4 Replies Latest reply on Sep 27, 2011 3:21 PM by hernan.fernandez

    VPN / ARP problem

      Hi there:

      I have a problem with the VPN configuration in my enterprise firewall 8.0.1.

      I have configured the VPN concentrator and VPN client (Shrew Soft) following these instructions: https://kc.mcafee.com/corporate/index?page=content&id=KB67215&pmv=print. The VPN client connects successfully, the user and password are validated fine, as is the remote certificate password, and I also get an IP address and DNS successfully.

      The landing burb for VPN users is the internal zone, but after establishing the VPN session I am only able to ping the internal interface of the firewall; I cannot ping other computers inside the internal burb (in the same internal zone).

      I have discovered that a ping made from my VPN client computer arrives at the other hosts in the internal burb, but they don't know how to get back.

      The problem is solved when, on the computer inside the internal zone, I use arp to set the HW address of the internal interface of the firewall for the IP of my VPN client:

      arp -s vpn_client_ip_address  firewall_internal_int_mac_address

      Any ideas? How can I solve the problem without this manual setting?

      thanks

      Message edited by: hernan.fernandez on 27/09/11 9:32:17 CDT
        • 1. Re: VPN / ARP problem

          Hello,

          It seems like you are running into a routing problem. I am making an assumption that the devices behind the firewall do not have their default gateway set to the firewall? If they did, then you would probably not have this problem.

          Without changing routing on the clients behind the firewall, I don't know how you are going to get around this problem.

          Hope this helps,

          Matt

          • 2. Re: VPN / ARP problem

            Hi Mtuma, thanks for the answer. I think the same, but I cannot find the exact problem. Here is more information about the configuration that I have:

            firewall
            interface 1-0 external 190.161.34.162 / 29
            interface 1-1 Internal 10.0.0.1 / 24

            VPN network
            10.0.0.200 / 29

            computer connected to 1-0 (this is the VPN client)
            IP 190.151.34.165
            Mask 255.255.255.248
            GW 190.151.34.162

            The default route is 190.161.34.161 (internet router). If I set the computer connected to 1-0 with the GW 190.151.34.161, it still does not work.

            computer connected to 1-1
            IP 10.0.0.5
            Mask 255.255.255.0
            GW 10.0.0.1

            This computer cannot see my VPN client once it is connected, and I have to set an ARP entry here, for example:

            arp -s 10.0.0.201 MAC_ADDR_OF_INTERFACE 1-1

            thanks a lot for your help

            • 3. Re: VPN / ARP problem
              sliedl

              You have to add the ARP entry because the VPN network (10.0.0.200/29) is in the same network as your PC (10.0.0.5/24).  Your PC cannot ARP for these addresses because they are not 'really' there on the network (they're on the other side of the VPN, and ARPs are not propagated over a VPN).

              There is nothing you can do on the firewall to 'fix' this the way it is set up right now.  You must add ARP entries to point back to the firewall.

              If you were to make the VPN network 10.0.1.200/29 (which is outside the network of your PC), your PC would send this traffic back to its default route (the firewall) with no ARP entries.  Or, if you made the mask on your PC smaller so that the current 10.0.0.200/29 VPN network is no longer in the network of your PC, your PC would send this traffic back to its default route, the firewall.
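The forwarding decision sliedl describes can be checked before touching any host. The script below is an added example, not code from the thread or from the firewall vendor: it reproduces the LAN host's on-link test (is the destination inside my connected subnet? then I ARP for it; otherwise I hand it to my default gateway), flags a VPN pool that overlaps the LAN, and, for the overlapping case, generates the per-address static ARP lines the original poster was forced to add. The addresses are the thread's (10.0.0.5/24 with gateway 10.0.0.1, pool 10.0.0.200/29, the fixed pool 10.0.1.200/29); the firewall MAC is a constructed placeholder.

```python
"""Why a LAN host needs static ARP entries for a VPN pool carved out of its own subnet.

Added example (not from the forum thread). A host only ARPs for destinations that
fall inside its connected subnet; everything else goes to its default gateway.
ARP requests are not carried across the VPN tunnel, so a pool address that is
on-link from the host's point of view is unreachable unless something answers
ARP for it. Moving the pool outside the LAN prefix (or shrinking the host's
prefix) makes the host route via the gateway instead.
"""
import ipaddress
from typing import List


def is_on_link(host_ip: str, host_prefixlen: int, dst_ip: str) -> bool:
    """True when dst_ip is inside the host's connected subnet, i.e. the host will ARP for it."""
    subnet = ipaddress.ip_interface(f"{host_ip}/{host_prefixlen}").network
    return ipaddress.ip_address(dst_ip) in subnet


def next_hop(host_ip: str, host_prefixlen: int, host_gw: str, dst_ip: str) -> str:
    """Mimic the host's forwarding decision: ARP directly, or send to the default gateway."""
    if is_on_link(host_ip, host_prefixlen, dst_ip):
        return "arp-direct"
    return f"gateway:{host_gw}"


def vpn_pool_overlaps_lan(lan_cidr: str, vpn_pool_cidr: str) -> bool:
    """True when the VPN address pool lies inside (or overlaps) the LAN prefix.

    This is exactly the condition under which LAN hosts will try to ARP for
    VPN clients and fail, because the clients are on the far side of the tunnel.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = ipaddress.ip_network(vpn_pool_cidr, strict=False)
    return lan.overlaps(pool)


def static_arp_commands(vpn_pool_cidr: str, fw_internal_mac: str) -> List[str]:
    """The workaround from the thread, one 'arp -s' per usable pool address.

    Every LAN host would need these, and they must be maintained by hand, which
    is why re-addressing the pool is the real fix.
    """
    pool = ipaddress.ip_network(vpn_pool_cidr, strict=False)
    return [f"arp -s {addr} {fw_internal_mac}" for addr in pool.hosts()]


def plan(lan_cidr: str, vpn_pool_cidr: str, fw_internal_mac: str) -> str:
    """Summarise whether a given LAN/pool pairing works without static ARP."""
    if vpn_pool_overlaps_lan(lan_cidr, vpn_pool_cidr):
        n = len(static_arp_commands(vpn_pool_cidr, fw_internal_mac))
        return (f"pool {vpn_pool_cidr} is inside LAN {lan_cidr}: hosts will ARP and fail; "
                f"{n} static ARP entries per host, or re-address the pool")
    return f"pool {vpn_pool_cidr} is outside LAN {lan_cidr}: hosts route via their default gateway"


if __name__ == "__main__":
    FW_MAC = "00:11:22:33:44:55"  # constructed placeholder for interface 1-1's MAC
    # Thread's broken setup: host 10.0.0.5/24, pool 10.0.0.200/29.
    print(next_hop("10.0.0.5", 24, "10.0.0.1", "10.0.0.201"))   # arp-direct (fails over VPN)
    print(plan("10.0.0.0/24", "10.0.0.200/29", FW_MAC))
    for line in static_arp_commands("10.0.0.200/29", FW_MAC):
        print("  " + line)
    # Fix 1 (what the poster did): move the pool outside the LAN prefix.
    print(next_hop("10.0.0.5", 24, "10.0.0.1", "10.0.1.201"))   # gateway:10.0.0.1
    print(plan("10.0.0.0/24", "10.0.1.200/29", FW_MAC))
    # Fix 2 (sliedl's alternative): shrink the host's subnet so the pool is off-link.
    print(next_hop("10.0.0.5", 25, "10.0.0.1", "10.0.0.201"))   # gateway:10.0.0.1
```

Run it with `python3 vpn_arp_check.py` (hypothetical file name). The on-link test is the whole story: with a /24 the host considers 10.0.0.201 a neighbour and broadcasts an ARP request that nothing on the wire answers, whereas with the pool moved to 10.0.1.200/29, or the host narrowed to a /25, the same packet is handed to 10.0.0.1 and the firewall carries it into the tunnel.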

              • 4. Re: VPN / ARP problem

                It's working.... thanks a lot  :-)

                The local and virtual subnets were changed to 10.0.1.0/24 and 10.0.1.200/29.