Supply route to VPN clients


Massimo

My office LAN (192.168.42.0/24) is connected to a remote site
(192.168.43.0/24) through a VPN connection.
We also have a VPN server (Windows 2003) in the main LAN to allow our users
access to our network.
When I connect to the VPN server from home (Windows XP), I get a valid IP
address (192.168.42.X) and everything works fine, but I can't access the
remote site, because my Windows doesn't know how to reach the
192.168.43.0/24 subnet: it only knows about the 192.168.42.0/24 one.
If I manually add a route, telling it to reach the remote site through the
VPN connection to the main LAN (ROUTE ADD 192.168.43.0 MASK 255.255.255.0
192.168.42.X), everything is ok; but I need to do this manually each time I
connect to the office. Is there any way to make my RRAS server automatically
supply this route to its clients when they connect?
Thanks

Massimo
 
My office LAN (192.168.42.0/24) is connected to a remote site
(192.168.43.0/24) through a VPN connection.
We also have a VPN server (Windows 2003) in the main LAN to allow our
users access to our network.
When I connect to the VPN server from home (Windows XP), I get a valid IP
address (192.168.42.X) and everything works fine, but I can't access the
remote site, because my Windows doesn't know how to reach the
192.168.43.0/24 subnet: it only knows about the 192.168.42.0/24 one.
If I manually add a route, telling it to reach the remote site through the
VPN connection to the main LAN (ROUTE ADD 192.168.43.0 MASK 255.255.255.0
192.168.42.X), everything is ok; but I need to do this manually each time
I connect to the office. Is there any way to make my RRAS server
automatically supply this route to its clients when they connect?

Any thoughts on this?

Massimo
 
You may want to do this on VPN server. If I remember correctly, IP
routing>static routes.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
Ditto Robert,

All you have to do is do it on the VPN server since the clients are using
the VPN server as their gateway.
 
You may want to do this on VPN server. If I remember correctly, IP
routing>static routes.

No, those are the static routes for the server itself... and, anyway, a
route to the remote LAN is already specified there.

Massimo
 
All you have to do is do it on the VPN server since the clients are using
the VPN server as their gateway.

Unfortunately, that's not the case: a VPN client doesn't use the VPN server
as its default gateway, since it has to continue reaching the Internet when
the VPN is up. A VPN client uses the server as gateway only for the LAN
accessed through the VPN, i.e., in this case, 192.168.42.0/24. I want to
tell clients they should use the VPN server as gateway for 192.168.43.0/24
also.

Massimo
 
Is there any way to make my RRAS server
automatically supply this route to its clients when they connect?

I found a workaround: I used the option for specifying the static route on
the DHCP server used by RRAS to supply addresses to clients; now that route
is also supplied to all of the LAN clients, but I don't think this is a
problem.
Anyway, is there a way to make the RRAS server supply the route to its
client without setting it on the DHCP server?

Massimo
 
I am having the same issue as you. How do you know what to set as the
default gateway, if your VPN clients are assigned IP addresses via DHCP?

--Mike
 
Let me rephrase that last question.
How do you know what to set as the
gateway for the VPN client's static route, if your VPN clients are assigned
IP addresses via DHCP?

--Mike
 
I believe it is handled automatically when you enable "Use Gateway on Remote
Network" in the TCP Properties of the Dialup-Connection on the Client.

It also makes a big difference whether this is a "Remote Access VPN" or a
"Site-to-Site VPN" (aka Router-to-Router VPN). The two don't behave the
same. I no longer have any past messages of this thread so I don't know the
context. I've dealt with too many similar ones to keep track of who was who.
 
Also if you are running in Native mode, you can set static routes for the
VPN clients in AD Users and computers--> User Properties-->Dial-In tab-->
Static routes.
This is only available in native mode, not mixed mode. :(

--Mike
 
Let me rephrase that last question.
How do you know what to set as the
gateway for the VPN client's static route, if your VPN clients are
assigned IP addresses via DHCP?

I use the static internal address of the RRAS server, 192.168.42.1; since
the VPN client knows how to reach the 192.168.42.0/24 network, it can use
any address of that network as a router for any other network.

Massimo
 
I no longer have any past messages of this thread so I don't know
the context. I've dealt with too many similar ones to keep track of who
was who.

The original question was how to supply a static route to VPN clients. I
have my office LAN (192.168.42.0/24) which is connected via VPN to another
LAN (192.168.43.0/24). The main LAN has a VPN server for remote users, and I
want VPN clients to be able to talk to the remote LAN too; so I have to
supply them a route for 192.168.43.0/24, which they don't know anything
about. I was hoping to find a way to do this on the VPN server, but I didn't
find any... I worked around this by assigning it from the DHCP server which
supplies addresses to the VPN server for remote clients.

Massimo
 
Also if you are running in Native mode, you can set static routes for the
VPN clients in AD Users and computers--> User Properties-->Dial-In tab-->
Static routes.
This is only available in native mode, not mixed mode. :(

Uh? Really?
I didn't know anything about this... I'll give it a look, thanks for the tip.

Massimo
 
In a LAN-to-LAN VPN you don't do anything with the clients at all. The
routing is handled by your own LAN's Layer3 Routing scheme. Your clients use
your LAN's Router as their Default Gateway. Then the LAN Router uses static
routes within itself to handle sending the proper traffic to the VPN Device.
Then your LAN Router's Default Gateway is typically the Firewall leading to
the Internet.

If you don't have a LAN Router then the VPN Box would be the Client's
Default Gateway and then the VPN Box would know what to do with the right
traffic from there. Then the VPN Box would typically use the Firewall as its
Default Gateway.

If the VPN Box also doubles as the LAN's Firewall, then the Clients use it
as the Default Gateway and that is all.
 
In a LAN-to-LAN VPN you don't do anything with the clients at all. The
routing is handled by your own LAN's Layer3 Routing scheme. Your clients
use your LAN's Router as their Default Gateway. Then the LAN Router uses
static routes within itself to handle sending the proper traffic to
the VPN Device. Then your LAN Router's Default Gateway is typically the
Firewall leading to the Internet.

If you don't have a LAN Router then the VPN Box would be the Client's
Default Gateway and then the VPN Box would know what to do with the right
traffic from there. Then the VPN Box would typically use the Firewall as
its Default Gateway.

If the VPN Box also doubles as the LAN's Firewall, then the Clients use it
as the Default Gateway and that is all.

Yes, but I'm talking about *another* VPN :-)
There's the lan-to-lan VPN between the two sites, but there's also the VPN
access to the main LAN for remote users... I'm talking about these clients,
who use their Internet connection as their default gateway, and also use the
VPN server as their gateway to the office LAN. I want to tell them to use it
also for reaching the second LAN (through the first one).

Massimo
 
Ok.
That is "Remote Access VPN". It is not meant to be as flexible as the
other. But the way to handle the routing is to enable "Use Gateway on
Remote Network" in the Dial-up connection Settings on the client machine.

Then the Default Gateway in your system becomes their Default Gateway as
well (overriding their normal Default Gateway), and they follow your same
routing scheme as all the other clients.
 
Ok.
That is "Remote Access VPN". It is not meant to be as flexible as the
other. But the way to handle the routing is to enable "Use Gateway on
Remote Network" in the Dial-up connection Settings on the client machine.

Then the Default Gateway in your system becomes their Default Gateway as
well (overriding their normal Default Gateway), and they follow your same
routing scheme as all the other clients.

Of course, but then they're going to route any packet through the office
LAN, and this slows down any other Internet connection and generates a lot
of unnecessary traffic on the VPN, the office LAN and the main RRAS server.
So I want them to use the VPN connection only to reach the two LANs, and the
main Internet connection to reach any other site.

Massimo
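
The three client configurations argued over in this thread, modelled as an added example (not part of any post): route selection by longest prefix, then lowest metric, with constructed interface names, metrics and sample hosts. It shows that without the extra route, traffic for 192.168.43.0/24 leaves through the home Internet connection rather than the VPN, and that the "Use Gateway on Remote Network" setting sends everything through the office.

```python
import ipaddress

# Constructed route tables as (destination, egress interface, metric);
# interface names and metrics are illustrative, not taken from the thread.
SPLIT_TUNNEL = [
    ("0.0.0.0/0",       "internet", 20),   # home ISP default route
    ("192.168.42.0/24", "vpn",       1),   # added when the VPN connects
]
SPLIT_TUNNEL_WITH_ROUTE = SPLIT_TUNNEL + [
    ("192.168.43.0/24", "vpn",       1),   # the extra route the thread asks for
]
FULL_TUNNEL = [
    ("0.0.0.0/0",       "vpn",       1),   # "Use Gateway on Remote Network" enabled
    ("0.0.0.0/0",       "internet", 21),   # original default route, now less preferred
    ("192.168.42.0/24", "vpn",       1),
]

def egress(route_table, destination):
    """Pick the route by longest prefix, then lowest metric; return its interface."""
    dest = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(net).prefixlen, -metric, iface)
        for net, iface, metric in route_table
        if dest in ipaddress.ip_network(net)
    ]
    return max(candidates)[2] if candidates else None

def paths(route_table, destinations):
    """Map each destination to the interface its packets would leave on."""
    return {d: egress(route_table, d) for d in destinations}

# Constructed sample hosts: main LAN, remote site, Internet (documentation range).
DESTINATIONS = ["192.168.42.10", "192.168.43.10", "203.0.113.5"]

if __name__ == "__main__":
    for name, table in [("split tunnel", SPLIT_TUNNEL),
                        ("split tunnel + route", SPLIT_TUNNEL_WITH_ROUTE),
                        ("full tunnel", FULL_TUNNEL)]:
        print(name, paths(table, DESTINATIONS))
```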
 