[isalist] Re: ICS/Briding over VPN problems

  • From: "Jonathon J. Howey" <Jonathon@xxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 10 Dec 2006 16:38:00 -0700

I still think there's a bit of confusion on how things are set up.
Assume all clients are each at a different remote location, talking to
the server from a home connection using built-in XP PPTP / VPN client
software. They may or may not have their own personal router between
their XP machine and the server, but since the connection will be
tunneled the router should not interfere.
 
Now in terms of this client, they will have a second NIC installed which
will talk to an H.323 phone at their house.  This phone needs to talk to
the server, which is part of the Internal network behind the VPN Gateway
/ ISA 2004 Firewall.
 
 
1) I removed the default gateway on the "Phone" NIC as it looked like XP
was taking precedence with this NIC connection over the "WAN" one
anyway.  I can ping the Phone server from my XP machine.
 
2) Yeah, I know H.323 is a worthless routing protocol, which I'm stuck
working with.  We're trying to implement SIP in the upcoming months, but
in the meantime I need to figure this out.
To explain, our H.323 gateway is properly configured AFAIK as it's been
working for years.  Up to recently, we had to move offices and until our
new office is ready, we're stuck connecting from home.
 
I hope you understand my problems now.  Would you say bridging "WAN"
and "Phone" is my best course of action, adding some custom
persistent routes, or do you have any other ideas?
 
 
Jonathon J. Howey
MENSE Inc.
P 780.409.5620
F 780.409.5621
D 780.409.5628
C 780.965.8363
Jonathon@xxxxxxxx
 
Defining the Future of Industry
www.MENSE.ca <http://www.mense.ca/> 
 
 
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: December 10, 2006 10:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems



Actually, that's much better, but still a Q or two.

Q1 - your XP machine has its own Internet connection via a separate
router?

Q2 - if Q1 = yes, why?  You can make this connection through ISA..?

 

Problem #1:

You have a default gateway for each interface.  Because the LAN and VPN
interfaces are auto-assigned, you have little control there (we'll
discuss DHCP options later).  

Solution #1:

Remove the default gateway from the "phone" NIC.

If you can successfully ping the remote H.323 server (assuming
it responds to ping), you did it right.

 

Problem #2:

Something you need to bear in mind; H.323 doesn't tolerate IP changes
along the path very well.

If you're trying to provide IP telephony through that XP machine to a
remote H.323 gateway, this process may fail.

Solution #2:

This is the tough part; H.323 Gateways are not easy to come by (and less
easy to configure). 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jonathon J. Howey
Sent: Sunday, December 10, 2006 12:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems

 

I think I suck at explaining.

 

A. Okie, ICS stays off.

 

B. Yes, basically 3 interfaces, although to re-explain, I have 2 NICs /
1 VPN:

1) Connects to the Internet essentially (my personal router sits in
front, but shouldn't be interfering) ("WAN")

2) Talks over a cross-over cable to my H.323 phone or even a laptop
("PHONE").

The VPN connection of course talks over the 1st (Internet) NIC ("VPN").

 

C. Essentially what I want is:   H.323 phone through XP through VPN to
H.323 server.

There is an SBS server which the XP client talks to first. The H.323
phone server sits in the Internal network (192.168.100.90/95)

 

===

 

*For my router/Internet:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-11-11-63-2D-B8
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : December 10, 2006 1:40:16 AM
Lease Expires . . . . . . . . . . : December 11, 2006 1:40:16 AM

 

*For VPN:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.115
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.100.115
DNS Servers . . . . . . . . . . . : 192.168.100.10
Primary WINS Server . . . . . . . : 192.168.100.10

 

*For the "Phone" NIC, I'm still working through figuring out which IP to
use.  I can tell the H.323 phone to use DHCP or a static IP (static IP
of 192.168.0.111 at the moment), but I can also give the NIC itself an
IP ... so this is probably where I need the help as I've tried so many
things with this NIC. Currently ICS/Bridging is off.

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : ADMtek ADM8511
Physical Address. . . . . . . . . : 00-00-E8-00-F6-DE
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

 

 

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 11 63 2d b8 ...... Intel(R) PRO/100 VE Network Connection
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x20005 ...00 00 e8 00 f6 de ...... ADMtek ADM8511
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.1      20
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      21
          0.0.0.0          0.0.0.0  192.168.100.115  192.168.100.115       1
      66.51.121.2  255.255.255.255      192.168.2.1   192.168.2.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1      20
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      20
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      20
  192.168.100.115  255.255.255.255        127.0.0.1       127.0.0.1      50
  192.168.100.255  255.255.255.255  192.168.100.115  192.168.100.115      50
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      20
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      20
        224.0.0.0        240.0.0.0  192.168.100.115  192.168.100.115       1
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
  255.255.255.255  255.255.255.255  192.168.100.115  192.168.100.115       1
Default Gateway:   192.168.100.115
===========================================================================
Persistent Routes:
  None

 

66.51.121.2 is public IP of SBS server.

 

Thanks Jim and whoever else can help.

 

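The route table above is the heart of the problem Jim describes in Problem #1 (a default gateway on every interface) and that step 1 of the later reply addresses by clearing the gateway on the "Phone" NIC. The script below is an added example for this thread, not code from the list or from Microsoft: it parses the "Active Routes" rows exactly as `route print` / `netstat -r` prints them on XP, lists every default route with its metric, answers "which interface will a packet to X leave on" using longest-prefix match with metric as tie-break, and simulates removing the phone NIC's default route so you can see what the audit says before and after. The table embedded in the script is the one posted in this message; the `198.51.100.7` destination in the demo is a made-up address from the documentation range.

```python
"""Parse a Windows XP 'route print' / 'netstat -r' table and explain its decisions.

Added example for this thread, not code from the list or from Microsoft. The sample
table is the 'Active Routes' section posted in the thread: the XP client has a
default route on all three interfaces (phone NIC, WAN NIC and the PPTP adapter).
"""
import ipaddress
import re

# The route table quoted in the thread (header line plus the Active Routes rows).
XP_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.1      20
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.100      21
          0.0.0.0          0.0.0.0  192.168.100.115  192.168.100.115       1
      66.51.121.2  255.255.255.255      192.168.2.1   192.168.2.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1      20
      192.168.2.0    255.255.255.0    192.168.2.100   192.168.2.100      20
    192.168.2.100  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.2.255  255.255.255.255    192.168.2.100   192.168.2.100      20
  192.168.100.115  255.255.255.255        127.0.0.1       127.0.0.1      50
  192.168.100.255  255.255.255.255  192.168.100.115  192.168.100.115      50
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      20
        224.0.0.0        240.0.0.0    192.168.2.100   192.168.2.100      20
        224.0.0.0        240.0.0.0  192.168.100.115  192.168.100.115       1
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
  255.255.255.255  255.255.255.255    192.168.2.100   192.168.2.100       1
  255.255.255.255  255.255.255.255  192.168.100.115  192.168.100.115       1
Default Gateway:   192.168.100.115
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# destination, netmask, gateway, interface, metric; header/"Default Gateway:" lines don't match
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Return one dict per Active Routes row: network, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, interface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gateway,
            "interface": interface,
            "metric": int(metric),
        })
    return routes


def default_gateways(routes):
    """Every 0.0.0.0/0 row as (gateway, interface, metric), lowest metric first."""
    rows = [(r["gateway"], r["interface"], r["metric"])
            for r in routes if r["network"].prefixlen == 0]
    return sorted(rows, key=lambda row: row[2])


def lookup(routes, destination):
    """Route the stack would pick: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return best["gateway"], best["interface"]


def drop_default_on(routes, interface):
    """Simulate clearing the default gateway on one NIC (Jim's Solution #1)."""
    return [r for r in routes
            if not (r["network"].prefixlen == 0 and r["interface"] == interface)]


def audit(routes):
    """Flag more than one default route: the host then picks by metric alone, so
    anything without a more specific route may leave on an unintended interface."""
    defaults = default_gateways(routes)
    if len(defaults) <= 1:
        return []
    return ["%d default routes on interfaces %s; only the metric-%d one via %s is used"
            % (len(defaults), ", ".join(i for _, i, _ in defaults),
               defaults[0][2], defaults[0][0])]


if __name__ == "__main__":
    table = parse_routes(XP_ROUTE_TABLE)
    for warning in audit(table):
        print("WARNING:", warning)
    for dst in ("192.168.100.90", "66.51.121.2", "192.168.0.111", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
    print("after clearing the phone NIC gateway:", audit(drop_default_on(table, "192.168.0.1")))
```

Run against the posted table, the audit reports three default routes and that only the metric-1 one via 192.168.100.115 is used, which is why traffic to the phone server (192.168.100.90) already leaves over the VPN while the SBS public address 66.51.121.2 goes out the WAN NIC through its /32 host route. Removing the phone NIC's default route leaves the two auto-assigned ones (WAN and VPN) that Jim says you have little control over; the 192.168.0.0/24 connected route is untouched, so the phone at 192.168.0.111 is still reachable.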

 

 

 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: December 9, 2006 7:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems

A - IPRouting should *not* be enabled if using ICS; they're conflicting
configurations.  Since you only want to enable routing, ditch ICS; it
also adds a DNS "proxy".  Better that you use only IPRouting, since
that's all you want.

B - it sounds as if XP has three interfaces; LAN, WAN, VPN?

C - what is the traffic path you want to create:

  1. LAN through XP to H.323

  2. LAN through XP through VPN to H.323

  3. LAN through XP through WAN to H.323

 

What is the 'ipconfig/all' and 'netstat -r' from the XP client when it
has a connection to the H.323 VPN server?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jonathon J. Howey
Sent: Friday, December 08, 2006 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ICS/Briding over VPN problems

 

Hope I can explain my situation well enough, although I apologize as the
solution may not even involve ISA 2004 (but I would appreciate anyone's
networking advice).

 

I have on my client:

1 NIC hanging off to WAN -- "WAN"

1 NIC connected to H.323 IP Phone -- "Phone"

VPN connection to the server H.323 will talk to; receives a 192.168.100.0/24
IP -- "VPN"

IPRouting is enabled on the XP SP2 desktop through registry change +
reboot

 

------

 

Now in terms of ICS (remember that ICS has an internal DHCP server which
hands out 192.168.0.0/24 by default):

1) When I set up "WAN" to share to "Phone", ISA logs the IP that the
H.323 Phone received, so 192.168.0.X.

2) On the other hand, if "VPN" is set up to share to "Phone", ISA logs
the VPN address as the client accessing the network, so 192.168.100.X

 

 

My problem is that in ICS Scenario #1, ISA denies the connection as
192.168.0.X is of course not part of the Internal or VPN Clients
network.

 

In ICS Scenario #2, it works fine, but due to the routing problems, it
can never find its way back to the H.323 phone as it knows the
destination is only 192.168.100.X and when I trace with
Ethereal/Wireshark, the packets do not contain any references to the
original client (and so once it hits the PPP interface on the client it
doesn't know what to do with it).

 

I think that if I were to bridge "WAN" and "Phone" together, I would be
dealing with a combination of the problems of #1 and #2 would I not? (or
does a bridge do something special with managing concurrent streams?)  I
know that if I bridge them together, "Phone" will get an IP from the
same DHCP server as "WAN" did, but I run into routing issues.

 

------

 

Has anyone ever had to deal with this situation?  What would be the ideal
solution to Scenario #1 [this of course is why I posted here and not
some networking newsgroup]?  Any other ideas / am I misunderstanding the
technical problem?

 

 

(In case you are wondering why I'm dealing with this problem, it is
because due to upper management constraints on server locations while we
move offices, all of our servers are in one location while we have users
who need to use the phone server remotely and I know it's possible).

 

 

 


 

 

 

All mail to and from this domain is GFI-scanned.
