Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

TheDurb
Aspirant

Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

When dialed into an IPSec tunnel, users are not able to access WAN hosts within the same LAN, such as our mail server and intranet. I believe I have a routing table issue, but I am not sure. No custom routes are defined, and any that I attempt to define do not relieve the issue. Firewall rules are used to direct WAN traffic into the appropriate host instead of classic routing. I have tried DNS host changes in the Mode Config settings, and that fixes nothing either. The current routing table is below. Note that not all WAN IPs are captured in the routing table for some reason. I have tried to add them manually to fix my problem, as I mentioned, with no success, so I just removed them. It does not matter which host a client tries to connect to, one that is in this table or one that is not. I also should mention that pings through the firewall never reach the host even with that security feature disabled, which makes me think again that I have a routing table problem. It is also important to note that users physically on the LAN and anonymous users have no problem accessing these hosts. Any help is appreciated!

Interface Name  Destination      Mask             Gateway        Metric
WAN1            64.XXX.0.1       255.255.255.255  0.0.0.0        0
LAN             64.XXX.XXX.XXX   255.255.255.255  192.168.1.10   10
LAN             64.XXX.XXX.XXX   255.255.255.255  192.168.1.10   10
LAN             64.XXX.XXX.XXX   255.255.255.255  192.168.1.10   10
LAN             192.168.1.0      255.255.255.0    0.0.0.0        0
WAN1            64.XXX.0.0       255.255.248.0    0.0.0.0        0
WAN1            default          0.0.0.0          64.XXX.0.1     0
Model: FVS336Gv2 | PROSAFE DUAL WAN GIGABIT FIREWALL WITH SSL & IPSEC VPN
Message 1 of 8
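As an added example (not part of the original thread), the following script walks the routing table posted above with longest-prefix-match semantics. The redacted XXX octets are replaced with constructed placeholder values (64.100.x.x), and the helper names `lookup` and `next_hop` are my own. It shows that the three /32 LAN entries beat the /21 WAN1 route no matter how high their metric is, so a packet for one of those WAN addresses is handed to 192.168.1.10 on the LAN rather than leaving through WAN1.

```python
import ipaddress

# Routing table from the original post. The redacted "XXX" octets are
# replaced with constructed placeholder values (64.100.x.x); the real
# addresses are not on the page. Columns: interface, destination, mask,
# gateway, metric.
ROUTES = [
    ("WAN1", "64.100.0.1",  "255.255.255.255", "0.0.0.0",      0),
    ("LAN",  "64.100.1.10", "255.255.255.255", "192.168.1.10", 10),
    ("LAN",  "64.100.1.11", "255.255.255.255", "192.168.1.10", 10),
    ("LAN",  "64.100.1.12", "255.255.255.255", "192.168.1.10", 10),
    ("LAN",  "192.168.1.0", "255.255.255.0",   "0.0.0.0",      0),
    ("WAN1", "64.100.0.0",  "255.255.248.0",   "0.0.0.0",      0),
    ("WAN1", "0.0.0.0",     "0.0.0.0",         "64.100.0.1",   0),
]


def lookup(dst):
    """Pick the route a router would use for dst: the longest matching
    prefix wins, and the metric only breaks ties between equal prefixes.
    Returns (interface, network, gateway, metric)."""
    ip = ipaddress.ip_address(dst)
    best_key, best_route = None, None
    for iface, net, mask, gw, metric in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ip not in network:
            continue
        key = (network.prefixlen, -metric)  # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best_key, best_route = key, (iface, str(network), gw, metric)
    return best_route


def next_hop(dst):
    """Human-readable verdict for a packet from a VPN client to dst."""
    iface, network, gw, metric = lookup(dst)
    via = "directly connected" if gw == "0.0.0.0" else f"via {gw}"
    return f"{dst} -> {iface} ({network}, metric {metric}) {via}"


if __name__ == "__main__":
    # One of the published WAN addresses: the /32 LAN entry beats the /21
    # WAN1 route even though its metric is worse, so the packet is handed
    # to 192.168.1.10 inside the LAN instead of leaving through WAN1.
    print(next_hop("64.100.1.10"))
    print(next_hop("64.100.5.7"))      # another address in the WAN /21
    print(next_hop("192.168.1.50"))    # ordinary LAN host
    print(next_hop("198.51.100.9"))    # anything else: default route
```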
DaneA
NETGEAR Employee Retired

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Hi TheDurb,

Welcome to the community! 🙂

Kindly answer the questions below:

a. Do you have a client-to-box VPN or box-to-box VPN?

b. Was it working before? If yes, are there any changes made within the settings or within the network?

c. Does it mean that you are unable to go online when you are connected via VPN?

d. What is the current firmware version of your FVS336Gv2?

I look forward to your response.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 8
TheDurb
Aspirant

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Thanks for your reply! Responses are below.

a. Do you have a client-to-box VPN or box-to-box VPN? Client-to-box

b. Was it working before? If yes, are there any changes made within the settings or within the network? Yes, before I started using multiple WAN IP addresses, it worked.

c. Does it mean that you are unable to go online when you are connected via VPN? No, all internet access is functional except to those WAN hosts within this LAN.

d. What is the current firmware version of your FVS336Gv2? 3.1.1-08; I do not want to upgrade due to performance degradation as a known issue in the current version.

Message 3 of 8
DaneA
NETGEAR Employee Retired

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Hi TheDurb,

Here are my follow-up questions below:

a. Are you using a NETGEAR VPN Client software? If yes, is it the VPN Client Professional software or VPN Client Lite software?

b. What is the current version of the VPN Client software you are using?

c. Are you able to get replies when you ping the WAN hosts within the LAN while you are connected via VPN?

Regards,

DaneA

NETGEAR Community Team

Message 4 of 8
TheDurb
Aspirant

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Follow-up answers:

a. Are you using a NETGEAR VPN Client software? If yes, is it the VPN Client Professional software or VPN Client Lite software? I am not using Netgear Client software. I am using Shrew for Windows and the built-in utility on Apple products, such as iOS. Both produce the same results.

b. What is the current version of the VPN Client software you are using? N/A

c. Are you able to get replies when you ping the WAN hosts within the LAN while you are connected via VPN? I am not. Whether I am on the VPN or physically attached to the LAN, all pings to the WAN hosts within fail. Traceroutes to the hosts stop at the gateway (the Netgear box). However, resolving those hosts always succeeds when I am physically on the LAN, just not via VPN.

Message 5 of 8
DaneA
NETGEAR Employee Retired

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Hi TheDurb,

Kindly post a screenshot or an image of your detailed network setup.

Are you able to get replies when you ping the WAN1 gateway (whether you are connected via VPN or not)?

Regards,

DaneA

NETGEAR Community Team

Message 6 of 8
TheDurb
Aspirant

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Hi, DaneA.

That is quite a tremendous amount of information to send. Is there a specific configuration you are interested in understanding? I have summarized some of the more detailed points of my config below. Answering your question regarding pings: no, when I use the full domain name on the LAN, WAN, or VPN, all pings stop at the gateway host.

I am only using WAN1 on the firewall. Settings are configured accordingly. All LAN clients share an outbound WAN IP with the firewall, even those that host inbound traffic on a different WAN IP. Those that host inbound traffic on a different WAN IP do so by way of Firewall Security rules that specify which Destination WAN traffic is routed to which LAN IP by policy. This works quite effectively. However, I still believe the inherited routing table is incorrect. The three WAN IP addresses in the routing table are pointing in the wrong direction. Those WAN IPs are not dedicated hosts within the LAN. The firewall is placing them in the routing table as if they reside within the LAN. It could be a bug in that I am using Security Policies to drive traffic from those three IPs exclusively.

Message 7 of 8
DaneA
NETGEAR Employee Retired

Re: Unable to navigate to LAN-WAN hosts when dialed into IPSec VPN

Hi TheDurb,

I believe a topology of your detailed network setup would help. I am not sure, but it might be possible that when the VPN is active, it creates a loop or possibly a problem with the MAC address table somewhere.

Regards,

DaneA

NETGEAR Community Team

Message 8 of 8