Ping over VPN

I am trying to test my VPN connection and am running into a blockade
(again)........I am using IPSec to connect to my Netgear router, the client
software I am using tells me it has connected (although I am not sure if it
really has as it connects almost instantly).

I then try and ping a machine on the LAN and at first get:

ping 192.168.0.2
Negotiating IP Security

Once this complete's it tells me I got a 100% loss, but I read online that
this could be because it takes time to negotiate, and so to instead try:

ping -n 192.168.0.2

However, when I try this the only thing that happens is I get the line "IP
address must be specified" and nothing happens.

So I am still stuck with what appears to be a non functioning VPN........ or
at least I think I am, I am very suspicious of the fact my client connects
as soon as I click the button.

Thanks.

Should be:
ping 192.168.0.2 -n 7

Homer Jay wrote:
> I am trying to test my VPN connection and am running into a blockade
> (again)........I am using IPSec to connect to my Netgear router, the client
> software I am using tells me it has connected (although I am not sure if it
> really has as it connects almost instantly).
>
> I then try and ping a machine on the LAN and at first get:
>
> ping 192.168.0.2
> Negotiating IP Security
>
> Once this complete's it tells me I got a 100% loss, but I read online that
> this could be because it takes time to negotiate, and so to instead try:
>
> ping -n 192.168.0.2
>
> However, when I try this the only thing that happens is I get the line "IP
> address must be specified" and nothing happens.
>
> So I am still stuck with what appears to be a non functioning VPN........ or
> at least I think I am, I am very suspicious of the fact my client connects
> as soon as I click the button.
>
> Thanks.

In news:e$(E-Mail Removed),
Homer Jay <(E-Mail Removed)> stated, which I commented on below:
> I am trying to test my VPN connection and am running into a blockade
> (again)........I am using IPSec to connect to my Netgear router, the
> client software I am using tells me it has connected (although I am
> not sure if it really has as it connects almost instantly).
>
> I then try and ping a machine on the LAN and at first get:
>
> ping 192.168.0.2
> Negotiating IP Security
>
> Once this complete's it tells me I got a 100% loss, but I read online
> that this could be because it takes time to negotiate, and so to
> instead try:
> ping -n 192.168.0.2
>
> However, when I try this the only thing that happens is I get the
> line "IP address must be specified" and nothing happens.
>
> So I am still stuck with what appears to be a non functioning
> VPN........ or at least I think I am, I am very suspicious of the
> fact my client connects as soon as I click the button.
>
> Thanks.

Did my post help you about your previous VPN issue?

As for the ping, follow Trooper's response. You can also do a continuous
ping:
ping x.x.x.x -t

hit Ctrl-C to stop it.

But curious, if you are using IPSec with a Netgear, does the Netgear router
support certificates?

Or are you using the Netgear router as a RADIUS client to your IAS server?

Can you elaborate on exactly how you would like to setup your remote
infrastructure? Maybe that will help us help you a little better.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

"Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In news:e$(E-Mail Removed),
>
> Did my post help you about your previous VPN issue?
>
> As for the ping, follow Trooper's response. You can also do a continuous
> ping:
> ping x.x.x.x -t
>
> hit Ctrl-C to stop it.
>
> But curious, if you are using IPSec with a Netgear, does the Netgear
> router support certificates?
>
> Or are you using the Netgear router as a RADIUS client to your IAS server?
>
> Can you elaborate on exactly how you would like to setup your remote
> infrastructure? Maybe that will help us help you a little better.
>
> --
> Ace
> Innovative IT Concepts, Inc
> Willow Grove, PA

Hi,

Your previous reply may have helped, however I got a reply back from Netgear
support which told me that the router does not work properly with PPTP
passthrough (despite me manually opening port 1723 and enabling the option
in the router interface of "Enable PPTP and L2TP passthrough") and also does
not support GRE. So I am not exactly happy with Netgear.

I don't know exactly what I am now trying to set up, I had wanted to go with
the PPTP and have the SBS 2003 server handle the VPN connections. Now I am
trying to figure out IPSec and learning as I go. As things stand I will now
have the Netgear router handling the VPN connections using IPSec. The
Netgear does support certificates, but I don't know how I get a certificate,
so am currently trying to use a pre-shared key.

What I want to ultimately end up with is VPN access into a server to access
files/email. I can't use RWW as the users have laptops. The files are stored
on the SBS2003 server, this is connected to the Netgear.

I tried configuring the Win XP IPSec client, but from what I have read the
client PC's need to have a static IP address, which is no good since they
may connect from various sites and so have a different IP assigned. I have
been hunting around for a good free IPSec client, but am unable to find one.
I had tried using the DrayTek Smart VPN Client, but am not so sure this is
working correctly (When I click to connect to the VPN tunnel it says it is
connected instantly, yet I am unable to ping/access anything on the remote
LAN).

Sorry to sound so dumb at all this, but I am new to VPN and had hoped to use
PPTP as it appeared to be the the simplest to implement. I do appreciate the
time taken to reply to my many (and often vague) questions.

Thanks.

In news:(E-Mail Removed),
Homer Jay <(E-Mail Removed)> stated, which I commented on below:

> Hi,
>
> Your previous reply may have helped, however I got a reply back from
> Netgear support which told me that the router does not work properly
> with PPTP passthrough (despite me manually opening port 1723 and
> enabling the option in the router interface of "Enable PPTP and L2TP
> passthrough") and also does not support GRE. So I am not exactly
> happy with Netgear.
> I don't know exactly what I am now trying to set up, I had wanted to
> go with the PPTP and have the SBS 2003 server handle the VPN
> connections. Now I am trying to figure out IPSec and learning as I
> go. As things stand I will now have the Netgear router handling the
> VPN connections using IPSec. The Netgear does support certificates,
> but I don't know how I get a certificate, so am currently trying to
> use a pre-shared key.
> What I want to ultimately end up with is VPN access into a server to
> access files/email. I can't use RWW as the users have laptops. The
> files are stored on the SBS2003 server, this is connected to the
> Netgear.
> I tried configuring the Win XP IPSec client, but from what I have
> read the client PC's need to have a static IP address, which is no
> good since they may connect from various sites and so have a
> different IP assigned. I have been hunting around for a good free
> IPSec client, but am unable to find one. I had tried using the
> DrayTek Smart VPN Client, but am not so sure this is working
> correctly (When I click to connect to the VPN tunnel it says it is
> connected instantly, yet I am unable to ping/access anything on the
> remote LAN).
> Sorry to sound so dumb at all this, but I am new to VPN and had hoped
> to use PPTP as it appeared to be the the simplest to implement. I do
> appreciate the time taken to reply to my many (and often vague)
> questions.
> Thanks.

We;ve had this same exact issue with a few or our clients, meaning about a
router that cannot support GRE. Honestly, you can either go with the Netgear
client, but I haven't used it yet, but I think it would reduce your
headaches and frustrations if you changed your router to a PIX or Watchguard
(I like either one) and either allow PPTP (1723 and GRE) or you can use the
Watchguard client or the PIX client, respectively depending on which you
purchase.

As for certs, you would need to setup a CA (Cert Authority) with Windows
(2000 or 2003) and get a cert from the CA. This is a bit more complicated.
You can post into the security.crypto newsgroups for more help. But I think
it is way easier if you can see if you can budget for a Watchguard Edge X5
or X15 or PIX 505 or 515 (depending on users and throughput). They are
enterprise class devices and highly reliable and follow all the industry
standards. Support with Cisco Pix is awesome as well.

Let me know what you will do...

Ace

"Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In news:(E-Mail Removed),
> Homer Jay <(E-Mail Removed)> stated, which I commented on below:
>
>
> We;ve had this same exact issue with a few or our clients, meaning about a
> router that cannot support GRE. Honestly, you can either go with the
> Netgear client, but I haven't used it yet, but I think it would reduce
> your headaches and frustrations if you changed your router to a PIX or
> Watchguard (I like either one) and either allow PPTP (1723 and GRE) or you
> can use the Watchguard client or the PIX client, respectively depending on
> which you purchase.
>
> As for certs, you would need to setup a CA (Cert Authority) with Windows
> (2000 or 2003) and get a cert from the CA. This is a bit more complicated.
> You can post into the security.crypto newsgroups for more help. But I
> think it is way easier if you can see if you can budget for a Watchguard
> Edge X5 or X15 or PIX 505 or 515 (depending on users and throughput). They
> are enterprise class devices and highly reliable and follow all the
> industry standards. Support with Cisco Pix is awesome as well.
>
> Let me know what you will do...
>
> Ace
>

I think I will first give the Netgear (or another IPSec client) a try. At
the moment I am trying to connect using the Greenbow VPN Client (evaluation
copy). It does not give me any error messages, but all I see in the VPN
status log is:

[2006-09-28 11:54:49][==== IKE PHASE 1(from 64.236.XXX.XX) START (responder)
====]
[2006-09-28 11:54:49]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2006-09-28 11:54:49]<POLICY: > PAYLOADS:
SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-09-28 11:54:49]<LocalRID> Type=ID_USER_FQDN,ID Data=(E-Mail Removed)
[2006-09-28 11:54:49]<RemoteLID> Type=ID_USER_FQDN,ID Data=(E-Mail Removed)
[2006-09-28 11:54:49]<POLICY: VPN> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH
[2006-09-28 11:54:49]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-09-28 11:55:08]**** SENT OUT INFORMATIONAL EXCHANGE
MESSAGE(DELETE_PAYLOAD) ****

And then nothing happens, the only thing I see in the log on the client side
is:

20060928 121610 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA]
[KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]

I wish I had known about the Netgear issues, and the Watchguard Edge X5
sooner!! There is not really an available budget at the moment to dump the
Netgear in favor of one of the other routers (its a small business) and we
just recently purchased the server/router etc.

"Homer Jay" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
>
> I think I will first give the Netgear (or another IPSec client) a try. At
> the moment I am trying to connect using the Greenbow VPN Client
> (evaluation copy). It does not give me any error messages, but all I see
> in the VPN status log is:
>
> [2006-09-28 11:54:49][==== IKE PHASE 1(from 64.236.XXX.XX) START
> (responder) ====]
> [2006-09-28 11:54:49]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
> [2006-09-28 11:54:49]<POLICY: > PAYLOADS:
> SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
> [2006-09-28 11:54:49]<LocalRID> Type=ID_USER_FQDN,ID Data=(E-Mail Removed)
> [2006-09-28 11:54:49]<RemoteLID> Type=ID_USER_FQDN,ID
> Data=(E-Mail Removed)
> [2006-09-28 11:54:49]<POLICY: VPN> PAYLOADS:
> SA,PROP,TRANS,KE,NONCE,ID,HASH
> [2006-09-28 11:54:49]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
> [2006-09-28 11:55:08]**** SENT OUT INFORMATIONAL EXCHANGE
> MESSAGE(DELETE_PAYLOAD) ****
>
> And then nothing happens, the only thing I see in the log on the client
> side is:
>
> 20060928 121610 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA]
> [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
>
> I wish I had known about the Netgear issues, and the Watchguard Edge X5
> sooner!! There is not really an available budget at the moment to dump the
> Netgear in favor of one of the other routers (its a small business) and we
> just recently purchased the server/router etc.
>

EDIT:

I have also tried configuring the Win XP built in IPSec client, the Netgear
log shows the following when attempting to use this client:

[2006-09-28 14:57:10][==== IKE PHASE 1(from 64.236.XXX.XX) START (responder)
====]
[2006-09-28 14:57:10]**** RECEIVED FIRST MESSAGE OF MAIN MODE ****
[2006-09-28 14:57:10]<POLICY: > PAYLOADS:
SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID
[2006-09-28 14:57:10]ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP CASE
[2006-09-28 14:57:10]SENDING NOTIFY MSG:NO_PROPOSAL_CHOSEN
[2006-09-28 14:57:10]**** SENT OUT INFORMATIONAL EXCHANGE
MESSAGE(NOTIFY_PAYLOAD) ****

Can the Win XP client handle dynamic IP addresses? My server has a static IP
and the WAN (on the VPN side) is a static IP. However, the IP on client
computers can change depending on where they conneect from. Should I give up
trying to use the XP client based on this limitation?

Thanks.

Try ping 192.168.0.2 -t
This will ping untill you tell it to stop.

"Homer Jay" <(E-Mail Removed)> wrote in message
news:e$(E-Mail Removed)...
>I am trying to test my VPN connection and am running into a blockade
>(again)........I am using IPSec to connect to my Netgear router, the client
>software I am using tells me it has connected (although I am not sure if it
>really has as it connects almost instantly).
>
> I then try and ping a machine on the LAN and at first get:
>
> ping 192.168.0.2
> Negotiating IP Security
>
> Once this complete's it tells me I got a 100% loss, but I read online that
> this could be because it takes time to negotiate, and so to instead try:
>
> ping -n 192.168.0.2
>
> However, when I try this the only thing that happens is I get the line "IP
> address must be specified" and nothing happens.
>
> So I am still stuck with what appears to be a non functioning VPN........
> or at least I think I am, I am very suspicious of the fact my client
> connects as soon as I click the button.
>
> Thanks.
>

In news:(E-Mail Removed),
Homer Jay <(E-Mail Removed)> stated, which I commented on below:
> "Homer Jay" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>>
>> I think I will first give the Netgear (or another IPSec client) a
>> try. At the moment I am trying to connect using the Greenbow VPN
>> Client (evaluation copy). It does not give me any error messages,
>> but all I see in the VPN status log is:
>>
>> [2006-09-28 11:54:49][==== IKE PHASE 1(from 64.236.XXX.XX) START
>> (responder) ====]
>> [2006-09-28 11:54:49]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
>> [2006-09-28 11:54:49]<POLICY: > PAYLOADS:
>> SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
>> [2006-09-28 11:54:49]<LocalRID> Type=ID_USER_FQDN,ID
>> Data=(E-Mail Removed) [2006-09-28 11:54:49]<RemoteLID>
>> Type=ID_USER_FQDN,ID Data=(E-Mail Removed)
>> [2006-09-28 11:54:49]<POLICY: VPN> PAYLOADS:
>> SA,PROP,TRANS,KE,NONCE,ID,HASH
>> [2006-09-28 11:54:49]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
>> [2006-09-28 11:55:08]**** SENT OUT INFORMATIONAL EXCHANGE
>> MESSAGE(DELETE_PAYLOAD) ****
>>
>> And then nothing happens, the only thing I see in the log on the
>> client side is:
>>
>> 20060928 121610 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA]
>> [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
>>
>> I wish I had known about the Netgear issues, and the Watchguard Edge
>> X5 sooner!! There is not really an available budget at the moment to
>> dump the Netgear in favor of one of the other routers (its a small
>> business) and we just recently purchased the server/router etc.
>>
>
> EDIT:
>
> I have also tried configuring the Win XP built in IPSec client, the
> Netgear log shows the following when attempting to use this client:
>
> [2006-09-28 14:57:10][==== IKE PHASE 1(from 64.236.XXX.XX) START
> (responder) ====]
> [2006-09-28 14:57:10]**** RECEIVED FIRST MESSAGE OF MAIN MODE ****
> [2006-09-28 14:57:10]<POLICY: > PAYLOADS:
> SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID
> [2006-09-28 14:57:10]ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP
> CASE [2006-09-28 14:57:10]SENDING NOTIFY MSG:NO_PROPOSAL_CHOSEN
> [2006-09-28 14:57:10]**** SENT OUT INFORMATIONAL EXCHANGE
> MESSAGE(NOTIFY_PAYLOAD) ****
>
> Can the Win XP client handle dynamic IP addresses? My server has a
> static IP and the WAN (on the VPN side) is a static IP. However, the
> IP on client computers can change depending on where they conneect
> from. Should I give up trying to use the XP client based on this
> limitation?
> Thanks.

Sorry for the late reply. Kind of hectic lately.

The reason that you get nothing afterwards is that the tunnel can't be
established. GRE is the tunnel. TCP 1723 is the control channel, so to
speak.

And XP can be a DHCP client as long as the DHCP server is accessible. If the
tunnel is not being established, there is no way to get an address or
anything else.

Ace

"Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In news:(E-Mail Removed),
> Homer Jay <(E-Mail Removed)> stated, which I commented on below:
>
> Sorry for the late reply. Kind of hectic lately.
>
> The reason that you get nothing afterwards is that the tunnel can't be
> established. GRE is the tunnel. TCP 1723 is the control channel, so to
> speak.
>
> And XP can be a DHCP client as long as the DHCP server is accessible. If
> the tunnel is not being established, there is no way to get an address or
> anything else.
>
> Ace
>

Ace,

No need to apologize on the delay on replying.........

I went back to the start with this, dug out an old Linksys BEFR41v4 router
that I had, and set that up to allow PPTP VPN. I had someone interpret my
(Netgear) log who told me that the Netgear had responded, but it was being
blocked somewhere between the Netgear (this was before I hooked up the
Linksys) and the client.

I got the same error with the Linksys as with the Netgear, and was unable to
connect. I have no access to the firewalls/routers here at work and so took
my laptop to another location where I could access the firewall/router and
attempted a PPTP VPN connection through the Linksys at the new
location........... Bingo it worked first time.

I have since (re)installed the Netgear router, but have not yet had a chance
to try again and connect. I am hoping it will allow me to connect using PPTP
and have SBS2003 handle the VPN connections, if not then I will try with an
IPSec VPN client.

Thanks for all your help, I will try and post back here as soon as I have
retested the connection with the Netgear.