I've set up VPN connections with different servers today and all worked, in one direction, from VPN CLIENT to VPN SERVER.

BUT, whatever I tried, I could NOT access ports/services on my 'connected' VPN client's VPN-assigned IP address FROM the VPN SERVER.

In all cases I used the Windows native client on my Windows 7 PC and I tried various VPN connections to various servers. I tried connecting to a couple of different IPsec L2TP VPN servers and also an SSTP VPN server.

I could access the VPN SERVER and its network from the VPN CLIENT side, but I could never access the VPN client's VPN-assigned IP from the VPN server side, neither with IPsec L2TP nor with SSTP, regardless of all the routing tricks I tried. (See "VPN SSTP windows client can not ping or connect to VPN server but it can talk to every other PC on the local LAN that VPN server is on".)

THE QUESTION:

IS this a PURPOSEFULLY set limitation of the native Windows VPN client to protect VPN users? After banging my head all day I came to this conclusion, since I was not able to load a website or even PING my VPN CLIENT from the VPN SERVER. The other way works fine. My conclusion was that I have to do a Site-to-Site type VPN connection to have a 2-way connection between my Windows PC VPN client and the remote VPN server. I assume that if what I was trying to do did work, then a lot of VPN users of FREE VPN services could be compromised/hacked/exposed etc., so I figured that for security reasons it does not allow communication to the VPN client initiated from the VPN server.

BUT after reading this: https://social.technet.microsoft.com/Forums/en-US/1da6fbe1-5263-4097-b87c-6a58afdd15f8/sstp-vpn-back-connections-possible-?forum=forefrontedgeiag

It's claimed there that you CAN connect TO the VPN CLIENT from the server? So now I'd like a definitive answer from some networks guru.

So I've just edited this question now to be more specific that I'm only concerned with the built-in native Windows VPN client. So, is it possible for a VPN server administrator to 'initiate' a connection and connect to ports on a connected Windows VPN client machine? (The VPN server can be IPsec L2TP or SSTP, but the client has to be a non-server Windows version (Windows 7 Home Premium) using its built-in native Windows VPN client.)

htfree

2 Answers

Basically, a VPN-connected client appears as a "normal" network node, so it should be pingable/reachable.

That said, it really depends on the IPsec policies installed during client/server negotiation. If client/server negotiate a bi-directional policy (and no NAT is applied), the client will be visible.

For example, I had similar configs both with a SafeNet/Juniper (software client/hardware firewall) and an OpenVPN/OpenVPN (client/server) setup. In the first case (SafeNet->Juniper), a bidirectional policy had to be explicitly configured. In the second case (OpenVPN/OpenVPN), it was somewhat implicit due to how OpenVPN works, as it installs a virtual tun/tap interface (note that I had to configure the appropriate routes, but this is another story).

In the end: it really depends on what you use as VPN server and its configuration.

shodanshok
  • True, I haven't tried OpenVPN, because I've been using only the Windows "native" client. But you're saying it's possible then with the Windows native client to connect to an IPsec L2TP server which, let's say, gives it a 192.168.0.50 IP, and then for the administrator on that server to connect to your shared folders on your Windows client PC, or RDP 'into' your Windows 7 Pro/Ultimate VPN 'client'? You mention a "BI-Directional" policy; well, my question was, isn't "Site-to-Site" the only really bi-directional policy? Where could I see such a bidirectional-allowing IPsec L2TP config/policy, do you think? thanks – htfree Apr 18 '15 at 10:57
  • Just found this link http://www.networkworld.com/article/2345146/cisco-subnet/the-trouble-with-ipsec-vpns--part-1.html saying "It is worth noting that the IKE SA negotiated during phase 1 is bidirectional, but IPsec SAs negotiated during phase 2 are unidirectional." but that may be referring to only initial tunnel creation communications, not sure. – htfree Apr 18 '15 at 11:00
  • I don't know if the Windows L2TP server enables true bidirectional capabilities. You should search for some specific documentation about it... – shodanshok Apr 18 '15 at 11:35
  • Yea, great point, I should clarify my question so that it's clear I'm only asking in relation to using the built-in native Windows VPN client connecting to various IPsec L2TP or SSTP servers. – htfree Apr 18 '15 at 19:14
  • thanks, I solved the mystery finally, see my added answer :D – htfree Apr 18 '15 at 23:12
SOLVED!

ANSWER:

DO NOT OVERWORK an entire week long, 16-18 hours a day until 4:30am, and expect your brain to not be FRIED! IT WAS A STUPID WINDOWS FIREWALL ISSUE!!! YES, I "THOUGHT" I had disabled it, but apparently I was too sleepy to have noticed I had only disabled the domain profile and maybe outgoing, but not incoming!

OK, I'm going to try and get some sunlight today; guess the brain needs it??!

To all the sys-admins out there: if it doesn't work, stop banging your head and go partying (or sleep!) a while, come back a bit refreshed and things will work out! :)

htfree
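The check the accepted answer boils down to, as an added example that is not part of the original post: on Windows 7, confirm which firewall profile the VPN adapter landed in and whether inbound is actually off for that profile, and then, rather than disabling the firewall, allow ping and RDP inbound only from the VPN server's address. The address 192.168.0.1 is an assumed VPN-server address; replace it with your own.

```powershell
# Added example; netsh advfirewall is built into Windows 7, so this works without the
# newer NetSecurity PowerShell module. Run from an elevated prompt.

# 1. Which profile (Domain/Private/Public) is active, and on which interfaces?
#    A VPN adapter usually lands in Public/Private, so turning off only the
#    Domain profile (as in the answer above) leaves inbound traffic blocked.
netsh advfirewall monitor show currentprofile

# 2. Inbound/outbound state of every profile. Look at "Firewall Policy", which
#    reads e.g. "BlockInbound,AllowOutbound": outbound works, inbound does not,
#    exactly the one-way behaviour described in the question.
netsh advfirewall show allprofiles state

# 3. Instead of switching the firewall off, scope inbound rules to the VPN server
#    only (192.168.0.1 is an ASSUMED address; use your server's VPN-side address).
netsh advfirewall firewall add rule name="VPN: ICMPv4 echo from VPN server" `
    dir=in action=allow protocol=icmpv4:8,any remoteip=192.168.0.1 profile=any

netsh advfirewall firewall add rule name="VPN: RDP from VPN server" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.0.1 profile=any

# 4. Verify the rules exist and are enabled for the profile the VPN adapter uses.
netsh advfirewall firewall show rule name="VPN: ICMPv4 echo from VPN server"
netsh advfirewall firewall show rule name="VPN: RDP from VPN server"
```

Inbound pings and RDP from any other address on the VPN segment stay blocked, which keeps the protection the questioner was worried about losing while letting the administrator reach the client.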