VPN and Windows XP

[Joemonkey]

Searched the forum, couldn't find anything quite like my question.

I have 3 friends who all live together and share cable modem on 3 computers through a linksys router.

I myself have DSL and I am also behind a linksys router.

We are all using Windows XP Pro

We want me to be able to VPN in and play games and share files as though I were on the LAN with them.

One of my friends set up a VPN server, and I set up a VPN client. I am able to connect, view his computer's shared files, and play games using LAN options, but the other 2 friends can't see my shared files, nor games created by me.

Anyone come across anything like this before? Any help would be much appreciated.

 

[El Norm]

BUMP for this guy, i am trying to do the same thing with no luck, i can connect to two people max with windows XP (one person logs on to me as me the server and then i log on to someone else as a client). anyone have any idea on how to get a bigger VPN so more people can be on the network?

 

[Saltin]

When you VPN in, how is the IP info for your friends network being assigned to you? Is the VPN service doing it, or is it DHCP? I'm wondering if anything is..... it sounds like you dont have the right IP/mask/gateway.

Connect in and issue an ipconfig/all at the command line, copy and paste the info here please.

 

[Joemonkey]

Windows IP Configuration

Host Name . . . . . . . . . . . . : joemonkey
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : dsl-verizon.net
Description . . . . . . . . . . . : 3Com EtherLink 10/100 PCI TX NIC (3C
905B-TX)
Physical Address. . . . . . . . . : 00-10-4B-09-9B-E9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 4.2.2.1
4.2.2.2
4.2.2.3
Lease Obtained. . . . . . . . . . : Thursday, June 27, 2002 7:14:00 AM
Lease Expires . . . . . . . . . . : Friday, June 28, 2002 7:14:00 AM

PPP adapter Shadowspiral:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.102
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\Joey>


The only weird things that I can think of are:

1. both of our routers are using 192.168.1.1 as their internal IP

2. when I VPN in, my subnet mask is 255.255.255.255 when the people on the subnet I vpn into is 255.255.255.0

3. DHCP is not enabled when I am on their network... but i'm pretty sure it's enabled on their router

Saltin help!

[edit] couple more things i thought of... when i am on their network via vpn, if i tell them my IP over an instant messenger, they can ping it, but can't see me in the network neighborhood or browse my shares[/edit]

 

[ThePanda]

I'm trying to set up a VPN connection too (in XP) and it tells me this when I try to connect 2 client computers: "Because another connection of your type is in use, you cannot connect" or something like that. I can only get one computer to connect at a time. Why is this?

 

[Joemonkey]

Seems like more and more people are having trouble with their VPN connections they are trying to create for non-business use. If no one here can help w/ all the problems, could they maybe recommend another set of forums that would maybe be more helpful? I would hate to go somewhere else, AT has always had my answers...

 

[Saltin]

1. both of our routers are using 192.168.1.1 as their internal IP

That sounds like trouble to me. By default, a Windows XP VPN connectoid is set to "Use the Default gateway on the Remote network". This is a security setting and is enabled to ensure your computer does not become a gateway into the remote network from the internet. It is also responsible for you not being able to access internet resources on your machine while connected to the VPN.
The fact that your Default Gateway and the remote Default Gateway have the same IP could be troublesome. Your box may not know where to send packets.

Having a 255.255.255.255 subnet address is normal.

Is it possible for you to change your network settings?

 

[El Norm]

I get the same problem as THEPANDA, seems windows only supports 3 incomming connections but they all have to be diffrent, so 1 vpn, 1 modem dial-in and there was one more that i forgot what it was. But what i am really looking for is a software that is compatible with standard windows VPN and can serve more then one incomming VPN connection at a time so that i can get a bunch of people connect via VPN and have a VPN "LAN" party going. we used to have real lan parties alot before but it just gets to be a real hassle dragging your computer to someones house, VPN would be a great solution.

 

[Joemonkey]

OK so I changed my router's IP to 192.168.1.10 and they kept theirs as 192.168.1.1

so I have my VPN connection set to use the following address as my DNS server: 192.168.1.1 OR should I have it set it to their REAL IP address?

I also have the Use default gateway on remote network box unchecked... seemed like when i checked it i had no internet access while the VPN was going

 

[FUBAR]

Having your internal gateway as the same as everyone else's is NOT the problem, I would guess that your subnet is.

When you vpn in you get a new IP for that connection which is what the connection to the server and the others on the server uses to communicate to you. Saying that your gateways is causing an issue is like saying that since my pc is at 192.168.0.3 right now I can't deal with anyone in the world that is at that IP... it's all private, and doesn't go past your local NAT hop... but it is confusing to look at nonetheless. You should have your VPN server change the addresses they use... try one of the other private ranges, like 10.x.x.x or the 172 one, I can never remember what it is.

Your subnet of 255.255.255.255 (or /32) should mean that your IP is the only one that you can talk to. There must be a loophole in (MS?) VPN to let you get to the server tho. if it was 255.255.255.254 (/31) you would be able to see one other address, /31 = 4... ad nauseum. The people with 255.255.255.0 (/24) seems more normal for a LAN situation.

 

[Saltin]

The 255.255.255.255 subnet is likely the correct subnet. I havent seen a VPN that doesnt use it (though they may exsist).

Whenever a mask of /32 is applied to a route in the routing table, it means that a packet will only be routed to the destination in question if the destination IP address in the header is an exact match of the destination IP. A 0.0.0.0 netmask is used for the default route, which means that none of the bits must match. For host routes, a route that matches an IP address, a 255.255.255.255 netmask is used.

That's the way I understand it anyhow. Please correct me if I am wrong.

Assuming this is correct, that is exactly the setup you want for a VPN. The connection to the VPN server is a direct connection. It is a host route. Host routes have masks of 255.255.255.255

 

[Joemonkey]

Well, I changed my router's internal IP to 192.168.1.10, made myself the DMZ, and my IP is 192.168.1.20

My friend kept his router at 192.168.1.1 and their IP's start at 192.168.1.100 so there isn't really any way we can have conflicting IP addresses on our internal networks. He also set the VPN server computer as the DMZ.

And we are back to the same spot we were before... I can connect fine, browse his computer, ping other people on his network, they can ping me, but we can't see each other.

 

[wlee]

The best solution for your guys is to get VPN Routers on each end. I've been using the new Linksys BEFSX41 boxes between home and work for a few days now. It seems to work fine for file transfer,etc., but even with NetBIOS forwarding enabled, visual browsing via "My Network Places" is flakey. Sometimes it works, then the remote machines just disappear, though you can still ping, resolve names and connect to shares. ( e.g., \\server\stuff ) I think this is a prob on just about all VPN connections though, since NetBIOS really doesn't like to cross subnets. You might also look into the DLINK DI-804v boxes. They only cost a little more$$$ than the Linksys, but have a DYDNS CLient built in.

 

[Hermann]

I think getting away from MS VPN is the best solution as you don't know what artifical restrictions have been inbedded in the OS to generate revenue. Short of that, I had to set up a LMSTATS file to get name resolution across our vpn. Don't know if that will help you but is pretty easy. Do a seach for that file on your harddrive, you'll find a sample. The other problem I had was with RRAS on the server wasn't set for VPN. If you are not running server on one of the boxes, it may be limiting you to the single connection and not linking you to the network. Also, we had trouble with ours when we were on the same subnet. we are now on different ip sets, 10.0.10.0 and 10.0.0.0. This solved some of our problems. Aldo, when MS moved to WIN2K and all of the DNS server stuff, it got more complicated. MS KNowlege base seems to have a lot of info but most is way over my head so don't know actual usefulness. Hope some of this helps!

 

[denpgeorge]

hey,
ive been having the exact same problems as joemonkey, and have been trying to figure this out for a while. i did some extensive searching for any information i could find on getting this to work, and i think i have now. I think the key is in the routing table.

http://www.tnz.co.nz/winroute/Servertoserver.htm
That link is an example setup between two lans, server to server. In my case I only need to connect one computer into another lan. But i believe the information is all there if you can understand it. It includes detailed instructions on how they did it, plus a well made diagram. Then they go on to tell you how you can do it much easier using their software as well.

anyways, the way i did it, is fairly similiar to theirs but not exactly the same. plus i dont have everything working yet like i want it. so id like to describe what i have done so far anyways:

i have a lan setup using winxp ics at home. i have a client set up at the office which is part of a lan, all set up behind a router. all the computers are winxp pro. i want the client to be able to see all the computers on the lan at home, use sharing, all that. i found that you cant change the ip range given by winxp ics from 192.168.0.x, which is a shame. this used to be doable in win98. luckily the office is not set up with ics, so i changed the range on the router to 192.168.1.x. i think the ranges necessarily have to be different on the two networks. someone tell me if im wrong.

so i setup vpn on the xp ics computer at home and on the client at the office. i want the client to be able to access the internet while connected, and am not worried about any "security" issues involved with this. so i unchecked "Use default gateway on remote network" on the client side. the vpn server is setup to "allow callers access to local network" and has the range 10.0.0.1-10.0.0.2. meaning the server gets the address 10.0.0.1 and client 10.0.0.2. so i connect, and it all works just like joemonkey's does. i can ping the xp ics computer at home at 10.0.0.1, type in \\10.0.0.1 and access all its shares. great, but i cant ping any address with 192.168.0.x or get to any of the other computers on the lan at home.

on the client computer, i added a route for all 192.168.0.x addresses to go thru the vpn client address 10.0.0.2. i typed "route add -p 192.168.0.0 mask 255.255.255.0 10.0.0.2". now, i can ping all the computers on my lan at home at 192.168.0.x and access all their shares with \\192.168.0.x . name resolution doesnt work, and i know i can set up an LMHOSTS file for that. kind of annoying though. so my question is this:

doesnt windows networking use some sort of broadcast address for peer-to-peer networking, and name resolution is passed around like that? im probably totally off, but thats how i understood it. so im thinking there should be a way to route those broadcasts also right? im not exactly sure how to go about doing that, but i will be searching for more information. also, i think other programs such as lan games use broadcasts as well, which is what this topic was for in the first place. i dont have any games here to try with, but im curious to know if they will work the way i have it now, or if theres more i need to do.

if anyone has any information to help me out, or if anyone found any of this information i gave to be useful, please let me know.

thanks!

 

[denpgeorge]

ive looked around alot on the problem of not being able to browse the lan. most of the solutions ive found involve setting up a WINS server, which i definately dont feel like doing. but ive found an article with troubleshooting steps for VPN connections. towards the bottom there is a section "Client can log on but can't browse the LAN". they list 3 items as troubleshooting steps. item 3 states that installing NetBEUI is the easiest quick fix for this problem, and thats what im going to try now. i will update with any successes i have. the thing is, ive got tcp/ip and ipx w/ netbios both working on the vpn connection. so shouldnt ipx and netbios do some name resolution for me? little confused on that.

also looking at item 2, im unclear on whether this is what ive already done or not, or if there is another route i could add...? could anyone please clarify what exactly is being said there?

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=8290&pg=2

thanks!

 

[denpgeorge]

alright, well i installed NetBEUI on the vpn server and client, but when the client connects, it just doesnt seem to want to negotiate that protocol. i cant figure it out.

also, i have tried a lan game to see if it works, it didnt. adding that route to the routing table did allow for me to ping all the computers on the lan from the client, and open their shares, but thats it. lan games and NetBIOS resolution still dont work. i still think it has to do with the broadcast address, but i dont know enough about it or how lan games talk to each other. its different from game to game, and some games like counterstrike you can set up a server, but this one you cant. i looked thru any settings i could find in the game... and the only thing i could find was what port it communicated on, which it was set to 6112. is there just no hope for making this work?

does anyone remember a program called Kali? it was for playing lan games that use ipx over the internet. im curious how it worked though.

 

[Saltin]

NetBEUI isnt going to do squat for you. Uninstall it.

If you're convinced the probelm is netbios related (and I'm not b/c the machines are all XP) why not just build an LMHOSTS file? There are only a few computers after all.

While the browser service still relies ultimately on NetBIOS, LMHOSTS will do the same thing.

 

[denpgeorge]

I agree that its not a very big deal to make an LMHOSTS file. I also agree that NetBEUI is useless, just thought maybe it could be a quick fix for the lazy.

You said youre not convinved the problem is netbios related because the machines are all XP? Im just wondering what you meant by that, or if you were only implying that an LMHOSTS file would solve the problem.

I was sure that if there is no WINS server available, netbios is used between the computers for name resolution and that this is all done with broadcasts. The whole browse master election process... is this not how it works anymore in xp? What i want to know is whether netbios is not working over the vpn connection because its broadcasts are not being routed or not. To me it seems like if that were the problem, that might also be the reason lan games dont work. It only makes sense that they would use broadcasts as well.

Im not exactly dieing to get netbios working here... im just trying to satisfy my curiousity for why why why.

 

[bbqweed]

first off...if you guys are both running Dynamic connection, then it will be a pain to set up VPN...simply because your IP's can randomly cahange at any moment and the programs would have to adjust for it. Also, behind a router you need port 500, 47, and 1723 forwarded for IPSEC (i beleive those are the ports). Anyhow...to do it dynamically, you might need a DYNAMIC VPN client where the endpoin IP does not matter for your connection...the only thing is..., you will still have to change setting for the remote end whenever needed.

Try ipsec.com and download the SSH dynamic VPN client...it's free....

 

[Joemonkey]

Thanks for all the replies... the SSH thing is a little complicated for me, so unless someone feels like walking me step by step on how we need to set it up on server and client side, it's out.

denpgeorge thanks for the link, we thought it would help but didn't change a thing...

We're assuming our routers are not allowing something through as of right now... running out of things to try

 

[FUBAR]

for bbqweed, that's PROTOCOL 47, not port 47