W2k VPN Problems

Russ

Hi. I guess I'm just another guy who can't understand Windows VPN
issues. Here is what I am trying to do:

Verizon DSL
|
|
Firewall (10.0.0.1)
|
|
| (10.0.0.2)
Win 2000 VPN server
| (90.0.0.1)
|
'---hub---rest of network (90.0.0.2 and up)

I think this should work. It looks like the setup recommended for (VPN
after firewall). In addition to VPN in from remote users, I need all
users on the 90.0.0.0 network to have internet access.

If RRAS is NOT running on the server, all looks ok. I can ping either
network card on the VPN server from any workstation (but cannot ping
the firewall; I think this is correct). But as soon as RRAS is
started, I lose the ability to ping the VPN box from the LAN. The
pings are received but there is no response. And I cannot ping the
machines on the LAN from the VPN box (I can ping the firewall though).
Since packets are not routed to the lan, no internet connections are
available, and if I connect via VPN from the remote it authenticates
OK but there is no connection beyond the VPN server. I have studied
the routing table and it looks OK to me. I can't figure out what I
could add that would make a difference (the table is shown below).

The firewall is a D-Link DI-713P, and it has port 1723 directed to the
VPN server at 10.0.0.2. I cannot see anything about IP protocol 47 or
GRE on the D-Link setup, but I believe it is working OK since I can
connect via VPN.

Network Destination  Netmask          Gateway    Interface  Metric
0.0.0.0              0.0.0.0          10.0.0.1   90.0.0.1   1
0.0.0.0              0.0.0.0          90.0.0.1   10.0.0.2   1
10.0.0.0             255.255.0.0      10.0.0.2   10.0.0.2   1
10.0.0.2             255.255.255.255  127.0.0.1  127.0.0.1  1
10.255.255.255       255.255.255.255  10.0.0.2   10.0.0.2   1
90.0.0.0             255.255.255.0    90.0.0.1   90.0.0.1   1
90.0.0.1             255.255.255.255  127.0.0.1  127.0.0.1  1
90.255.255.255       255.255.255.255  90.0.0.1   90.0.0.1   1
127.0.0.0            255.0.0.0        127.0.0.1  127.0.0.1  1
224.0.0.0            224.0.0.0        10.0.0.2   10.0.0.2   1
224.0.0.0            224.0.0.0        90.0.0.1   90.0.0.1   1
255.255.255.255      255.255.255.255  10.0.0.2   10.0.0.2   1
Default Gateway: 10.0.0.1

I think the above table is OK. What does not make sense to me is that
the NIC at 90.0.0.1 is connected to the LAN hub. Why can't I ping
it??? It seems that RRAS is disabling it somehow.

Thanks for any and all help!

Russ
 
This may help. Quoted from http://www.ChicagoTech.net:
Can't Ping External Network Adapter After Configuring RRAS as a VPN Server

SYMPTOMS: After you configure the RRAS as a virtual private network (VPN)
server in Windows 2000 Server with two or more network adapters, pinging the
external network adapter does not work. This behavior occurs only while RRAS
is running. Pinging the external network adapter succeeds when RRAS is
stopped.
RESOLUTION: When you use the Routing and Remote Access Server Setup Wizard
to configure RRAS as a VPN server, Input and Output filters are
automatically configured on the external network adapter to process only VPN
traffic and disable all ports and protocols except protocol 47 (GRE), TCP
port 1723 for PPTP Outbound/Inbound, UDP 500 for ISAKMP and UDP 1701 for
L2TP. To allow pinging to and from the external network adapter, add Inbound
and Outbound filters to the adapter to allow ICMP packets to be processed on
the adapter. To do this, go to Routing and Remote Access > Server Name > IP
Routing > General. In the right pane, right-click the adapter that has been
configured as the external adapter, and then click Properties > Input
Filters > Add. In the Protocol box, click ICMP. Do the same on Output
Filters.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me unless you need consulting services.
Posting on the MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
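The filter behaviour described in the quoted resolution, as an added illustration that is not code from the thread or from ChicagoTech: the RRAS adapter filters are modelled as an allow-list of (IP protocol, port) tuples, with sample packets constructed here, to show why ping is dropped until an ICMP filter is added while GRE (protocol 47, not a port) and TCP 1723 still pass.

```python
"""Model of the RRAS VPN-server adapter filters described above.

Added example, not code from the thread. The filters are an allow-list:
a packet is processed only if it matches some filter, everything else
is dropped, which is why ping fails while the VPN still connects.
Packets and filter tuples are a constructed notation for illustration.
"""
GRE, ICMP, TCP, UDP = 47, 1, 6, 17  # IP protocol numbers

# (ip_protocol, port): port None means the filter is protocol-only.
# GRE is an IP protocol, not a TCP/UDP port, so a firewall that only
# forwards "ports" cannot express it.
VPN_WIZARD_FILTERS = [
    (GRE, None),   # PPTP data channel (protocol 47)
    (TCP, 1723),   # PPTP control channel
    (UDP, 500),    # ISAKMP / IKE for L2TP/IPsec
    (UDP, 1701),   # L2TP
]

def passes(packet, filters):
    """True if the packet matches any allow filter on the adapter."""
    proto, port = packet["proto"], packet.get("port")
    return any(f_proto == proto and (f_port is None or f_port == port)
               for f_proto, f_port in filters)

def with_icmp(filters):
    """The fix from the post: add an ICMP filter (input and output)."""
    return filters + [(ICMP, None)]

# Constructed sample traffic seen on the external adapter.
SAMPLE = [
    {"name": "ping", "proto": ICMP},
    {"name": "pptp control", "proto": TCP, "port": 1723},
    {"name": "pptp data (GRE)", "proto": GRE},
    {"name": "http", "proto": TCP, "port": 80},
]

def evaluate(filters):
    """Map each sample packet name to whether the adapter processes it."""
    return {p["name"]: passes(p, filters) for p in SAMPLE}

if __name__ == "__main__":
    print("wizard defaults:", evaluate(VPN_WIZARD_FILTERS))
    print("with ICMP added:", evaluate(with_icmp(VPN_WIZARD_FILTERS)))
```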
 
Thanks Bill. To answer your question first, I have been using WinProxy
for years and 90.0.0.0 is the subnet address they recommend for LANs.
If that is not a good choice, I wonder why they recommend it, since it
appears that they are one of the major proxy software companies (at
least for small business and home users). I have no objection to
using a different private network address if this is really a problem.

Ok on the static route for the firewall. I did not think there was a
problem there because I can connect and get authenticated through the
firewall. Or are you saying that once I am connected, no further
traffic will be forwarded to the VPN server?

With regard to the above, I thought that the firewall sent all port
1723 traffic to the VPN server, and the VPN server was responsible to
unpack it and see what the real destination address is. If that is
true, then why would the firewall even see the 90.0.0.0 address?

Is all of that correct? If not could you please explain?

But it now occurs to me that maybe you were talking about non-VPN
traffic. There, I think I can see why the static route is needed.

But that leaves the question of why the VPN connection, at least, does
not allow access to the LAN?

Thanks, Russ
 
Well the first problem is that the firewall has no reason to forward
traffic for 90.0.0.0 to the RRAS server. It will use its default route
(which is back out to the Internet!).

Adding a static route to the firewall to forward 90.0.0.0 traffic to
10.0.0.2 will solve this problem.

Firewall 10.0.0.1 static route 90.0.0.0 255.0.0.0 10.0.0.2
|
10.0.0.2 dg 10.0.0.1
RRAS
90.0.0.1 dg blank
|
workstations
90.0.0.x dg 90.0.0.1

What inspired you to use 90.0.0.0? This is not one of the reserved
private address subnets. It may or may not be allocated for a special
purpose and routed somewhere else!
 
Sorry, missed the bit about port forwarding.

Did you remove the default gateway from the 90.0.0.1 NIC? This was
putting a spurious default route in your routing table. This will foul up
your LAN routing.

The only default route on your server should be to 10.0.0.1 via
interface 10.0.0.2 . You can set this through the default gateway setting on
the NIC or from the RRAS console.
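The two points raised in the replies above (the spurious second default route coming from the gateway set on the 90.0.0.1 NIC, and the LAN living outside the private address ranges) can be checked mechanically. The following added example, not code from the thread, lints a `route print` style table for more than one default route, a default gateway that is not on its own interface's subnet, and a directly connected LAN range outside RFC 1918; the rows are constructed (abridged from the first post, with a hypothetical 192.168.1.0/24 LAN in the fixed table).

```python
"""Lint a Windows 'route print' table for the problems raised above:
a second, spurious default route (from the gateway set on the 90.0.0.1
NIC) and a LAN range outside RFC 1918 private space. Added example, not
code from the thread; rows are constructed, abridged from the first
post, plus a hypothetical 192.168.1.0/24 LAN in the fixed table."""
import ipaddress

# Columns: destination, netmask, gateway, interface, metric
BROKEN_TABLE = """
0.0.0.0 0.0.0.0 10.0.0.1 90.0.0.1 1
0.0.0.0 0.0.0.0 90.0.0.1 10.0.0.2 1
10.0.0.0 255.255.0.0 10.0.0.2 10.0.0.2 1
90.0.0.0 255.255.255.0 90.0.0.1 90.0.0.1 1
"""
# As recommended: one default route, out of 10.0.0.2 to the firewall.
FIXED_TABLE = """
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 1
10.0.0.0 255.255.0.0 10.0.0.2 10.0.0.2 1
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 1
"""
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_routes(text):
    """Parse route rows into dicts of ipaddress objects (metric unused)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, _metric = line.split()
        routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                       "gw": ipaddress.ip_address(gw),
                       "iface": ipaddress.ip_address(iface)})
    return routes

def lint(routes):
    """Return findings as strings; an empty list means the table is clean."""
    findings = []
    # Directly connected subnets: gateway equals the interface address.
    connected = {r["iface"]: r["net"] for r in routes
                 if r["gw"] == r["iface"] and 0 < r["net"].prefixlen < 32}
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(
            f"{r['gw']} via {r['iface']}" for r in defaults))
    for r in defaults:  # a default gateway must be on its own NIC's subnet
        if r["gw"] not in connected.get(r["iface"], r["net"]):
            findings.append(f"gateway {r['gw']} is not on {r['iface']}'s subnet")
    for net in connected.values():
        if not (net.is_loopback or net.is_multicast or
                any(net.subnet_of(p) for p in PRIVATE)):
            findings.append(f"LAN subnet {net} is not RFC 1918 private space")
    return findings
```

Running `lint(parse_routes(BROKEN_TABLE))` reports the duplicate default route, both mismatched gateways and the 90.0.0.0/24 range; the fixed table yields no findings.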
 