10-12-2011 05:57 AM
Hey all,
Hopefully an easy one - I'm trying to configure a VPN Concentrator for use with the old VPN Client for an IPSec CVPN.
The clients connect fine, but they are getting the incorrect default gateway during the address assignment.
My address pool is 192.168.0.128/25. The client correctly picks up the first address in the range, 192.168.0.129, but the default gateway for the VPN adapter is assigned as the next address in the range, 192.168.0.130.
I need the gateway address to be 192.168.0.254 (the SVI of the L3 switch connected to the Concentrator), but I can't for the life of me find a configuration option anywhere in the pool assignment. I've set the tunnel default gateway to 192.168.0.254, but this makes no difference.
Any ideas where I can find this config option?
Thanks!
10-20-2011 12:28 PM
Andy,
no, the tunnel default gateway should be the IP address of the L3 switch; in other words, this is the next hop the concentrator should use to send all traffic (that it receives from the VPN clients) to.
However, in your routing table I see you have an explicit route for 192.168.0.0/26 pointing to the L3 switch, so this will take precedence over the tunnel default gateway. Therefore I don't expect it will make any difference when you correct the tunnel default gateway.
Can your clients still ping the L3 switch (192.18.0.254) ?
Can they ping another interface of the same L3 switch?
Are there any filters defined on the concentrator (either on the private interface, or on the default group/specific group/user) ?
Any access-lists on the L3 switch?
Anything in the concentrator logs?
hth
Herbert
10-21-2011 02:53 AM
Hey,
Ok, the tunnel gateway is set to the L3 switch now, but I'm still not getting any joy. I can't ping this address from the client (now on a different subnet). I haven't configured any access lists on the switch, and the concentrator is just the simplest config to get it to function (pretty much just running through the setup prompts).
Sorry to come back to this, but I'm still a little worried about the client default gateway setting. I know you say that it shouldn't matter as it will use the tunnel gateway, but I don't think my client is treating it as such.
If I, for example, try to telnet to a different subnet (the L3 switch it should be using as the tunnel default gateway, for example) from the connected client and run a trace, I see the client ARP for 192.168.0.130 (the default gateway it gets assigned by the concentrator). It gets a response from a mystery MAC address, so it then constructs a packet with a destination IP of the L3 switch, but a destination MAC of some mystery device on 192.168.0.130. This obviously never gets anywhere.
So the client seems to be operating in a 'traditional' model, not sending all traffic down the tunnel to the concentrator.
Thanks,
Andy
10-21-2011 09:14 AM
Andy
I am puzzled at these symptoms. I continue to believe that what shows up in the client as default gateway should not impact its ability to access network resources through the concentrator and that there is something in the environment that we do not yet understand which is causing this. So here are a couple of things that I hope might shed some light on this:
- when the PC ARPs for the 130 address what MAC address does it learn?
- can you post the output of route print from the PC while it has the VPN session up?
- is your concentrator and VPN client set up for split tunneling or does it just tunnel all data back to the concentrator?
- can you go back to the screen on the concentrator where it shows its IP routing entries and tell us what its current routing contents are?
HTH
Rick
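The two things Rick asks for (the `route print` output and whether the client is split-tunnelling) can be checked mechanically. The script below is an added example, not part of this thread and not a Cisco tool: it parses a constructed Windows `route print` IPv4 table, reports whether the lowest-metric default route leaves through the VPN adapter (full tunnel) or the physical NIC (split tunnel), and classifies the gateway the client was handed relative to the address pool, so the "next address in the pool" symptom Andy describes shows up as a labelled result. The sample table, the interface addresses and the pool values are assumptions chosen to match the thread.

```python
import ipaddress
import re

# Constructed sample of a Windows "route print" IPv4 table (not from the thread).
# The VPN adapter holds 192.168.0.129, the physical NIC holds 10.1.1.50.
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.1.1.1        10.1.1.50     25
          0.0.0.0          0.0.0.0  192.168.0.130    192.168.0.129      1
    192.168.0.128  255.255.255.128  192.168.0.130    192.168.0.129      1
    192.168.0.129  255.255.255.255        On-link    192.168.0.129    256
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
===========================================================================
"""

# One route row: destination, netmask, gateway (an address or "On-link"), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return a list of dicts for each active route row in a 'route print' dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and blank lines are skipped
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gw,
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def tunnel_mode(routes, vpn_iface):
    """'full' if the preferred default route exits via the VPN adapter, else 'split'.

    Windows picks the default route with the lowest metric, so that is the one
    that decides where non-local traffic goes.
    """
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r["metric"])
    return "full" if best["interface"] == ipaddress.ip_address(vpn_iface) else "split"


def classify_gateway(pool_cidr, client_ip, assigned_gw):
    """Label the gateway handed to the client relative to the address pool.

    'next-pool-address' is the symptom from the thread: the concentrator handed
    out client+1, an address that belongs to no real device on the LAN.
    """
    pool = ipaddress.ip_network(pool_cidr)
    client = ipaddress.ip_address(client_ip)
    gw = ipaddress.ip_address(assigned_gw)
    if gw not in pool:
        return "outside-pool"
    if gw == client + 1:
        return "next-pool-address"
    return "in-pool"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    print("tunnel mode:", tunnel_mode(routes, "192.168.0.129"))
    print("assigned gw:", classify_gateway("192.168.0.128/25", "192.168.0.129", "192.168.0.130"))
    print("intended gw:", classify_gateway("192.168.0.128/25", "192.168.0.129", "192.168.0.254"))
```

Run it against a real `route print` capture by replacing `SAMPLE_ROUTE_PRINT`; if `tunnel_mode` reports "split" while the client is expected to send everything down the tunnel, the split-tunnel policy on the group is the first thing to check, and a "next-pool-address" gateway confirms the pool-assignment behaviour rather than a routing error on the switch.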
10-31-2011 08:46 AM
Thanks for all your help guys - I ended up just forgetting about it and using a firewall instead. Thanks!