LANCOM Support Knowledgebase Document No. 1702.2010.4150.RHOO - V1.10

The connection established with my LANCOM Advanced VPN Client doesn't work



Description:

This document deals with a number of reasons why data transmission may not be possible even if you have successfully established a VPN connection with the LANCOM Advanced VPN Client.


Requirements:
  • The latest version of the LANCOM Advanced VPN Client (download)
  • The latest LCOS version (download)
  • The latest LANtools version (download)


Scenario:

It is impossible to communicate via the VPN tunnel, even though the tunnel has been established. As illustrated in the image below, the VPN connection is established, but we have not received any RX data packets from the remote network.



Procedure:

The following settings should solve the problem:

Step 1:

1.1) On the remote router you wish to connect to, check if NAT-traversal is activated in the menu item Configure -> VPN -> General.




Step 2:

Check the order of the network adapters as found by your operating system.

Windows Vista, Windows 7 & Windows 8:

2.1) Open the Network and Sharing Center via Control Panel -> Network and Sharing Center.



2.2) Click on the option Change adapter settings.



2.3) Open the menu Advanced -> Advanced settings.

2.4) Re-order your network adapters as follows:

First position: Physical network adapter
Middle position: WLAN network adapters, Firewire, UMTS, etc.
Final position: Virtual network adapter LANCOM Advanced VPN Client

These changes come into effect after the computer's operating system is restarted.




Step 3:

Add the remote local IP network to the VPN configuration of the LANCOM Advanced VPN Client.

3.1) In the LANCOM Advanced VPN Client, open the menu Configuration -> Profiles.



3.2) Select the profile which you wish to edit and click on the Edit button.



3.3) Navigate to the menu Split tunneling.

3.4) Enter the local IP network(s) which are to be accessed via the VPN tunnel.

If you do not specify an IP network here, your Internet traffic will also be directed via the VPN tunnel!





Step 4:

Check if you require an IPSec pass-through, or whether this has been set up already.

By default, an IPSec connection uses UDP port 500, the IP protocol ESP (50), or UDP port 4500. The VPN tunnel may occasionally be directed via routers which do not support IPSec pass-through. In these cases, the IPSec packets may be handled incorrectly, or they may even be dropped.

A result of this is that, even though the tunnel has been established, it cannot be used for communications. This problem can be avoided by activating port forwarding for the UDP ports 500 and 4500 on the client-side of the router.



Step 5:

If you cannot use IPSec pass-through, you have the option of setting up a VPN connection based on IPSec over HTTPS. All you have to do in this case is to open the HTTPS port 443.

With IPSec over HTTPS, an attempt is first made to transfer data using standard IPSec. If the connection cannot be established (e.g. because IKE port 500 is blocked), an attempt is then automatically made to establish a connection that encapsulates the IPSec VPN in an additional SSL header (port 443, like HTTPS).

For a guide on setting up a VPN with IPSec over HTTPS, see the KnowledgeBase document 'Configuring IPsec over HTTPS'.



Step 6 – other possible error sources:

Generally speaking, the LANCOM Advanced VPN Client is not the only security software installed on a system to protect it from unauthorized access.

The system may also be running a virus scanner, a firewall, and/or a Spy Doctor. These programs often integrate deeply into the system, and they can cause software conflicts. A potential effect of this is that the LANCOM Advanced VPN Client may not be able to communicate over an active VPN tunnel.

In this case the connection problems cannot be solved simply by deactivating the program. To find out whether the programs being used are affecting communications, they must first be uninstalled and the operating system then restarted. LANCOM Systems has experienced problems of this nature with the programs listed below. The only way of assisting our customers was for them to uninstall this anti-virus or firewall software:

  • Norton Internet Security
  • Panda Antivirus
  • Trend Micro
  • Kaspersky



Step 7:

The VPN tunnel does not work using a UMTS/3G or LTE/4G connection. The following reasons may be causing the problem where a LANCOM Advanced VPN Client is operating on a computer which uses 3G/4G for its Internet connection.

7.1) The 3G/4G provider blocks communications on ports 500 and 4500, or the provider blocks the ESP protocol. In this case, contact the provider of your connection.

7.2) There is a conflict between the LANCOM Advanced VPN Client and the 3G/4G management software. If this is the case, you should prevent the 3G/4G management software from starting with the operating system, and you should allow the 3G/4G connection to be established by the LANCOM Advanced VPN Client.

For a description of how to set up a VPN client connection via 3G or 4G, see the KnowledgeBase article 'Setting up a VPN Client connection over UMTS/3G or LTE/4G'.



Step 8:

If your workstation has more than one active network adapter, please check the default gateway. Having more than one default gateway on a workstation may cause the packets to be sent in the wrong direction, or not to be sent at all.

8.1) You can read out your network settings by entering the command ipconfig at the Windows command-line prompt. To run this, click on Start, Run... and enter the command cmd.



8.2) At the command-line prompt you then type the command ipconfig.

In this example the workstation has just one default gateway.



8.3) You can adjust your network settings in the Properties for your network adapter.
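
Added example (not part of the LANCOM document): the Step 8 check done programmatically, by parsing ipconfig output and listing every adapter that carries an IPv4 default gateway. It assumes English-language ipconfig output; the adapter names and addresses in the sample are constructed.

```python
import re

# Constructed sample of English-language `ipconfig` output (not from the page).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : fe80::1%11
                                       192.168.1.1

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 10.20.30.40
   Default Gateway . . . . . . . . . : 10.20.30.1

Ethernet adapter Local Area Connection 2:

   IPv4 Address. . . . . . . . . . . : 172.16.5.9
   Default Gateway . . . . . . . . . :
"""

ADAPTER = re.compile(r"^\S.*? adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(.+?)(?: ?\.)+ ?:\s*(.*)$")  # "Label . . . : value"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def default_gateways(ipconfig_text):
    """Return {adapter name: [IPv4 default gateways]} from ipconfig output."""
    gateways, adapter, in_gw = {}, None, False
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line)
        if header:
            adapter, in_gw = header.group(1), False
            gateways[adapter] = []
            continue
        field = FIELD.match(line)
        if field:
            in_gw = field.group(1).strip() == "Default Gateway"
            value = field.group(2).strip()
        elif in_gw and line.strip():
            value = line.strip()  # continuation line of the gateway field
        else:
            in_gw = False
            continue
        if adapter and in_gw and IPV4.fullmatch(value):
            gateways[adapter].append(value)
    return gateways

def adapters_with_gateway(gateways):
    """Adapters that carry an IPv4 default gateway; more than one is the Step 8 case."""
    return sorted(name for name, gws in gateways.items() if gws)
```

On the constructed sample, two adapters report a default gateway, which is the condition Step 8 asks you to look for; on a live workstation, pass the captured text of ipconfig to default_gateways().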


Catchwords: avc; vpn; client; troubleshooting