Problem with VPN over Wireless - Help please!

You might try disabling the firewall in the Belkin and see what happens.

JS

Reply to
Joseph Stewart
Hi

I have had a consultant in at work today setting up our network so that staff can connect to our network from their home PCs. Our office network is linked to an ADSL BT line through a SonicWall TZ170 firewall and an Alcatel router. We installed SonicWall VPN client on my laptop and I managed to connect OK from my laptop using a modem dialup (having disconnected all network cables first). I got on to the network with no problems. Unfortunately, I could not test this on my home wireless connection until I got home.

Guess what: it doesn't work on my wireless connection.

At home, using the same laptop, I tried connecting through my Belkin wireless ADSL router. It seems to connect to our network OK, as I get prompted for a login and password and it tells me it is connected. It then tries to allocate me an IP address but times out. When I looked in the laptop's SonicWall VPN client log, the last entry there is "Failed to renew the IP address for the virtual interface. The semaphore timeout period has expired".

I guess from this that it is trying to allocate me an IP address but my Belkin unit is blocking it. Could this be the firewall in the Belkin? I could be wrong as I am new at this VPN and wireless stuff.

Can anyone advise me what to try?

Regards

Tom

Reply to
Tom

Just to add to the message below, I have just looked in the Belkin firewall security log and it tells me that when I tried to connect to the VPN at work, it generated the message

"**Smurf** 0.0.0.0->> 224.0.0.22,0 (from wireless inbound)"

Regards

Tom

Reply to
Tom

Smurf detection is broken in a lot of cheap firewalls (and on IBM mainframe "NETSTAT DOS").

I had to turn it off in my SMC router. It might be called Denial of Service attack, or broadcast, or something like that.

Reply to
dold

Does it work when you use a wired CAT5 connection to your Belkin router instead of wireless?

The Safenet client that Sonicwall supplies includes some rather verbose logging and diagnostic info. I don't have it loaded on this machine so I can't point to the exact location to check, but I think they were called "log viewer" and "connection monitor". They will tell you at what point your connection is failing.

My guess(tm) is that the consultant wisely limited the IP addresses that are allowed to connect. Is your ISP's IP address in the "allowed" IP address pool on the Sonicwall?

The Sonicwall VPN config includes IP address blocks for the remote VPN and for your local LAN. The LAN side can be a wild card and accept any IP address block. However, both ends cannot be the same class C IP block. For example, you cannot use 192.168.1.xxx for the office, and the same 192.168.1.xxx for your home network. Pick something else like 192.168.111.xxx.

The Safenet client configuration may be "locked" by the administrator. If this was done, you cannot change any of your settings. If this is the case, it's your consultant's job to implement any config changes.

The purpose of a VPN is to assign an IP address to your machine that appears through a tunnel on the same class C IP address block as the office LAN. When you tested it in the office, there was no need to assign an address through a tunnel because you were already on the office LAN. However, when you tried it at home, you now have a tunnel and a different IP address. Testing it in the office is not even close to a proper test as the tunnel wasn't tested. I usually hang a temporary NAT router on the office LAN and assign the LAN side to something off the wall like 10.0.0.xxx. If the office LAN is running on 192.168.1.xxx, and if the configuration can give me an IP address in the 192.168.1.xxx block, then it's working. You can check your assigned IP addresses with:

Start -> Run -> cmd
ipconfig

You should have TWO IP addresses. One is the normal NAT IP address assigned by your Belkin router. The other is the one that is coming from the VPN. 169.254.xxx.xxx means DHCP has failed.

Anyway, inspect the logging and diagnostics. It should give you a clue where it's failing. A one-line excerpt doesn't tell me where it failed.

Well, it might be that the DHCP server on whichever box is playing DHCP server in the office has found some reason to NOT assign an IP address to your client. It might be out of IPs, it might have a restricted IP address pool, it might be failing authentication, etc. Which box is playing DHCP server?

Incidentally, if you have a very long DHCP lease time, it's possible that the laptop still thinks it owns the IP address that was assigned in the office. If it tried to renew it when it connected to the VPN, it might be expected to fail if the server assigned the IP address to another client. Try the usual:

ipconfig /release
(wait about 10 seconds)
ipconfig /renew

Well, take the wireless out of the picture and try a direct LAN connection to your Belkin. I don't think it's the Belkin. You can verify it if you bypass the Belkin and connect your laptop directly to your DSL or cable modem. However, please be sure that you have a functional firewall on your laptop before trying this.

Reply to
Jeff Liebermann

Tom,

I have a Sonicwall 3060 and use the VPN client.

In the Sonicwall client you need to set NAT Traversal to disabled. If you have a Belkin 7632 you may also need to disable the firewall because the 7632 crashes with VPN clients. The 7633 works fine (I have both).

Make sure that you aren't using the same range of IP addresses on your home LAN as your work LAN. They MUST be different, i.e. if your work LAN is 192.168.1.x with a mask of 255.255.255.0 then set your home LAN to something different, like 192.168.20.x/255.255.255.0

Hope that helps.

Ed.

Reply to
eddie_wood
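
The checks suggested in the two replies above (home and office LANs must not share a range; a 169.254.x.x address in ipconfig means DHCP failed), as an added example that is not part of the original thread. The sample ipconfig output is constructed, and "VPN Virtual Adapter" is a hypothetical name for the client's virtual interface.

```python
import ipaddress
import re

# Windows self-assigns from this range when no DHCP answer arrives.
APIPA = ipaddress.ip_network("169.254.0.0/16")

def lans_conflict(home_lan, office_lan):
    """True if the two LAN ranges overlap, so office traffic never enters the tunnel."""
    home = ipaddress.ip_network(home_lan, strict=False)
    office = ipaddress.ip_network(office_lan, strict=False)
    return home.overlaps(office)

def parse_ipconfig(text):
    """Return {adapter name: IPv4 address} from ipconfig-style output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")   # unindented "...adapter X:" header
            continue
        m = re.search(r"IP(?:v4)? Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            adapters[current] = ipaddress.ip_address(m.group(1))
    return adapters

def diagnose(ipconfig_text, office_lan, vpn_adapter):
    """List the problems the replies describe, one finding per adapter."""
    office = ipaddress.ip_network(office_lan, strict=False)
    findings = []
    for name, addr in parse_ipconfig(ipconfig_text).items():
        if addr in APIPA:
            findings.append(f"{name}: {addr} is self-assigned, DHCP failed")
        elif name != vpn_adapter and addr in office:
            findings.append(f"{name}: {addr} is inside office LAN {office}")
    return findings

# Constructed sample: home LAN left at the same range as the office.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter VPN Virtual Adapter:

        Autoconfiguration IP Address. . . : 169.254.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "192.168.1.0/24", "Ethernet adapter VPN Virtual Adapter"):
        print(finding)
```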

Hmmm... no response from the original poster in two weeks...

Did you install the VPN client _after_ the wireless connection? It is supposed to bind to new network devices, but I found that the Sonicwall client needed to be reinstalled after I added a new wireless card. My connection at the time was an SMC wired router, using a Linksys BEFW11S4 only as a WAP.

That was a problem for us as well. Our office network was 192.168.0, so the home network had to be something else. That caught several people who left their home systems at the default.

I don't agree with that. The VPN client will pick up a new address, and you will not be able to communicate on the old address, even though an ipconfig will show both.

I currently connect to a Nortel VPN. I can connect inside the office or outside. The VPN does work inside, and that is a standard test when setting up new laptops. You can tell that you are on a VPN and not the local network because of different security settings.

Reply to
dold
