Or if your connection was via PPTP or L2TP appropriate LAN settings were assigned once the connection was made to the host site? In other words a set of IP addresses matching the host site's LAN IP topology.
Perhaps the current method you're using now of building the VPN Tunnel is via IPSec IKE/ISKAMP? In which case you may have to 'tell' your remote network which DNS Server to use at the host site for name resolution.
A possible reason why it 'works' for the Windows side is because name resolution - most of the time - gets by without using fully qualifiable domain names. For example pinging an IP address in DOS to find a name works (most of the time) if you simply supply just the server name. This is not necessarily the case on the mac.
Tony

BM38 VPN IP Connectivity/Routing

Similar Messages

Maybe you are looking for