Sign in to follow this  
Followers 0

VPN something XP can do that 7 can't.


43 posts in this topic

Posted

So I'm wondering if someone knows the reason for this because it just seems odd.

 

With a setup of two NIC one is WAN and is LAN and ICS WAN to LAN and setup a Windows as a incoming VPN server with a IP range in ICS.

 

What XP can do is a client can connect to the VPN server for XP as a default gateway and use the internet. But setup in the same way in 7 is a client connects to the VPN server for 7 as a default gateway but no internet.

 

Why is that? thanks

VPN%20something%20XP%20can%20do%20that%2

Share this post


Link to post
Share on other sites

Posted

Haven't played around with a 2 NIC solution in XP, but I have had Windows 7 working as a PPTP VPN server before with no problem.  The only thing I found I had to do is manually assign an IP range for VPN clients to use (under TCP/IP settings in Incoming Connections) instead of leaving it set to DHCP.  With that I have had connections coming in with the use default gateway option ticked and all has worked fine whereas it wouldn't work when set to DHCP.  Have you tried that yet?

 

Actually scratch that, first I should ask if the connected clients are getting an IP address that you'd expect them to get?

Share this post


Link to post
Share on other sites

Posted

Sure I'm getting a VPN connection over PPTP and even a self signed cert over L2TP/IPSec but no internet over the VPN server and with XP as the VPN server you can get internet with default gateway option ticked for the client but not with 7 as the VPN server.

Share this post


Link to post
Share on other sites

Posted

Run ipconfig /all on the 7 installation. Most of these issues are caused by incorrect static addressing.

Share this post


Link to post
Share on other sites

Posted

ipconfig /all from windows 7

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : _
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adap
er (Emulated)
   Physical Address. . . . . . . . . : 00-68-9D-7F-74-44
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 82.36.206.233(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : 25 April 2014 14:22:07
   Lease Expires . . . . . . . . . . : 02 May 2014 14:22:03
   Default Gateway . . . . . . . . . : 82.36.206.1
   DHCP Server . . . . . . . . . . . : 62.253.131.201
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adap
er (Emulated) #2
   Physical Address. . . . . . . . . : 00-24-2D-5F-34-33
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.137.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.137.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{9615A284-8CAC-4FFD-A374-D7F8B8ED7B49}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{8E89C79D-B054-4EE0-9062-D8E232083ADF}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:5224:cee9::5224:cee9(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 127.0.0.1                                
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Windows 7 sets the LAN NIC ICS to 192.168.137.1 which I changed to 192.168.137.2 in XP VPN ICS setup its 192.168.0.1 changed to 192.168.137.2 either way ICS works for the LAN but the main problem is no internet over the VPN from 7 that XP VPN server can do. 

I have tried setting IPEnableRouter in regedit that does not help.

 

In XP the Node Type is listed as unknown.

Share this post


Link to post
Share on other sites

Posted

Whats up with the 127.0.0.1 dns ? Is it an internal dns server ? If so you should specify it on the internal NIC and configure the forwarders eg

 

Ethernet adapter DMZ Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #4
   Physical Address. . . . . . . . . : 00-15-5D-13-4D-02
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.2.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

 

Ethernet adapter Server network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-13-4D-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.11
                                       10.0.0.12

   NetBIOS over Tcpip. . . . . . . . : Disabled

 

??

You can try to ping 8.8.8.8 or the 82.36.206.233 from a vpn client to eliminate dns being the cause.

Share this post


Link to post
Share on other sites

Posted

Whats up with the 127.0.0.1 dns ? Is it an internal dns server ? If so you should specify it on the internal NIC and configure the forwarders eg

I got Bind running and even if a set a DNS for the client to use like 8.8.8.8 that dose not help

 

 

You can try to ping 8.8.8.8 or the 82.36.206.233 from a vpn client to eliminate dns being the cause.

 

can ping 192.168.137.3 not 8.8.8.8 or the 82.36.206.233 from a vpn client

Share this post


Link to post
Share on other sites

Posted

Then that just leaves NAT/ICS since you are using RRAS you could disable ICS entirely and have RRAS do the NAT.

 

http://technet.microsoft.com/en-us/library/dd458971.aspx

Share this post


Link to post
Share on other sites

Posted

Ok lets get some basic info here, what IP is the remote box getting?  What IP does it have on its network? 

 

How about just doing a traceroute

 

example

C:\>tracert -d 8.8.8.8                              
                                                    
Tracing route to 8.8.8.8 over a maximum of 30 hops  
                                                    
  1    <1 ms    <1 ms    <1 ms  192.168.1.253       
  2    19 ms    21 ms    30 ms  24.13.xx.xx     
  3    11 ms    11 ms    10 ms  68.85.131.153     

 

And see if you go down the vpn even.

Share this post


Link to post
Share on other sites

Posted

For the VPN the client gets 192.168.137.4

 

VPN connected tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.137.3
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  ^C

 

VPN not connected tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.137.2
  2     *        *        *     Request timed out.
  3     9 ms     7 ms    10 ms  62.252.175.225
  4     9 ms    10 ms     8 ms  81.96.0.153
  5    11 ms    13 ms    10 ms  81.96.0.145
  6    11 ms    11 ms    11 ms  212.250.14.202
  7    21 ms    21 ms    22 ms  72.14.198.97
  8    17 ms    17 ms    17 ms  209.85.255.76
  9    15 ms    15 ms    19 ms  209.85.244.240
10    21 ms    22 ms    20 ms  72.14.232.134
11    23 ms    21 ms    21 ms  216.239.49.45
12     *        *        *     Request timed out.
13    22 ms    24 ms    21 ms  8.8.8.8

Trace complete.

 

Has anyone done this setup in windows 7 pro for testing?

Share this post


Link to post
Share on other sites

Posted

Then its a NAT issue

 

I don't seem to have that option in windows 7 pro

What are you using for the vpn ? I thought you already had routing and remote access enabled if not you enable it in the program and features section of the control panel its the same as the windows server guide for nat and vpn then

Share this post


Link to post
Share on other sites

Posted

What are you using for the vpn ? I thought you already had routing and remote access enabled if not you enable it in the program and features section of the control panel its the same as the windows server guide for nat and vpn then

Its the windows 7 VPN and yes routing and remote access is enabled the link you gave Applies To: Windows Server 2008 R2.

Share this post


Link to post
Share on other sites

Posted

Why is when on the vpn is network the same as when not on the vpn?  Your first hop is just .3 vs .2 ??

 

He should be getting an IP on the remote network..

 

Where did you come up with 192.168.137??

 

And your vpn server is directly on the public internet - your not behind a router?

 

IPv4 Address. . . . . . . . . . . : 82.36.xx.xx(Preferred)

 

so for example - just setup vpn on one of my VMs that is on a different network segment..  Bing bang zoom I am using the internet through its connection

 

PPP adapter VPN Connection:                                                 
                                                                            
   Connection-specific DNS Suffix  . :                                      
   Description . . . . . . . . . . . : VPN Connection                       
   Physical Address. . . . . . . . . :                                      
   DHCP Enabled. . . . . . . . . . . : No                                   
   Autoconfiguration Enabled . . . . : Yes                                  
   IPv4 Address. . . . . . . . . . . : 192.168.3.201(Preferred)             
   Subnet Mask . . . . . . . . . . . : 255.255.255.255                      
   Default Gateway . . . . . . . . . : 0.0.0.0                              
   DNS Servers . . . . . . . . . . . : 192.168.3.253                        
   NetBIOS over Tcpip. . . . . . . . : Enabled                              
                                                                          

C:\>tracert -d 8.8.8.8                            
                                                  
Tracing route to 8.8.8.8 over a maximum of 30 hops
                                                  
  1     1 ms     1 ms     1 ms  192.168.3.202     <--- this is vpn server IP
  2     1 ms     1 ms     1 ms  192.168.3.253     <--- this is gateway on that network
  3    25 ms    25 ms    29 ms  24.13.xx.xx      
  4    12 ms    14 ms    11 ms  68.85.131.153   

 

Currently using neowin while connected this way.  Here is my vpn clients normal network interface

 

C:\>ipconfig /all                                                                  
                                                                                   
Windows IP Configuration                                                           
                                                                                   
   Host Name . . . . . . . . . . . . : i5-w7                                       
   Primary Dns Suffix  . . . . . . . : local.lan                                   
   Node Type . . . . . . . . . . . . : Broadcast                                   
   IP Routing Enabled. . . . . . . . : No                                          
   WINS Proxy Enabled. . . . . . . . : No                                          
   DNS Suffix Search List. . . . . . : local.lan                                   
                                                                          
Ethernet adapter Local:                                                            
                                                                                   
   Connection-specific DNS Suffix  . :                                             
   Description . . . . . . . . . . . : Broadcom NetLink Gigabit Ethernet      
   Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3                           
   DHCP Enabled. . . . . . . . . . . : No                                          
   Autoconfiguration Enabled . . . . : Yes                                         
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)                    
   Subnet Mask . . . . . . . . . . . : 255.255.255.0                               
   Default Gateway . . . . . . . . . : 192.168.1.253                               
   DNS Servers . . . . . . . . . . . : 192.168.1.253                               
   NetBIOS over Tcpip. . . . . . . . : Enabled                                   

 

 

so on the vpn machine

 

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.202(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

This is really just click and done - no weird setting to change or anything.  But from what you have posted your vpn machine has a public IP, and then you came up with this 192.168.137 network??  Which is the same network as your remote network?  And your vpn machine would have to nat the vpn connection, which doesn't happen - normally the vpn client just gets an IP on the vpn servers network.

Share this post


Link to post
Share on other sites

Posted

Its the windows 7 VPN and yes routing and remote access is enabled the link you gave Applies To: Windows Server 2008 R2.

Its the same thing though just setup nat with routing and remote access, It will probably solve your issue ICS isn't dependable.

Share this post


Link to post
Share on other sites

Posted

Like the title says

Share this post


Link to post
Share on other sites

Posted

So XP vpn server has a public IP, and you give the remote vpn client an IP address on its own remote network?  And your saying that works?

Share this post


Link to post
Share on other sites

Posted

 

So XP vpn server has a public IP

Its a swap in place where the XP VPN server was for windows 7 for the VPN.

 

 

and you give the remote vpn client an IP address on its own remote network?  And your saying that works?

In the XP setup yes.

Share this post


Link to post
Share on other sites

Posted

Before I look into this - will have to fire up my xp vm and check if it does nat out of the box when you enable vpn, etc.  May I ask why are you exposing a windows 7 machine directly to the internet with a public IP in the first place?  What are you trying to accomplish?  There is more than likely a better option then running a vpn on windows 7 pro box or XP directly exposed to the public net.

 

And your using PPTP as well - which is just deprecated as all F___!!  And not secure and just plain should die ;)

 

Also did you do anything with ICS in XP?

Share this post


Link to post
Share on other sites

Posted

 May I ask why are you exposing a windows 7 machine directly to the internet with a public IP in the first place?

Why is that so wrong? Honestly how are we going to deal with IPv6 if people don't trust their firewalls? Plus I trust the security of ICS by M$ then a NAT router.

 

And your using PPTP as well - which is just deprecated as all F___!!  And not secure and just plain should die ;)

Like I said I also have a self signed cert over L2TP/IPSec

Share this post


Link to post
Share on other sites

Posted

Your not on ipv6 from what I saw..  I run ipv6 - but I have a firewall between the internet and my global address on my boxes.. Ie my /64 is routed through a firewall

 

"Plus I trust the security of ICS by M$ then a NAT router."

Yeah that would prob u only -- I sure don't agree with that assessment ;)  So you are running ICS then - so what are the details of this setup?

 

My question was more to how this private address is suppose to access the internet through your public connection - something has to nat it.  And since you don't have a router it that would do it, then the vpn server would have to do it.  Which is not how I believe it works out of the box even in XP.  Unless you have also enabled ICS?  Which you prob did not setup in w7??

 

Do you have more than 1 public IP from your ISP..  So all devices on your network have public IPs??

 

Most routers these days, or you could surely buy one that does supports inbound VPN..  Would be a better way to provide vpn inbound vs running it on a desktop OS ;)  I for example I have inbound vpn on my router (openvpn) and use it almost daily from work.  I route through my home internet connection if needed, etc.

 

I am going to fire up my XP vm and put it on my dmz segment and do a default vpn inbound..  It has been a long time since done really much of anything with XP.. But I don't recall it doing NAT out of the box if you turn on vpn.. So you must of enabled ICS on it..  Which did you do that on windows 7?

 

Seems we are missing details of the setup.

Share this post


Link to post
Share on other sites

Posted

My question was more to how this private address is suppose to access the internet through your public connection - something has to nat it.

By ICS that how the XP setup is done with the VPN and it works.

Share this post


Link to post
Share on other sites

Posted

ICS is not setup out of the box when you enabled a VPN inbound connection on XP.. I just did it and there is NO nat going on..  So what did you setup on the XP box for ICS?  You would have to duplicate that on your windows 7 setup.

 

So here is my workstation connected to the XP vpn

 

post-14624-0-24285600-1398519481.png

 

So which is a more normal setup I get an IP from that network. The 192.168.3.206, and when I go to the internet see the traceroute I go through the other side of the vpn..

 

post-14624-0-95134200-1398519630.png

 

See how my 1st hop from the trace above is the IP of the xp vpn interface.  .205

 

Now as you see when I capture traffic leaving the XP box - it did not NAT the IP of the remote vpn client to its normal network interface IP of .204..  It keeps the IP address of the client - it did not NAT anything.. So in your setup.. How would a 192.168.x.x address talk to your public connection?

 

post-14624-0-87501400-1398519751.png

 

Notice above in the capture of a ping to 8.8.8.8 the source IP is the actual IP address of the vpn client - not the IP of the vpn server interface.  This capture is done on my router on the 192.168.3.0/24 interface.. Ie the path the vpn server takes to get to the internet..  Ie that 192.168.3.253 hop in the trace.

 

So how are you setup to NAT the 192.168.137 address you hand to your remove vpn client so that it can talk out your public IP based vpn server connection?

Share this post


Link to post
Share on other sites

Posted

This is how the XP box was setup for a working VPN client to get internet over which I'm trying to set in the same way for windows 7.

VPN%20something%20XP%20can%20do%20that%2

Share this post


Link to post
Share on other sites

Posted

Yeah I don't think you can make this work with ICS and windows 7..  While you can for sure share you internet connection.. with other clients on local network there that changed to 192.168.137 network.

 

And through the vpn you can access other devices on this remote local network.

 

C:\>ipconfig                                              
                                                          
Windows IP Configuration                                  
                                                          
                                                          
PPP adapter VPN Connection:                               
                                                          
   Connection-specific DNS Suffix  . :                    
   IPv4 Address. . . . . . . . . . . : 192.168.137.10     
   Subnet Mask . . . . . . . . . . . : 255.255.255.255    
   Default Gateway . . . . . . . . . : 0.0.0.0            
                                                          
Ethernet adapter Local:                                   
                                                          
   Connection-specific DNS Suffix  . :                    
   IPv4 Address. . . . . . . . . . . : 192.168.1.100      
   Subnet Mask . . . . . . . . . . . : 255.255.255.0      
   Default Gateway . . . . . . . . . : 192.168.1.253    

 

I can ping the ics interface

C:\>ping 192.168.137.1                                   
                                                         
Pinging 192.168.137.1 with 32 bytes of data:             
Reply from 192.168.137.1: bytes=32 time=1ms TTL=127      
Reply from 192.168.137.1: bytes=32 time=1ms TTL=127      
                                                         
Ping statistics for 192.168.137.1:                       
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:           
    Minimum = 1ms, Maximum = 1ms, Average = 1ms        

 

But even if I add a manual route to use 192.168.137.1 it goes down the tunnel to get to 1 but doesn't get to it.

 

C:\>route add 8.8.8.8 mask 255.255.255.255 192.168.137.1   
 OK!                                                     

 

C:\>tracert -d 8.8.8.8                                
                                                      
Tracing route to 8.8.8.8 over a maximum of 30 hops    
                                                      
  1     1 ms     1 ms     1 ms  192.168.137.2         
  2     *        *        *     Request timed out.  

 

Still trying to understand why anyone would do this?  What exactly are you trying to accomplish..  Access to your vpn server network is easy enough.  But why do you need to route traffic through this vpn, then use ics to get to the internet..  ?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.