RRAS as VPN Server Configuration Questions...

  • Thread starter Thread starter Mike B.
  • Start date Start date
M

Mike B.

Hi all,

I have a client with a single Windows 2000 Advanced Server controlling a
local domain (abc.local). This very small company (1 Server, 4 Workstations
and 2 Laptops) CANNOT afford a second server. However, they wish to enable
remote access (VPN). I have configured the network in the following way:

Cable/DSL Modem
|
Router #1
| \
| \
| \
Router #2 Server
| /
| /
| /
Switch
|
Rest of network

Router #1:
WAN IP: Dynamic (Set by ISP - FOR NOW, client will get static IP after
RRAS working)
(IP, Mask, Gateway and DNS configured through ISPs DHCP)
LAN IP: 192.168.10.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked Except:
IPSec Passthrough Enabled
PPPoE Passthrough Enabled
PPTP Passthrough Enabled
Ext.Port TCP 1723 Forwarded to
Int.Port TCP 1723 on Server NIC #2: 192.168.10.2

Router #2:
WAN IP: 192.168.10.10
WAN Mask: 255.255.255.0
WAN Gateway: 192.168.10.1
LAN IP: 192.168.20.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked

Server:
NIC #1: configured and connected to internal network via Switch (intranet)
NIC #1 IP: 192.168.20.2
NIC #1 Mask: 255.255.255.0
NIC #1 Gateway: 192.168.20.1
NIC #2: configured and connected to external network via Router #1
(internet)
NIC #2 IP: 192.168.10.2
NIC #2 Mask: 255.255.255.0
OS: Windows 2000 Advanced Server (All updates applied)
PDC - abc.local
Active Directory
DHCP - Scope (192.168.20.10 - 192.168.20.250)
DNS - Standard Files; NOT Active Directory Stored
WINS
Routing And Remote Access - * currently disabled *

At this point everything is working beautifully! Then I configure RRAS.
During setup I choose Remote Access NOT VPN Server, because I read VPN
Server mode is for a stand-alone server not a PDC. With just that
configured everything is still working fine (internal workstations have
access to the internet and can browse locally) and remote clients can
connect. However, remote clients cannot even ping internal workstations,
all they see is the server. When attempting to ping an internal workstation
from the remote client by name, the name is resolved to an IP address. So,
I'm assuming that the clients are resolving (seeing) the DNS and this is a
route problem? I know I can NOT put a default gateway on NIC #2 to point at
NIC #1, so I've tried adding a route from NIC #2 to the loopback
(127.0.0.1)?

The BIG QUESTION, is everything I need to configure to get this working in
RRAS GUI or do I need to configure routes manually through "route add -p"???
The smaller BIG QUESTION is can anybody please help with specifics not
generics?

Thanks in advance for any assistance,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
It is not recommended to enable RRAS on a DC. However, if you configure it correctly, it should work. It seems to me this is routing issue. Have you enable IP routing on the server? or posting the routing table here may help.

Name resulotion on VPN Connection issues on DC, ISA, DNS and WINS server as VPN server How to assign DNS and WINS on VPN client manually Name resolution Issue in a VPN client ...
www.chicagotech.net/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Hi all,

I have a client with a single Windows 2000 Advanced Server controlling a
local domain (abc.local). This very small company (1 Server, 4 Workstations
and 2 Laptops) CANNOT afford a second server. However, they wish to enable
remote access (VPN). I have configured the network in the following way:

Cable/DSL Modem
|
Router #1
| \
| \
| \
Router #2 Server
| /
| /
| /
Switch
|
Rest of network

Router #1:
WAN IP: Dynamic (Set by ISP - FOR NOW, client will get static IP after
RRAS working)
(IP, Mask, Gateway and DNS configured through ISPs DHCP)
LAN IP: 192.168.10.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked Except:
IPSec Passthrough Enabled
PPPoE Passthrough Enabled
PPTP Passthrough Enabled
Ext.Port TCP 1723 Forwarded to
Int.Port TCP 1723 on Server NIC #2: 192.168.10.2

Router #2:
WAN IP: 192.168.10.10
WAN Mask: 255.255.255.0
WAN Gateway: 192.168.10.1
LAN IP: 192.168.20.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked

Server:
NIC #1: configured and connected to internal network via Switch (intranet)
NIC #1 IP: 192.168.20.2
NIC #1 Mask: 255.255.255.0
NIC #1 Gateway: 192.168.20.1
NIC #2: configured and connected to external network via Router #1
(internet)
NIC #2 IP: 192.168.10.2
NIC #2 Mask: 255.255.255.0
OS: Windows 2000 Advanced Server (All updates applied)
PDC - abc.local
Active Directory
DHCP - Scope (192.168.20.10 - 192.168.20.250)
DNS - Standard Files; NOT Active Directory Stored
WINS
Routing And Remote Access - * currently disabled *

At this point everything is working beautifully! Then I configure RRAS.
During setup I choose Remote Access NOT VPN Server, because I read VPN
Server mode is for a stand-alone server not a PDC. With just that
configured everything is still working fine (internal workstations have
access to the internet and can browse locally) and remote clients can
connect. However, remote clients cannot even ping internal workstations,
all they see is the server. When attempting to ping an internal workstation
from the remote client by name, the name is resolved to an IP address. So,
I'm assuming that the clients are resolving (seeing) the DNS and this is a
route problem? I know I can NOT put a default gateway on NIC #2 to point at
NIC #1, so I've tried adding a route from NIC #2 to the loopback
(127.0.0.1)?

The BIG QUESTION, is everything I need to configure to get this working in
RRAS GUI or do I need to configure routes manually through "route add -p"???
The smaller BIG QUESTION is can anybody please help with specifics not
generics?

Thanks in advance for any assistance,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
If you want to run the server as a router/remote access server and be
the gateway for your LAN, there should be no connection between the DSL
router and the switch. Only the server's "public" NIC should connect to the
DSL router. You will also need a static route on the DSL router to forward
traffic for 192.168.20.0/24 to the Windows server (so that it can deliver it
on the LAN. The router's only private NIC is in 192.168.10 , so it does not
know where 192.168.20 is. Without a static route it will use its default,
which is back out to the Internet!). The setup would look like this.

Internet
|
public IP
DSL router (static route 192.168.20.0 255.255.255.0 192.168.10.2)
192.168.10.1
|
192.168.10.2 dg 192.168.10.1
server
192.168.20.1 dg blank
|
workstations
192.168.20.x dg 192.168.20.1

Because of AD, every machine (including the sever itself) should use the
local DNS server. This server should be configured to forward to a public
DNS service (such as your ISP) to resolve public addresses. DNS relay
through a router is not compatible with AD. AD uses DNS to find local SRV
records and they are only fould in your local DNS.
 
Bill,

Thanks for the reply. However, I do not want the server to be the
default gateway for the LAN. The server has enough to do.

DHCP is configured to hand out 192.168.20.1 (Router #2) as the default
gateway (003 Router) on the LAN, as well, (004 Time Server), (005 Name
Servers), (006 DNS Server), (007 Log Servers), (042 NTP Servers), and (044
WINS/NBNS Servers) point to the Server (192.168.20.2) and finally (015 DNS
Domain Name) is abc.local.

The public NIC #2 on the server should only be used for VPN Services.
DHCP and DNS are only configured to service NIC #1, and DNS is forwarding to
the ISP. As well, the Server is using the local DNS.

RRAS is configured to use the DHCP and look at NIC #1 for DCHP, DNS, and
WINS addresses for dial-up clients. The DHCP Relay Agent has been
configured with the Server (192.168.20.2)

Thanks,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
Robert,

Thanks for the reply. Here is a dump before any manual modifications
I've tried (MAC Addresses have been removed for security reasons). More
info on the network setup I forgot to mention in the original post is in the
reply to Bill Grant.

Thanks for any help,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA


c:\ipconfig /all

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : server
Primary DNS Suffix . . . . . . . : abc.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : abc.local

Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC
(3C905B-TX) #1
Physical Address. . . . . . . . . : *Removed from post for security
reasons*
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 192.168.20.2
Primary WINS Server . . . . . . . : 192.168.20.2

Ethernet adapter VPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC
(3C905B-TX) #2
Physical Address. . . . . . . . . : *Removed from post for security
reasons*
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1


c:\route print *

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...*Removed MAC from post for security reasons* ...... 3Com EtherLink
PCI (Microsoft's Packet Scheduler)
0x3 ...*Removed MAC from post for security reasons* ...... 3Com EtherLink
PCI (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.20.1 192.168.20.2 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.2 192.168.10.2 1
192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 1
192.168.20.0 255.255.255.0 192.168.20.2 192.168.20.2 1
192.168.20.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.20.255 255.255.255.255 192.168.20.2 192.168.20.2 1
224.0.0.0 224.0.0.0 192.168.10.2 192.168.10.2 1
224.0.0.0 224.0.0.0 192.168.20.2 192.168.20.2 1
255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
Default Gateway: 192.168.20.1
===========================================================================
Persistent Routes:
None

It is not recommended to enable RRAS on a DC. However, if you configure it
correctly, it should work. It seems to me this is routing issue. Have you
enable IP routing on the server? or posting the routing table here may help.

Name resulotion on VPN Connection issues on DC, ISA, DNS and WINS server as
VPN server How to assign DNS and WINS on VPN client manually Name resolution
Issue in a VPN client ...
www.chicagotech.net/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
Hi all,

I have a client with a single Windows 2000 Advanced Server controlling a
local domain (abc.local). This very small company (1 Server, 4 Workstations
and 2 Laptops) CANNOT afford a second server. However, they wish to enable
remote access (VPN). I have configured the network in the following way:

Cable/DSL Modem
|
Router #1
| \
| \
| \
Router #2 Server
| /
| /
| /
Switch
|
Rest of network

Router #1:
WAN IP: Dynamic (Set by ISP - FOR NOW, client will get static IP after
RRAS working)
(IP, Mask, Gateway and DNS configured through ISPs DHCP)
LAN IP: 192.168.10.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked Except:
IPSec Passthrough Enabled
PPPoE Passthrough Enabled
PPTP Passthrough Enabled
Ext.Port TCP 1723 Forwarded to
Int.Port TCP 1723 on Server NIC #2: 192.168.10.2

Router #2:
WAN IP: 192.168.10.10
WAN Mask: 255.255.255.0
WAN Gateway: 192.168.10.1
LAN IP: 192.168.20.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked

Server:
NIC #1: configured and connected to internal network via Switch (intranet)
NIC #1 IP: 192.168.20.2
NIC #1 Mask: 255.255.255.0
NIC #1 Gateway: 192.168.20.1
NIC #2: configured and connected to external network via Router #1
(internet)
NIC #2 IP: 192.168.10.2
NIC #2 Mask: 255.255.255.0
OS: Windows 2000 Advanced Server (All updates applied)
PDC - abc.local
Active Directory
DHCP - Scope (192.168.20.10 - 192.168.20.250)
DNS - Standard Files; NOT Active Directory Stored
WINS
Routing And Remote Access - * currently disabled *

At this point everything is working beautifully! Then I configure RRAS.
During setup I choose Remote Access NOT VPN Server, because I read VPN
Server mode is for a stand-alone server not a PDC. With just that
configured everything is still working fine (internal workstations have
access to the internet and can browse locally) and remote clients can
connect. However, remote clients cannot even ping internal workstations,
all they see is the server. When attempting to ping an internal workstation
from the remote client by name, the name is resolved to an IP address. So,
I'm assuming that the clients are resolving (seeing) the DNS and this is a
route problem? I know I can NOT put a default gateway on NIC #2 to point at
NIC #1, so I've tried adding a route from NIC #2 to the loopback
(127.0.0.1)?

The BIG QUESTION, is everything I need to configure to get this working in
RRAS GUI or do I need to configure routes manually through "route add -p"???
The smaller BIG QUESTION is can anybody please help with specifics not
generics?

Thanks in advance for any assistance,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
We may have many issues with this configuration. The DNS should be 127.0.0.1. However, that is no thing to do with the routing issue.

The routing problem is the DW should be 192.168.10.1 instead of 192.168.20.1.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Robert,

Thanks for the reply. Here is a dump before any manual modifications
I've tried (MAC Addresses have been removed for security reasons). More
info on the network setup I forgot to mention in the original post is in the
reply to Bill Grant.

Thanks for any help,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA


c:\ipconfig /all

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : server
Primary DNS Suffix . . . . . . . : abc.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : abc.local

Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC
(3C905B-TX) #1
Physical Address. . . . . . . . . : *Removed from post for security
reasons*
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 192.168.20.2
Primary WINS Server . . . . . . . : 192.168.20.2

Ethernet adapter VPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC
(3C905B-TX) #2
Physical Address. . . . . . . . . : *Removed from post for security
reasons*
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1


c:\route print *

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...*Removed MAC from post for security reasons* ...... 3Com EtherLink
PCI (Microsoft's Packet Scheduler)
0x3 ...*Removed MAC from post for security reasons* ...... 3Com EtherLink
PCI (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.20.1 192.168.20.2 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.2 192.168.10.2 1
192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 1
192.168.20.0 255.255.255.0 192.168.20.2 192.168.20.2 1
192.168.20.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.20.255 255.255.255.255 192.168.20.2 192.168.20.2 1
224.0.0.0 224.0.0.0 192.168.10.2 192.168.10.2 1
224.0.0.0 224.0.0.0 192.168.20.2 192.168.20.2 1
255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
Default Gateway: 192.168.20.1
===========================================================================
Persistent Routes:
None

It is not recommended to enable RRAS on a DC. However, if you configure it
correctly, it should work. It seems to me this is routing issue. Have you
enable IP routing on the server? or posting the routing table here may help.

Name resulotion on VPN Connection issues on DC, ISA, DNS and WINS server as
VPN server How to assign DNS and WINS on VPN client manually Name resolution
Issue in a VPN client ...
www.chicagotech.net/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
Hi all,

I have a client with a single Windows 2000 Advanced Server controlling a
local domain (abc.local). This very small company (1 Server, 4 Workstations
and 2 Laptops) CANNOT afford a second server. However, they wish to enable
remote access (VPN). I have configured the network in the following way:

Cable/DSL Modem
|
Router #1
| \
| \
| \
Router #2 Server
| /
| /
| /
Switch
|
Rest of network

Router #1:
WAN IP: Dynamic (Set by ISP - FOR NOW, client will get static IP after
RRAS working)
(IP, Mask, Gateway and DNS configured through ISPs DHCP)
LAN IP: 192.168.10.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked Except:
IPSec Passthrough Enabled
PPPoE Passthrough Enabled
PPTP Passthrough Enabled
Ext.Port TCP 1723 Forwarded to
Int.Port TCP 1723 on Server NIC #2: 192.168.10.2

Router #2:
WAN IP: 192.168.10.10
WAN Mask: 255.255.255.0
WAN Gateway: 192.168.10.1
LAN IP: 192.168.20.1
LAN Mask: 255.255.255.0
DNS Relay: Enabled
Everything blocked

Server:
NIC #1: configured and connected to internal network via Switch (intranet)
NIC #1 IP: 192.168.20.2
NIC #1 Mask: 255.255.255.0
NIC #1 Gateway: 192.168.20.1
NIC #2: configured and connected to external network via Router #1
(internet)
NIC #2 IP: 192.168.10.2
NIC #2 Mask: 255.255.255.0
OS: Windows 2000 Advanced Server (All updates applied)
PDC - abc.local
Active Directory
DHCP - Scope (192.168.20.10 - 192.168.20.250)
DNS - Standard Files; NOT Active Directory Stored
WINS
Routing And Remote Access - * currently disabled *

At this point everything is working beautifully! Then I configure RRAS.
During setup I choose Remote Access NOT VPN Server, because I read VPN
Server mode is for a stand-alone server not a PDC. With just that
configured everything is still working fine (internal workstations have
access to the internet and can browse locally) and remote clients can
connect. However, remote clients cannot even ping internal workstations,
all they see is the server. When attempting to ping an internal workstation
from the remote client by name, the name is resolved to an IP address. So,
I'm assuming that the clients are resolving (seeing) the DNS and this is a
route problem? I know I can NOT put a default gateway on NIC #2 to point at
NIC #1, so I've tried adding a route from NIC #2 to the loopback
(127.0.0.1)?

The BIG QUESTION, is everything I need to configure to get this working in
RRAS GUI or do I need to configure routes manually through "route add -p"???
The smaller BIG QUESTION is can anybody please help with specifics not
generics?

Thanks in advance for any assistance,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
If you don't want to use the server as the DG for the network it should
only have one NIC. It is just another machine on the LAN, and it doesn't do
any routing.
 
hallo

i have seeen your answers for the trouble shooting of vpn servers.
please find a solution for me, because i am unable to build a vpn
network.


I have 6 computers in my net work.i have a internet connection with
adsl router connected to the 8 port switch.

can i build a vpn server in any one of my computers? if it is, how to .

whereever i refer in internet , one interface required for build a vpn.
 
You can setup any one of your computer (only one). You need to port 1723 forwarding to the computer. this link may help,

How to setup VPN To create VPN connection, open Networking Connections>New Connection Wizard>Set up an advanced connection>Accept incoming connections, then follow the ...
www.howtonetworking.com/Windows/vpnsetup.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
hallo

i have seeen your answers for the trouble shooting of vpn servers.
please find a solution for me, because i am unable to build a vpn
network.


I have 6 computers in my net work.i have a internet connection with
adsl router connected to the 8 port switch.

can i build a vpn server in any one of my computers? if it is, how to ..

whereever i refer in internet , one interface required for build a vpn.
 
Back
Top