Wrong source IP used when connecting to IP of SoftEther Host

appleoddity
Posts: 2
Joined: Wed Jul 06, 2016 7:05 am

Wrong source IP used when connecting to IP of SoftEther Host

Post by appleoddity » Wed Jul 06, 2016 7:21 am

I have a very strange problem I have spent many hours on. I'll try to keep this post as concise as possible.

Long story short - I can connect the VPN, I can ping all IP addresses on the remote network EXCEPT the IP address of the server that is hosting the VPN Server.

I'm using the SoftEther server and client to establish my VPN connection. I've tested the server on 3 different OSes (2003, 2008, and 2012 R2). I have an identical setup at another organization that I have not experienced this issue with. I've tried setting up both secureNAT, and a dual virtual hub w/ L3 virtual router setup. I've tried setting specific static routes. I've tracert'd the packets and see that they try to go out the default gateway rather than the VPN. I've tried setting up the VPN client on several different computers. I've confirmed routing tables are all correct.

I am not using a local bridge setup. I cannot, in this scenario. I have created a private VPN network that is routable through SoftEther with DHCP provided static routes.

I can connect the VPN, I can ping the IP address of the VPN server's LAN IP indefinitely without issue. But, if I stop pinging it, or don't ping it right away I can no longer ping it after a moment.

It's absolutely crazy. I have no idea how anything on the client end would even know the LAN IP address of the VPN server when I am using SecureNAT or virtual routing between multiple hubs. Yet, it ALWAYS affects only the IP address of the VPN host, no matter what system the VPN server is installed on, and no matter what IP address it has.

I finally narrowed it down to a problem with Windows 7. It does not act up on Windows 10. I also narrowed it down to a problem with source IP selection. i.e. If I ping any of the other remote IP addresses, Windows chooses to use my VPN interface's IP address as the source. If I try to ping the affected IP address, Windows chooses to use the IP address of my network interface on my computer, which causes the packets to always try to route through the default gateway and fail.

Why would Windows choose the wrong source IP address only for packets destined to the LAN IP address of the VPN Server host computer?

I have confirmed I can successfully ping the affected IP address if I force the proper source IP address:
ping -S 10.130.10.5 10.0.0.5

I read here which seems to have the best explanation about source IP selection: https://blogs.technet.microsoft.com/net ... -computer/

But, it still doesn't give me a clue why this is happening. The only thing I can guess is that for some reason it thinks the route is down for this one particular IP address and chooses to use the default gateway / interface.

Thanks!

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Wrong source IP used when connecting to IP of SoftEther

Post by raafat » Thu Jul 07, 2016 6:51 pm

Hi there! Sorry, but I got confused because of your words, in fact, lots of words (:, so I need you to determine what the problem is that you are trying to solve, and kindly be as concise as you can and don't provide us any details that wouldn't matter to your problem, so that we can help you as much as we can (:

Good luck (:

appleoddity
Posts: 2
Joined: Wed Jul 06, 2016 7:05 am

Re: Wrong source IP used when connecting to IP of SoftEther

Post by appleoddity » Thu Jul 07, 2016 9:11 pm

Hi. I appreciate your response. I'm sorry my post is confusing. It's just that I have done and tried so much, that I wanted to post everything I already knew.

Our LAN's network address is 10.0.0.0/24.

I have set up SoftEther using a SecureNAT configuration. The virtual network is 10.130.10.0/24 and the SecureNAT interface in SoftEther is 10.130.10.1. During my troubleshooting, I also changed to a Layer3 / Virtual Router setup where I created two Virtual HUBs. One HUB I bridged to the 10.0.0.0/24 network and the other HUB I used for my VPN clients. I set up the L3 Switch function to have an interface on each network and route between the two HUBs.

I can successfully connect to the VPN. I can successfully ping several hosts on the 10.0.0.0/24 network. i.e. 10.0.0.4, 10.0.0.22, etc. But, I cannot ping the internal LAN IP address of the physical machine that is hosting the SoftEther Server. i.e. 10.0.0.5. The behavior is the same using either configuration mentioned above.

As stated in my previous post, I performed a ton of troubleshooting. I've installed the VPN server on 3 different physical hosts each with three different OSes. Every time, the IP address of the physical host is not reachable within moments after connecting to the VPN.

As stated in my previous post, I determined that the VPN client computer tries to use the wrong source IP address when making connections to the affected IP address on the 10.0.0.0/24 network. Instead of using its address from the 10.130.10.0/24 network, it tried to use its IP address from the other physical network interface on the computer. For instance, maybe 192.168.1.23. Because of this, Windows forces the packet out the physical interface instead of tunneling it through the VPN.

I know that Windows is attempting to use the wrong source IP address and interface because I have used Wireshark to sniff the packets. I also can defeat the erroneous source IP address by forcing the right IP address in a ping. i.e. ping -S 10.130.10.101 10.0.0.5 (which works successfully)

From my research one of two things might be happening:
1) Windows thinks the route to the affected IP address on the 10.0.0.0/24 network is unreachable (even though it is) and tried to force the packet out the default gateway which it then changes the source IP address to match that interface.

2) Windows is mistakenly using the wrong source IP address which then forces the packet out the wrong interface.

Like I stated in my previous post, the routing tables are all correct. I push out static routes to the VPN client with the SoftEther virtual DHCP server. All other IP addresses on the 10.0.0.0/24 network are reachable. I eliminated the possibility of any issues such as firewalls, routing tables, OS types, etc.

This problem only affects the Windows 7 computers I try it from, it does not have this problem in Windows 10. In addition, I have a similar setup at another organization and it works fine, even on Windows 7. Very strange.

I'm not sure what other information to provide at this time. I'm looking for a known issue or bug at this point. But, I'm not sure if it is with Windows or SoftEther.
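
Added example, not part of the original posts: a Python check for the source-address symptom described above. It asks the OS which source IP it selects for each destination without sending traffic (a UDP connect() only performs the route and source lookup), and it repeats the check because the fault appears a moment after connecting. The subnet and host addresses are the ones quoted in the thread; the port, function names and polling interval are assumptions of this example.

```python
import ipaddress
import socket
import time

# Addresses quoted in the thread; everything else here is an assumption.
VPN_NET = ipaddress.ip_network("10.130.10.0/24")
LAN_HOSTS = ["10.0.0.4", "10.0.0.22", "10.0.0.5"]
PROBE_PORT = 9  # arbitrary; connect() on a UDP socket sends no packet


def selected_source(dest, port=PROBE_PORT):
    """Return the source IP the OS picks for dest, or None if it has no route."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((dest, port))
        except OSError:
            return None
        return s.getsockname()[0]


def audit(dests, expected_net):
    """Map each destination to (source, ok); ok means source is in expected_net."""
    report = {}
    for dest in dests:
        src = selected_source(dest)
        ok = src is not None and ipaddress.ip_address(src) in expected_net
        report[dest] = (src, ok)
    return report


def watch(dests, expected_net, rounds=30, delay=2.0):
    """Poll repeatedly; return (round, dest, source) for every wrong selection."""
    findings = []
    for i in range(rounds):
        for dest, (src, ok) in audit(dests, expected_net).items():
            if not ok:
                findings.append((i, dest, src))
        if i + 1 < rounds:
            time.sleep(delay)
    return findings


if __name__ == "__main__":
    # Run on the VPN client right after connecting and leave it polling.
    for rnd, dest, src in watch(LAN_HOSTS, VPN_NET):
        print(f"round {rnd}: {dest} would be sent from {src}, not from {VPN_NET}")
```

A destination that is reported with a source outside 10.130.10.0/24 while its neighbours are not reproduces the behaviour seen in the packet capture, and the round number shows how long after connecting the selection changed.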

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Wrong source IP used when connecting to IP of SoftEther

Post by thisjun » Fri Jul 22, 2016 1:59 am

Did you assign default gateway IP address on the virtual NIC?
Can you see affected IP address on virtual hub IP address list?
Which SecureNAT mode did you use?
Did you install VPN client on the server host?
