VPN not Routing

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am trying to VPN into my server and then access different subnets and also
the internet. The problem is that it doesn't seem to be routing correctly.
My details of my network are:
VPN NIC:
IP Address: 10.4.200.121
Subnet Mask: 255.255.255.0
Default Gateway: 10.4.200.254

VPN LAN:
IP Address: 10.20.254.23
Subnet Mask: 255.255.255.0
Default Gateway: 10.20.254.254

When I try to ping: 10.4.2.201 I get a timeout error.
I am not able to ping anything on the 10.4.x.x side.
Everything on the 10.20.x.x side pings just fine.

The 10.4.x.x also is my route out to the internet.

I do have "Enable IP routing" checked.
I also have "Enable this computer as a: Router" checked
Remote access server is also checked.

Here is my routing table:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.4.200.254 10.4.200.121 1
10.4.200.0 255.255.255.0 10.4.200.121 10.4.200.121 1
10.4.200.121 255.255.255.255 127.0.0.1 127.0.0.1 1
10.20.1.212 255.255.255.255 10.4.200.254 10.4.200.121 1
10.20.254.0 255.255.255.0 10.20.254.23 10.20.254.23 1
10.20.254.23 255.255.255.255 127.0.0.1 127.0.0.1 1
10.20.254.45 255.255.255.255 127.0.0.1 127.0.0.1 1
10.20.254.46 255.255.255.255 10.20.254.45 10.20.254.45 1
10.20.254.70 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.4.200.121 10.4.200.121 1
10.255.255.255 255.255.255.255 10.20.254.23 10.20.254.23 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 10.4.200.121 10.4.200.121 1
224.0.0.0 224.0.0.0 10.20.254.23 10.20.254.23 1
255.255.255.255 255.255.255.255 10.20.254.23 10.20.254.23 1
Default Gateway: 10.4.200.254
===========================================================================

Does anyone have a solution to help me out?

Thanks,

Adam Cavaliere
 
My guess is that the problem is your LAN routing. The client will send
all traffic over the VPN link by default, so that is OK. But you will only
get replies if the LAN machines and/or routers know how to reach your remote
client subnet. If they use default routing and send the replies to the
default router for the network, they will be lost. They must be routed to
the VPN server first, so that they can be encrypted and encapsulated before
going to the public Internet.
 
OK, I sort of understand. Can you give me some suggestions on how to fix this?
Maybe an example? I thought my NIC setup was correct. If not, I can probably
fix that.

Also my setup seems like it is pretty "basic" - so why am I having all of
this trouble? The VPN setup guides make it look way too easy!
 
No, it certainly isn't basic. A basic setup is when all LAN machines
are on the same segment and in the same IP subnet, and the remotes get IP
addresses in the same IP subnet as well. RRAS just does proxy ARP for the
remotes, and everything just works.

As soon as you have multiple subnets and routers it gets complicated. If
your remotes are in their own IP subnet, they can only be routed through the
RRAS server. Have you enabled IP routing on the RRAS server? The RRAS server
will forward the traffic to the remotes, but your LAN routing needs to get
it to the RRAS server. That depends on your LAN routers.

If your LAN machines send everything to a gateway router, you will need
to add a route to that device to "bounce" the VPN traffic to the RRAS
server. If you have multiple routers on the LAN, they all need to be aware
of the remote subnet and where traffic has to go to reach it. It is just the
same situation as adding an extra subnet to your LAN. I can't be more
specific without a description of your LAN.
 
OK, I will try to describe my setup a little bit more.

I have two subnets and one DMZ subnet.

The three Subnets are: 10.20.x.x
10.4.92.x
10.4.2.x
My DMZ subnet is: 10.4.200.x

I am connecting in to the DMZ'ed machine (10.4.200.121).
That machine is my RRAS VPN. It has the LAN subnet: 10.20.x.x attached to it.
The Two IP address on that machine are: 10.4.200.121 (VPN)
10.20.254.23
(LAN)
When I connect in I am able to ping anything on the 10.20.x.x Subnet.

What I don't understand is if the packets are being routed from the
10.20.x.x to the 10.4.2.x subnet they are going through a gateway address of
10.20.254.254. So why would the network need to know about my RRAS server? It
should look like the packets are being routed from a local machine on the
10.20.x.x subnet. Then the RRAS server should be taking care of the rest of
it, shouldn't it?

I posted in the first post a lot of information, along with saying that I
have enabled IP Routing.

Thanks for your continued help.

Adam
 
Since you are using "on subnet" addresses for your clients (ie in the
same subnet as the DMZ LAN segment), you don't really need IP routing on the
RRAS server. You are using the proxy ARP setup I described in the "basic"
model. So all you need to do is make sure that your internal subnets know
how to route traffic to 10.4.200 .

If you can ping machines in 10.20 from a remote, that subnet must be
able to get replies back to 10.4.200 . What is the default gateway for the
10.4.2 and 10.4.92 subnets? That is probably where the replies are being
lost. The fact that the RRAS server itself can see these subnets isn't
enough. It has an interface in 10.20 ! Do the 10.4.2 and 10.4.92 subnets
know how to reach 10.4.200 ?

If you do a tracert from a VPN client to a 10.4.2 address, where does
it die?
 
Back
Top