Default Gateway when connected to VPN

Similar Messages

• Clients cannot ping the default gateway when connected to SSID

  Here is my environment,
  My controller is vWLC installed in ESXi which has to vNet Cards configured with all vlans(4095), then it is connected to a 3560 switch with trunk. The configuration of the switch interface is as belows:
  LS3560CG#sh run int fa0/1
  Building configuration...
  Current configuration : 138 bytes
  interface FastEthernet0/1
  description To_WLC
  switchport trunk encapsulation dot1q
  switchport mode trunk
  spanning-tree portfast
  end
  The IP of management interface of WLC is 10.10.10.90, VLAN is 10, DHCP primary is 10.10.10.1 which is in the 3560, the DHCP pool is configured as blows:
  LS3560CG#sh run int fa0/1
  Building configuration...
  Current configuration : 138 bytes
  interface FastEthernet0/1
  description To_WLC
  switchport trunk encapsulation dot1q
  switchport mode trunk
  spanning-tree portfast
  end
  The SSID is BYOD and I can connect the SSID and get the IP address such as 10.10.10.118/24, but for now, i cannot ping 10.10.10.1, but i can ping 10.10.10.90:
  Can anyone help me with this? Thanks

  Hi Scott
  Correct! I have resolved this a few minutes earlier. I have assigned the vSwitch to Promiscuous Mode but forgot to switch it to "Accept", the default value is "Reject"
  Thanks so much!

• Can't access non-VPN resources when connected to VPN

  I need to access web based resources over a VPN for work. My admin gave me the connection parameters, and I can connect to the VPN and access what I need, no problem. But when connected to VPN, I can't access websites, Subversion repositories, Skype, etc. that are not on the VPN.
  On Windows, there's a connection property on VPN connections called "Use default gateway". With that option cleared on my Windows machine, I can access both VPN and non-VPN resources simultaneously. I can't spot anything equivalent in the VPN connection in Network Preferences.
  So I guess the question is: what network settings on Mac (Snow Leopard) will enable me to access both VPN and normal resources simultaneously?

  I have found a workaround. It isn't optimal, and it's disappointing that VPN is so poorly supported on Mac. Though the specific IPs are probably applicable only to the particular VPN I connect to, maybe the general idea can be of help to others and your network admins can supply the particular IPs you need.
  1. My Admin had me open Network Preferences, select the VPN connection, click the Tools icon at the bottom, and select Set Service Order. In that dialog, move the VPN connection to the bottom of the list (my EVDO modem that gets me my internet connection is fist in the list). Apply this change.
  2. Next, my admin asked me to run the following in Terminal, once when VPN was not connected (but internet was connected), and again with VPN connected, and send him the output:
  *netstat -nr*
  3. After looking at the terminal output, admin told me to run the following in Terminal with the VPN connected:
  *sudo route add -net 10.123 -netmask 255.255.0.0 10.123.50.1*
  After disconnecting both VPN and Internet connection and reactivating each in turn (internet, then VPN), I was able to access both VPN and non-VPN resources simultaneously.
  The bad news is that every time I need to connect I have to run route add in Terminal and enter my password. I will probably make a shell script to at least run the command so I don't have to remember it.
  Here's hoping this helps if others bump into this pernicious little problem.

• Can't Browse Web when connected to VPN

  Hi, 
  I got interested in networks about a year ago.  We had some spare networking kit lying around in our office and I decided to set up a lab.
  I've been able to configure NAT w/ PAT  on a cisco 3825.
  I've got 1 access list, "Overloading" my OUTSIDE int, and a few "ip nat inside source static..." entries to handle my port forwards.
  It's a very basic setup.
  The router died recently, so I got a cheap replacement form ebay.  Setting it all up was WAY easier than last time, so I decided to try something new.... VPN.
  I'd previously had a port forward to a computer that was a VPN server, but I was able to use Cisco CCP to help me configure VPN.  Yes, technically cheating for all you CLI-heads out there, so sorry-- to make you happy, I did thoroughly inspect and spent extra time appreciating the code it wanted to inject to my router.  
  Now, I've got VPN working, and I can access all the PC's on the LAN I'm VPN'ing to, but -- I can't access the web when connected to VPN.
  I've fiddled with the access list, trying to make it ANY/ANY.
  I'm not really sure what to do.
  I looked around and most of the stuff out there is for a site-to-site, or PAT running on a tunnel... 
  My issue is pretty basic, probably.  I just cant access outside when on VPN.
  I'm more than willing to have another translation method.
  I've attached my router config.
  Can you have a look and let me know what would need changing...
  Really appreciate any insight.
  Thanks,
  Brian

  Hello Brian,
  Basically this is the VPN group:
  crypto isakmp client configuration group open
   key (something)
   dns 192.168.1.1 8.8.8.8
   domain something.com
   pool SDM_POOL_1
   save-password
   backup-gateway 192.168.1.1
   max-users 5
   netmask 255.255.255.0
   banner ^Cyou have connected to the vpn-ings!.  well done!    ^
  I see that you are doing tunnel all, and you are not split tunneling on this configuration, what you can do is to use split tunnel, under this configuration as follow:
  ip access-list extended SPLIT_TUNNEL
  permit ip XXXXX XXXXX 192.168.1.0 0.0.0.255
  XXXXX --> are the inside subnets
  Then under this:
  crypto isakmp client configuration group open
  acl SPLIT_TUNNEL
  This will allow you to have access to the internal subnets through the tunnel and have access to internet through the internet connection on your computer.
  For further details take a look to this document:
  - http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
  Don't use Any on your ACL statements for split tunneling purposes.
  Let me know how it works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• Users can only connect to RD farm website and cannot remote into terminal server , when connected via VPN

  Hello,
  I have a RD farm using 3 Win 2012 servers (1 broker and 2 session host), for internal use only, have not
  configured gateway for internet access.
  Users are able to connect to RD farm website and remote into terminal server, within office
  but can only connect to RD farm website and cannot remote into terminal server , when connected via VPN
  Its takes long time at securing connection and fails.
  Thanks

  Hi,
  Thank you for your posting in Windows Server Forum.
  First of all I would suggest you to configure RD gateway role on your server and pass all the connection through it because it’s a best practice to use RD Gateway in RDS Farm. 
  Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to access via VPN. Also check that you have made configuration under IIS Manager to enable Forms Authentication. Please check
  this link.
  In addition, please refer beneath article for additional details.
  1. How to Access Windows Remote Desktop Over the Internet
  2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
  (For reference)
  Hope it helps! 
  Thanks,
  Dharmesh

• Kerberos issue when connecting via VPN

  Hi,
  I am have some issues when connecting via VPN.
  The following kdc log is issued when I log via VPN
  May 02 12:12:21 ATHENA.MYDOMAIN.LAN krb5kdc[163](info): DISPATCH: repeated (retransmitted?) request from 192.168.2.5, resending previous response
  May 02 12:12:21 ATHENA.MYDOMAIN.LAN krb5kdc[163](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.5: UNKNOWN_SERVER: authtime 1146535939, [email protected] for ldap/[email protected], Server not found in Kerberos database
  I also have a system log May 2 12:12:21 ATHENA DirectoryService[41]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
  This logs only happen while logging through VPN.
  Any idea?
  Cheers
  Ben

  Hi,
  When using your VPN are yo using Terminal LIcense or Remote Desktop Connection?
  Please do the following to save form settings:
  1. Only 1 module should be open when using form settings.
      Close other modules that doesn't need.
  2. Close the module after changed. To make sure the settings are saved.
  3. Always close all the module before exiting SBO program, use the click FIle and Exit habit.
  4. Terminal Licensing should be use when connecting remotely.
  Thanks.
  Clint

• Default Gateway address for multiple VPN users/clients

  Hello,
  We need some help with a VPN setup for a school project.
  What we want to do:
  We would like to have aprox. 10 different VPN uses that can connect to our Windows Server 2012 R2 which is setup as a VPN server, by the Role called Remote access. And the VPN server is working and we are able to connect to it from another location/computer.
  Our current setup:
  We have a Cisco router, that are configured with 10 Vlans, from Vlan 10 to Vlan 20, and a managament Vlan called Vlan 100.
  The Cisco router is also acting as DHCP server, so inside each Vlan the DHCP gives IP addresses to that specific Vlan, Ex: Vlan 10 has a 192.168.10.0/24 network. Vlan 11 has a 192.168.11.0/24 network, and so on. Vlan 100 has 192.168.100.0/24 This Vlan 100
  has connection to all the Vlans.
  We have internet connection on the Router on port 0 and each Vlan are connected to the internet.
  We have setup the VPN server with a static IP configuration so it is inside Vlan 100 with a Default gateway, like 192.168.100.1 So the VPN server is connected to the internet.
  In AD we have created a User and assigned a static IP address in the user properties, under the Dial-In tab. Here we give this user this IP 192.168.10.225
  Now when we connect to the VPN server useing this user, we have no connection to any of the Vlans (ping) and no internet. When we in cmd write ipconfig we can see that our VPN connection has this IP 192.168.10.225 but a Subnet called 255.255.255.255 and
  a Default gateway called 0.0.0.0
  We would like the user to recieve the correct IP settings like: If we connect with our user, it should recieve the IP as it does, but also a subnet called 255.255.255.0 and a default gateway called 192.168.10.1
  How is this achieved?
  The reason we want this is: We want to create a VPN user for each Vlan. So a user with permission to access Vlan 10 but are not able to see the other Vlans, and then a new user to access Vlan 11 but not able to see the other vlans, and so on.
  Hope someone is able to help us to understand how this is done.
  Thank you in advance.

  Hi,
  In brief, we can't achieve this. Normally, we would not do this.
  Usually, we use firewall or ACL to restrict the remote users.
  For example, 192.168.10.100 is assigned to user1 and 192.168.10.101 is assigned to user2. We can use firewall to restrict 192.168.10.100 to access 192.168.10.0/24 and 192.168.10.101 to access 192.168.11.0/24.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Problems accessing 1 remote desktop when connected with VPN

  Hi everyone,
  I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
  The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
  Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
  I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
  I've also tried pinging it and telneting to port 3390 with no success.
  Here is the config.
  ASA Version 8.4(4)1
  interface Ethernet0/0
  switchport access vlan 3
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan2
  nameif inside
  security-level 100
  ip address 192.168.2.2 255.255.255.0
  interface Vlan3
  nameif outside
  security-level 0
  ip address 10.1.1.1 255.255.255.0
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CTSG-LAN-OUT
  range 10.1.1.10 10.1.1.49
  object network CTSG-LAN-IN
  subnet 192.168.2.0 255.255.255.0
  object service RDP3389
  service tcp destination eq 3389
  description To DC
  object network SERVER-IN
  host 192.168.2.10
  object network SERVER-OUT
  host 10.1.1.50
  object network CAMERA-IN-TCP
  host 192.168.2.25
  object network CAMERA-OUT
  host 10.1.1.51
  object service CAMERA-TCP
  service tcp destination eq 37777
  object network SERVER-Virt-IN
  host 192.168.2.11
  object network SERVER-Virt-OUT
  host 10.1.1.52
  object service RDP3390
  service tcp destination eq 3390
  description To VS for Master
  object network CAMERA-IN-UDP
  host 192.168.2.25
  object service CAMERA-UDP
  service udp destination eq 37778
  object network CTSG-LAN-OUT-VPN
  subnet 10.1.1.128 255.255.255.128
  object network SERVER-Virt-IN-VPN
  host 192.168.2.11
  object network SERVER-IN-VPN
  host 192.168.2.10
  object network CAMERA-IN-VPN
  host 192.168.2.25
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
  access-list inside1_access_in extended permit ip any any
  access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
  access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
  access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
  access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
  pager lines 24
  logging enable
  logging buffer-size 10240
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  object network CTSG-LAN-IN
  nat (inside,outside) dynamic interface
  object network SERVER-IN
  nat (inside,outside) static SERVER-OUT service tcp 3389 3389
  object network CAMERA-IN-TCP
  nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
  object network SERVER-Virt-IN
  nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
  access-group inside1_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP
  -DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=SACTSGRO
  crl configure
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 15
  ssh 192.168.2.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 15
  dhcpd auto_config inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password xxxxx encrypted privilege 15
  username admin attributes
  vpn-group-policy DfltGrpPolicy
  tunnel-group CTSGRA type remote-access
  tunnel-group CTSGRA general-attributes
  address-pool RAVPN
  tunnel-group CTSGRA ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:0140431e7642742a856e91246356e6a2
  : end
  Thanks for your help

  Ok,
  So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And also the objective was to in the end only allow traffic to the LAN through the VPN Client connection ONLY.
  It would seem to me to achieve that, you would only need the following NAT configurations
  VPN Client NAT0 / NAT Exempt / Identity NAT
  object network LAN
  subnet 192.168.2.0 255.255.255.0
  object network VPN-POOL
  subnet 10.1.1.128 255.255.255.128
  nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
  The purpose of the above NAT configuration is simply to tell the ASA that dont do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN Pool of 10.1.1.128/25. This way if you have any additional hosts on the LAN that need to be connected to, you wont have to make any form of changes to the NAT configurations for the VPN client users. You just allow the connections in the ACL (explained later below)
  Default PAT
  object-group network DEFAULT-PAT-SOURCE
  network-object 192.168.2.0 255.255.255.0
  nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  This configurations purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the routers public IP address and this configuration should therefore allow normal Internet usage from the LAN.
  I would suggest removing all the other NAT configuration before adding these.
  Controlling VPN clients access to internal resources
  Also I assume that your current VPN client is configured as Full Tunnel. In other words it will tunnel all traffic to the the VPN connection while its active?
  To control the traffic coming from the VPN Client users I would suggest that you do the following
  Configure "no sysopt connection permit-vpn" This will change the ASA operation so that connections coming through a VPN connections ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore after this change you can allow the connections you need in the "outside" interface ACL.
  Configure any rules you need regarding the VPN client connections to the "outside" interface ACL. Though I guess they already exist since you are connecting there without the VPN also
  I cant guarantee this with 100% certainty but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after when you have connected to the ASA through the VPN client connection. Naturally take precautions like configuration backups if you are going to do major configuration changes. Also if you are remotely managing the ASA then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a missconfiguration breaks you management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out and also reboot with the original configuration (provided you hadnt saved anything in between)
  Why are you using a different port for the other devices RDP connection? I can understand it if its used through the Internet but if the RDP connection would be used through the VPN Client only then I dont think there is no need to manipulate the default port of 3389 on the server or on the ASA.
  Also naturally if there is something on the actual server side preventing these connections then these configuration changes might not help at all.
  Let me know if I have understood something wrong
  - Jouni

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• General Settings not retained when connecting via VPN

  Forum,
  We have a user who connects to SAP via a VPN connection. Since then they have found that any form settings/column amendments made are not being retained when next logging into SAP.
  When these changes were made direct in the office, they are retained.
  My question. Is there any differences in how the settings are retained within SAP when accessing via a VPN?
  Regards,
  Juan

  Hi,
  When using your VPN are yo using Terminal LIcense or Remote Desktop Connection?
  Please do the following to save form settings:
  1. Only 1 module should be open when using form settings.
      Close other modules that doesn't need.
  2. Close the module after changed. To make sure the settings are saved.
  3. Always close all the module before exiting SBO program, use the click FIle and Exit habit.
  4. Terminal Licensing should be use when connecting remotely.
  Thanks.
  Clint

• Panic when connecting to VPN

  Hi
  We have several users who are getting panics when connecting to our VPN from home. They are configured to use either PPTP or IPSEC (they can choose either) and it happens across multiple macbooks, though not all, and when connecting to either type of VPN.
  The panic logs show the following but my eye is drawn to what looks like a Sonnet SATA driver, which strikes me as odd. Any ideas ?
  Sun May 15 13:56:58 2011
  panic(cpu 1 caller 0x2aab59): Kernel trap at 0x01aae1e0, type 14=page fault, registers:
  CR0: 0x8001003b, CR2: 0x00000000, CR3: 0x00100000, CR4: 0x00000660
  EAX: 0x00000000, EBX: 0x00000000, ECX: 0x0054fdea, EDX: 0x447b1000
  CR2: 0x00000000, EBP: 0x52f63f28, ESI: 0x00000004, EDI: 0x00000000
  EFL: 0x00010246, EIP: 0x01aae1e0, CS:  0x00000008, DS:  0x00000010
  Error code: 0x00000000
  Backtrace (CPU 1), Frame : Return Address (4 potential args on stack)
  0x52f63d08 : 0x21b510 (0x5d9514 0x52f63d3c 0x223978 0x0)
  0x52f63d58 : 0x2aab59 (0x59aeec 0x1aae1e0 0xe 0x59b0b6)
  0x52f63e38 : 0x2a09b8 (0x52f63e50 0x447b10c8 0x52f63f28 0x1aae1e0)
  0x52f63e48 : 0x1aae1e0 (0xe 0x48 0x9300010 0x10)
  0x52f63f28 : 0x554254 (0x447b1000 0x930bcc0 0x0 0x4bca4b54)
  0x52f63f78 : 0x22fd0d (0x930bcc0 0x89b21dc 0x52f63fc8 0x550788)
  0x52f63fc8 : 0x2a06dc (0x863ea0 0x0 0x2a06eb 0xa0f6ee4)
        Kernel Extensions in backtrace (with dependencies):
           com.sonnettech.driver.SonnetSATA(2.2.5)@0x1a9e000->0x1abbfff
              dependency: com.apple.iokit.IOATAFamily(2.5.1)@0x1a91000
              dependency: com.apple.iokit.IOPCIFamily(2.6)@0x927000
  BSD process name corresponding to current thread: kernel_task
  Mac OS version:
  10J869
  Kernel version:
  Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
  System model name: MacBookPro5,2 (Mac-F2268EC8)
  System uptime in nanoseconds: 6185013429022
  unloaded kexts:
  com.apple.iokit.IOATABlockStorage          2.6.0 (addr 0x58ec9000, size 0x57344) - last unloaded 6108231979777
  loaded kexts:
  com.sonnettech.SonnetSATABlockStorage          2.2.5
  com.sonnettech.driver.SonnetSATA          2.2.5
  com.apple.driver.AppleRAID          4.0.6 - last loaded 6145052191856
  com.apple.filesystems.webdav          1.8.2
  com.apple.filesystems.afpfs          9.7
  com.apple.nke.asp_tcp          5.0
  com.apple.driver.AppleBluetoothMultitouch          54
  com.apple.driver.AppleHWSensor          1.9.3d0
  com.apple.filesystems.autofs          2.1.0
  com.apple.driver.AGPM          100.12.19
  com.apple.driver.AppleMikeyHIDDriver          1.2.0
  com.apple.driver.AppleMikeyDriver          1.9.9f12
  com.apple.kext.AppleSMCLMU          1.5.0d3
  com.apple.driver.AudioAUUC          1.54
  com.apple.driver.AppleLPC          1.4.12
  com.apple.driver.AppleUpstreamUserClient          3.5.4
  com.apple.driver.AppleMCCSControl          1.0.17
  com.apple.driver.SMCMotionSensor          3.0.0d4
  com.apple.driver.AppleHDA          1.9.9f12
  com.apple.Dont_Steal_Mac_OS_X          7.0.0
  com.apple.driver.AudioIPCDriver          1.1.6
  com.apple.driver.AppleIntelPenrynProfile          17
  com.apple.driver.ACPI_SMC_PlatformPlugin          4.5.0d5
  com.apple.driver.AppleGraphicsControl          2.8.68
  com.apple.GeForce          6.2.6
  com.apple.driver.AppleUSBTCButtons          200.3.2
  com.apple.driver.AppleUSBTCKeyboard          200.3.2
  com.apple.driver.AppleIRController          303.8
  com.apple.iokit.SCSITaskUserClient          2.6.5
  com.apple.iokit.IOAHCIBlockStorage          1.6.3
  com.apple.driver.AirPortBrcm43224          427.36.9
  com.apple.driver.AppleSmartBatteryManager          160.0.0
  com.apple.driver.AppleAHCIPort          2.1.5
  com.apple.BootCache          31
  com.apple.AppleFSCompression.AppleFSCompressionTypeZlib          1.0.0d1
  com.apple.nvenet          2.0.15
  com.apple.driver.AppleFWOHCI          4.7.1
  com.apple.driver.AppleUSBHub          4.1.7
  com.apple.driver.AppleUSBEHCI          4.1.8
  com.apple.driver.AppleUSBOHCI          4.1.5
  com.apple.driver.AppleEFINVRAM          1.4.0
  com.apple.driver.AppleRTC          1.3.1
  com.apple.driver.AppleHPET          1.5
  com.apple.driver.AppleACPIButtons          1.3.5
  com.apple.driver.AppleSMBIOS          1.6
  com.apple.driver.AppleACPIEC          1.3.5
  com.apple.driver.AppleAPIC          1.4
  com.apple.driver.AppleIntelCPUPowerManagementClient          105.13.0
  com.apple.security.sandbox          1
  com.apple.security.quarantine          0
  com.apple.nke.applicationfirewall          2.1.11
  com.apple.driver.AppleIntelCPUPowerManagement          105.13.0
  com.apple.driver.IOBluetoothHIDDriver          2.4.0f1
  com.apple.driver.AppleMultitouchDriver          207.10
  com.apple.driver.AppleProfileReadCounterAction          17
  com.apple.driver.AppleSMBusController          1.0.8d0
  com.apple.driver.AppleSMBusPCI          1.0.8d0
  com.apple.driver.AppleProfileTimestampAction          10
  com.apple.driver.AppleProfileThreadInfoAction          14
  com.apple.driver.AppleProfileRegisterStateAction          10
  com.apple.driver.AppleProfileKEventAction          10
  com.apple.driver.AppleProfileCallstackAction          20
  com.apple.iokit.IOFireWireIP          2.0.3
  com.apple.iokit.IOATAFamily          2.5.1
  com.apple.driver.DspFuncLib          1.9.9f12
  com.apple.iokit.IOSurface          74.2
  com.apple.iokit.IOBluetoothSerialManager          2.4.0f1
  com.apple.iokit.IOSerialFamily          10.0.3
  com.apple.iokit.IOAudioFamily          1.8.0fc1
  com.apple.kext.OSvKernDSPLib          1.3
  com.apple.driver.AppleHDAController          1.9.9f12
  com.apple.iokit.IOHDAFamily          1.9.9f12
  com.apple.iokit.AppleProfileFamily          41
  com.apple.driver.AppleSMC          3.1.0d3
  com.apple.driver.IOPlatformPluginFamily          4.5.0d5
  com.apple.nvidia.nv50hal          6.2.6
  com.apple.NVDAResman          6.2.6
  com.apple.iokit.IONDRVSupport          2.2
  com.apple.iokit.IOGraphicsFamily          2.2
  com.apple.driver.BroadcomUSBBluetoothHCIController          2.4.0f1
  com.apple.driver.AppleUSBBluetoothHCIController          2.4.0f1
  com.apple.iokit.IOBluetoothFamily          2.4.0f1
  com.apple.driver.AppleUSBMultitouch          206.6
  com.apple.iokit.IOUSBHIDDriver          4.1.5
  com.apple.driver.AppleUSBMergeNub          4.1.8
  com.apple.driver.AppleUSBComposite          3.9.0
  com.apple.iokit.IOSCSIMultimediaCommandsDevice          2.6.5
  com.apple.iokit.IOBDStorageFamily          1.6
  com.apple.iokit.IODVDStorageFamily          1.6
  com.apple.iokit.IOCDStorageFamily          1.6
  com.apple.driver.XsanFilter          402.1
  com.apple.iokit.IOAHCISerialATAPI          1.2.5
  com.apple.iokit.IOSCSIArchitectureModelFamily          2.6.5
  com.apple.iokit.IO80211Family          314.1.1
  com.apple.iokit.IOAHCIFamily          2.0.4
  com.apple.iokit.IONetworkingFamily          1.10
  com.apple.iokit.IOFireWireFamily          4.2.6
  com.apple.iokit.IOUSBUserClient          4.1.5
  com.apple.iokit.IOUSBFamily          4.1.8
  com.apple.driver.NVSMU          2.2.7
  com.apple.driver.AppleEFIRuntime          1.4.0
  com.apple.iokit.IOHIDFamily          1.6.5
  com.apple.iokit.IOSMBusFamily          1.1
  com.apple.kext.AppleMatch          1.0.0d1
  com.apple.security.TMSafetyNet          6
  com.apple.driver.DiskImages          289
  com.apple.iokit.IOStorageFamily          1.6.2
  com.apple.driver.AppleACPIPlatform          1.3.5
  com.apple.iokit.IOPCIFamily          2.6
  com.apple.iokit.IOACPIFamily          1.3.0

  ...happens across multiple macbooks...The panic logs show the following but my eye is drawn to what looks like a Sonnet SATA driver, which strikes me as odd. Any ideas ?
  I don't have an answer, but are these Macbook Pros with the ExpressCard slot?  (17" MBP or older 15" MBPs.)  If so, then do these users have external hard drives?  Sonnet does make some ExpressCard SATA adapters so perhaps a driver update is needed.
  http://eshop.macsales.com/Search/Search.cfm?Ntk=Primary&Ns=P_Popularity%7c1&Ne=8 050&N=4294967277&Ntt=PCMCIA+AND+Express34

• Cant send emails from gmail or yahoo when connected to vpn

  I use a vpn to mask my IP address. When I am connected through my VPN I cannot send emails from my gmail or yahoo accounts through thunderbird
  If i disconect vpn they go through fine

  Just a guess, but if you change the outgoing server name to an IP address such as 74.125.136.108 for Gmail, does it work?
  https://support.hidemyass.com/entries/24893686-SMTP-Sending-emails-while-connected-to-VPN#thunderbird

• ITunes won't play via Airport Express when connected to VPN

  Once connected to VPN iTunes just won't work but still plays on my computer. I believe it has something to do with the firewall but I do not know how to get around it. Can anyone help? I would love to listen to music via my stereo speakers while doing work...Thanks!

  Is this what you are looking for? http://docs.info.apple.com/article.html?artnum=93396
  or
  http://docs.info.apple.com/article.html?artnum=108071

• Can't send mail when connected to vpn

  I'm hooked up with a private vpn service using OpenVpn. Everything works beautifully -- except that I can't send mail (receiving is no problem) because the SMTP ports offered through Mail 4.5 (ports 25, 465, 587) are blocked by many VPN providers as an anti-spam measure. I can't use port 993 with SSL because I live in Monaco, which has one ISP -- and it does not provide or support secure email (which is one of the reasons I want the VPN).
  Is there another port I can select for SMTP, or some configuration tricks I'm missing? Thanks...:)

  Hello Brian,
  Basically this is the VPN group:
  crypto isakmp client configuration group open
   key (something)
   dns 192.168.1.1 8.8.8.8
   domain something.com
   pool SDM_POOL_1
   save-password
   backup-gateway 192.168.1.1
   max-users 5
   netmask 255.255.255.0
   banner ^Cyou have connected to the vpn-ings!.  well done!    ^
  I see that you are doing tunnel all, and you are not split tunneling on this configuration, what you can do is to use split tunnel, under this configuration as follow:
  ip access-list extended SPLIT_TUNNEL
  permit ip XXXXX XXXXX 192.168.1.0 0.0.0.255
  XXXXX --> are the inside subnets
  Then under this:
  crypto isakmp client configuration group open
  acl SPLIT_TUNNEL
  This will allow you to have access to the internal subnets through the tunnel and have access to internet through the internet connection on your computer.
  For further details take a look to this document:
  - http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
  Don't use Any on your ACL statements for split tunneling purposes.
  Let me know how it works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• I have a Airport Express I use primarily for AirPlay with my iPhone 4 (iOS6.1.3). Is there a way to set AirPlay as the default audio when connected to wifi?

  At the moment, when I re-connect to wifi (come home), I must select AirPlay as the desired audio.
  I know this is managble, but it would work a lot more easily if it was possible to select a default for AirPlay, or iPhone.

  I would suggest that you perform a "soft" reset on the AirPort Extreme Base Station (AEBS) that you just got from eBay. This type of reset will temporarily (5 minutes) disable both the base station and wireless security passwords so that you can access it with the AIrPort Utility to make the necessary changes.