0

I have a normal Windows VPN on a computer connecting to a 196.201.x.x/24 IP. If this VPN tries to connect from any address in the 41.x.x.x range it can't get there. The server is a normal Windows 2008 server, running Exchange with a PPPoE IP NATed to a public IP on the public gateway of the wireless network, as the server is on site and its connectivity is derived from Mikrotik RBs.

The computer on the 41 range can traceroute and ping the server, but the VPN does not authenticate. When on the network or any other, the VPN works fine. Is there something that could be configured on the VPN client? All firewall settings of a standard ADSL router have been checked and found to block only ICMP.

Is this a VPN configuration problem or a network issue?

deanvz

2 Answers

1

I'm assuming that you're using the PPTP VPN protocol here. I'm not sure if this will cause failures at the authentication stage, but check that the client has GRE connectivity to the server. GRE runs directly on IP (and not over TCP or UDP), and so it may be treated differently by the modem, or a certain telecommunication monopoly's network.

You can use hping to generate empty GRE packets like this:

hping3 --rawip --ipproto 47 --data 16 196.201.x.x

And then check if they are being received by the server. On Linux this could be done with tcpdump; on Windows you probably need something like Wireshark.

tcpdump -i eth0 -vvvn ip proto gre

If the packets don't arrive you can try using hping in traceroute mode to find out where they are being dropped.

hping3 --rawip --ipproto 47 --data 16 --traceroute 196.201.x.x
mgorven
  • How would I be able to generate GRE packets from a Windows machine to a Windows server when I am not the administrator of the server to monitor the situation? – deanvz Jul 11 '12 at 18:24
  • @deanvz You'd need access to a router in the path in order to capture packets. Try using the traceroute mode though, it may be sufficient. – mgorven Jul 11 '12 at 18:28
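
PPTP sets up its call over TCP port 1723 but carries the PPP session, including authentication, inside GRE (IP protocol 47), so a capture at the server or at a router in the path can show whether only the control channel is arriving. The following is an added example, not code from the answer above: it classifies raw IPv4 packets and reports which of the two is present. The sample packets and their documentation-range addresses are constructed for illustration.

```python
import socket
import struct

PPTP_CONTROL_PORT = 1723          # TCP control channel (RFC 2637)
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # IP protocol numbers

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet as 'pptp-control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto == IPPROTO_GRE:
        return "gre"
    if proto == IPPROTO_TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets) -> str:
    """Summarise what a capture near the server says about the PPTP path."""
    kinds = {classify(p) for p in packets}
    if "pptp-control" in kinds and "gre" not in kinds:
        return "control only: IP protocol 47 is being dropped in the path"
    if "pptp-control" in kinds:
        return "control and GRE arrive: check authentication settings"
    if "gre" in kinds:
        return "GRE only: probe traffic arrives, no PPTP session attempted"
    return "no PPTP traffic seen"

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet (documentation addresses, checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton("192.0.2.10"),
                         socket.inet_aton("198.51.100.20"))
    return header + payload

# Constructed samples: a TCP SYN to port 1723 and a 16-byte GRE probe.
TCP_SYN = build_ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 49152, 1723,
                                              0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_PROBE = build_ipv4(IPPROTO_GRE, bytes(16))

if __name__ == "__main__":
    print(diagnose([TCP_SYN]))             # failing path
    print(diagnose([TCP_SYN, GRE_PROBE]))  # healthy path
```
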
0

Hmm, it's possible the ISP that owns the 41.x range may limit VPN or other types or protocols on their network. I've seen this before where certain services don't work because the ISP does not allow them.

Not sure if 41.x is a South African range or not but that may be the issue if it's always from 41.

Brent Pabst
  • Why would you then be able to connect to the VPN, not via localhost from the same 41.x IP range and then when at home, also on the 41.x network, not? – deanvz Jul 09 '12 at 19:56