Can't talk between VPN'd client and Linux server.

 
 
thenighthawk@gmail.com
Guest
Posts: n/a

 
      06-28-2005, 03:22 PM
Hello,

I have two Linux servers running the latest AS Redhat.

My VPN server is a basic Windows 2003 machine, supporting pptp, (I
don't have certificate installed yet for l2tp)

Client machine is Windows XP.

All patches/updates have been applied to all machines.

These machines are all running on the same departmental level subnet.

Client attaches to VPN without issue, makes pptp connection, and I can
see all windows based resources on the local network. I can ping other
windows machines, I can connect to shares, I can access web pages which
are ordinarily blocked by the firewall...

With the exception of my two Linux machines.

From my VPN machine, I can ping/connect to the web services/ssh to the
two linux machines, I can do the same from any local windows client.
From the linux machine, I can ping all the local windows
servers/clients.

However, I cannot ping the VPN client from the linux machines (I can
ping, and as I write this, I am connected to the VPN client via remote
desktop, from this local machine), nor can I pull up the web page
hosted on the linux machine.

Now here it gets even worse.

If I connect to the main campus VPN connection, then I CAN see the web
page hosted on the linux machines (I cannot ping though, as ICMP is
blocked at our department firewall...)

Any help would be greatly appreciated!!

 
 
 
 
 
Dusty Harper {MS}
Guest
Posts: n/a

 
      06-28-2005, 07:09 PM
This forum is for Windows Firewall Discussion. You may wish to post this to
microsoft.public.win2000.networking.

And to try to be of help, you may want to sniff on the Linux servers, see
if they are even getting the packets from the VPN client. Your entire setup
is not clear, and you may be experiencing a simple route issue ( if the
Linux boxes don't know where to send packets to the VPN client's subnet
etc. ) A sniff of a simple PING should help you determine where to look.
Post back in the appropriate forum and I'll try to help more.

--
--
Dusty Harper
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hello,
>
> I have two Linux servers running the latest AS Redhat.
>
> My VPN server is a basic Windows 2003 machine, supporting pptp, (I
> don't have certificate installed yet for l2tp)
>
> Client machine is Windows XP.
>
> All patches/updates have been applied to all machines.
>
> These machines are all running on the same departmental level subnet.
>
> Client attaches to VPN without issue, makes pptp connection, and I can
> see all windows based resources on the local network. I can ping other
> windows machines, I can connect to shares, I can access web pages which
> are ordinarily blocked by the firewall...
>
> With the exception of my two Linux machines.
>
> From my VPN machine, I can ping/connect to the web services/ssh to the
> two linux machines, I can do the same from any local windows client.
> From the linux machine, I can ping all the local windows
> servers/clients.
>
> However, I cannot ping the VPN client from the linux machines (I can
> ping, and as I write this, I am connected to the VPN client via remote
> desktop, from this local machine), nor can I pull up the web page
> hosted on the linux machine.
>
> Now here it gets even worse.
>
> If I connect to the main campus VPN connection, then I CAN see the web
> page hosted on the linux machines (I cannot ping though, as ICMP is
> blocked at our department firewall...)
>
> Any help would be greatly appreciated!!
>



 
 
thenighthawk@gmail.com
Guest
Posts: n/a

 
      06-28-2005, 07:25 PM
Unfortunately there's no routing being done by the Linux boxes at all,
they are on the private side of the VPN Server's network (both
physically and logically).

 
 
Dusty Harper {MS}
Guest
Posts: n/a

 
      06-29-2005, 11:07 PM
They still need to perform a route lookup to see which router to send the
traffic ( unless the VPN client is handed an IP on the local subnet )


--
--
Dusty Harper
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Unfortunately there's no routing being done by the Linux boxes at all,
> they are on the private side of the VPN Server's network (both
> physically and logically).
>



 
 
thenighthawk@gmail.com
Guest
Posts: n/a

 
      06-30-2005, 02:23 PM
That is the case, the VPN client gets an address from within the local
subnet.

Once the VPN client is connected, I can remote desktop to the client
using the local address, the client can see all my windows boxes, but
these two linux boxes are invisible, I can't ping, ssh, ftp, or pull up
the web page, whether I try to do so using the IP address of the linux
box, or the name.

I am at such a loss as to why all the windows machines are visible, but
the linux are not.



Dusty Harper {MS} wrote:
> They still need to perform a route lookup to see which router to send the
> traffic ( unless the VPN client is handed an IP on the local subnet )
>
>
> --
> --
> Dusty Harper
> Microsoft Corporation
> ----------------------------------------------------------------------------
> This posting is provided "AS IS", with NO warranties and confers NO rights
> ----------------------------------------------------------------------------
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
> > Unfortunately there's no routing being done by the Linux boxes at all,
> > they are on the private side of the VPN Server's network (both
> > physically and logically).
> >


 
 
Mike Drechsler - SPAM PROTECTED EMAIL
Guest
Posts: n/a

 
      06-30-2005, 03:05 PM
(E-Mail Removed) wrote:
> That is the case, the VPN client gets an address from within the local
> subnet.
>
> Once the VPN client is connected, I can remote desktop to the client
> using the local address, the client can see all my windows boxes, but
> these two linux boxes are invisible, I can't ping, ssh, ftp, or pull up
> the web page, whether I try to do so using the IP address of the linux
> box, or the name.
>
> I am at such a loss as to why all the windows machines are visible, but
> the linux are not.
>
>
>
> Dusty Harper {MS} wrote:
>
>>They still need to perform a route lookup to see which router to send the
>>traffic ( unless the VPN client is handed an IP on the local subnet )
>>
>>
>>--
>>--
>>Dusty Harper
>>Microsoft Corporation
>>----------------------------------------------------------------------------
>>This posting is provided "AS IS", with NO warranties and confers NO rights
>>----------------------------------------------------------------------------
>>
>><(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed) groups.com...
>>
>>>Unfortunately there's no routing being done by the Linux boxes at all,
>>>they are on the private side of the VPN Server's network (both
>>>physically and logically).


What does the arp table on the linux box look like? The arp address of
the VPN client's IP should resolve to the same ethernet id as the VPN
gateway/server. Also what does the arp table on the client look like?
Does it get the ethernet id of the linux box? If you find arp problems,
does creating a static entry with the ethernet mac address of the remote
system help?

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
 
 
thenighthawk@gmail.com
Guest
Posts: n/a

 
      06-30-2005, 03:37 PM

Mike, you were on the right track!

Monitoring the ARP caches, the Linux boxes were trying to communicate
with the public side IP address (also on my local subnet, as I am not
able to do NAT and private addressing here).

I used the default filter to block all but VPN tunnel traffic on the
public address. By adding my local subnet in the "allow" for incoming
packets to the public side address, all was well.

Thanks!!


Mike Drechsler - SPAM PROTECTED EMAIL wrote:
> (E-Mail Removed) wrote:
> > That is the case, the VPN client gets an address from within the local
> > subnet.
> >
> > Once the VPN client is connected, I can remote desktop to the client
> > using the local address, the client can see all my windows boxes, but
> > these two linux boxes are invisible, I can't ping, ssh, ftp, or pull up
> > the web page, whether I try to do so using the IP address of the linux
> > box, or the name.
> >
> > I am at such a loss as to why all the windows machines are visible, but
> > the linux are not.
> >
> >
> >
> > Dusty Harper {MS} wrote:
> >
> >>They still need to perform a route lookup to see which router to send the
> >>traffic ( unless the VPN client is handed an IP on the local subnet )
> >>
> >>
> >>--
> >>--
> >>Dusty Harper
> >>Microsoft Corporation
> >>----------------------------------------------------------------------------
> >>This posting is provided "AS IS", with NO warranties and confers NO rights
> >>----------------------------------------------------------------------------
> >>
> >><(E-Mail Removed)> wrote in message
> >>news:(E-Mail Removed) groups.com...
> >>
> >>>Unfortunately there's no routing being done by the Linux boxes at all,
> >>>they are on the private side of the VPN Server's network (both
> >>>physically and logically).

>
> What does the arp table on the linux box look like? The arp address of
> the VPN client's IP should resolve to the same ethernet id as the VPN
> gateway/server. Also what does the arp table on the client look like?
> Does it get the ethernet id of the linux box? If you find arp problems,
> does creating a static entry with the ethernet mac address of the remote
> system help?
>
> --
> WARNING! Email address has been altered for spam resistance.
> Please remove the -deletethispart-. section before replying directly.
> Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
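
The ARP check suggested by Mike and the finding in the final post (the Linux boxes resolving the VPN client to the server's public-side interface) can be automated as below. This is an added example, not code from any poster in the thread; the sample table, all IP and MAC addresses, and the "private"/"public" NIC labels are constructed placeholders.

```python
# Added example: compare a Linux host's ARP cache with the VPN server's NIC MACs.
# All addresses, MACs and interface labels below are constructed placeholders.

# Constructed sample in the format of /proc/net/arp on a Linux host.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.10       0x1         0x2         00:11:22:33:44:0a     *        eth0
192.0.2.11       0x1         0x2         00:11:22:33:44:0b     *        eth0
192.0.2.50       0x1         0x2         00:11:22:33:44:0b     *        eth0
192.0.2.51       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# MACs of the VPN server's two NICs (hypothetical labels, both on the same subnet).
VPN_SERVER_NICS = {"private": "00:11:22:33:44:0a", "public": "00:11:22:33:44:0b"}

ATF_COM = 0x02  # "completed entry" flag in /proc/net/arp


def parse_arp(text):
    """Return {ip: (mac, flags)} from /proc/net/arp formatted text."""
    table = {}
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue                        # ignore malformed rows
        ip, _hw_type, flags, mac = fields[:4]
        table[ip] = (mac.lower(), int(flags, 16))
    return table


def classify(table, client_ip, server_nics):
    """Say which VPN server NIC (if any) answers ARP for a VPN client's IP."""
    if client_ip not in table:
        return "no-entry"        # host never tried, or the entry expired
    mac, flags = table[client_ip]
    if not flags & ATF_COM:
        return "incomplete"      # ARP request sent, nobody answered
    for label, nic_mac in server_nics.items():
        if mac == nic_mac.lower():
            return "via-" + label
    return "unexpected-mac"      # some other device answers for this IP


if __name__ == "__main__":
    arp = parse_arp(SAMPLE_PROC_NET_ARP)
    for ip in ("192.0.2.50", "192.0.2.51", "192.0.2.99"):
        print(ip, classify(arp, ip, VPN_SERVER_NICS))
```

A "via-public" result corresponds to the situation in the thread: replies from the Linux host go to the interface where the inbound packet filter applies, so that filter has to allow the local subnet.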


 