Problem with VPN Tunnel between ADSL router and W2K Server


Andrew

I have established a remote connection between an ADSL router
and a Win2K Server. From the client I can connect and use all
network functions. The client registers with WINS etc. The problem
is that from the server network I cannot access the client. The client
is on a different subnet (192.168.1.0) to the server (192.168.0.0).
I am effectively trying to route between subnets, although the connection
between subnets is made using VPN. Any attempts to add static routes
to the server seem to offer no success.
The server begins its DHCP subnet at 192.168.0.50. The router
generally gets the IP of 192.168.0.51. I can ping this as it's part of the
normal subnet.

What route should I be adding to get a successful ping from the server to
the subnet 192.168.1.0?

Server routing table below:
230.120.240.184 is the remote client
201.05.214.245 is the server WAN
192.168.0.7 is the server LAN
192.168.0.51 is the IP assigned to the client router
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x1000003 ...00 a0 cc a1 3c 6a ...... NETGEAR FA311/FA312 PCI Adapter
0x1000004 ...00 02 e3 16 70 fc ...... NETGEAR FA311/FA312 PCI Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 201.05.214.254 201.05.214.245 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.7 192.168.0.7 1
192.168.0.7 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.0.50 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.0.51 255.255.255.255 192.168.0.50 192.168.0.50 1
192.168.0.255 255.255.255.255 192.168.0.7 192.168.0.7 1
230.120.240.184 255.255.255.255 201.05.214.254 201.05.214.245 1
201.05.214.240 255.255.255.240 201.05.214.245 201.05.214.245 1
201.05.214.245 255.255.255.255 127.0.0.1 127.0.0.1 1
201.05.214.255 255.255.255.255 201.05.214.245 201.05.214.245 1
224.0.0.0 224.0.0.0 192.168.0.7 192.168.0.7 1
224.0.0.0 224.0.0.0 201.05.214.245 201.05.214.245 1
255.255.255.255 255.255.255.255 201.05.214.245 201.05.214.245 1
Default Gateway: 201.05.214.254
===========================================================================
Persistent Routes:
None
 
The easiest way to handle the routing is to use a demand dial
interface on the server. You do not need to use the dial on demand option.
You simply use the demand dial interface as a "named" interface to represent
the VPN connection. This is basically the technique which RRAS uses to set
up router to router VPN connections.

To route between two sites, each router needs a route to the "other"
subnet via the tunnel. For a RRAS server, set up a demand dial interface to
represent the connection. Using the New Static Route wizard, set up a route
to the "other" subnet using the demand dial interface (select it from the
dropdown list).

Exactly how you set this up depends on what initiates the connection. If
you are connecting to the RRAS server, use the name of the demand dial
interface as the username. The connection will then be made to the dd
interface, and the route you have specified will be added to the routing
table, using the VPN endpoint.
 
The connection is established by the router to the W2K RRAS VPN, although
the IP address for the router is dynamic due to the ISP involved.
With the example you specified it appears that the RRAS needs to connect
back to the client router as a VPN client. Or is it using the client
established connection and configuring a connection to attach itself to the
router connection?
I think I'm missing something in the translation.

Given that the client router's public IP will change for each connection,
what do I do when using the remote wizard?
Using the wizard:
The interface name is auto-generated as "remote router", then an
IP is requested to connect to. The routing examples shown on the MS site
had 0.0.0.0 as the destination address for a two-router scenario (VPN not
mentioned), and finally the dial-out credentials. This is where I become
bogged down in the who, when and wheres.

The static route aspect was easy given that it only had to use the "remote
router" as its interface.
Alas I seem to be stuck on the initial step.
 
You seem to have used the wrong option in the wizard. What you are
setting up is an interface to allow your LAN to access the Internet!

What you should be setting up on the RRAS server is a dd interface to
allow an incoming router connection. When it is set up, your incoming
connection will need to use this interface's name as its username.
(Otherwise it will connect as a "normal" client-server VPN and the routing
will not work).

The fact that the calling router uses a dynamic IP shouldn't cause a
great problem. As long as the calling router can see the RRAS server through
the Internet, it can set up the connection. When the connection is made,
routing back to the calling router's subnet is ensured by having a static
route to that subnet (i.e. the private subnet behind the router) linked to the
demand dial interface. When the connection is made, this route will be
linked to the tunnel endpoint. So as long as the RRAS server is the default
gateway of your LAN, packets destined for the branch subnet will be routed
through the tunnel.
 
What kind of router?


 
The router is a Draytek 2600We; it can handle 8 simultaneous inbound or 8
outbound connections. Good for cheap VPN connections, no licensing fees or
software, although encryption is done by the main processor in software, so
many encrypted tunnels will probably slow it down.
 
I just went through this with some Netopia routers. The router would connect
to the server using PPTP just fine, and we could ping machines behind the
2000 server, but machines behind server could not ping machines behind the
Netopia router.

Bill's advice is right on. You have to create a Dial on demand (DoD)
interface in RRAS on the 2000 server and a static route in RRAS which uses
the DoD to route traffic back to the router.

In addition, with the Netopias you have to create a static route on the
router pointing to the network behind the RRAS server.

What helped me do it was to think of the router as another RRAS server
instead of a VPN client. There is a lot of documentation out there on how to
connect two Windows 2000 RRAS servers.

This article was somewhat helpful to me (I documented our process for future
use, but it's different than what you're doing):
http://www.tacteam.net/isaserverorg/vpnkitbeta2/g2g-betab.htm

Have fun, and I'll check the NG a bit later tonight, if you need some more
help.
 
I have created the DoD interface and it seems to be trying to connect,
but at the moment unsuccessfully.
My original, and I think erroneous, assumption was that by connecting to the
RRAS server the routes to my private subnet (on the other side
of the Draytek) would automatically be created. I based this on the fact
that the user I created (W2K) for the login had a default static route to
the private subnet. I assumed (I know, ass U & me) that this would allow
routing to and fro, and it does to some extent, as I can connect and run
things like VNC from client to server network without any hassles.
It's only when I try to establish from the server side (i.e. ping etc.) that
it fails miserably.

The DoD interface creation asks for a client ID on the router which I will
set up ASAP and test.
I kinda hoped that by making the connection to RRAS it would automagically
create the route straight back, but given that I have 192.168.0.0 on the
server and 192.168.1.0 on the client I guess I'll actually have to do some
work.
Isaac's comment about treating both points as RRAS actually sank in.

Given a few thousand dollars and an MCSE I'm sure this would be intuitive;
unfortunately small business and one overworked IT guy leads to holes.

Why do the bosses' eyes glaze over when you talk about delays due to
ensuring adequate security?

Thanks Bill and Isaac, your help is appreciated.
Here goes again.
 
Andrew,

It certainly isn't intuitive! A normal client-server VPN sets up its
own routing. The client sets up a default route to the server and the server
sets up a host route back to the client.

But router to router VPN doesn't set up any routing by default. You need
to do it all yourself. If both routers are RRAS, you can do it by linking
the routes to demand-dial interfaces, and making sure that these interfaces
both bind to the link. If one router is not RRAS, you need to look through
its documentation to find how to route through the VPN.

Routing between LAN clients in each site will only work if the routers
at both ends of the link know how to route traffic for the "other" site
through the VPN link.
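An added worked example (not code from the thread or from RRAS) of the route selection this whole discussion turns on: the script below parses the "Active Routes" rows from Andrew's first post, applies the longest-prefix match that the Windows IP stack uses, and shows why a packet for 192.168.1.x leaves via the ISP default gateway until a more specific route for the branch subnet exists. The gateway and interface values used for the added route (192.168.0.51 reached via the server's 192.168.0.50 end of the PPTP link, both taken from the posted table) are an assumption made for illustration only; on RRAS the route is attached to the demand-dial interface as Bill describes, and RRAS binds it to the tunnel endpoint when the connection comes up.

```python
"""Longest-prefix route lookup over a Windows 2000 'route print' table.

Added example: parses the posted routing table, finds the entry Windows
would pick for a destination, and shows the effect of adding the branch
subnet route that the thread is about.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'Active Routes' rows from the first post that
# matter for this lookup (columns: destination netmask gateway interface metric).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 201.05.214.254 201.05.214.245 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.7 192.168.0.7 1
192.168.0.51 255.255.255.255 192.168.0.50 192.168.0.50 1
230.120.240.184 255.255.255.255 201.05.214.254 201.05.214.245 1
201.05.214.240 255.255.255.240 201.05.214.245 201.05.214.245 1
"""


def ip_to_int(text: str) -> int:
    """Dotted quad to 32-bit int. Octets are converted with int() so the
    leading zero Windows printed in '201.05.214.245' is accepted; the
    ipaddress module would reject that spelling."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


@dataclass(frozen=True)
class Route:
    dest: int
    mask: int
    gateway: str
    interface: str
    metric: int

    @property
    def prefix_len(self) -> int:
        # Contiguous mask assumed, as in every row of the posted table.
        return bin(self.mask).count("1")

    def matches(self, addr: int) -> bool:
        return (addr & self.mask) == self.dest


def parse_route_print(text: str) -> List[Route]:
    """Parse 'route print' Active Routes rows; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            routes.append(Route(ip_to_int(parts[0]), ip_to_int(parts[1]),
                                parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # header or separator line, not a route
    return routes


def lookup(routes: List[Route], addr_text: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ip_to_int(addr_text)
    candidates = [r for r in routes if r.matches(addr)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix_len, -r.metric))


def add_route(routes: List[Route], dest: str, mask: str,
              gateway: str, interface: str, metric: int = 1) -> List[Route]:
    """Return a new table with one static route appended (table is not mutated)."""
    return routes + [Route(ip_to_int(dest), ip_to_int(mask), gateway, interface, metric)]


def describe(routes: List[Route], addr_text: str) -> str:
    r = lookup(routes, addr_text)
    if r is None:
        return f"{addr_text}: no route"
    return (f"{addr_text}: {int_to_ip(r.dest)}/{r.prefix_len} "
            f"via {r.gateway} on {r.interface}")


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    # Before: the branch host only matches 0.0.0.0/0, so it goes to the ISP.
    print(describe(table, "192.168.1.5"))
    # Assumed tunnel endpoints for illustration; RRAS binds this to the dd interface.
    table = add_route(table, "192.168.1.0", "255.255.255.0", "192.168.0.51", "192.168.0.50")
    print(describe(table, "192.168.1.5"))
    # The peer's public address must keep going via the ISP, not into the tunnel.
    print(describe(table, "230.120.240.184"))
```

Running it prints the default-route selection first, then the /24 via the tunnel endpoint after the static route is added, and finally confirms that the remote router's public address is still reached via the WAN gateway, which is what keeps the tunnel's outer packets from being routed into the tunnel itself.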
 