PPTP Pass through for VPN not on RRAS

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

How do I configure RRAS to pass though PPTP traffic?
We have a Windows 2003 server that is acting as a Wireless Router. The test
network server TESTSERV1 is dual-homed with an IP of 192.168.1.3 and has an
on-board Wireless NIC (192.168.2.10) that connects to a DSL wireless router
(192.168.2.1) the default gateway is the wireless router. The wired network
clients are on 192.168.1.0 and go to TESTSERV1 (192.168.1.3) which routes
them to the DSL Router (192.168.2.1) to use our test DSL link.

This all works fine, except for PPTP. When we are testing our PPTP server,
clients with a 192.168.2.0 IP address (well, it's just one Wireless client)
can establish a PPTP session by going out over the DSL line, and in to our
main PPTP server which has a public IP. Our PPTP server works fine for all
remote clients, and we know that it is all working from that end - it's only
our test network that is not working.
The problem is that all clients who are on our test 192.168.1.0 network
cannot establish a PPTP session, because they are going through the RRAS on
the Windows 2003 server TESTSERV1 that has the Wireless card in it. They can
resolve the PPTP server address, but they cannot authenticate or register on
the remote network. All 192.168.1.0 clients can access the Internet through
the Wireless router and DSL link.

What do I need to configure on the Routing and Remote Access to be a
pass-though PPTP router, and not terminate the PPTP connection on itself? All
I can see in RRAS is how to make the RRAS server a PPTP server, but not how
to make it pass TCP/1723 and GRE traffic?

Thanks
 
Are you sure that this is really the problem? If you have configured RRAS
as a LAN router it shouldn't be doing any filtering at all. It only does
filtering if you set it up using the VPN server option or if you turn the
firewall on (or actually configure packet filters). Have you checked the
actual filter settings on the server's NICs? By default they are set to
allow all traffic.

What error message do you get when you try to connect from the
192.168.1.0 subnet?
 
I am not sure that RRAS is the source of the problem, it's just that the
symptoms seem to be pointing to that server.
Our DSL router is a wireless box because the DSL line is not near an
Ethernet socket. Wireless clients can connect to our PPTP server by going out
through the Internet connection, but all 6 clients on our test 192.168.1.0
subnet all get the connection hanging during the authentication period. The
server TESTSERV can make a PPTP session itself, but that is because it's
default gateway is on the 192.168.2.0 subnet (the Wireless DSL router).
Once the clients on 192.168.1.0 start the connection to the PPTP server,
they communicate and then timeout when it's checking the username and
password, before the client is registered on the remote network.

I was just hoping that there was an option within RRAS that I missed that
allowed the PPTP traffic to be passed through the NAT done by RRAS.

Is there another way, where the server TESTSERV1 could run the PPTP tunnel,
and all clients on the 192.168.1.0 subnet could use that tunnel? But we would
have to configure the tunnel to not allow traffic from our main network
192.168.44.0 (where the PPTP server is) out to our test network 192.168.1.0
through the tunnel (because we have lots of stuff on the test workgroup that
we don't want our users to get to!)
How do I do that?
 
The PPTP server is probably having problems setting up a host route
back to the client because of the extra hop. You could try enabling NAT on
the test server so that the clients actually use the 192.168.2.x address of
the server. (This means you are doing NAT twice, but it works OK for a test
setup).

You can certainly set up a router-to-router VPN connection between the
two servers. But with the default settings that would allow each subnet to
see the other, which isn't what you want to happen.

What does the main network use as its default gateway? If it is not the
PPTP server, you could set it up so that only selected machines could route
through the VPN (using static routes). But if the PPTP server is also the
default gateway, all machines would have automatic access to the VPN link.
The packets get to the dg by default, and the VPN router has a route to
192.168.1.0 through the tunnel. And the router at the other end must have a
route to 192.168.44.0 for the setup to work.
 
Back
Top