Category Archives: VPN

CISCO VPN not working from Home Wifi

Today a new customer of mine complained about his inability to connect to his HQ through a Cisco VPN connection when he goes over his home Wi-Fi, or over public or other residential Wi-Fi hotspots.

Well, my answer was rather quick…

The customer's LAN IP addresses are DHCP-pooled by a Cisco 800 family router that serves the network 192.168.1.0 255.255.255.0.

How common… come on!!!!

Most home/SOHO routers use this particular range. The problem and its cause are almost obvious…

Let's take an easy example:

An external client connected through home Wi-Fi has the local IP address 192.168.1.100 and 192.168.1.254 as its gateway.

The user fires up a VPN connection (Cisco, Microsoft, etc.) in order to reach a server inside the corporate network that has the IP address 192.168.1.200.

The client will look for the recipient (the destination address in the packet header) on its local LAN and not on the other side of the tunnel. That is easy to see if you simply run the route print command in cmd.

IPv4 Route Table
===================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.100 20
192.168.1.0 255.255.255.0 On-link 192.168.1.100 276
192.168.1.100 255.255.255.255 On-link 192.168.1.100 276

The first line says: for any destination, ask your gateway.

The second says: for any IP address in your own subnet, ASK YOURSELF, NOT THE GATEWAY, i.e. look for the recipient server on your LAN. The second rule wins over the first because it is the more specific match (a /24 beats the /0 default route); the default route is only consulted when no more specific route matches.

As you can see, any attempt to reach the remote server will fail, even while the VPN is connected, because the packet is sent onto the local LAN instead of to the gateway or into the tunnel, so it never reaches the other end.

The customer has a complete AD inside his corporate LAN and lots of remote sites around it. Personally I think it was quite stupid to use a consumer/home IP range for this type of network… Now, since I cannot change any of the IP ranges inside the corporate LAN, I have only two options:

  1. Visit his house and change the IP range pooled by his home router. Pretend that the problem is fixed and wait until he visits another network with the problematic range (a hotel or another hotspot). Sorry, not my type…
  2. Chase my NPS (Network Philosopher's Stone), using NATs, other router pools and God help us what else…

Be very cautious with your network designs… someone in the future may curse you!!!!

Creativepeople.gr

VPN network problems on multigateway infrastructures

Many people ask me about VPN network problems they face when they have multi-gateway environments in their infrastructure, so I decided to share some of my experience on this.

Let's take a simple scenario, shown in the sketch below.

Some VPN users connect through VPN (IPsec, L2TP, etc.) to your local LAN and use some of your internal apps. The problem some of us have faced in the past is that they can reach some servers but not others, or they may ping (reach) a server but somehow the application they use does not work the way it is supposed to. This may happen because of different gateways. For example, I have a FreePBX serving my internal LAN for VoIP apps, and this server has a gateway of, say, 10.0.10.1. The internal DHCP hands clients the gateway 10.0.10.2. If VPN clients have their IP needs served through that DHCP, they will never be able to register their account on the PBX.

The reason is simple once you put things down on pen and paper…

The packet that leaves the VPN computer/device, addressed to the IP/name of the server hosting the application, will reach the server. But the server, having a different gateway than the one the VPN client's traffic came through, will never deliver its response to the client, because it sends the response packet a different way, through its own gateway to be exact. The request and the reply take different paths, and the reply path does not lead back into the tunnel.

So if you want to avoid this, you should carefully design your DHCP scopes according to the gateways your application servers use and the gateway your external (VPN) clients come through.

This may also happen when you have an Exchange server whose gateway is one ISA server but which is published through another ISA. You can access OWA/OMA/ActiveSync only when your Exchange server uses as its gateway the ISA server that publishes its services.

I had a discussion with a colleague about that and we considered putting a second NIC in the server so that it would have both gateways. Multiple gateways, though, may cause other problems that are sometimes not seen directly… From my point of view you should check your actual needs and infrastructure before going for such a solution.
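Both posts come down to what a host's route lookup decides, so here is an added diagnostic script (my own example, not code from the original posts) that parses a Windows route print table, applies longest-prefix match with metric tie-break the way the host does, lists the on-link routes that overlap a corporate subnet (the first post's home Wi-Fi clash), and checks whether a server's reply leaves via a different gateway than the request arrived through (the second post's FreePBX case). The home table re-types the first post's values; the PBX table, the server address 10.0.10.50 and the VPN client pool 10.0.20.0/24 are assumptions.

```python
import ipaddress

# Constructed sample: the Windows `route print` table from the first post, re-typed.
HOME_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.100     20
      192.168.1.0    255.255.255.0         On-link    192.168.1.100    276
    192.168.1.100  255.255.255.255         On-link    192.168.1.100    276
"""
# Constructed sample for the second post: the PBX server (assumed address 10.0.10.50)
# defaults to 10.0.10.1, while VPN clients (assumed pool 10.0.20.0/24) arrive via 10.0.10.2.
PBX_ROUTES = """\
          0.0.0.0          0.0.0.0        10.0.10.1       10.0.10.50     10
        10.0.10.0    255.255.255.0         On-link       10.0.10.50    276
"""

def parse_route_print(text):
    """Return the IPv4 rows of `route print` output as dicts; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append({"network": net, "gateway": parts[2],
                           "interface": parts[3], "metric": int(parts[4])})
        except ValueError:
            continue
    return routes

def select_route(routes, dest):
    """The route the host actually uses: longest prefix wins, lowest metric breaks ties."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r["network"]]
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"])) if matches else None

def overlapping_local_routes(routes, corporate_net):
    """On-link routes that capture corporate addresses before any tunnel or default route."""
    corporate_net = ipaddress.ip_network(corporate_net)
    return [r["network"] for r in routes
            if r["gateway"] == "On-link" and r["network"].overlaps(corporate_net)]

def reply_is_asymmetric(routes, client_ip, ingress_gateway):
    """True when the server's reply to client_ip leaves via a gateway other than the one
    the request came through: the 'can ping it, but the app fails' symptom."""
    chosen = select_route(routes, client_ip)
    return chosen is None or chosen["gateway"] != ingress_gateway
```

For the home table, select_route(..., "192.168.1.200") returns the On-link /24 row rather than the default gateway, and reply_is_asymmetric(pbx_routes, "10.0.20.5", "10.0.10.2") returns True because the PBX sends the reply to 10.0.10.1.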
Have a good day with fewer IT issues :)