Can only see VPN server

Isidore

I've been fooling around with this for a while. I can
connect via VPN with no problems but after that, I cannot
see anything on the network other than the VPN server.
I am using a Linksys router connected to the internet via
DSL and behind it is my network (including my webserver,
VPN server and other network clients). I've reconfigured
it a bunch of times but still no dice. I can ping the VPN
server fine but nothing else on the internal network. Any
help will be appreciated.
 
Truth

In the VPN connection properties, go to Advanced
and uncheck the "use the gateway on the remote network" tab.
That will resolve your problems.

Truth
 
Kadirvel C Vanniarajan [MSFT]

Please provide the following information.
What is your VPN server? How is the VPN server and the internal network
organized? What is the IP address assigned to the clients? Are you able to
reach your internal network machines via their IP address (by pinging)?
 
Troy Donovan

I'm not the person who started this thread, but this thread captures
my symptoms perfectly. I have spent a few days sifting through the
many messages here and I have taken every course of action that I can
think of. So let me answer your questions hoping that you will have
some suggestions or may be able to focus my thinking on the point that
I have overlooked.

What is your VPN server?

My VPN server is Windows 2000 server.

How is the VPN server and the internal network organized?

The VPN server is the DC (pure Win2000 domain) and runs RRAS with
Router (Local area network (LAN) routing only) and Remote access
server enabled. DNS and WINS also run on this computer. There is a
single subnet on the internal LAN (192.168.0.0/24) with the AD at
fixed IP 192.168.0.200.

What is the IP address assigned to the clients?

Client (XP Pro) NICs are on subnet 192.168.11.0/24 and when they
connect via PPTP they are assigned addresses from a static address
pool on subnet 192.168.100.0/24. On the remote clients, in the
connection properties of the VPN connection "use default gateway on
remote network" is checked.

Are you able to reach your internal network machines via
their IP address (by pinging)?

Unfortunately, no. From the VPN clients I can ping 192.168.100.1 and
192.168.0.200 but that is all. No other machines on the LAN can be
pinged.

Let me add some information that should be relevant. In the RRAS
console, in the server properties dialog IP tab I have "Enable IP
routing" checked.

I understand that these problems are common and are usually caused by
improper routing tables. I have racked my brain over this day after
day. Let me mention the routing that I have confirmed for the
round-trip from the VPN workstation to a workstation inside the LAN.

VPN client routes:

(In the text presented below I edited the way that the metric shows up
to try to prevent text wrapping. The metric follows a hyphen at the
end of the line.)

Active Routes:
Net Destination    Netmask            Gateway          Interface-M
0.0.0.0            0.0.0.0            192.168.11.1     192.168.11.20-21
0.0.0.0            0.0.0.0            192.168.100.2    192.168.100.2- 1
127.0.0.0          255.0.0.0          127.0.0.1        127.0.0.1- 1
192.168.11.0       255.255.255.0      192.168.11.20    192.168.11.20-20
192.168.11.20      255.255.255.255    127.0.0.1        127.0.0.1-20
192.168.11.255     255.255.255.255    192.168.11.20    192.168.11.20-20
192.168.100.2      255.255.255.255    127.0.0.1        127.0.0.1-50
192.168.100.255    255.255.255.255    192.168.100.2    192.168.100.2-50
220.106.114.180    255.255.255.255    192.168.11.1     192.168.11.20-20
224.0.0.0          240.0.0.0          192.168.11.20    192.168.11.20-20
224.0.0.0          240.0.0.0          192.168.100.2    192.168.100.2- 1
255.255.255.255    255.255.255.255    192.168.11.20    192.168.11.20- 1
Default Gateway: 192.168.100.2
====================================================================
Persistent Routes:
Network Address    Netmask            Gateway Address    Metric
192.168.0.0        255.255.255.0      192.168.100.1      1

In the above I may have added a route to the 192.168.100.0 subnet in
the AD user profile or I may have added it as a static route. I have
done both at different times.

On the workstation, a persistent route to the 192.168.0.0 subnet is
added even though it is not needed.

On the VPN server I'm not sure how to get a print out of the routing
table in the RRAS console. Presumably it is able to route from the
192.168.100.0 subnet to the 192.168.0.0 subnet. I see the following
route:

Net Destination    Netmask          Gateway          Interface-M
192.168.0.0        255.255.255.0    192.168.0.200    192.168.0.200-1

in the console and in the route table from a command line. Also on
the VPN server, I see the return route:

Net Destination    Netmask          Gateway          Interface
192.168.100.0      255.255.255.0    192.168.100.1    Internal

The above is in the RRAS console routing information but does not show
up at a command line "route print" command.

Finally, at a workstation on the LAN I have added a route to the
192.168.100.0 subnet AND to the 192.168.11.0 subnets.

Persistent Routes:
Network Address    Netmask          Gateway Address    Metric
192.168.11.0       255.255.255.0    192.168.0.200      1
192.168.100.0      255.255.255.0    192.168.0.200      1

On the LAN, I do tracert -d 192.168.100.2

Tracing route to 192.168.100.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.0.200
2 * * * Request timed out.

which gets me to the VPN server and a dead end.

From the client I tracert the workstation on the LAN
tracert -d 192.168.0.3

Tracing route to 192.168.0.3 over a maximum of 30 hops

1 * * * Request timed out.

Obviously I'm missing something.

--
TD


 
Bill Grant

You can get a printout of the routing table on the VPN server the same
way as you do on the client machine - do a route print from a command
prompt. You can also see the routing table by right-clicking any interface
in the RRAS console and selecting the routing table option.

You should not need any routes added to the VPN client. As your routing
table shows, its default route now points to the VPN link (192.168.100.2),
so all non-local traffic will go to the VPN server over the VPN link.

On the 192.168.0.x LAN client, you do not need a route to 192.168.11.0.
All traffic coming in from the VPN client will be using its "VPN" address
of 192.168.100.x. The route you added to forward 192.168.100.0 traffic to
the VPN server should do the job. You don't even need that if the VPN server
is the default gateway for this client.

It should work as it is. If you can't see anything odd in the server's
routing table, post it here (i.e. a routing table when the VPN client is
connected).

PS. Is the default gateway setting on the VPN server's LAN NIC blank? The
only default route of this machine should be out to the Internet.

 
Troy Donovan

Bill,

Thank you for getting back to me. This really has me backed up.

You asked:
Is the default gateway setting on the VPN server's
LAN NIC blank?

Yes. I have added a static route in the RRAS console to replace it
(0.0.0.0 mask 0.0.0.0 GW 192.168.0.1). Having done that I am a bit
surprised to see a default gateway show up at the command line "Route
Print."

If you can't see anything odd in the server's
routing table, post it here (ie a routing table when the VPN client is
connected).

One thing that was surprising to me was to find the public IP address
of the firewall of the VPN client in the routing table at the command
line. That shows up as XXX.XX.XXX.XX below. My guess is that it is
completely unrelated.

I found a few differences between the route table at the command line
and the route table that can be viewed in the RRAS console. I'm not
sure what is the most understandable way to present it. Below I will
mark lines that are exclusive to the command line route print with
"CL" and those that are exclusive to the RRAS console "RC".

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x1000003 ...00 40 26 f9 9e b0 ...... MELCO LGY-PCI-TXC
===========================================================================
===========================================================================
Active Routes:
    Network Destination  Netmask          Gateway        Interface
    0.0.0.0              0.0.0.0          192.168.0.1    192.168.0.200
    127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1
RC  127.0.0.1            255.255.255.255  127.0.0.1      loopback
    192.168.0.0          255.255.255.0    192.168.0.200  192.168.0.200
    192.168.0.200        255.255.255.255  127.0.0.1      127.0.0.1
CL  192.168.0.255        255.255.255.255  192.168.0.200  192.168.0.200
RC  192.168.100.0        255.255.255.0    192.168.100.1  Internal
    192.168.100.1        255.255.255.255  127.0.0.1      127.0.0.1
CL  192.168.100.2        255.255.255.255  192.168.100.1  192.168.100.1
RC  192.168.100.2        255.255.255.255  192.168.100.2  192.168.100.1
RC  192.168.100.255      255.255.255.255  192.168.100.1  Internal
CL  XXX.XX.XXX.XX        255.255.255.255  192.168.0.1    192.168.0.200
RC  224.0.0.0            240.0.0.0        192.168.100.1  Internal
RC  224.0.0.0            240.0.0.0        192.168.0.200  Internal
CL  224.0.0.0            224.0.0.0        192.168.0.200  192.168.0.200
RC  255.255.255.255      255.255.255.255  192.168.100.1  192.168.0.200
    255.255.255.255      255.255.255.255  192.168.0.200  192.168.0.200
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None

I can't find any problem with it.

TIA
 
Bill Grant

The main problem is the route you added. The default route of your server
should be out to the Internet, not to the LAN NIC. How does this server
connect to the Internet?

It is not really surprising to see the remote client's firewall public
IP. How do you think the VPN data crosses the Internet to the remote client?
It travels as encrypted data inside another IP packet with the public IP
address of the client. If the client is private behind a firewall, it uses
the public IP of the firewall.

This also shows why the server's default route must be out to the
Internet. That is where the public-addressed packet must go to reach the
remote client.
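
The routing decisions discussed in Bill Grant's two replies (the client's default route over the VPN link, the LAN host's return route, and the host route that carries the outer tunnel packet) can be replayed with a longest-prefix, lowest-metric lookup. This is an added example, not code from any poster; it uses only the unicast rows posted in the thread and assumes the LAN host's connected and default routes, the server metrics, that 220.106.114.180 is the tunnel's far end, and 203.0.113.10 as a placeholder for the redacted client address.

```python
import ipaddress

# Rows are (destination, netmask, gateway, interface, metric). Unicast rows only,
# copied from the tables posted in the thread unless marked "assumed".
CLIENT_PUBLIC = "203.0.113.10"   # placeholder for the redacted XXX.XX.XXX.XX
CLIENT = [
    ("0.0.0.0", "0.0.0.0", "192.168.11.1", "192.168.11.20", 21),
    ("0.0.0.0", "0.0.0.0", "192.168.100.2", "192.168.100.2", 1),
    ("192.168.11.0", "255.255.255.0", "192.168.11.20", "192.168.11.20", 20),
    ("220.106.114.180", "255.255.255.255", "192.168.11.1", "192.168.11.20", 20),
]
SERVER = [  # metrics are not shown in the thread; 1 is assumed
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.200", 1),
    ("192.168.0.0", "255.255.255.0", "192.168.0.200", "192.168.0.200", 1),
    ("192.168.100.2", "255.255.255.255", "192.168.100.1", "192.168.100.1", 1),
    (CLIENT_PUBLIC, "255.255.255.255", "192.168.0.1", "192.168.0.200", 1),
]
LAN_HOST = [  # 192.168.0.3; first two rows assumed, third is the posted static route
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.3", 20),
    ("192.168.0.0", "255.255.255.0", "192.168.0.3", "192.168.0.3", 20),
    ("192.168.100.0", "255.255.255.0", "192.168.0.200", "192.168.0.3", 1),
]

def best_route(table, dst):
    """Pick the route the way the IP stack does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for row in table:
        net = ipaddress.ip_network(f"{row[0]}/{row[1]}")
        if addr in net:
            candidates.append((-net.prefixlen, row[4], row))
    return min(candidates)[2] if candidates else None

def next_hop(table, dst):
    """Return (gateway, interface) of the winning route, or None if unroutable."""
    row = best_route(table, dst)
    return (row[2], row[3]) if row else None

def round_trip(lan_table):
    """Each routing decision for client -> 192.168.0.3 and the reply."""
    return {
        "client inner packet": next_hop(CLIENT, "192.168.0.3"),
        "client outer PPTP packet": next_hop(CLIENT, "220.106.114.180"),
        "server forwards to LAN": next_hop(SERVER, "192.168.0.3"),
        "LAN host reply": next_hop(lan_table, "192.168.100.2"),
        "server forwards reply": next_hop(SERVER, "192.168.100.2"),
        "server outer PPTP packet": next_hop(SERVER, CLIENT_PUBLIC),
    }

if __name__ == "__main__":
    for label, table in (("with static route", LAN_HOST), ("without", LAN_HOST[:2])):
        print(label)
        for step, hop in round_trip(table).items():
            print(f"  {step:26} via {hop[0]} on {hop[1]}")
```

Dropping the LAN host's 192.168.100.0 route (`LAN_HOST[:2]`) sends the reply to the assumed default gateway 192.168.0.1 instead of the VPN server, which is the case the static route or a default gateway pointing at the VPN server is meant to cover.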
 
Troy Donovan

Thanks for getting back to me!

The main problem is the route you added. The default route of your server
should be out to the Internet, not to the LAN NIC.

The LAN NIC is 192.168.0.200. The default route I added in RRAS
console is to 192.168.0.1 which is the firewall.

Anyway, I have great connectivity between the VPN client and the VPN
server. I just can't pass data to/from the VPN client to/from
anywhere else. I suspect that this is why a group profile won't stick
to the VPN client.

Thanks!
 
Troy Donovan

I've seen so many threads like this peter out without resolution that
it makes one wonder what is going on. I think I'll put a note at the
end of this thread to make it clear what happened.

There could have been several reasons that I can think of why this
server was different than others. For one, it was a PDC. For
another, it was promoted to PDC and I could never quite exorcise the
old PDC. Also, I toyed with the idea of using L2TP on this server
even though I am behind a NAT router, for example, by putting a second
NIC on the server and somehow getting traffic through the router
without NAT for that one NIC only. After giving up on this I didn't
uninstall the NIC but disabled it. Suffice it to say I never got
routing to happen on this server however carefully I held my tongue.
No one has pointed out to me what I did wrong nor made any suggestions
as to other avenues of approach. Many other threads suggest a binding
adjustment on the advanced tab on the advanced Network settings dialog
which I guess is something from Windows 2003 server because I don't
see anything like that on Windows 2000 server.

So, my solution was to take another albeit aged server and press it
into service as the dedicated RRAS server. I have had all the routing
problems that I would have expected, but they responded to the proper
treatment whereas the server which is the subject of this thread would
never route whatever treatment I performed.

When I came into this I didn't really have much idea how to deal with
routing issues. My advice to anyone who is doing VPN on Windows 2000
is that you cannot expect to make any headway whatever unless you know
your way around a routing table.
 
