W2K will not route for other machines over VPN

RickB

I know this has been asked ad nauseam, but I haven't seen a clear response.
I have a local network with the local subnet 192.168.0.*, and a remote
network 192.168.2.*. My W2K Server is 192.168.0.1. This uses a persistent
demand dial entry to connect to the remote entry. The machine it is
connecting to is a Windows XP box, 192.168.2.2.

I have set up a static route in RRAS as follows:

Destination 192.168.2.0
Mask 255.255.255.0
Gateway none (demand dial sets this)
Interface My VPN Interface

To simplify matters, I let the demand-dial interface use a static IP,
192.168.2.10. So here is how it looks:

Local W2K server - local interface 192.168.0.1, VPN interface 192.168.2.10
Remote WinXP machine 192.168.2.2

From the W2K server (192.168.0.1/192.168.2.10) I can ping the machine that I
am connected to (192.168.2.2). As expected so far.

I have added a static route to other machines on the 192.168.0.* network

route -p add 192.168.2.0 mask 255.255.255.0 192.168.0.1

And I can successfully ping 192.168.2.10 so the subnets are getting routed.
However, none of the machines on the local network (other than 192.168.2.10)
can ping 192.168.2.2 or any other machine on the remote network. So my W2K
server is routing to the subnet, but will not forward packets over the VPN
connection.

Can anyone help? As I said, I've seen similar issues posted, but I haven't
seen a clear solution.
 
You do not need the routes on the client machines in 192.168.0.0.
Default routing will look after this if the RRAS server is the default
gateway of this LAN.

You cannot solve this problem by making changes at the RRAS router. It
has the necessary routes to get traffic across the link. The problem is at
the other end!

When you connect to the XP, the XP will set up a host route back to the
"calling" machine. That's all - it does not set up a subnet route for the
clients behind the calling machine. So the XP cannot route traffic through
the VPN link for other 192.168.0.x clients.

With RRAS, you can set up a route and associate it with a
demand-dial interface to achieve this. But you cannot do that in XP. Can you
change things so that the XP initiates the connection? It will then work.
The XP will set up a default route through the tunnel (so 192.168.0.x
traffic will use it) and the RRAS router will have the route to 192.168.2.0
set to use the VPN tunnel.

The XP would need to use the name of the dd interface as its username
when it connects. This is required to bind the connection to the dd
interface and activate the subnet route. (Otherwise it just connects as a
normal client-server VPN connection, and only a host route is set up as with
your current XP connection).

This just highlights the difference between client-server connections
and routed connections. Normal connections set up a default route from
client to server and a host route from server to client. Router to router
connections don't set up any routing by default. You need to do it yourself
using routes linked to the demand-dial interfaces. When you try to mix them,
you need to be aware of what is going on.
 
Bill,

The RRAS server is NOT the default gateway of this LAN. Like all the other
machines on the subnet, it is behind a firewall that serves as the default
gateway. But that is not a problem. I don't mind putting the static route
in for the machines - I can even do it via DHCP scope options.

Bill, what do you mean "use the name of the DD interface". You mean leave
the DD interface set up on the RRAS server and literally use the string as
the user name? If I do that, what would I use for a password? What is it
authenticating against, since there isn't an account with that as the user
name?

Better yet, is there a Q article that describes what you are discussing?
This seems pretty non-intuitive to someone that just understands IP
networking. Using the name of the DD interface as the user name sounds
pretty MS specific.

Thanks for your help.

Rick
 
Bill,

Thanks, I found the checkbox where it gives the option to create credentials
for the remote to dial in.

Rick
 
Bill,

I got it to work the way you said, but as expected, the XP machine obtains a
local address from the RRAS server. So it is visible on the RRAS subnets,
but no other machines on the remote network are.

I suspect that you're going to tell me that unless I have a W2K Server or a
W2K3 server instead of the XP server, that I can't join the subnets because
I can only route one way.

Rick
 
I am not sure what you mean by "visible". A VPN connection only gives you
IP connectivity. You should be able to ping from one subnet to the other by
IP number. That is all the routing does for you.

If you want connectivity by name, you will need to look closely at DNS
and/or WINS. LAN broadcasts do not cross the WAN link, so you can't use that
for name resolution. Browsing also is a problem because it also depends on
LAN broadcasts.
 
What I'm saying is that the XP machine, which is on local subnet 192.168.2.x
connects to the demand dial connection and gets an IP address on the
192.168.0.x subnet; for example 192.168.0.20. So from anywhere on the
192.168.0.x subnet (where the RRAS server is) I can ping the XP machine.
But nothing is technically getting routed - I can reach the XP machine on
192.168.0.20 - the same subnet as the RRAS server. IOW, I can't ping
anything on the 192.168.2.x subnet because the XP machine is not routing
from its address of 192.168.0.20 to its local address of 192.168.2.2.
 
No the XP machine is definitely NOT the default gateway - the hardware
firewall is. I have not seen how to enable IP routing on the XP box, since
it does not have RRAS, and I sure don't see "Enable IP Routing" on the
Network Connections dialog. Do you mean Internet Connection Sharing? If I
have to use that piece of crap I'll spring for hardware VPN boxes ;-)
 
To enable routing on a workstation set the IP routing switch to 1 in the
registry.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:

Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1
NOTE: A value of 1 enables TCP/IP forwarding for all network connections
installed

If the XP is not the default gateway of your LAN, the traffic for your
remote site will be trying to go out the router which is! You will need to
add a static route to get this traffic to the XP. You can add it to each
machine you want to "see" across the VPN link. Or if you want to see them
all, add the route to the gateway router. It will then bounce the traffic to
the XP to go through the VPN tunnel.

For routing purposes, ignore the IP which the clients obtain at connection
time. Once the VPN is up, you effectively have two subnets connected by a
router. The traffic will be routed using the machine's ordinary LAN IPs, and
ordinary IP routing rules apply. The LAN routers need to know how to get the
traffic for the "other" private subnet to the VPN endpoint. The VPN machine
will then send it through the tunnel, and it will be delivered at the other
end by normal direct delivery on the LAN.
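Added here as an illustration, not code from either poster: a toy model of the Windows forwarding decision (longest-prefix match over the route table, plus the IPEnableRouter switch) that replays the two failure modes from this thread. It covers Bill's earlier point that the answering XP learns only a /32 host route back to the caller, and his later point that a workstation with IPEnableRouter=0 drops transit packets and that the far-side machines need a static route pointing at the XP. Interface names and the addresses 192.168.0.50 (a client on the W2K side), 192.168.2.5 (a client on the XP side), 192.168.0.254 and 192.168.2.1 (the two hardware firewalls) are assumptions; the thread does not give them.

```python
"""Added example, not from the thread: a toy model of the Windows forwarding
decision (longest-prefix match plus the IPEnableRouter switch) used to replay
the failures discussed above.  Interface names and the addresses 192.168.0.50,
192.168.2.5, 192.168.0.254 and 192.168.2.1 are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                 # "LAN" or "VPN" (the demand-dial / PPP link)
    gateway: Optional[str] = None  # next hop; None means directly attached or PPP peer


class Host:
    def __init__(self, name, addresses, routes, ip_enable_router):
        self.name = name
        self.addresses = {ifc: ipaddress.ip_address(a) for ifc, a in addresses.items()}
        self.routes = [Route(ipaddress.ip_network(p), ifc, gw) for p, ifc, gw in routes]
        # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
        self.ip_enable_router = ip_enable_router

    def lookup(self, dst):
        """Longest-prefix match: a /32 host route beats a /24, which beats 0.0.0.0/0."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def handle(self, dst, arrived_on=None):
        """Decide what happens to a packet for dst.  arrived_on=None means this host
        originated the packet; anything else is transit traffic that needs forwarding."""
        dst = ipaddress.ip_address(dst)
        if dst in self.addresses.values():
            return "deliver-local"
        if arrived_on is not None and not self.ip_enable_router:
            return "drop: IPEnableRouter=0"      # a workstation silently eats transit packets
        route = self.lookup(dst)
        if route is None:
            return "drop: no route"
        via = route.interface if route.gateway is None else f"{route.interface} to {route.gateway}"
        return f"forward via {via}"


# The W2K RRAS side as described in the thread: LAN 192.168.0.1, dd interface
# 192.168.2.10, and a static route for 192.168.2.0/24 bound to the dd interface.
RRAS = Host("W2K RRAS", {"LAN": "192.168.0.1", "VPN": "192.168.2.10"},
            [("192.168.0.0/24", "LAN", None), ("192.168.2.0/24", "VPN", None),
             ("0.0.0.0/0", "LAN", "192.168.0.254")], ip_enable_router=True)


def xp_answering():
    """XP as the called party: it learns only a /32 host route back to the caller."""
    return Host("XP (answering)", {"LAN": "192.168.2.2"},
                [("192.168.2.0/24", "LAN", None), ("192.168.2.10/32", "VPN", None),
                 ("0.0.0.0/0", "LAN", "192.168.2.1")], ip_enable_router=False)


def xp_routing():
    """XP after the fix: IPEnableRouter=1 and a subnet route for the far side via the tunnel."""
    return Host("XP (routing)", {"LAN": "192.168.2.2"},
                [("192.168.2.0/24", "LAN", None), ("192.168.0.0/24", "VPN", None),
                 ("0.0.0.0/0", "LAN", "192.168.2.1")], ip_enable_router=True)


def remote_client(static_route):
    """A workstation on the XP's LAN, with or without
    'route add 192.168.0.0 mask 255.255.255.0 192.168.2.2'."""
    routes = [("192.168.2.0/24", "LAN", None), ("0.0.0.0/0", "LAN", "192.168.2.1")]
    if static_route:
        routes.append(("192.168.0.0/24", "LAN", "192.168.2.2"))
    return Host("192.168.2.5", {"LAN": "192.168.2.5"}, routes, ip_enable_router=False)


def ping_round_trip(rras, xp, client, target):
    """Follow an echo request from a 192.168.0.x client across the tunnel, and its reply."""
    steps = {"rras_out": rras.handle(target, arrived_on="LAN"),
             "xp_in": xp.handle(target, arrived_on="VPN")}
    if steps["xp_in"].startswith("drop"):
        steps["xp_back"] = steps["rras_back"] = "n/a: request never delivered"
        return steps
    # The reply originates on the XP if the XP itself was pinged; otherwise it is a
    # transit packet that reached the XP from its LAN and must be forwarded.
    origin = None if steps["xp_in"] == "deliver-local" else "LAN"
    steps["xp_back"] = xp.handle(client, arrived_on=origin)
    steps["rras_back"] = (rras.handle(client, arrived_on="VPN")
                          if steps["xp_back"] == "forward via VPN"
                          else "n/a: reply did not enter the tunnel")
    return steps


if __name__ == "__main__":
    for label, xp, target in [("XP answering, ping XP", xp_answering(), "192.168.2.2"),
                              ("XP answering, ping host behind XP", xp_answering(), "192.168.2.5"),
                              ("XP routing, ping host behind XP", xp_routing(), "192.168.2.5")]:
        print(label, ping_round_trip(RRAS, xp, "192.168.0.50", target))
    for flag in (False, True):
        print("192.168.2.5 reply, static route =", flag, "->", remote_client(flag).handle("192.168.0.50"))
```

The first scenario reproduces Rick's original symptom in a way the thread only implies: the RRAS side forwards the request correctly and the XP receives it, but the XP's reply to 192.168.0.50 matches nothing except the default route, so it leaves toward the firewall instead of the tunnel. The second shows that a request for a machine behind the XP dies at the XP as long as IPEnableRouter is 0, whatever routes exist. The third and the remote_client checks show the complete fix: forwarding on, a 192.168.0.0/24 route via the tunnel on the XP, and a static route on (or a gateway route for) the 192.168.2.x machines pointing at 192.168.2.2. The model ignores NAT and what the PPP negotiation itself installs; on a real box, `route print` shows the same table the lookup walks.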
 
Thanks Bill. I understand the routing stuff well - I just forgot how to
enable IP routing on the workstations. All of our routing is done by either
hardware routers or servers ;-)

I appreciate your help, thanks.
 