bhilgenkamp
asked on
Connect to Win 2003 server via VPN and see rest of network
I am connecting to work to our Win 2003 server using the built-in VPN feature in the server. I can ping the server and access its resources, but I also want to be able to access other nodes on the network there. How can I go about doing this?
ASKER
No. I can ping the IP of the VPN server, as well as its FQDN. Trying to ping other nodes does not work. Pinging their FQDN resolves their IP, but I do not get a reply. The VPN server is also the DNS server.
Are there 1 or 2 network adapters on the server?
If 2, you will need to configure RRAS, probably "IP routing". RRAS management console | right click on server and choose properties | IP | enable IP routing
However, if a single NIC, it should not be necessary. If it is a single NIC, and IP routing is enabled in RRAS, you will likely need to turn it off.
The problem is more likely:
1) make sure any firewalls on the PCs, such as the Windows firewall, are configured to allow the remote connection. Better yet, switch them off completely for testing.
2) on the VPN "virtual adapter" on the machine from which you are connecting, make sure "use default gateway on remote network" is enabled. This is located at Control panel | network connections | right click on the VPN virtual adapter and choose properties | networking | TCP/IP properties | advanced | general |.........
3) the server's subnet should be different than the connecting client's subnet
4) if none of the above, post the results from a command line of:
route print
here so we can see if there are any obvious problems.
ASKER
1 NIC
No software firewall - only router
Use default gateway on remote net is selected
Subnets are different (local is 192.168.100.0 remote is 192.168.1.0)
Route table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 10 4b 2e c5 aa ...... 3Com EtherLink 10/100 PCI NIC (3C905-TX) - Packet Scheduler Miniport
0x3 ...00 08 02 3b 79 be ...... 82557-based Integrated Ethernet with Wake on LAN - Packet Scheduler Miniport
0x10004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x80005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask          Gateway         Interface       Metric
0.0.0.0             0.0.0.0          70.171.188.1    70.171.189.199  21
0.0.0.0             0.0.0.0          192.168.1.54    192.168.1.54    1
68.15.230.226       255.255.255.255  70.171.188.1    70.171.189.199  20
70.171.188.0        255.255.254.0    70.171.189.199  70.171.189.199  20
70.171.189.199      255.255.255.255  127.0.0.1       127.0.0.1       20
70.255.255.255      255.255.255.255  70.171.189.199  70.171.189.199  20
127.0.0.0           255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.1.54        255.255.255.255  127.0.0.1       127.0.0.1       50
192.168.1.255       255.255.255.255  192.168.1.54    192.168.1.54    50
192.168.100.0       255.255.255.0    192.168.100.1   192.168.100.1   20
192.168.100.1       255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.100.50      255.255.255.255  127.0.0.1       127.0.0.1       50
192.168.100.255     255.255.255.255  192.168.100.1   192.168.100.1   20
224.0.0.0           240.0.0.0        70.171.189.199  70.171.189.199  20
224.0.0.0           240.0.0.0        192.168.100.1   192.168.100.1   20
224.0.0.0           240.0.0.0        192.168.1.54    192.168.1.54    1
255.255.255.255     255.255.255.255  70.171.189.199  70.171.189.199  1
255.255.255.255     255.255.255.255  192.168.1.54    192.168.1.54    1
255.255.255.255     255.255.255.255  192.168.100.1   192.168.100.1   1
Default Gateway: 192.168.1.54
===========================================================================
Persistent Routes:
None
therefore ???:
Server site public IP = 68.15.230.x
Server site LAN = 192.168.1.0
Local LAN = 192.168.100.0
Local VPN virtual adapter = 192.168.1.54
However, what is 70.171.189.x? I assume this computer has dual NICs or a PPPoE network connection?
Regardless, the following statements indicate the routing is correct for your VPN, at least at the client end:
68.15.230.226 255.255.255.255 70.171.188.1 70.171.189.199 20
192.168.1.54 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.1.255 255.255.255.255 192.168.1.54 192.168.1.54 50
I was thinking on this. You shouldn't have to, but you could try adding a route statement on the client computer. At a command line enter:
ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.54
If 2 NICs, you will need to add the interface #, and if not WINXP you will need to add a metric, such as
ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.54 METRIC 50 IF 2
If you wish to delete, enter:
ROUTE DELETE 192.168.1.0
This should force all pings/traffic for the remote network through the virtual adapter. Might be worth a shot.
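Added example, not part of the original thread: a small Python model of how the client chooses a route (longest prefix first, then lowest metric), run over a subset of the Active Routes rows posted above, before and after the suggested ROUTE ADD. The function names, the metric of 50 for the added route, and the sample hosts 192.168.1.10, 192.168.100.20 and 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Subset of the Active Routes rows from the route print output in this thread.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 70.171.188.1 70.171.189.199 21
0.0.0.0 0.0.0.0 192.168.1.54 192.168.1.54 1
68.15.230.226 255.255.255.255 70.171.188.1 70.171.189.199 20
70.171.188.0 255.255.254.0 70.171.189.199 70.171.189.199 20
192.168.1.54 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.100.0 255.255.255.0 192.168.100.1 192.168.100.1 20
"""

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append({"net": net, "gateway": gateway,
                           "iface": iface, "metric": int(metric)})
        except ValueError:
            continue  # five fields, but not a route row
    return routes

def add_route(routes, dest, mask, gateway, metric):
    """Model ROUTE ADD; assumes the interface address equals the gateway."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return routes + [{"net": net, "gateway": gateway,
                      "iface": gateway, "metric": metric}]

def select_route(routes, target):
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    patched = add_route(table, "192.168.1.0", "255.255.255.0", "192.168.1.54", 50)
    # 192.168.1.10, 192.168.100.20 and 203.0.113.10 are constructed sample hosts.
    for host in ("192.168.1.10", "192.168.100.20", "68.15.230.226", "203.0.113.10"):
        before, after = select_route(table, host), select_route(patched, host)
        print(f"{host:15} before: {before['net']} via {before['iface']}"
              f" | after ROUTE ADD: {after['net']} via {after['iface']}")
```

For 192.168.1.10 the chosen interface is 192.168.1.54 both before and after the added route, because the metric 1 default route already sends it into the tunnel. The same default route also carries 203.0.113.10, so with "use default gateway on remote network" enabled all of the client's Internet-bound traffic crosses the VPN.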
ASKER
Correct, Rob, on the IPs. Sorry I didn't explain. I have two NICs in the client - one for WAN and one for LAN. The 70.171.189.199 is my public IP. I'll try adding a route when I get home from work today. The main reason I don't really wanna go that route is that right now my IP for the VPN is dynamically given to me from the VPN server. Guess I could use a static though. Anyway, I'll try this later.
The route add shouldn't be necessary, but you may want to try for troubleshooting purposes. If it works it may help to isolate the problem. When I get to a RRAS server I'll do a little tinkering as well. I don't have that option today.
ASKER
Tried your suggestion, still can't ping the other computers on the remote network.
Well it was worth a try. <G>
I am loading a test 2003 server as we speak. If you still haven't found a solution, tomorrow I'll try and break it and see if I can duplicate your problem. It likely has to do with routing being configured in RRAS where it shouldn't be.
ASKER
Sorry, I forgot to put this in my previous post. When I go to look at RRAS it has not been configured yet. Would this do it?
RRAS must have been configured if you are able to connect. However, there are different parts to RRAS; you may have just done the VPN part, which is good. I assume you can open the RRAS console in administrative tools, click on the server name and open a list of features, as opposed to getting "do you want to configure and enable RRAS now". If not, or you want to review the steps, have a look at:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Should you want to start fresh (if you are not using other RRAS features) you can right click on the server name in the RRAS console and choose disable. Once complete, about 2 minutes, you can right click again and choose enable/configure and follow the wizard steps as outlined in the link.
ASKER
Ok... For my VPN I created an incoming connection in network connections rather than using RRAS. I removed the incoming connection and set up the VPN using RRAS this time. I can connect to the VPN using the new setup, but I still cannot ping the other machines.
Learn something every day. I didn't know that was an option with 2003, thought only XP, then again, I guess no reason why not. It would have more limited capabilities, though, than the RRAS configuration.
ASKER
Yeah, I never even knew about VPN through RRAS. You do learn something every day I guess...
ASKER
Does this make sense? A route to the remote LAN with a subnet mask of 255.255.255.0 and a gateway of the VPN server is created when I am connected when I de-select "Use default gateway on remote network" on my virtual adapter settings in Networking > TCP/IP > Properties > Advanced. If I select this box and connect, this route uses a mask of 255.255.255.0. Is that correct?
ASKER
Should I repost this or would it be better if you kept it up?
Have you made any progress, bhilgenkamp? I did check, and regardless of whether the "use default gateway" option is selected or not, the subnet mask is usually 255.255.255.255. However, you say when enabled you have a subnet mask of 255.255.255.0. Have you configured the mask manually, or is it assigned by the VPN server? It should be 255.255.255.255 for the routing to work properly.
Also, on your RRAS console under the VPN server name, is there a NAT option/menu? If so, it should probably be disabled as you are not performing NAT. Then under IP routing, click on Static Routes. Are there any routes listed in the right-hand window? There shouldn't be.
ASKER
Thanks for the follow up. I'll have to play with this again when I get home.
Let us know how it goes.
Can you ping the other nodes as yet, via name and IP?