VPN something XP can do that 7 can't.



Yeah, I don't think you can make this work with ICS and Windows 7. While you can for sure share your internet connection with other clients on the local network that are changed to the 192.168.137 network.

But that's what I'm saying: it does work with the XP setup.


Let me fire that up and see. I would assume if it does something different in how ICS is done with XP vs. W7, then...

 

What I just don't get is why it matters. ICS has been crap since it came out with XP. It serves NO purpose when the wireless router you can pick up for $20 provides this feature plus so much more. Why would anyone be using ICS in this day and age? If you want to do NAT in software, then just run an actual router distro, or run a server version of Windows where you have more features and control of, say, what DHCP options get sent to your clients, not a desktop OS meant for desktoping ;) not routing traffic for other networks.

 

Question for you: what is the client in this setup? XP? You show setting a default gateway of 192.168.137.2... Hmm, I wonder whether your using the same network in both locations has something to do with it? Let me try that.

 

edit: Ah, I can not test this without a rework of my setup. I would have to change the network my physical workstation is on to match this ICS 192.168.137 network. That would take down the rest of my physical network when I change my router settings to that network, or I would have to run it in conjunction, etc. If I change my workstation to be on that network, it can not get to the other segment the W7 VM is running on, etc. Too much hassle for what amounts to nonsense; go buy a $20 router and be done with it. Then your remote client can VPN into your Windows 7 box just fine, and your router can handle the NAT.


Question for you: what is the client in this setup? XP? You show setting a default gateway of 192.168.137.2... Hmm, I wonder whether your using the same network in both locations has something to do with it? Let me try that.

It does not matter what the client is. In XP, when you set up ICS the LAN IP is 192.168.0.1, which can be changed to anything; you just lose DHCP & DNS, so you set up clients in the LAN with static IPs and point them to the gateway.

 

A client on the LAN side can connect to the VPN server, getting 192.168.137.4, and use the internet over the VPN, or a client from the internet can connect to the VPN server and get internet from ICS over the VPN.


"A Client from the internet can connect to the VPN server and get internet from ICS over the VPN."

 

Let me see the route table from this setup from the VPN client. You show what looks like a remote setting a default gateway to the IP address of your ICS interface, which it would need in order to get to the internet and be NATted. But you can not set this in Windows 7 as a client in the VPN connection settings, even if you let the client set its own IP.

 

So how are you setting the default gateway on the VPN client to the VPN server's ICS interface IP?

 

Well, you are correct, sure; it does work on XP.

 

PPP adapter VPN Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Connection
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.137.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.3.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink Gigabit Ethernet
   Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.253
   DNS Servers . . . . . . . . . . . : 192.168.1.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=24ms TTL=45
Reply from 8.8.8.8: bytes=32 time=26ms TTL=45

Ping statistics for 8.8.8.8:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 26ms, Average = 25ms
Control-C
^C
C:\>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.137.2
  2     2 ms     1 ms     1 ms  192.168.3.253
  3    28 ms    29 ms    19 ms  24.13.xx.xx
  4    12 ms    12 ms    12 ms  68.85.131.153

 

But what makes no sense, as you can see, is that the first hop is down the tunnel, and then the next hop is my router gateway on the VPN server's "WAN" connection.

 

So XP VPN by default routes the VPN connection through the ICS (NAT), while Windows 7 does not. I don't see anywhere in the GUI, at least, to configure this stuff.


So how are you setting the default gateway on the VPN client to the VPN server's ICS interface IP?

Well, this is the thing: it just works in XP with no need to play with the route table.


Here is a route print for the XP VPN server setup, on which the ICS LAN IP is 192.168.137.9 and the client (LAN @ 192.168.137.1) connects to this and gets internet over the VPN.

 

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      82.36.206.1   82.36.206.233       20
      82.36.206.0    255.255.254.0    82.36.206.233   82.36.206.233       20
    82.36.206.233  255.255.255.255        127.0.0.1       127.0.0.1       20
   82.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.137.0    255.255.255.0    192.168.137.9   192.168.137.9       20
    192.168.137.1  255.255.255.255    192.168.137.9   192.168.137.9       20
    192.168.137.3  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.137.4  255.255.255.255    192.168.137.3   192.168.137.3       1
    192.168.137.9  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.137.255  255.255.255.255    192.168.137.9   192.168.137.9       20
        224.0.0.0        240.0.0.0    82.36.206.233   82.36.206.233       20
        224.0.0.0        240.0.0.0    192.168.137.9   192.168.137.9       20
  255.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       1
  255.255.255.255  255.255.255.255    192.168.137.9   192.168.137.9       1
Default Gateway:       82.36.206.1
===========================================================================
Persistent Routes:
  None


If it's OpenVPN: on some Windows 7/8 systems, internet traffic is not properly routed through the VPN. In such a case the client.ovpn file must be edited, adding these lines at the end:

route-method exe
route-delay
route-metric 512
route 0.0.0.0 0.0.0.0


It's not that Windows 7 can't; it is more that XP routes traffic that it shouldn't, actually. That traffic is not sent to the gateway IP of XP, is it? So it seems XP sends the traffic through its NAT to the gateway, while I'm not sure what the Windows 7 routing table does with it; I would guess it sends it out your WAN interface without NATting it first.

 

Get a router and you're done.


It's not that Windows 7 can't; it is more that XP routes traffic that it shouldn't, actually.

That's just overseeing what was possible to not be possible, which we know it is, and not agreeing with me that this is something XP can do that 7 can't, and why M$ has now messed this up, which may be due to the TCP stack, or removed support for it to only be in server OSes.


Not sure what you think they removed?

A packet goes down the VPN tunnel; it has a destination IP on it, let's say 8.8.8.8. In the routing table of the VPN server, what interface does the VPN server throw the packet out of? Does it send it through the NAT or not?

If W7 looks at its routing table and sends it out the interface of its default route, which in what you posted from your XP box is

Default Gateway: 82.36.xx.xx

why would it be sourced after the NAT? I would fire up a sniffer on both the XP box and the W7 box and try to see what is going on. My "guess" is that XP sends the traffic through the ICS NAT, so it works, while W7 just sends the traffic out your WAN (82.36.x.x) interface without NATting it.

Either way, you're wanting a desktop OS to provide the feature set of a VPN router/firewall. While it does have the ability to allow inbound VPN, it's more designed to access the VPN box itself, or for connectivity to devices on that VPN's local network, not to route that traffic out some WAN/internet connection.

Again, what exactly are you trying to accomplish here? I would not suggest XP or W7 or any sort of desktop OS for what it seems like you're wanting to do. If you want to leverage them, putting a $20 router between your network and the internet would allow for this. Or better yet, have the edge router/firewall handle these sorts of connections. I route this traffic through my OpenVPN connection all the time.

Tracing route to 209.141.xx.xx over a maximum of 30 hops

  1   123 ms   118 ms   124 ms  10.0.200.1
  2   147 ms   135 ms   154 ms  24.13.xx.xx
  3   155 ms   142 ms   144 ms  68.85.131.153
  4   136 ms   143 ms   140 ms  68.87.230.53

So you see in the above trace, this is through my VPN connection to my home box from work. It goes down the tunnel, then per my routing and NAT rules on my firewalls it is sent out the appropriate connection to get to the destination.


So my VPN client gets an IP on the 10.0.200 network:

Ethernet adapter vpn:

   Connection-specific DNS Suffix  . : local.lan
   IPv4 Address. . . . . . . . . . . : 10.0.200.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

Now I have not pushed a default route down this tunnel, but I have pushed a route from the VPN connection for this specific address, which I can see in the VPN client's routing table.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.56.41.1     10.56.41.225      10
       10.0.200.1  255.255.255.255       10.0.200.5       10.0.200.6      30
       10.0.200.4  255.255.255.252          On-link       10.0.200.6     286
       10.0.200.6  255.255.255.255          On-link       10.0.200.6     286
       10.0.200.7  255.255.255.255          On-link       10.0.200.6     286
<snipped>
    209.141.xx.xx  255.255.255.255       10.0.200.5       10.0.200.6      30
<snipped>

This is an extension of my router's networks. So the VPN client gets an IP on a segment connected to the firewall/router; the router then routes/NATs the traffic as it is told to.

I can find no way to work with the setup in a desktop OS for these sorts of features; maybe there is something you can do in the registry. But this OS is not really designed for this sort of thing, while the server versions of Windows have the ability to do more advanced routing/NATting/etc.

So while XP might have routed the traffic to your benefit, I'm not sure I would say it was correct or that W7 removed something; you could look at it as W7 doing it correctly ;) But that is without some deeper insight into the details of the ICS setup, which I have never bothered to investigate, to be honest, because it's a pretty much useless feature set, if you ask me, left over from the days before cheap SOHO NAT routers ;) when you might have used dialup to access the internet and needed a way to have other home machines leverage this connection, etc.

If you explain exactly what you're wanting to do, I'm happy to work out the best-practice/cheapest way to accomplish it.

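The routing decision argued over in the last two posts, and in the XP server's route print earlier in the thread (what the VPN server's forwarding table does with a packet to 8.8.8.8 that came down the tunnel from 192.168.137.4), can be checked mechanically. The following is an added example written for this page, not code from anyone in the thread: it parses the `route print` output posted above (embedded here as a constructed copy) and applies longest-prefix match with a lowest-metric tiebreak, which is how Windows selects a route. Which addresses count as the WAN side and the ICS/LAN side is an assumption read off the posted table (82.36.206.233 and 192.168.137.9).

```python
"""Longest-prefix-match lookup over a Windows `route print` table.

Added example for this page, not the thread participants' code. It answers:
for a packet that arrived down the VPN tunnel, which interface does the
XP server's table send it out of, and does that leave a private source
address on the WAN side (i.e. would only ICS NAT make it work)?
"""
import ipaddress
import re

# Constructed copy of the XP VPN server's route print posted in the thread.
XP_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      82.36.206.1   82.36.206.233       20
      82.36.206.0    255.255.254.0    82.36.206.233   82.36.206.233       20
    82.36.206.233  255.255.255.255        127.0.0.1       127.0.0.1       20
   82.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.137.0    255.255.255.0    192.168.137.9   192.168.137.9       20
    192.168.137.1  255.255.255.255    192.168.137.9   192.168.137.9       20
    192.168.137.3  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.137.4  255.255.255.255    192.168.137.3   192.168.137.3       1
    192.168.137.9  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.137.255  255.255.255.255    192.168.137.9   192.168.137.9       20
        224.0.0.0        240.0.0.0    82.36.206.233   82.36.206.233       20
        224.0.0.0        240.0.0.0    192.168.137.9   192.168.137.9       20
  255.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       1
  255.255.255.255  255.255.255.255    192.168.137.9   192.168.137.9       1
Default Gateway:       82.36.206.1
"""

# Assumption: which local interface addresses are Internet-facing (WAN)
# and which are the ICS/LAN side, taken from the posted table.
WAN_INTERFACES = {"82.36.206.233"}
LAN_INTERFACES = {"192.168.137.9"}

# One data row: destination, netmask, gateway (or On-link on Vista+), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+|On-link)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator, 'Default Gateway:' line, etc.
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Windows selection rule: longest prefix wins, then the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress(routes, dst):
    """Classify where a forwarded packet to dst leaves the box."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    iface = r[2]
    if iface == "127.0.0.1":
        return "local"
    if iface in WAN_INTERFACES:
        return "wan"
    if iface in LAN_INTERFACES:
        return "lan"
    return "vpn"  # the PPP interface address (192.168.137.3 in this table)


def needs_nat(routes, src, dst):
    """True when the packet would leave via the WAN side still carrying a
    private (RFC 1918) source address, so only a NAT step could make the
    reply come back."""
    return egress(routes, dst) == "wan" and ipaddress.IPv4Address(src).is_private


if __name__ == "__main__":
    table = parse_routes(XP_ROUTE_PRINT)
    for dst in ("8.8.8.8", "192.168.137.4", "192.168.137.1"):
        print(dst, "->", lookup(table, dst)[1:3], egress(table, dst),
              "needs NAT from 192.168.137.4:", needs_nat(table, "192.168.137.4", dst))
```

The lookup only tells you the egress interface: for 8.8.8.8 the only matching row is the default route, so the packet leaves via 82.36.206.233 towards 82.36.206.1 with a 192.168.137.4 source unless something rewrites it. Whether the ICS NAT does that rewrite is exactly what the two posters disagree on, and the table cannot settle it; a capture on the WAN interface, as suggested above, can: if the packets leave with a 192.168.137.x source, nothing NATted them.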

Not sure what you think they removed?

 

I think you do; if you had set it up on your end you would understand instead of guessing.

 

While W7 just sends the traffic out your WAN (82.36.x.x) interface without NATting it.

I ran Wireshark; it's not doing that when ICS is enabled.


I have set it up on my end, and it works as you described in XP, but does not in W7. From what I can tell XP should never have done what it does in the first place. There is NO setting that I can find in the VPN that says to allow traffic out my WAN interface from the VPN client. What there is, is a setting that says to allow traffic to my local network.


It works just fine in W7 if Windows 7 is behind a NAT router and does not have to NAT the traffic. I will fire up a sniffer on both my XP VM and my W7 VM and watch what the source IP is.

What you're wanting it to do is allow access to your internet connection, not the "local" network, and you want the desktop to NAT this for you as well. Why should it do that? XP shouldn't really do it either; it's a security issue if you ask me!


I have set it up on my end, and it works as you described in XP, but does not in W7. From what I can tell XP should never have done what it does in the first place.

Why, because 7 is newer than XP? XP does what it does because it's meant to. Would you disagree if Windows Server 2008 R2 is able to do the same setup and work just like XP?


2008 is a server version and has full routing support, etc.

http://technet.microsoft.com/en-us/library/cc770798(v=ws.10).aspx

Install and Enable the Routing and Remote Access Service

The Routing and Remote Access service in the Windows Server 2008 family provides:

Virtual private network (VPN) remote access and dial-up services.

Multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

---

I can do some sniffing when I get home; doing so remotely would require me to use 2 different VMs, etc., and it's a bit of a pain to set up. Curious: do you have the IP Helper service running on W7? I have it off; I will turn it back on when I get a chance to test this.

Still don't really understand the point of this conversation. If XP does what you want, then continue to use it. Or do it correctly with a simple router ;)


2008 is a server version and has full routing support, etc.

 

So does XP, it seems, being that it is able to do what you think it shouldn't. That's my take on this whole thing.

 

I will fire up a sniffer on both my XP VM and my W7 VM and watch what the source IP is.

If ICS is enabled it does not do this, and I need ICS enabled.

 

What you're wanting it to do is allow access to your internet connection, not the "local" network, and you want the desktop to NAT this for you as well. Why should it do that? XP shouldn't really do it either; it's a security issue if you ask me!

I do find it odd that you would jump to that conclusion in any case.


2 weeks later...

Found one workaround for 7, but only tested working in L2TP/IPsec over NAT-T (UDP) and ESP (protocol 50) (not tested ESP); it does not work for PPTP.

 

In the VPN server setup, for the From and To IPs, put in one IP down from your WAN IP in the From box, and in the To box put the WAN IP.

 

This only works without ICS; the connecting client gets a VPN IP of your WAN IP, which goes over the VPN and sources out the WAN interface and MAC as if you were at the server end making the connections with that WAN IP.

