Direct Dial Routing Issue

Thread starter: durinp
Hello,
Today I just started messing with VPNs. I was able to successfully
get a VPN working from my laptop to my server. Below is the ipconfig
output:

PPP adapter VPN:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.1.52
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 172.16.1.52

You see how it is assigning me a default gateway? From what I think I
know so far, that gateway address lets me traverse the LAN from the
routing and remote access server. I can ping other addresses such as
172.16.1.253, 252, etc... I can see all IPs on the other side. So, no
problems there.

I need to set up a Demand Dial interface between one server in a remote
location and the server I already set VPN access on using PPTP. I set
them up and the two can authenticate with each other, and the direct
dial connection becomes established; however, packets are not being
routed across the LAN on either server. Below is the ipconfig output:


PPP adapter {948561E6-1C48-42E4-AECB-9A98950E6E60}:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.1.53
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Do you see how it has no gateway? I'm very sure that's my problem, but
I have no idea how to fix it.
 
To route between the clients behind the servers you need to set up a
site-to-site VPN (also called a router-to-router or LAN-to-LAN VPN link).

The details are explained in the help files. If you need more info, try
www.microsoft.com/vpn.

In brief, a site-to-site VPN does not set up any routes by default. You
need to set up demand-dial interfaces and configure subnet routes linked to
these interfaces. When the VPN connects, the routes become active and route
traffic through the VPN link for the "other" site.
 
Here is my network layout

Branch: 172.16.1.0/24

Main Office: 172.16.2.0/23

On one, in order to get the VPN to work, this is the static route I
configured:

Destination: 172.16.1.0
Network Mask: 255.255.255.0
Gateway: None (It won't let me set this because it initiates the demand
dial connection)
Interface: office_vpn

In the office, this is the static route I configured
Destination: 172.16.2.0
Network Mask: 255.255.254.0
Gateway: None (same as before)
Interface: main_vpn

With these configured, I can ping the server I connect to on the other
side of the VPN, but not any of the other IPs on the subnet. I know I
have to add a static route to tell it how to get there, but I'm not
sure what static routes to add and to which interface.
 
OK, I added static routes on each server to its own network and now if
I'm on a VPN server, my traffic is routed correctly at the other end of
the VPN.

Now, how can I set it up so that client machines can traverse the VPN?
I'm assuming I have to manually add a route on the machine but I'm not
sure.
 
No, you do not manually add routes. You configure the routes using the
New Static Route wizard in RRAS. You select the demand-dial interface (from
the dropdown list) to link the route to the dd interface. You then configure
the calling router so that it connects to the dd interface (by using the
name of the dd interface as the username making the connection). When you
connect to the dd interface, the route becomes active and routes traffic for
the subnet through the VPN link.
 
I believe the issue I'm having is with the static routing. As I stated
earlier, I have two networks:

172.16.0.0/23 and 172.16.0.2/23

Directly from the VPN machines, it is working perfectly. Here is a
traceroute from 172.16.3.100 to 172.16.1.2

Tracing route to ah0015.company.local [172.16.1.2]
over a maximum of 30 hops:

1 143 ms 16 ms 9 ms BACKUPDOMAIN [172.16.3.102]
2 15 ms 9 ms 9 ms ah0015.company.local [172.16.1.2]

Trace complete.

It goes right over the VPN IP and connects directly to the other
machine. I think my problem is with RRAS not routing traffic from
other local machines through the VPN. I setup a rule on our Cisco
switch in our datacenter routing all traffic destined for 172.16.0.0/23
to be routed to the RRAS/VPN server. Below is a traceroute of what is
happening:

Tracing route to 172.16.1.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 69.X.X.X <--- Cisco switch
2 1 ms <1 ms <1 ms BILL [69.X.X.X] <--- public IP of the RRAS/VPN server
3 * * * Request timed out
etc...

So, the Cisco is routing it correctly to the RRAS/VPN server, but then
it's not routing it correctly. But, as I pasted before, the routes
appear to be correct since I am able to do it directly from the VPN
machine. Here are the static routes that were setup in RRAS

Destination: 172.16.2.0
Network Mask: 255.255.254.0
Gateway: 172.16.3.254
Interface: Local Area Connection

Destination: 172.16.0.0
Network Mask: 255.255.254.0
Gateway: None (If you route through a direct dial connection, you can
not specify a gateway)
Interface: office_vpn

So, any ideas?
 
I agree with that. It almost certainly is the static routes on the
servers. Have you looked at both ends? The traffic has to get back as well!
 
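Pulling the two replies above together (routes are bound to the demand-dial interface inside RRAS rather than added by hand on clients, and the return path has to exist as well as the forward one), here is an added example. It is not code from the thread or from Microsoft's documentation. It uses the interface names and the first network layout posted above (office_vpn and main_vpn, branch 172.16.1.0/24, main office 172.16.2.0/23, main-office LAN gateway 172.16.3.254) and the Windows Server 2003-era netsh routing context. The branch RRAS server's LAN address (172.16.1.1) and the account names are assumptions, since the thread never states them, and the poster later widened the branch prefix to a /23, so adjust the masks to whatever is actually in use.

```powershell
# Added example, not from the thread. Run in an elevated prompt on each RRAS
# server. Subnets and dd interface names are the poster's; 172.16.1.1 (branch
# RRAS LAN address) and the account names are assumed placeholders.

# ---- Main-office RRAS server: LAN 172.16.2.0/23, dd interface "office_vpn" ----
# Static route for the branch prefix, bound to the dd interface. No nhop: a PPP
# link is point-to-point, so "Gateway: None" in the wizard is expected, not a
# fault. proto=static means traffic matching this prefix triggers the dd call.
netsh routing ip add persistentroute dest=172.16.1.0 mask=255.255.255.0 name="office_vpn" proto=static metric=1

# The answering side must accept the caller: the calling router authenticates
# using the name of THIS server's dd interface as its username, so an account
# called office_vpn with dial-in permission has to exist here (assumed local).
net user office_vpn * /add           # prompts for the password
# ...then grant "Allow access" on that account's Dial-in tab (or through the
# RRAS remote access policy); that step is done in the console, not netsh.

# ---- Branch RRAS server: LAN 172.16.1.0/24, dd interface "main_vpn" ----
netsh routing ip add persistentroute dest=172.16.2.0 mask=255.255.254.0 name="main_vpn" proto=static metric=1
net user main_vpn * /add

# ---- Verify on each server ----
netsh routing ip show persistentroutes   # prefix listed against the dd interface
netsh routing ip show rtmroutes          # route only becomes active once the link is up
netsh routing ip show interface          # LAN and dd interfaces must both be Enabled

# ---- The return path (why the client traceroute stopped at hop 2) ----
# A packet from 172.16.3.100 reaches the main-office RRAS server because the
# Cisco forwards the branch prefix there. The reply from 172.16.1.2 still needs
# a route back: either the branch hosts' default gateway is the branch RRAS
# server, or the branch's router (or each host) must send the office prefix to
# it. On a branch host whose gateway is something else, as a test:
route add -p 172.16.2.0 mask 255.255.254.0 172.16.1.1 metric 1
tracert -d 172.16.3.100                  # expect 172.16.1.1, then the VPN hop, then the host
```

Read `netsh routing ip show rtmroutes` on both servers while the link is up: the remote prefix must appear on each, pointing at its dd interface, and each LAN's hosts must reach their own RRAS server for that prefix. If either side is missing, the forward half works from the RRAS server itself (as in the poster's working traceroute) while client traffic dies one hop past it. Once routing works, both LANs are fully reachable from each other; RRAS lets you attach inbound and outbound IP filters to the demand-dial interface in the console, which is the place to narrow that exposure to the hosts and ports the branch actually needs.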