Issue with routing in Win2K3 VPN and Windows XP client

[Matt Andres]

I have an issue that seemed to start about the same time we began upgrading
laptops to Windows XP Service Pack 2. But, we have gone back and tried
non-service pack 2 laptops and the problem occurs there as well now.

But, the problem is this.
I have an internal network with multiple VLAN's.The VPN server has two
NIC's, 1 trusted (internal) and 1 untrusted (internet, on DMZ). The internal
NIC is on segement 10.1.16.0. The network interface 's do not have default
gateways set, I set those as static routes within RRAS with the internal
route being 10.0.0.0 through the default gateway of 10.1.16.253. When I
connect with my client form home I can connect to anything in the 10.1.16.0
segment but nothing beyond. We have a number of VLANS in the 10.189.0.0
range that I should be able to access. One work around, that for some reason
does not work every time, is to manually add a static route on my client for
10.0.0.0 with the gateway being the ip address assigned to my vpn session,
for instance 10.16.1.109. Client ip address are assigned from the DHCP
server o nthe 10.1.16.0 segment.

The sever is an IBM xSeries 335, dual proc, 1Gig RAM, Windows 2003 with all
but a couple of the latest security updates.

Client is Windows XP, Service pack 2 with all security updates.


Matt Andres

 

[Robert L [MS-MVP]]

this may help. quoted from http://www.ChicagoTech.net

Can ping VPN server only but not other resources

Symptom: after establishing VPN, you can ping and access the VPN server, but
not other servers and the network resources.

Cause: 1. incorrect NAT/Firewall settings.
2. ISA/Proxy blocking.
3. Disable IP routing/forwarding.
--
For more and other information, go to http://www.ChicagoTech.net


Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.

 

[Matt Andres]

I can ping beyond the VPN server, just not beyond the segment that it is on.
There is a static route defined on the VPN server to allow this and it used
to work. Not sure what happened to cause it to stop.

 

[Robert L [MS-MVP]]

posting the routing table here may help.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.