VPN Connection Problem

Hello!

I'm not sure if my problem belongs here.
I upgraded from CPF 2 to version 3 and now I can't use my university's VPN connection.
With version 2 I had no problems.
The strange thing is that I can establish a connection. Ping also works, but opening URLs or checking mail doesn't work.
CPF doesn't show any blocking alert, although I have the setting at "very high".
Even when I disable the firewall I can't use the VPN connection; it only works when I uninstall CPF.
I don't know what the problem is.

Another thing is that chkdsk /f isn't working anymore. I don't know if it's CPF's fault. Anyway, it doesn't belong here.

!ot! OpenVPN FTW! SCNR… but MS's idea of VPNs is a sad joke wrt usability. >:( :-TD

Hi Philee,

I split your question off into a separate topic. Your setup is likely to be very different, and I want to keep the chance of things getting confused to a reasonable minimum. VPNs can be confusing enough, all by themselves.

First question, is there anything in your CFP log?

When you make the VPN connection, what does an “ipconfig /all” show? Do the addresses for the VPN shown by the ipconfig match the CFP rules?

Thanks grue155!

I added the rules as in this thread, but no change. I allowed the range 131.130.0.0-131.130.255.255.
I also tried your tips from here.

This is what ipconfig /all shows me:

PPP adapter xDSL:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-xx-xx-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 85.127.xxx.xxx
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 85.127.xxx.xxx
        DNS Servers . . . . . . . . . . . : 195.58.xxx.xxx
                                            195.58.xxx.xxx

PPP adapter VPN Univie:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-xx-xx-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 131.130.110.xxx
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 131.130.110.xxx
        DNS Servers . . . . . . . . . . . : 131.130.1.xxx
                                            131.130.1.xxx

The server IP address I'm connecting to is: 131.130.253.xxx

Thanks for your help!
Kind regards

This is unusual:

PPP adapter VPN Univie:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-xx-xx-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 131.130.110.xxx
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 131.130.110.xxx
    DNS Servers . . . . . . . . . . . : 131.130.1.xxx
                                        131.130.1.xxx

A subnet mask of 255.255.255.255 makes sense for a point-to-point connection, but not for a VPN. It means that your machine and the host you are connecting to have the same IP address. That's normal for a classic dial-up style telephone connection. But very unusual for a VPN. For a VPN that looks like a LAN, your mask is likely to be 255.255.255.0 or 255.255.0.0.

Is this a PPTP connection? That usually is a DHCP connection, and yours is marked no DHCP. Just to be sure, check the Network Connections list (Start → Control Panel, then right-click on Network Connections, and select Open).
Find the line for your VPN connection, and see what the Device Name says.

If you’re not sure, you can post a screenshot of the Network Connections window here.

Thanks for your help!

To use the Internet I first need to establish a connection to my ISP. Apparently it's VPN (PPTP).
It's a DSL connection (called xDSL here).
When I want to use my UNI's VPN, I establish a connection through my ISP connection.

http://www7.picfront.org/picture/q0ssJjLf/thb/VPN_univie.jpg

Here is a screenshot of my network connections:

http://www7.picfront.org/picture/V8p9aQHPc/thb/network_connections.jpg

I always had problems using the VPN, because my UNI only offered to connect with the Cisco client. But the Cisco client didn't work for me, neither with nor without CPF. I could only connect, but not use it.
Since they also offer to connect through MS-VPN it’s working for me, too. But not with CPF 3, only 2.

I hope I make myself clear.

There are different kinds of VPNs. The one that is showing in your Network Connections is the L2TP/IPSec style connection. A PPTP connection is not compatible, as it uses an entirely different protocol to make connections.

If the Uni has offered a Cisco client software package, it is probably tailored to the Uni environment, and so is probably the only connection method available.

Since they also offer to connect through MS-VPN it's working for me, too. But not with CPF 3, only 2.

Since Uni apparently does offer a PPTP connection, you should be able to use it with CFP v3. Looking at your Network Connections, it is using the address space 10.0.0.x, and not the 131.130.x.x space. That means there is a mismatch in settings to be resolved.

On the Network Connections window, for your xDSL VPN connection, right-click the xDSL name, and select Properties. Then go to the Networking tab, and highlight "Internet Protocol (TCP/IP)" and click Properties. This will show how you are to get address assignments through the VPN. Can you give me a screenshot of this Properties tab?

The strange thing is that without CFP 3 or with CFP 2 everything works without changing anything.
Here’s the screen from the xDSL properties:

http://www7.picfront.org/picture/LCwB8hLLeU/thb/xDSL.jpg

More and more interesting. Your xDSL properties are using yet another IP address range, in the 195.58.x.x range.

Can you run the CFP Config Reporting Script, for just the firewall rules, and post the report here? The Reporting Script is in one of the sticky topics at the top of the forum page.

The script can report everything about your CFP configuration, and in considerable detail. I'm just interested in that part of the report about the firewall. You can clear all of the report checkboxes, and then mark just the box for the firewall settings.

When the script completes, it will open Notepad with a report. You can save that report as a file, and attach that file with your posting.

Okay, here’s the report

[attachment deleted by admin]

It looks like your CFP network zones and Global Rules are not meshing at all with your Windows network connections. That means some major restructuring of your CFP ruleset.

To do that restructuring, I need to make sure that I understand how you are making your connections. What I understand you to be using, is like this:

  1. You connect with a DSL connection to your ISP. This connection gives you a dynamic address on the Internet.

  2. After you are connected to the Internet, you then open a Windows Network Connection to Uni that is a PPTP connection. You connect to the Uni server that is accessible to the Internet, in the 131.130.x.x space.

  3. The Uni PPTP connection server assigns your PPTP connection a VPN address. This VPN address is in the 10.x.x.x space.

  4. Once your VPN is connected, all is good. You can do what work you need to do.

  5. You disconnect the VPN when you get done.

  6. Eventually you disconnect DSL connection to your ISP.

Is that mostly correct?

  1. right
  2. maybe right, I don't know if it's a PPTP connection. In the network connections list, it states L2TP
  3. wrong, 10.0.0.x is the ISP server I'm connecting to, to establish an Internet connection.
    When the connection is established I have a dynamic address in the 85.127.x.x range.
  4. I can normally connect to my UNI's VPN. I just can't use it. So, no browsing, e-mail checking, … But when I ping a site, I get the IP address with the response times
  5. right, I only need the VPN to get entry to educational resources
  6. right, when I'm totally done or when I want a new IP address

edit: Maybe I should also mention that I’m using Homeplug Adapters to bridge the distance from the router to the PC/Laptop. But that shouldn’t influence this.
The router’s address is 10.0.xx.x

2nd edit: edited 2)

I’m a little bit confused here. Not an unusual occurrence, however.

The 10.x.x.x address space is a private IP address space. It isn't Internet accessible. ISPs will use it on their internal network. Particularly those ISPs that use cable modems. DSL connections are almost always straight-through connections. It's how the technology works.

So I’ll need to clarify how you connect to your ISP. Is it like this:

Internet -------- modem ---------YourPC

or like this

Internet -------- modem ------- NAT/router --------- YourPC

Can you tell me the make and model of your modem? I can check details on the web, and that will likely clear things up for me about what is connecting and how it is done.

I’ve worked up an outline for a VPN ruleset that CFP should use. I may need to change it some, depending on the connection details.

The Uni server that you connect to is univpn.univie.ac.at? That is what was in your screenshot earlier.

I connect like this:
PC ----------- Homeplug Adapter (Netgear XE104) --------- Router (Zyxel Prestige 650H) -------- Internet

The Router isn’t configurable. It’s password protected and the ISP doesn’t share the password.

The UNI VPN server I connect to is univpn.univie.ac.at. I also have another VPN connection from my 2nd university that doesn’t work. But I think it will be resolved once this one works.

Thank you. The ZyXel hardware is really very good hardware. I have worked with it before.

I think I understand now how you are connecting, if the ZyXel is configured as a bridge endpoint in a private network for the ISP. The actual routing detail is something the ISP takes care of. The result is that you get an actual straight-through Internet connection with no intervening NAT/firewall that the ZyXel would normally provide. Your earlier "ipconfig /all" would seem to support that understanding.

What that means is that the 10.x.x.x ISP address isn't really relevant to your configuration. It's something the ISP takes care of, and should be invisible to your operation.

The one detail missing, is the address space of the Uni PPTP VPN once the connection is made. Probably something in a private address space, but it could be in the Uni address space. It will take connecting at least once to find out.

To get that connection, here’s a ruleset for you. These rules need to be added to your Global Rules, and need to be the very first rules at the top of the Global Rules list.

  1. Allow UDP In&Out from any to singleIP[255.255.255.255] where srcport is any and destport is range[67-68]
  2. Allow IP In&Out from zone[UniVPN] to zone[UniVPN] where protocol is any
  3. Allow IP In&Out from zone[UniVPN] to zone[Multicast] where protocol is any

where these rules make use of two CFP network zones.

The first zone, UniVPN, is something of an unknown. As a guess, I would have this network zone contain these 4 address spaces:

the Uni space of 131.130.0.0 mask 255.255.0.0
the private space 10.0.0.0 mask 255.0.0.0
the private space 172.16.0.0 mask 255.240.0.0
the private space 192.168.0.0 mask 255.255.0.0

Which of those address spaces is actually in use can be determined with an "ipconfig /all" once the VPN connection is made and working.

The second zone, Multicast, is the special address space 224.0.0.0 mask 240.0.0.0. This gets used by routing protocols and other special services.

Once these rules are in place, you should be able to go to your Windows Network Connections, and right-click your xDSL and select Connect, and get connected to the Uni VPN server.
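The check grue155 keeps coming back to (do the addresses that "ipconfig /all" reports fall inside the CFP zones, and what do the proposed Global Rules then allow) can be done mechanically. The script below is an added example, not part of the thread and not Comodo's code. It parses a Windows "ipconfig /all" dump with either English or German XP labels, reports which of the four proposed zone networks each adapter's address lands in, flags the /32 point-to-point masks, and evaluates the three proposed Global Rules (simplified to first match) against a few sample flows. The ipconfig text is constructed after the poster's output, with the masked octets replaced by made-up values.

```python
"""Match an 'ipconfig /all' dump against firewall network zones and rules.

Added example, not from the thread and not Comodo's code. Zones and the three
Global Rules are the ones proposed in the post above; rule evaluation is
simplified to first match. The ipconfig text is constructed after the poster's
output, with the masked octets replaced by made-up values; one adapter uses
English labels and one German so that both locales are exercised.
"""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
PPP adapter xDSL:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 85.127.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 85.127.230.1
        DNS Servers . . . . . . . . . . . : 195.58.160.194
                                            195.58.161.122

PPP-Adapter VPN Univie:

        Beschreibung. . . . . . . . . . . : WAN (PPP/SLIP) Interface
        DHCP aktiviert. . . . . . . . . . : Nein
        IP-Adresse. . . . . . . . . . . . : 131.130.110.77
        Subnetzmaske. . . . . . . . . . . : 255.255.255.255
        Standardgateway . . . . . . . . . : 131.130.110.77
        DNS-Server. . . . . . . . . . . . : 131.130.1.11
                                            131.130.1.12
"""

# The two network zones from the post: UniVPN is a guess covering the Uni
# space plus all three RFC 1918 ranges; Multicast is 224.0.0.0/4.
ZONES = {
    "UniVPN": [ipaddress.ip_network(n) for n in
               ("131.130.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "Multicast": [ipaddress.ip_network("224.0.0.0/4")],
}

_ADAPTER = re.compile(r"^(\S.*):\s*$")            # unindented "name:" line
_FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(\S.*)?$")  # "   Label . . . : value"
_KEYS = {  # English and German XP labels -> canonical key
    "IP Address": "ip", "IP-Adresse": "ip",
    "Subnet Mask": "mask", "Subnetzmaske": "mask",
    "Default Gateway": "gateway", "Standardgateway": "gateway",
    "DNS Servers": "dns", "DNS-Server": "dns",
}


def parse_ipconfig(text):
    """Return {adapter_name: {"ip", "mask", "gateway", "dns": [...]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"dns": []})
            continue
        if current is None or not line.strip():
            continue
        m = _FIELD.match(line)
        if m:
            key = _KEYS.get(m.group(1).strip())
            value = (m.group(2) or "").strip()
            last_key = key
            if key == "dns":
                current["dns"].append(value)
            elif key:
                current[key] = value
        elif last_key == "dns":
            current["dns"].append(line.strip())  # second DNS server, no label
    return adapters


def zone_of(addr):
    """Name of the first zone containing addr, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return None


def audit(adapters):
    """Per adapter: its zone, whether the mask is a /32 (PPP point-to-point,
    so the mask says nothing about reachable hosts) and the zone of each
    DNS server, which must also be reachable through the rules."""
    return {
        name: {
            "zone": zone_of(a["ip"]),
            "point_to_point": a.get("mask") == "255.255.255.255",
            "dns_zones": [zone_of(d) for d in a["dns"]],
        }
        for name, a in adapters.items() if "ip" in a
    }


# (action, protocol, source scope, destination scope, destination port range)
RULES = [
    ("allow", "udp", "any", "255.255.255.255", (67, 68)),   # DHCP broadcast
    ("allow", "ip", "UniVPN", "UniVPN", None),
    ("allow", "ip", "UniVPN", "Multicast", None),
]


def _in_scope(addr, scope):
    if scope == "any":
        return True
    if scope in ZONES:
        return zone_of(addr) == scope
    return addr == scope  # a single literal address


def global_rule_decision(src, dst, proto, dport=None):
    """First-match evaluation of RULES. None means no rule matched and the
    packet falls through to whatever rules follow in the list."""
    for action, rproto, rsrc, rdst, ports in RULES:
        if rproto != "ip" and rproto != proto:
            continue
        if not _in_scope(src, rsrc) or not _in_scope(dst, rdst):
            continue
        if ports and not (ports[0] <= (dport or 0) <= ports[1]):
            continue
        return action
    return None


if __name__ == "__main__":
    for name, info in audit(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(name, info)
    print("VPN DNS query:", global_rule_decision("131.130.110.77", "131.130.1.11", "udp", 53))
    print("IKE to Uni server:", global_rule_decision("85.127.10.20", "131.130.253.5", "udp", 500))
```

Two things the run makes visible. The VPN adapter's address and both of its DNS servers sit in the UniVPN zone, so the post's rules cover the traffic inside the tunnel. The tunnel's own setup traffic does not: for L2TP/IPsec that is IKE on UDP 500 (UDP 4500 behind NAT) plus ESP, for PPTP it is TCP 1723 plus GRE, and it leaves from the xDSL address, which is in no zone, so it falls through these three rules to whatever comes after them.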

I added your rules and still no change.

But now I unchecked “Block Fragmented IP datagrams” and everything works!! :BNC
Silly me, why didn’t I try that earlier.
But why aren’t any blocks (fragmented IPs) listed in the Firewall Events?
Is it secure to uncheck that option?

Thanks for your help and sorry for stealing your time!

Good to hear that it is working!

And thank you for finding that the “fragmented IP datagrams” was a problem. I missed that one. The fragmented IP packets aren’t a security problem, but more of a traffic volume problem. Big packets get broken up into little packets, which have to be sorted into proper order before being processed. If you get a lot of little packets, it can be a lot of sorting and re-arranging to get the original big packet.

Now that the VPN is working, those CFP rules that I gave in my earlier post need to be streamlined a bit. Particularly in the address space for the UniVPN network zone.

When you have a working VPN connection, can you post the result of “ipconfig /all”? That will show the VPN address assigned to your connection, and its network mask. Then it is a change to the CFP settings to match those VPN settings.
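The symptom in this thread (ping works, browsing and mail do not, and unchecking "Block Fragmented IP datagrams" fixes it) is the usual signature of large tunnelled packets being fragmented on the outer link and the fragments then being dropped: a 32-byte echo never needs fragmenting, a full-size TCP segment does. The following is an added example, not from the thread and not Comodo's code, that models exactly that: IPv4 fragmentation of the outer packet, a strict reassembler of the kind a fragment filter implements (it rejects overlap and gaps, which are the evasions such filters exist to stop), and the delivery outcome for a small echo versus a full-size segment with the filter on and off. The link MTU and the per-packet tunnel overhead are assumptions chosen for illustration, not values from the thread.

```python
"""Why a tunnel can pass ping yet fail for web and mail when fragments are
dropped, and what a fragment filter is guarding against.

Added example, not from the thread and not Comodo's code. OUTER_MTU and
TUNNEL_OVERHEAD are assumptions for illustration (a PPPoE DSL link and
roughly the L2TP/IPsec encapsulation cost); real values depend on the link
and the cipher suite and should be measured rather than assumed.
"""
IP_HDR = 20
OUTER_MTU = 1492          # assumption: PPPoE DSL link
TUNNEL_OVERHEAD = 100     # assumption: PPP + L2TP + UDP + ESP + outer IP, approx.


def fragment(total_len, mtu, ident=1):
    """Split an IPv4 datagram of total_len bytes (header included) into the
    fragments a router emits for link MTU `mtu`. Each fragment is
    (ident, offset_in_8_byte_units, more_fragments, payload_len); every
    non-final fragment carries a multiple of 8 payload bytes."""
    payload = total_len - IP_HDR
    if total_len <= mtu:
        return [(ident, 0, False, payload)]
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(per_frag, payload - offset)
        more = offset + size < payload
        frags.append((ident, offset // 8, more, size))
        offset += size
    return frags


def reassemble(frags):
    """Strict reassembly: returns the payload length if the fragments form
    exactly one datagram with no gaps and no overlap, else raises ValueError.
    Overlapping fragments are what a filter treats as hostile: the classic
    evasion is to overlap so the host and the inspector see different bytes."""
    frags = sorted(frags, key=lambda f: f[1])
    if len({f[0] for f in frags}) != 1:
        raise ValueError("fragments from more than one datagram")
    expected = 0
    for i, (_, off8, more, size) in enumerate(frags):
        start = off8 * 8
        if start < expected:
            raise ValueError(f"overlap at byte {start}")
        if start > expected:
            raise ValueError(f"gap before byte {start}")
        if more and size % 8:
            raise ValueError("non-final fragment not a multiple of 8 bytes")
        if more != (i < len(frags) - 1):
            raise ValueError("more-fragments flag inconsistent with position")
        expected = start + size
    return expected


def accepts(frags):
    """True if strict reassembly accepts the fragment set."""
    try:
        reassemble(frags)
        return True
    except ValueError:
        return False


def tunnel_delivery(inner_len, block_fragments, mtu=OUTER_MTU, overhead=TUNNEL_OVERHEAD):
    """Outcome for an inner packet of inner_len bytes sent through the tunnel:
    (delivered, number_of_outer_fragments). With block_fragments the pieces
    of any fragmented outer packet are dropped and it never reassembles."""
    outer = fragment(inner_len + overhead, mtu)
    if block_fragments and len(outer) > 1:
        return False, len(outer)
    return reassemble(outer) == inner_len + overhead - IP_HDR, len(outer)


def max_inner_without_fragments(mtu=OUTER_MTU, overhead=TUNNEL_OVERHEAD):
    """Largest inner packet that crosses the tunnel in one outer packet; the
    tunnel interface MTU (and TCP MSS, 40 bytes less) should not exceed it."""
    return mtu - overhead


if __name__ == "__main__":
    echo = 20 + 8 + 32                      # IP + ICMP + default ping payload
    full_tcp = 1500                         # full Ethernet-size segment
    for blocked in (True, False):
        print("block fragments:", blocked,
              "ping:", tunnel_delivery(echo, blocked),
              "tcp:", tunnel_delivery(full_tcp, blocked))
    print("largest unfragmented inner packet:", max_inner_without_fragments())
```

Rather than accepting all fragments unfiltered, the practitioner's fix is to keep them from arising: measure the real outer MTU (on Windows, `ping -f -l <size> <host>` sets the Don't Fragment bit and fails once the size is too large) and lower the tunnel interface MTU, or clamp the TCP MSS, to the value max_inner_without_fragments reports for that link.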

Hello grue155,
the setting for the “fragmented IP datagrams” was the only reason it didn’t work. I removed all the rules you gave me and the VPN is still working.

As you asked here’s the result from “ipconfig /all”:


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.88.8.xxx
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.88.0.1
        DHCP Server . . . . . . . . . . . : 172.27.28.xxx
        DNS Servers . . . . . . . . . . . : 208.67.222.222
        Lease Obtained. . . . . . . . . . : Saturday, August 02, 2008 23:20:13
        Lease Expires . . . . . . . . . . : Sunday, August 03, 2008 23:20:13

PPP adapter xDSL:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-xxx-xxx-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 85.127.xxx.xxx
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 85.127.230.xxx
        DNS Servers . . . . . . . . . . . : 195.58.160.194
                                            195.58.161.122

PPP adapter VPN Univie:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-xx-xx-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 131.130.110.xxx --> same as default gateway
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 131.130.110.xxx
        DNS Servers . . . . . . . . . . . : 131.130.1.11
                                            131.130.1.12

This time I also included the Ethernet connection. I must have overlooked it last time.

Thanks again for your help and sorry for the circumstances!

the setting for the "fragmented IP datagrams" was the only reason it didn't work.

VPNs can be strange things to work with. Sometimes the simplest of things can trip them up. Fragmented datagrams, for example. So long as it all works, you're good to go.

I removed all the rules you gave me and the VPN is still working.

Not a problem. The extra rules would be a precaution. Your existing rules are sufficient to the connection setup that you have. You do have one of the more unusual network connections that I have encountered. But, again, so long as it all works.

Now that things are resolved and working, I’ll hold this topic open for another day or so, in case there are any follow-on questions. Then I’ll lock it for reference. After that, if the topic needs to be re-opened, just PM any of the moderators.

Thanks again!
You’re great