+PeterUK MVC Posted April 25, 2014

So I'm wondering if someone knows the reason for this, because it just seems odd. With a setup of two NICs, one is WAN and one is LAN, with ICS from WAN to LAN, and Windows set up as an incoming VPN server with an IP range in ICS. What XP can do is a client can connect to the XP VPN server as a default gateway and use the internet. But set up in the same way in 7, a client connects to the 7 VPN server as a default gateway but gets no internet. Why is that? Thanks.

Phemo Posted April 25, 2014

Haven't played around with a 2 NIC solution in XP, but I have had Windows 7 working as a PPTP VPN server before with no problem. The only thing I found I had to do is manually assign an IP range for VPN clients to use (under TCP/IP settings in Incoming Connections) instead of leaving it set to DHCP. With that I have had connections coming in with the use default gateway option ticked and all has worked fine, whereas it wouldn't work when set to DHCP. Have you tried that yet?

Actually scratch that, first I should ask if the connected clients are getting an IP address that you'd expect them to get?

+PeterUK MVC Posted April 25, 2014

Sure, I'm getting a VPN connection over PPTP, and even a self-signed cert over L2TP/IPSec, but no internet over the VPN server. With XP as the VPN server you can get internet with the default gateway option ticked for the client, but not with 7 as the VPN server.

TPreston Posted April 25, 2014

Run ipconfig /all on the 7 installation. Most of these issues are caused by incorrect static addressing.

+PeterUK MVC Posted April 25, 2014

ipconfig /all from Windows 7:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : _
       Primary Dns Suffix . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adaper (Emulated)
       Physical Address. . . . . . . . . : 00-68-9D-7F-74-44
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 82.36.206.233(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Lease Obtained. . . . . . . . . . : 25 April 2014 14:22:07
       Lease Expires . . . . . . . . . . : 02 May 2014 14:22:03
       Default Gateway . . . . . . . . . : 82.36.206.1
       DHCP Server . . . . . . . . . . . : 62.253.131.201
       DNS Servers . . . . . . . . . . . : 127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adaper (Emulated) #2
       Physical Address. . . . . . . . . : 00-24-2D-5F-34-33
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.137.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    PPP adapter RAS (Dial In) Interface:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.137.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{9615A284-8CAC-4FFD-A374-D7F8B8ED7B49}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{8E89C79D-B054-4EE0-9062-D8E232083ADF}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:5224:cee9::5224:cee9(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

Windows 7 sets the LAN NIC for ICS to 192.168.137.1, which I changed to 192.168.137.2. In the XP VPN ICS setup it's 192.168.0.1, changed to 192.168.137.2. Either way ICS works for the LAN, but the main problem is no internet over the VPN from 7, which the XP VPN server can do.

I have tried setting IPEnableRouter in regedit; that does not help.

In XP the Node Type is listed as unknown.

TPreston Posted April 25, 2014

What's up with the 127.0.0.1 DNS? Is it an internal DNS server? If so you should specify it on the internal NIC and configure the forwarders, e.g.

    Ethernet adapter DMZ Network:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #4
       Physical Address. . . . . . . . . : 00-15-5D-13-4D-02
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.2.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.0.2.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Server network:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #3
       Physical Address. . . . . . . . . : 00-15-5D-13-4D-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.0.21(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.0.0.11
                                           10.0.0.12
       NetBIOS over Tcpip. . . . . . . . : Disabled

You can try to ping 8.8.8.8 or the 82.36.206.233 from a VPN client to eliminate DNS being the cause.

+PeterUK MVC Posted April 25, 2014

> What's up with the 127.0.0.1 DNS? Is it an internal DNS server? If so you should specify it on the internal NIC and configure the forwarders, e.g.

I got BIND running, and even if I set a DNS for the client to use like 8.8.8.8 that does not help.

> You can try to ping 8.8.8.8 or the 82.36.206.233 from a VPN client to eliminate DNS being the cause.

Can ping 192.168.137.3, not 8.8.8.8 or the 82.36.206.233, from a VPN client.

TPreston Posted April 25, 2014

Then that just leaves NAT/ICS. Since you are using RRAS you could disable ICS entirely and have RRAS do the NAT.

http://technet.microsoft.com/en-us/library/dd458971.aspx

+PeterUK MVC Posted April 25, 2014

> http://technet.microsoft.com/en-us/library/dd458971.aspx

I don't seem to have that option in Windows 7 Pro.

+BudMan MVC Posted April 25, 2014

OK, let's get some basic info here: what IP is the remote box getting? What IP does it have on its network?

How about just doing a traceroute, for example

    C:\>tracert -d 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  192.168.1.253
      2    19 ms    21 ms    30 ms  24.13.xx.xx
      3    11 ms    11 ms    10 ms  68.85.131.153

And see if you go down the VPN even.

+PeterUK MVC Posted April 26, 2014

For the VPN the client gets 192.168.137.4

VPN connected:

    tracert -d 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      1     1 ms     1 ms     1 ms  192.168.137.3
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5  ^C

VPN not connected:

    tracert -d 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      1     1 ms    <1 ms    <1 ms  192.168.137.2
      2     *        *        *     Request timed out.
      3     9 ms     7 ms    10 ms  62.252.175.225
      4     9 ms    10 ms     8 ms  81.96.0.153
      5    11 ms    13 ms    10 ms  81.96.0.145
      6    11 ms    11 ms    11 ms  212.250.14.202
      7    21 ms    21 ms    22 ms  72.14.198.97
      8    17 ms    17 ms    17 ms  209.85.255.76
      9    15 ms    15 ms    19 ms  209.85.244.240
     10    21 ms    22 ms    20 ms  72.14.232.134
     11    23 ms    21 ms    21 ms  216.239.49.45
     12     *        *        *     Request timed out.
     13    22 ms    24 ms    21 ms  8.8.8.8

    Trace complete.

Has anyone done this setup in Windows 7 Pro for testing?

TPreston Posted April 26, 2014

Then it's a NAT issue.

> I don't seem to have that option in Windows 7 Pro

What are you using for the VPN? I thought you already had Routing and Remote Access enabled; if not, you enable it in the Programs and Features section of the Control Panel. It's the same as the Windows Server guide for NAT and VPN then.

+PeterUK MVC Posted April 26, 2014

> What are you using for the VPN? I thought you already had Routing and Remote Access enabled; if not, you enable it in the Programs and Features section of the Control Panel. It's the same as the Windows Server guide for NAT and VPN then.

It's the Windows 7 VPN, and yes, routing and remote access is enabled. The link you gave says Applies To: Windows Server 2008 R2.

+BudMan MVC Posted April 26, 2014

Why, when on the VPN, is the network the same as when not on the VPN? Your first hop is just .3 vs .2?? He should be getting an IP on the remote network. Where did you come up with 192.168.137??

And your VPN server is directly on the public internet - you're not behind a router?

    IPv4 Address. . . . . . . . . . . : 82.36.xx.xx(Preferred)

So for example - I just set up VPN on one of my VMs that is on a different network segment. Bing bang zoom, I am using the internet through its connection:

    PPP adapter VPN Connection:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : VPN Connection
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.3.201(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . : 192.168.3.253
       NetBIOS over Tcpip. . . . . . . . : Enabled

    C:\>tracert -d 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      1     1 ms     1 ms     1 ms  192.168.3.202   <--- this is vpn server IP
      2     1 ms     1 ms     1 ms  192.168.3.253   <--- this is gateway on that network
      3    25 ms    25 ms    29 ms  24.13.xx.xx
      4    12 ms    14 ms    11 ms  68.85.131.153

Currently using neowin while connected this way.

Here is my VPN client's normal network interface:

    C:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : i5-w7
       Primary Dns Suffix . . . . . . . : local.lan
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : local.lan

    Ethernet adapter Local:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : Broadcom NetLink Gigabit Ethernet
       Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.253
       DNS Servers . . . . . . . . . . . : 192.168.1.253
       NetBIOS over Tcpip. . . . . . . . : Enabled

So on the VPN machine:

    PPP adapter RAS (Dial In) Interface:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.3.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

This is really just click and done - no weird setting to change or anything. But from what you have posted your VPN machine has a public IP, and then you came up with this 192.168.137 network?? Which is the same network as your remote network? And your VPN machine would have to NAT the VPN connection, which doesn't happen - normally the VPN client just gets an IP on the VPN server's network.

TPreston Posted April 26, 2014

> It's the Windows 7 VPN, and yes, routing and remote access is enabled. The link you gave says Applies To: Windows Server 2008 R2.

It's the same thing though, just set up NAT with Routing and Remote Access. It will probably solve your issue; ICS isn't dependable.

+PeterUK MVC Posted April 26, 2014

Like the title says, "VPN something XP can do that 7 can't."

I'm more interested in someone running Windows 7 Pro with the following setup.

Like I said, Windows 7 Pro is set up in the same way as XP Pro for the VPN server. XP works for the client to get internet over the VPN; Windows 7 Pro does not.

So it is my belief that M$ has removed the ability, so that it can't be done in Windows 7 Pro; it might be that 7 Ultimate is what's needed, which needs confirming.

+BudMan MVC Posted April 26, 2014

So the XP VPN server has a public IP, and you give the remote VPN client an IP address on its own remote network? And you're saying that works?

+PeterUK MVC Posted April 26, 2014

> So the XP VPN server has a public IP

It's a swap in place, where the XP VPN server was, for Windows 7 for the VPN.

> and you give the remote VPN client an IP address on its own remote network? And you're saying that works?

In the XP setup, yes.

+BudMan MVC Posted April 26, 2014

Before I look into this - will have to fire up my XP VM and check if it does NAT out of the box when you enable VPN, etc.

May I ask why you are exposing a Windows 7 machine directly to the internet with a public IP in the first place? What are you trying to accomplish? There is more than likely a better option than running a VPN on a Windows 7 Pro box or XP directly exposed to the public net.

And you're using PPTP as well - which is just deprecated as all F___!! And not secure and just plain should die ;)

Also did you do anything with ICS in XP?

+PeterUK MVC Posted April 26, 2014

> May I ask why you are exposing a Windows 7 machine directly to the internet with a public IP in the first place?

Why is that so wrong? Honestly, how are we going to deal with IPv6 if people don't trust their firewalls? Plus I trust the security of ICS by M$ than a NAT router.

> And you're using PPTP as well - which is just deprecated as all F___!! And not secure and just plain should die ;)

Like I said, I also have a self-signed cert over L2TP/IPSec.

+BudMan MVC Posted April 26, 2014

You're not on IPv6 from what I saw. I run IPv6 - but I have a firewall between the internet and my global address on my boxes, i.e. my /64 is routed through a firewall.

"Plus I trust the security of ICS by M$ than a NAT router."

Yeah that would prob be you only -- I sure don't agree with that assessment ;) So you are running ICS then - so what are the details of this setup?

My question was more about how this private address is supposed to access the internet through your public connection - something has to NAT it. And since you don't have a router that would do it, then the VPN server would have to do it. Which is not how I believe it works out of the box even in XP. Unless you have also enabled ICS? Which you prob did not set up in W7??

Do you have more than 1 public IP from your ISP? So all devices on your network have public IPs?? Most routers these days support inbound VPN, or you could surely buy one that does. Would be a better way to provide VPN inbound vs running it on a desktop OS ;) I for example have inbound VPN on my router (openvpn) and use it almost daily from work. I route through my home internet connection if needed, etc.

I am going to fire up my XP VM and put it on my DMZ segment and do a default VPN inbound. It has been a long time since I've done really much of anything with XP. But I don't recall it doing NAT out of the box if you turn on VPN. So you must have enabled ICS on it. Did you do that on Windows 7? Seems we are missing details of the setup.

+PeterUK MVC Posted April 26, 2014

> My question was more about how this private address is supposed to access the internet through your public connection - something has to NAT it.

By ICS, that's how the XP setup is done with the VPN, and it works.

+BudMan MVC Posted April 26, 2014

ICS is not set up out of the box when you enable a VPN inbound connection on XP. I just did it and there is NO NAT going on. So what did you set up on the XP box for ICS? You would have to duplicate that on your Windows 7 setup.

So here is my workstation connected to the XP VPN.

So, which is a more normal setup, I get an IP from that network, the 192.168.3.206, and when I go to the internet (see the traceroute) I go through the other side of the VPN. See how my 1st hop from the trace above is the IP of the XP VPN interface, .205.

Now as you see when I capture traffic leaving the XP box - it did not NAT the IP of the remote VPN client to its normal network interface IP of .204. It keeps the IP address of the client - it did not NAT anything. So in your setup, how would a 192.168.x.x address talk to your public connection?

Notice above in the capture of a ping to 8.8.8.8 the source IP is the actual IP address of the VPN client - not the IP of the VPN server interface. This capture is done on my router on the 192.168.3.0/24 interface, i.e. the path the VPN server takes to get to the internet, i.e. that 192.168.3.253 hop in the trace.

So how are you set up to NAT the 192.168.137 address you hand to your remote VPN client so that it can talk out your public IP based VPN server connection?

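The check BudMan describes in the post above (does a VPN client's address leave the server with its source untranslated?) can be run over a text capture taken on the server's outward-facing link. This is an added example, not part of the thread: it reads `tcpdump -n` style lines, the sample capture is constructed using the addresses PeterUK posted (82.36.206.233 as the server's public address, 192.168.137.0/24 as the ICS/VPN range), and the function and variable names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n text lines, e.g.
#   "IP 192.168.137.4 > 8.8.8.8: ICMP echo request, id 1, seq 7, length 40"
#   "IP 82.36.206.233.51544 > 8.8.8.8.53: UDP, length 33"
# The optional fifth dotted field is a TCP/UDP port.
PACKET_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def audit_egress(lines, egress_ip, vpn_pool):
    """Classify packets seen on the server's outward-facing link.

    egress_ip: address the server should NAT outbound traffic to.
    vpn_pool:  range handed to VPN/ICS clients.
    Returns (counts, leaked): packet counts per class, and the sorted pool
    addresses that appeared as an outbound source without translation.
    """
    egress = ipaddress.ip_address(egress_ip)
    pool = ipaddress.ip_network(vpn_pool)
    counts = Counter()
    leaked = set()
    for line in lines:
        m = PACKET_RE.search(line)
        try:
            src, dst = (ipaddress.ip_address(a) for a in m.groups())
        except (AttributeError, ValueError):
            counts["unparsed"] += 1      # ARP, IPv6, malformed lines
            continue
        if dst == egress or dst in pool:
            counts["inbound"] += 1       # replies or local traffic
        elif src == egress:
            counts["translated"] += 1    # NAT rewrote the source
        elif src in pool:
            counts["untranslated"] += 1  # client address left as-is
            leaked.add(str(src))
        else:
            counts["other"] += 1
    return dict(counts), sorted(leaked)


# Constructed sample capture (not from the thread): one ping NATed to the
# public address and answered, two pings from a VPN client address that
# were never translated, one NATed DNS query, one ARP line.
SAMPLE_CAPTURE = """\
14:02:01.100 IP 82.36.206.233 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40
14:02:01.121 IP 8.8.8.8 > 82.36.206.233: ICMP echo reply, id 1, seq 1, length 40
14:02:05.300 IP 192.168.137.4 > 8.8.8.8: ICMP echo request, id 1, seq 7, length 40
14:02:10.300 IP 192.168.137.4 > 8.8.8.8: ICMP echo request, id 1, seq 8, length 40
14:02:11.010 IP 82.36.206.233.51544 > 8.8.8.8.53: UDP, length 33
14:02:12.000 ARP, Request who-has 82.36.206.1 tell 82.36.206.233, length 28
""".splitlines()

if __name__ == "__main__":
    counts, leaked = audit_egress(SAMPLE_CAPTURE, "82.36.206.233", "192.168.137.0/24")
    print(counts)
    print("pool addresses seen untranslated:", leaked)
```

Any address reported as untranslated on a link whose next hop does not know the pool range cannot receive replies, which is consistent with a traceroute that stops after the first hop.
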
+PeterUK MVC Posted April 26, 2014

This is how the XP box was set up for a working VPN client to get internet over, which I'm trying to set in the same way for Windows 7.

+BudMan MVC Posted April 26, 2014

Yeah, I don't think you can make this work with ICS and Windows 7. While you can for sure share your internet connection with other clients on the local network there, that changed to the 192.168.137 network. And through the VPN you can access other devices on this remote local network.

    C:\>ipconfig

    Windows IP Configuration

    PPP adapter VPN Connection:

       Connection-specific DNS Suffix . :
       IPv4 Address. . . . . . . . . . . : 192.168.137.10
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 0.0.0.0

    Ethernet adapter Local:

       Connection-specific DNS Suffix . :
       IPv4 Address. . . . . . . . . . . : 192.168.1.100
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.253

I can ping the ICS interface:

    C:\>ping 192.168.137.1

    Pinging 192.168.137.1 with 32 bytes of data:
    Reply from 192.168.137.1: bytes=32 time=1ms TTL=127
    Reply from 192.168.137.1: bytes=32 time=1ms TTL=127

    Ping statistics for 192.168.137.1:
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms

But even if I add a manual route to use 192.168.137.1, it goes down the tunnel to get to 1 but doesn't get to it.

    C:\>route add 8.8.8.8 mask 255.255.255.255 192.168.137.1
     OK!

    C:\>tracert -d 8.8.8.8

    Tracing route to 8.8.8.8 over a maximum of 30 hops

      1     1 ms     1 ms     1 ms  192.168.137.2
      2     *        *        *     Request timed out.

Still trying to understand why anyone would do this? What exactly are you trying to accomplish? Access to your VPN server network is easy enough. But why do you need to route traffic through this VPN, then use ICS to get to the internet?
