boerio EVDO Fledgling
Joined: 29 Mar 2006 Posts: 22
Posted: Wed May 03, 2006 10:42 am Post subject: Local IP versus Remote IP - source of VPN problems, maybe?
I noticed in my log file that there are two IP addresses that get reported. One is a local IP address and the other is a remote IP address.
What is the difference between the two? Maybe this is what part of my problem with establishing VPN connections is? (I've been trying to use one of the DHCP-provided IP addresses, 192.168.0.101 for example.)
Maybe I need to be allowing a different IP address to communicate for VPN to work?
- Jeff
 |
Mackieman EVDO Junkie
Joined: 31 Oct 2005 Posts: 451
Posted: Wed May 03, 2006 10:43 am
The remote IP in the logs is the gateway through which your HA connects to the Internet. It is the same value as Default Gateway when you type ipconfig /all into a command prompt in Windows.
 |
boerio EVDO Fledgling
Joined: 29 Mar 2006 Posts: 22
Posted: Wed May 03, 2006 11:17 am
So if I'm having VPN problems, what IP address should I be using in the Firewall rules to try and resolve it?
Is it the 192.168.0.101 address that the computer gets? This is what I've been using.
Is it the local IP address that the KR1 gets?
Is it the remote IP address that the KR1 gets?
If I want to put something outside of the firewall, should I use the 192.168.0.101 address from the computer? The local IP? The remote IP? Again, I've been using the computer's address.
- Jeff
 |
PrimeSuspect EVDO Newbie
Joined: 03 May 2006 Posts: 8
Posted: Wed May 03, 2006 11:27 am
First off, which firewall rules? Are you trying to modify the firewall rules on the KR1 or the firewall rules on the remote VPN server? 192.168.0.x is non-routable so it will never get routed across the Internet. You can always hit something like www.whatismyip.org to see what sites on the Internet see you as (should be the remote KR1 address). I hope this helps!
 |
Mackieman EVDO Junkie
Joined: 31 Oct 2005 Posts: 451
Posted: Wed May 03, 2006 12:18 pm
I believe what he is actually looking for is port forwarding.
The idea here is to pass and route incoming traffic on the WAN public IP across NAT to a LAN internal IP. If you're having VPN problems and want to open ports, you need to specify what port the incoming packets are received on. You can do this by enabling a virtual server rule if one exists for your setup or by writing a firewall rule.
In any event, the traffic passes from WAN > NAT > LAN. When you're opening up a port in the firewall, the destination is always the LAN IP address of the computer you're using.
 |
PrimeSuspect EVDO Newbie
Joined: 03 May 2006 Posts: 8
Posted: Wed May 03, 2006 12:29 pm
Everything Mackieman said is correct. I just want to point out however that you shouldn't need to make any virtual server rules for an IPSec or PPTP VPN (both of these have another config option you can enable or disable). I'm using an IPSec VPN without any virtual server rules at all (I removed every single one). If the VPN you are using does non-standard stuff (say not using 500/udp to exchange key information for example) I would suggest going the DMZ route if you aren't familiar with firewall rules and whatnot. That should resolve your problem without having to worry about each of the firewall rules and wondering if you did it right or not.
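Added example, not part of any post in this thread: a small Python model of the WAN > NAT > LAN forwarding and the DMZ fallback discussed in the two posts above, showing that a rule matches on the WAN-side port and points at the computer's LAN address. The WAN address 203.0.113.10 and the names `ForwardRule`, `validate_rule` and `translate` are constructed for illustration; 192.168.0.101, UDP 2233 and 500/udp come from the thread.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: never routed across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass(frozen=True)
class ForwardRule:
    proto: str     # "udp" or "tcp"
    wan_port: int  # port the packet arrives on at the WAN address
    lan_ip: str    # destination: LAN address of the computer
    lan_port: int

def validate_rule(rule: ForwardRule, lan_net: str) -> ForwardRule:
    """A rule's destination must be a host on the router's LAN."""
    if ipaddress.ip_address(rule.lan_ip) not in ipaddress.ip_network(lan_net):
        raise ValueError(f"{rule.lan_ip} is not on LAN {lan_net}")
    return rule

def translate(packet, wan_ip, rules, dmz_host=None):
    """Map inbound (dst_ip, proto, dst_port) to (lan_ip, lan_port), or None if dropped."""
    dst_ip, proto, dst_port = packet
    if dst_ip != wan_ip:
        return None
    for r in rules:
        if (r.proto, r.wan_port) == (proto, dst_port):
            return (r.lan_ip, r.lan_port)
    # DMZ: every otherwise-unmatched inbound port goes to one LAN host,
    # so that host is exposed on its whole port range.
    return (dmz_host, dst_port) if dmz_host else None

# Constructed sample values: WAN address from a documentation range,
# LAN host and UDP port taken from the thread.
WAN_IP, LAN_NET, PC = "203.0.113.10", "192.168.0.0/24", "192.168.0.101"
RULES = [validate_rule(ForwardRule("udp", 2233, PC, 2233), LAN_NET)]

if __name__ == "__main__":
    print(is_rfc1918(PC), is_rfc1918(WAN_IP))
    print(translate((WAN_IP, "udp", 2233), WAN_IP, RULES))     # forwarded by rule
    print(translate((WAN_IP, "udp", 500), WAN_IP, RULES))      # no rule: dropped
    print(translate((WAN_IP, "udp", 500), WAN_IP, RULES, PC))  # DMZ catches it
```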
 |
boerio EVDO Fledgling
Joined: 29 Mar 2006 Posts: 22
Posted: Wed May 03, 2006 12:35 pm
See my thread here: http://www.evdoforums.com/viewtopic.php?t=2205
Something Bad Is Happening at the final step. There's also a variety of other posts of people not able to use the KR1 with VPN, and it appears to be a known issue that Kyocera doesn't plan to address?
The way it sits right now, when I work from the house, I yank the KPC650 from the KR1 whenever I want to connect to my employer's network.
- Jeff
 |
Mackieman EVDO Junkie
Joined: 31 Oct 2005 Posts: 451
Posted: Wed May 03, 2006 12:38 pm
The VPN issue concerns the various security protocols employed by some turnkey VPN concentrator manufacturers such as Cisco, Nortel, Watchguard, and others. KR1 does not support these protocols and will not in its current state. Supporting additional things like that will require both a hardware platform and a corresponding software change. That will likely be pushed to the next revision of the product. So the hard truth is that no, you're not likely to see VPN support beyond what it is right now for KR1.
 |
PrimeSuspect EVDO Newbie
Joined: 03 May 2006 Posts: 8
Posted: Wed May 03, 2006 12:40 pm
I too have read the numerous forum posts where people have had issues getting their VPN to work properly through the KR1. The vast majority of those are people also utilizing the wifi connection instead of jacked into the KR1 its built-in switch/hub. That would lead me to believe it is most likely MTU issues in the majority of cases but that's just a theory at this point, could be an actual issue with the KR1 itself. Are you connected to your KR1 via ethernet or wifi? Also for you since you are using the Netstructure VPN client which you said appears to be speaking UDP 2233 the two default policies for VPNs probably wouldn't apply. Can you change your settings so that your machine is DMZ'd and see if it works then? Maybe not the ideal setup for you but at least you can verify if you are able to establish a VPN connection at all through the KR1. I'm sure Mackieman can provide additional information on this subject matter though.
 |
boerio EVDO Fledgling
Joined: 29 Mar 2006 Posts: 22
Posted: Wed May 03, 2006 12:45 pm
Tried the DMZ route, but that didn't work either (same results). Of course, the IP address I was using to "place" into the DMZ was 192.168.0.101 (as received via DHCP from the KR1).
In all cases, I was connected via the LAN ports, not by WLAN. I like to try and walk before running or trying to chew gum simultaneously.
- Jeff