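d******s Posts: 113 | 1 I currently have one machine running Win2k ICS as a proxy so that another machine can share
the DSL. Everything works fine.
But after I installed the VPN, the other machine could no longer get online.
It cannot even ping that server.
Is it because an IP tunnel cannot be used twice?
Does even traffic inside the LAN have to go through the IP tunnel?
Is there any way around this, other than buying a router? |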
y****t Posts: 10233 | 2 Seems VPN and firewall could not co-exist on the same computer, at least on my XP.
Check whether you have the firewall opened.
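【Quoting d******s】 : I currently have one machine running Win2k ICS as a proxy so that another machine can share : the DSL. Everything works fine. : But after I installed the VPN, the other machine could no longer get online. : It cannot even ping that server. : Is it because an IP tunnel cannot be used twice? : Does even traffic inside the LAN have to go through the IP tunnel? : Is there any way around this, other than buying a router?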
|
d******s Posts: 113 | 3 Sorry, I did not get you.
I use the ICS of Win2k as the proxy. Is there a firewall?
I cannot even ping the server in the LAN.
But the DHCP client successfully gets the IP address, gateway and DNS server
from the Win2K ICS.
【Quoting y****t】 : Seems VPN and firewall could not co-exist on the same computer, at least on my XP. : Check whether you have the firewall opened.
|
y****t Posts: 10233 | 4 http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/hnw_enable_firewall.asp
This is for XP, and please pay attention to the Notes 4th item.
If that is not your case, sorry, I am out of ideas.
【Quoting d******s】 : Sorry, I did not get you. : I use the ICS of Win2k as the proxy. Is there a firewall? : I cannot even ping the server in the LAN. : But the DHCP client successfully gets the IP address, gateway and DNS server : from the Win2K ICS.
|
v**n Posts: 951 | 5 When your VPN is up, you are part of the corporate network.
In short, your PC's IP protocol stack is intercepted.
Everything IP (local) will be encap'd in a VPN packet (ipsec, l2tp, pptp, whatever)
and tunnelled to the corporate network and then deencap'd at the remote
endpoint (most likely within your corporate network); the real IP packet has to
find its way from there.
So it is obvious that the other PC on your local LAN can't ping you and you
can't ping it either.
Some VPN clients can handle this
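【Quoting d******s】 : I currently have one machine running Win2k ICS as a proxy so that another machine can share : the DSL. Everything works fine. : But after I installed the VPN, the other machine could no longer get online. : It cannot even ping that server. : Is it because an IP tunnel cannot be used twice? : Does even traffic inside the LAN have to go through the IP tunnel? : Is there any way around this, other than buying a router?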
|
d******s Posts: 113 | 6 Thanks very much anyway!
【Quoting y****t】 : http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/hnw_enable_firewall.asp : This is for XP, and please pay attention to the Notes 4th item. : If that is not your case, sorry, I am out of ideas.
|
d******s Posts: 113 | 7 The local packets will be tunneled also?
This is the case:
PC2------PC1-----Internet
PC2 accesses PC1 via Win2k's ICS.
PC2 does not run the VPN client.
Let PC1 run the VPN client, then PC2 cannot ping PC1.
Will the packets destined to PC1 be tunneled?
Or maybe the VPN client intercepted the protocol stack of the
LAN part of PC1 also?
【Quoting v**n】 : When your VPN is up, you are part of the corporate network. : In short, your PC's IP protocol stack is intercepted. : Everything IP (local) will be encap'd in a VPN packet (ipsec, l2tp, pptp, whatever) : and tunnelled to the corporate network and then deencap'd at the remote : endpoint (most likely within your corporate network); the real IP packet has to : find its way from there. : So it is obvious that the other PC on your local LAN can't ping you and you : can't ping it either. : Some VPN clients can handle this
|
v**n Posts: 951 | 8
How many NICs are installed on your PC1?
What VPN client are you running? Cisco VPN dialer?
【Quoting d******s】 : The local packets will be tunneled also? : This is the case: : PC2------PC1-----Internet : PC2 accesses PC1 via Win2k's ICS. : PC2 does not run the VPN client. : Let PC1 run the VPN client, then PC2 cannot ping PC1. : Will the packets destined to PC1 be tunneled? : Or maybe the VPN client intercepted the protocol stack of the : LAN part of PC1 also?
|
v**n Posts: 951 | 9
And please check your routing table when the VPN is up.
I bet the route to your PC2 won't be there anymore.
I think PC1 sees the ICMP echo request packet, but tries to route the ICMP echo
reply via your corporate network, so PC2 won't receive it.
You could try this: when the VPN on PC1 is up, can you access corporate web pages,
things like that, from PC2?
【Quoting v**n】 : How many NICs are installed on your PC1? : What VPN client are you running? Cisco VPN dialer?
|
d******s Posts: 113 | 10 PC1 has two NICs. One is for DSL, one is for the LAN.
Yeah, you are right. The problem is that the VPN will take over the connection of
both the Internet and the LAN. Whatever the destination is, the VPN
will route it first to the VPN router.
I used Cisco VPN.
I cannot find a configuration that can make the VPN take over only
the DSL part, not the LAN.
【Quoting v**n】 : And please check your routing table when the VPN is up. : I bet the route to your PC2 won't be there anymore. : I think PC1 sees the ICMP echo request packet, but tries to route the ICMP echo : reply via your corporate network, so PC2 won't receive it. : You could try this: when the VPN on PC1 is up, can you access corporate web pages, : things like that, from PC2?
|
m**t Posts: 1292 | 11 u may try to manipulate the adapter bindings from the control panel if Cisco
uses the virtual adapter binding, or... change the VPN SPD to bypass the processing
for your LAN? Just a suggestion though, never used the Cisco VPN client.
【Quoting d******s】 : PC1 has two NICs. One is for DSL, one is for the LAN. : Yeah, you are right. The problem is that the VPN will take over the connection of : both the Internet and the LAN. Whatever the destination is, the VPN : will route it first to the VPN router. : I used Cisco VPN. : I cannot find a configuration that can make the VPN take over only : the DSL part, not the LAN.
|
v**n Posts: 951 | 12 CSCO and MSFT declare ICS and VPN client are not compatible.
I have no clue, sorry.
Anyway, buy a cheap router.
【Quoting d******s】 : PC1 has two NICs. One is for DSL, one is for the LAN. : Yeah, you are right. The problem is that the VPN will take over the connection of : both the Internet and the LAN. Whatever the destination is, the VPN : will route it first to the VPN router. : I used Cisco VPN. : I cannot find a configuration that can make the VPN take over only : the DSL part, not the LAN.
|
d******s Posts: 113 | 13 I worked it out.
It is simple, in the LAN connection of the PC1, I can disable the
VPN enhancement. Then everything is fine.
【Quoting v**n】 : CSCO and MSFT declare ICS and VPN client are not compatible. : I have no clue, sorry. : Anyway, buy a cheap router.
|
v**n Posts: 951 | 14 Cool. What's VPN enhancement?
【Quoting d******s】 : I worked it out. : It is simple, in the LAN connection of the PC1, I can disable the : VPN enhancement. Then everything is fine.
|
d******s Posts: 113 | 15 In the connection properties, there is a Cisco VPN
Network Enhancer in the General tab. It is like a protocol, I think.
If this is enabled, then the VPN will take over the TCP/IP suite
of this connection. I disabled this enhancer on the LAN
connection of PC1. Then the destinations using this
connection will not be tunneled by the VPN.
【Quoting v**n】 : Cool. What's VPN enhancement?
|
m**t Posts: 1292 | 16
that makes sense, I think I pointed it out in my previous followup
【Quoting d******s】 : In the connection properties, there is a Cisco VPN : Network Enhancer in the General tab. It is like a protocol, I think. : If this is enabled, then the VPN will take over the TCP/IP suite : of this connection. I disabled this enhancer on the LAN : connection of PC1. Then the destinations using this : connection will not be tunneled by the VPN.
|
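The route selection described in post 9 and the effect of the fix in post 15, as an added example that is not part of the thread: a longest-prefix-match lookup over three constructed routing tables for PC1, showing where the echo reply to PC2 is sent in each case. The 192.168.0.0/24 subnet, the 203.0.113.10 gateway, the metrics and the interface names are assumptions, and the tables model only the behaviour the posters describe, not the Cisco client's internals.

```python
import ipaddress

# Constructed routing tables for PC1: (destination prefix, interface, metric).
# 192.168.0.0/24 is assumed for the ICS LAN; 203.0.113.10 is a placeholder VPN gateway.
BEFORE_VPN = [
    ("0.0.0.0/0", "dsl", 10),
    ("192.168.0.0/24", "lan", 10),
]
# VPN has taken over both connections (posts 9 and 10): the LAN route is gone.
VPN_ALL_ADAPTERS = [
    ("0.0.0.0/0", "vpn", 1),
    ("203.0.113.10/32", "dsl", 1),  # the tunnel packets themselves still leave via DSL
]
# VPN no longer bound to the LAN connection (post 15): the LAN route is back.
VPN_LAN_EXCLUDED = VPN_ALL_ADAPTERS + [("192.168.0.0/24", "lan", 10)]


def lookup(routes, dst):
    """Return the egress interface: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix).prefixlen, -metric, iface)
        for prefix, iface, metric in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    return max(matches)[2] if matches else None


def tunneled_local_hosts(routes, hosts, tunnel_iface="vpn"):
    """List LAN hosts whose replies would be sent into the tunnel instead of the LAN."""
    return [h for h in hosts if lookup(routes, h) == tunnel_iface]


if __name__ == "__main__":
    pc2 = "192.168.0.2"  # constructed address for PC2
    for name, table in [("before VPN", BEFORE_VPN),
                        ("VPN on all adapters", VPN_ALL_ADAPTERS),
                        ("VPN, LAN excluded", VPN_LAN_EXCLUDED)]:
        print(f"{name:22} echo reply to {pc2} leaves via {lookup(table, pc2)}")
```

Running `tunneled_local_hosts` against the table observed while the VPN is up gives a quick check of whether LAN-local traffic is being pulled into the tunnel.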