VPN - PPTP problem

Pythagorus

Hi guys,

So I have a Windows Server 2008 R2 server in my SOHO lan, and I configured PPTP.
I also have a modem/router from my ISP (2wire) that I configured to forward PPTP (1723) to the server.

I can connect to the VPN fine, it authenticates, but when I ping computers local to the network of the VPN, I can't get a response (it fails). Doing an ipconfig, I see I get assigned an IP that corresponds to my network configuration (type 192.168.0.X for the sake of example)

Does anybody have an idea of what could be the potential cause of this?
 
If you set it as your gateway, can you browse the internet through the VPN tunnel? Is the firewall on on the server?
 
This article seems kind of old, but I think it applies to you
http://www.isaserver.org/tutorials/allowing_outbound_ping_and_pptp_connections.html

edit: oh, one more thing, I think Windows Server is set up by default to deny ICMP (ping) requests.

Well, I don't have ISA installed... and when I ping my windows server, it replies! :p

If you set it as your gateway, can you browse the internet through the VPN tunnel? Is the firewall on on the server?

#1: no, when I ping an address (google for instance), it fails... haha :S
#2: yes and the ports are open (inbound and outbound rules are green for PPTP and GRE)
 
Once you get it working I would drop PPTP and use something that is actually secure
 
Well it's very easy, the modem I have (2wire) isn't allowing the GRE protocol to go through thus data can't go.

SSTP would be the next alternative, but I only have 1 IP and I'm already using 443 for HTTPS....

L2TP over IPSec would then be the next choice... now to find a decent how to tutorial =D
 
So you have 192.168.0.x on the LAN and your VPN clients also get 192.168.0.x? You need to assign the VPN clients something else and then set a static route in your router.
 
Yea athlon...

Well for the sake of the real example, my LAN is 10.10.0.X
So, when a VPN client is connected, he would get a 10.10.0.X IP too no? I thought the DHCP server the VPN server was on (basically my router at that point that acts as a DHCP server) would assign the VPN clients an IP, that is that the VPN server would dispatch the DHCP request to the gateway?

So then I guess I'm wrong?
 
Let's say you have the VPN server 10.10.0.100 and another machine 10.10.0.200 and a subnet mask of 255.255.255.0. Your VPN client, let's say 10.10.0.10, sends a request to 10.10.0.200 and that goes through 10.10.0.100 to 10.10.0.200. 10.10.0.200 sends the request directly back to 10.10.0.10 but since it's not on the same LAN segment and instead it's a VPN client that traffic actually needs to go back to 10.10.0.100 and then to the VPN client.

So let's say you have your VPN clients be on 192.168.50.0/24 and you set a static route for the same with a route of 10.10.0.100. Now the VPN client on 192.168.50.50 sends a request to 10.10.0.200, it goes to 10.10.0.100 (VPN gateway) and then to 10.10.0.200. 10.10.0.200 sees it's not on the local network segment so it sends it to the default gateway. The default gateway sees there's a static route on the LAN and directs the traffic to the VPN gateway which in turn sends it to the VPN client.
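
The return path described in the post above, traced in code (an added example, not part of the original thread). It models next-hop selection only, with no proxy ARP on the VPN server; the router address 10.10.0.1 and all function names are assumptions made for illustration.

```python
import ipaddress

def next_hop(dst, iface_net, default_gw, static_routes=()):
    """Next hop a node picks for dst: 'on-link' if dst is inside its own
    subnet, else the most specific static route, else the default gateway."""
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(iface_net):
        return "on-link"
    matches = [(ipaddress.ip_network(n), gw) for n, gw in static_routes
               if dst in ipaddress.ip_network(n)]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return default_gw

def reply_path(lan_host, vpn_client, lan_net, router, vpn_server, router_routes):
    """Trace the hops of a reply sent from lan_host back to vpn_client."""
    path = [lan_host]
    hop = next_hop(vpn_client, lan_net, router)
    if hop == "on-link":
        # The host looks for the client directly on the LAN segment,
        # but the client is really behind the VPN server.
        path.append("ARP on LAN for " + vpn_client)
        return path
    path.append(hop)  # reply handed to the default gateway
    hop = next_hop(vpn_client, lan_net, None, router_routes)
    if hop is None:
        path.append("no route (sent toward ISP)")
        return path
    path.append(hop)
    if hop == vpn_server:
        path.append(vpn_client)  # VPN server forwards into the tunnel
    return path

LAN, ROUTER, VPN_SERVER, HOST = "10.10.0.0/24", "10.10.0.1", "10.10.0.100", "10.10.0.200"
ROUTE = [("192.168.50.0/24", VPN_SERVER)]  # static route on the router

def same_subnet():       # VPN client addressed inside the LAN range
    return reply_path(HOST, "10.10.0.10", LAN, ROUTER, VPN_SERVER, [])

def separate_subnet():   # VPN pool 192.168.50.0/24 plus the static route
    return reply_path(HOST, "192.168.50.50", LAN, ROUTER, VPN_SERVER, ROUTE)

def missing_route():     # VPN pool moved, but the router was never told
    return reply_path(HOST, "192.168.50.50", LAN, ROUTER, VPN_SERVER, [])

if __name__ == "__main__":
    for case in (same_subnet, separate_subnet, missing_route):
        print(case.__name__, " -> ".join(case()))
```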
 
So what are you proposing?

That I add a static route in the VPN server? i.e. that I reserve a block of IPs on the same subnet that the VPN server will assign to the VPN client?

I was following this tutorial to set the VPN up

BTW I'm using the modem/router that my ISP gave me.
As such, I can't configure the router as tightly as a regular router.
 
I know my wireless router doesn't like PPTP and wouldn't ever work. L2TP worked just fine.

You should be fine with how you have it set up. That is how mine is at my work. It uses the DHCP server of the network. So everyone, regardless of whether they are on VPN or actually on the LAN, gets the same IP range assigned to them. Didn't set up any special static routes or anything. That said, once you log into the VPN server you can't browse the internet through it. Have wanted to check to see if that is part of my problem or if it is the fact that my VPN server isn't my firewall.
 