Re: Setting up site to site VPN with RV042s

"Roy Hills" <royhills@xxxxxxxxxxx> wrote in message
news:eaop239i3p3aoirrg3n7840n34c0uasmr8@xxxxxxxxxx
On Sun, 22 Apr 2007 16:39:44 -0700, "Fred Marshall"
<fmarshallx@xxxxxxxxxxxxxxxxxxxx> wrote:

Thanks! Well, at this stage I have the VPN connecting and can ping through
it. However, I can't map drives using the IP addresses of their hosts.

If you can ping then the VPN is working, assuming that the ping packets
(ICMP echo and echo reply are actually going over the VPN and not just
being routed of course).

All I see on the hub are pretty much ISAKMP Informational packets of 126
bytes each - going one way and then the other. Occasionally there's a ping
from one VPN device public address to the other VPN device public address -
and a reply.

That's weird. What you should see is some IKE (or ISAKMP, it's the same
thing) activity when the VPN connects. This will use UDP port 500 or maybe
4500 if you're using NAT Traversal. Once the VPN is established, you
shouldn't see much IKE traffic other than the occasional re-keying (maybe
once every hour).

When you send data over the VPN (like the ping packets), then you should
see ESP (Encapsulating Security Payload) traffic, which is IP protocol 50.
You should see one ESP packet for each ping request and reply. Most
sniffers will decode ESP to show the SPI numbers, but they won't be able to
decode what's inside because it's encrypted.

You shouldn't be seeing plain ping going over the wire, because that
suggests that it's not going over the VPN.

Roy

Roy,

Thanks. Well, I set up firewall rules in the VPN routers of all possible
combinations:
inside IP to inside IP
inside IP to outside IP
outside IP to inside IP
outside IP to outside IP
entered each of these rules for the WAN interface and the LAN interface for
a total of 8 rules
Then, denied all traffic.
Any of these can be disabled so I've been trying with them and without them
and selectively so.

I found that LAN interface inside IP to inside IP was *necessary* for the
VPN to work.
That makes sense to me as the LAN interface is unencrypted / outside the
tunnel.

I found that WAN interface outside IP to outside IP when enabled caused
those outside/outside pings to show up. But, I found no failures when the
outside/outside rule was disabled. Yes, this would be outside the tunnel.

I have no explanation for why I see the packets I do with the sniffer I'm
using (Ethereal). I should think the results might vary according to which
set of security features is set up.

Thanks,

Fred
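The traffic breakdown Roy describes (IKE on UDP/500 or UDP/4500, ESP as IP protocol 50, and no bare ping between the gateways once the tunnel is up) can be checked mechanically against a capture. The following is an added example, not code from the thread or from the RV042 firmware: it parses raw IPv4 bytes, sorts each packet into control channel (IKE), data channel (ESP, including ESP-in-UDP on 4500 per RFC 3948) or plaintext, and flags plaintext ICMP between the peers as traffic that bypassed the tunnel. The gateway addresses, the sample packets and the helper names are assumptions constructed for the demo; on a live box the equivalent quick look is `tcpdump -n -i eth0 'udp port 500 or udp port 4500 or ip proto 50 or icmp'`.

```python
"""Classify IPv4 packets on the public link as IKE, ESP or plaintext.

Added example (not from the original thread). It decides, from raw IPv4
bytes, whether a frame belongs to the IPsec control channel (IKE on
UDP/500, or UDP/4500 with NAT traversal), the encrypted data channel
(ESP, IP protocol 50, or ESP-in-UDP on 4500) or is plaintext that never
entered the tunnel, such as a bare ICMP echo between the two gateways.
All packets and addresses below are constructed by hand, not captured.
"""
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP = 1, 17, 50
IKE_PORT, NATT_PORT = 500, 4500


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: bytes) -> tuple:
    """Return (category, detail); category is 'ike', 'esp' or 'plain'."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(vihl & 0x0F) * 4:]
    peers = f"{ipaddress.IPv4Address(src)}->{ipaddress.IPv4Address(dst)}"
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]
        return "esp", f"ESP spi=0x{spi:08x} {peers}"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "ike", f"IKE/ISAKMP udp/500 {peers}"
        if NATT_PORT in (sport, dport):
            if data == b"\xff":
                return "ike", f"NAT-T keepalive {peers}"
            # RFC 3948: UDP/4500 carries IKE behind a 4-byte zero "non-ESP
            # marker"; anything else on the port is ESP, whose SPI is never 0.
            if data[:4] == b"\x00\x00\x00\x00":
                return "ike", f"IKE/ISAKMP udp/4500 (NAT-T) {peers}"
            spi = struct.unpack("!I", data[:4])[0]
            return "esp", f"ESP-in-UDP spi=0x{spi:08x} {peers}"
        return "plain", f"UDP {sport}->{dport} {peers}"
    if proto == IPPROTO_ICMP:
        kind = {8: "echo request", 0: "echo reply"}.get(payload[0], f"type {payload[0]}")
        return "plain", f"ICMP {kind} {peers} (bypassed the tunnel)"
    return "plain", f"IP proto {proto} {peers}"


def summarize(packets) -> dict:
    """Count packets per category; a healthy tunnel shows no 'plain' peer traffic."""
    counts = {"ike": 0, "esp": 0, "plain": 0}
    for pkt in packets:
        counts[classify(pkt)[0]] += 1
    return counts


# Constructed sample capture: two gateways (addresses are assumptions from
# the documentation ranges) doing an IKE exchange, NAT-T, ESP data, and one
# plain ping that escaped the tunnel.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
SAMPLES = [
    build_ipv4(IPPROTO_UDP, GW_A, GW_B, build_udp(500, 500, b"\x11" * 28)),
    build_ipv4(IPPROTO_UDP, GW_A, GW_B, build_udp(4500, 4500, b"\x00" * 4 + b"\x22" * 28)),
    build_ipv4(IPPROTO_ESP, GW_A, GW_B, struct.pack("!II", 0x1A2B3C4D, 1) + b"\x33" * 64),
    build_ipv4(IPPROTO_UDP, GW_B, GW_A, build_udp(4500, 4500, struct.pack("!II", 0xDEADBEEF, 7) + b"\x44" * 64)),
    build_ipv4(IPPROTO_ICMP, GW_A, GW_B, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("%-5s %s" % classify(p))
    print(summarize(SAMPLES))
```

If a capture of the public link during a ping test shows ESP packets paired one-for-one with the pings and the summary's `plain` count stays at zero, the ping really is crossing the tunnel; a non-zero `plain` count for gateway-to-gateway ICMP means the packets were routed around it, which matches what Roy says to look for.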
