#243169 - 15/04/2005 17:44
Re: VPN Help
[Re: jmwking]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Okay, I'm about ready to strangle someone.
I finally break down and decide that the only way around this for sure is to just use their "GlobalVPN" client software.
It was the thing I wanted to avoid... using third party network clients. But oh well, we bought this thing and now we might as well use it. Right?
I find out this thing isn't licensed for any VPN users. At all. Licenses for the GlobalVPN client software cost extra.
I just bought the one Meatballman linked for me. That pricepoint doesn't include clients. ARGH.
|
Top
|
|
|
|
#243170 - 15/04/2005 17:48
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
That's what you get for ignoring my caveats.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243171 - 15/04/2005 18:16
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
It was the only product I'd seen with a specific instruction sheet on how to do exactly what I wanted to do: Have a windows client dial in to a VPN router. I can't believe something so simple is so fucking hard to find.
And even with a specific instruction sheet for it, even that doesnt work. Argh.
Keep in mind that this is after I'd already bought a Linksys router that was SUPPOSED to do the same thing but couldn't actually.
|
Top
|
|
|
|
#243172 - 15/04/2005 18:31
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Okay, I'm rereading those instructions and they seem to make more sense now for some reason.
So you've successfully gotten remote clients to connect and get assigned 192.168.3.x addresses, right? And that's a separate pool from the .2 network that your in-office machines are on, right? So your problem at this point is that the routing doesn't work.
Let's investigate that.
I imagine that the routing from the .2 network to the .3 clients works fine because their default gateway is the SonicWall already. So your problem is probably that the clients don't know that the .2 network is on the other side of the VPN.
So let's veryify that quickly. Can you set it back up so that your client can connect? Then look at your routing table (route print). Then manually add a route that points the .2 network over the VPN connection. So that should look something like "route add 192.168.2.0 mask 255.255.255.0 192.168.3.x", where that last IP address is the SonicWall's address on the .3 network (which, hopefully, it has).
Then try to ping or something and see what happens. I know this isn't a good permanent solution, but at least you can see if this is what the problem is.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243173 - 15/04/2005 18:43
Re: VPN Help
[Re: tfabris]
|
old hand
Registered: 27/02/2003
Posts: 776
Loc: Washington, DC metro
|
Consumer grade stuff doesn't do VPNs elegantly. And support is laughable at best.
I don't know sonicwall stuff at all, but I'm not encouraged from your experiences.
I've been very happy with the Watchguard stuff we use - it's relatively easy to configure, and has good support. I have 15 or so VPN tunnels between offices, and several roaming user connections (including an accountant in suburban London connecting back to our office in Alexandria, VA, and my laptop regularly from pretty much anywhere).
-jk
|
Top
|
|
|
|
#243174 - 15/04/2005 18:52
Re: VPN Help
[Re: jmwking]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
SonicWall claim not to be consumer grade.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243175 - 15/04/2005 19:03
Re: VPN Help
[Re: wfaulk]
|
enthusiast
Registered: 11/06/2003
Posts: 384
|
Quote: SonicWall claim not to be consumer grade.
Yeah, I'll give them that, they are exactly =one= step up from consumer (linksys, dlink) grade.
Watchguard is certainly better though my experiences haven't been as good as others. Then you have bespoke (linux, *bsd) stuff, which requires time and knowledge, but not money.
The upper tiers like Cisco, Checkpoint-1, Nokia, NetScreen, &c. I really like NetScreen, seems to be as poweful as anything else and a whole lot easier to make sense of. Compared to a PIX, oh my, life is soooo good.
--Nathan
|
Top
|
|
|
|
#243176 - 15/04/2005 19:05
Re: VPN Help
[Re: wfaulk]
|
old hand
Registered: 27/02/2003
Posts: 776
Loc: Washington, DC metro
|
Quote: SonicWall claim not to be consumer grade.
I really meant the Linksys...
-jk
|
Top
|
|
|
|
#243177 - 15/04/2005 20:38
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Quote: So you've successfully gotten remote clients to connect and get assigned 192.168.3.x addresses, right? And that's a separate pool from the .2 network that your in-office machines are on, right? So your problem at this point is that the routing doesn't work.
Yes. That is exactly correct.
There's something I wasn't mentioning yet because it's a separate issue, but I can actually only do that if I use a dialup (i.e. not NATed) internet connection. But I was going to tackle THAT after I got a basic connection to the network functioning then go from there. So for now, let's look at what you just said...
Quote: "route add 192.168.2.0 mask 255.255.255.0 192.168.3.x", where that last IP address is the SonicWall's address on the .3 network (which, hopefully, it has).
Oddly, there doesn't really seem to be any ".3" network on the sonicwall at all. I think that's part of the problem.
It refuses to let me enter a proper IP address when it asks for the IP pool to feed the VPN users. So I don't think those addresses are routable at all. I've tried a bunch of variations on the ROUTE ADD command and it won't let me do it because any .3. address always generates a "bad address" error.
|
Top
|
|
|
|
#243178 - 15/04/2005 23:15
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Okay, maybe I misunderstood.
You entered a range of addresses into the SonicWall to be the ones handed out to VPN clients, right? And the VPN clients are successfully getting those IP addresses, right?
Does the SonicWall have an IP address in that range? If you can't see it configured anywhere, maybe you could ping all the addresses in that subnet and see if any other than the one configured on the client itself responds. If so, that's probably the SonicWall.
Hmm. Maybe I should take another tack and get you to post information extracted from the systems and find out whats going on. First let's get info from the VPN client.
Get a VPN client going and then post the output from "route print" and "ipconfig /all". Also try to ping one of your internal IP addresses and then do a "tracert" to that same address. Post all of that info and let's see where that leads us.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243179 - 15/04/2005 23:18
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Oh, and as far as the NAT thing goes, google for l2tp and "nat traversal". That should provide some information. At the same time, let's just attack one problem at a time.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243180 - 15/04/2005 23:25
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Quote: You entered a range of addresses into the SonicWall to be the ones handed out to VPN clients, right? And the VPN clients are successfully getting those IP addresses, right?
Correct.
Quote: Does the SonicWall have an IP address in that range?
It does not.
That's the irony of the whole thing. It won't let me hand out addresses in a range that the sonicwall occupies. I just don't GET that. I mean, what's the point, right. Gah.
Quote: Get a VPN client going and then post the output from "route print" and "ipconfig /all".
I'll PM it to you because some of those addresses are ones I don't want getting attacked externally so I don't want them published world-readable on the BBS.
Doing the tracert to the internal address would be an interesting test, I'll try that, too.
There's also a chance we're just gonna shell out and buy the freaking client licenses and run the globalVPN client software. I *KNOW* that works because I tried it and saw it work right up to the point where I exceeded the license count. And it also conveniently solves the NAT traversal problem, I could see in its log how it recognized the NAT and said okie dokie. So if we decide to do that, then this current problem becomes moot.
|
Top
|
|
|
|
#243181 - 16/04/2005 00:17
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Yeah, ok, the current plan is to just bite the bullet and buy the client licenses for their proprietary VPN client software, and not worry about this any more.
Thanks for all your help, Bitt, and everyone else.
|
Top
|
|
|
|
#243182 - 16/04/2005 00:22
Re: VPN Help
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
See? That's how they getcha!
_________________________
Bitt Faulk
|
Top
|
|
|
|
#243183 - 16/04/2005 02:34
Re: VPN Help
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
You have no idea. Client licenses for this thing are expensive.
But on the good side, the client software is super-easy to install and configure. It prompts them for the IP address, the preshared key, the user name, and the password, and bam they're in. No setups involving digging into the Windows configuration dialog boxes. This is a big bonus because the plan is to have some people installing this stuff who aren't necessarily very computer-literate. So I think it's worth it in this case.
|
Top
|
|
|
|
#243184 - 17/04/2005 12:42
Re: VPN Help
[Re: tfabris]
|
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
|
Tony, I support Sonicwall VPN with three users who don't know Outlook from Outlook Express and I've had no problems with the client software from SW, fwiw.
-Zeke
_________________________
WWFSMD?
|
Top
|
|
|
|
#243185 - 17/04/2005 13:51
Re: VPN Help
[Re: Ezekiel]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Thanks, that's good to know.
|
Top
|
|
|
|
|
|