Make a VPN client's internal network visible to the VPN server

  • Thread starter Thread starter \Rob\
  • Start date Start date
R

\Rob\

Hi, does anyone know if it is possible to have a VPN client's internal
network visible from the VPN server upon connection?

If so, how do you do this for both the client & server?

I'm using XP Pro as the client & Windows Server 2003 with RRAS.

Thanks
 
Rob,

as far as i know this is not possible. As soon as you make a
VPN-connection you will get an extra IP on your client. there are
logically several reasons why the server cannot connect to the "other
network" the client is on. Two i stated here:

* The server does not know the adress ranges the client has connected.
There is no trigger to put those ranges in the routing tabke of the
server, so the server will direct all IP-traffic to those "client
ranges" to it's default gateway.

* The client will not route between the VPN and the "client networks",
unless ICS is enabled. In that case there will be NATting, and that is
in this case "one way inititated" for the same reason as above.

Greetz,

Trumpeteer
 
The basic reason that this doesn't work is that a normal VPN connection is
just a client-server setup. The client sends all non-local traffic across
the VPN link by default and the server has a host route back to the client.
Any other machines behind this client machine can't route to the remote
server because the remote server/router doesn't have a return route for
them - it only has a host route for the VPN client. See KB 254231 .

To get full routing between two sites requires a site-to-site VPN.
Instead of a simple client-server connection you set up a router-to-router
VPN connection. You configure routes on these routers to route trafffic for
the "other" site through the VPN link. Clearly this requires a router at
both ends, and you can find documentation to do this with RRAS or with ISA.

It is possible (but not recommended) to use XP as the router at one end
if you have RRAS at the other. It is not as versatile as the full setup with
two RRAS servers. You can only initiate the connection from the XP end. You
configure the RRAS server as for a site to site VPN (setting up the return
route linked to a demand-dial interface). At the other end, you enable IP
routing on the XP and when you connect the VPN, you use the name of the
demand-dial interface on the answering router as the username. This binds
the VPN to the demand-dial interface and sets up the return route through
the VPN for the subnet behind the XP. (In other words, the XP machine
connects as a router, not as a normal VPN client). So you have default
routing to get traffic from the XP's network to the RRAS server and a static
route through the VPN to get the return traffic back to the XP router from
the RRAS router.
 
Hi Rob,
You can archieve this by having to ISA server on the two site and setup VPN
tunnel accross the two ISA Server.

Hope this helps,

Patrick
 
Back
Top