Solved

Need help with router over MS PPTP VPN

Posted on 2006-06-17
10
278 Views
Last Modified: 2010-03-18
I have a site to site hardware vpn using Netscreen 5GT firewalls between Site A and Site B.  Some users want to work from home and will VPN into Site A through the firewall to a MS PPTP VPN Server.  The remote users can access the resources at Site A just fine.  The remote users need to access Site B.

How can I accomplish this?
0
Question by:avsc
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
What seems to be the problem?
-are they not able to connect? If so please provide error # and message, and VPN server version.
-are they trying to connect to site B through the site-to-site tunnel while connected to A? Not possible.
-are they trying to connect to both sites at the same time with a VPN client? Many home routers will only support a single PPTP connection, also as I recall XP will only support a single PPTP session. You can have multiple connections but not simultaneously.
0
 
LVL 7

Expert Comment

by:dansoto
Microsoft PPTP VPNs require:

1) GRE Protocol (usually allowed through most firewalls/routers by enabling the PPTP protocol)
2) Port 1723 MUST be open

I would start by making sure port 1723 is allowed into the network.  Also, the router must forward all requests from port 1723 to the internal IP address of the Microsoft PPTP server.  These are the most important and often overlooked items.

I hope this helps

- dan -
0
 

Author Comment

by:avsc
I guess I did not explain it well enough.  The remote users can vpn into site A.  They are able to access resources at site A.  There are other resources at site B which they cannot access when VPN'ed into site A.  There is a hardware (Juniper/Netscreen 5GT) site to site VPN tunnel between Site A and Site B. It is complicated as the users are vpn'ed into the MS Network and needing to route over the Juniper/Netscreen link.
0
 
LVL 77

Expert Comment

by:Rob Williams
Unfortunately you cannot VPN to one site and then redirect over a VPN to a 3rd site, the routing just doesn't work.
0

 

Author Comment

by:avsc
I resolved my own problem. Normally I set up the PPTP and deselect the option to use the vpn as the default gateway.

I now selected the option to use the vpn tunnel as the default and I can access the site to site networks with ease.

0
 
LVL 77

Expert Comment

by:Rob Williams
Never fails, if I say something definitive I am proven wrong  :-)  So you are saying that remote users can connect to A with PPTP client and then to site B through the tunnel, or is it a mapped drive on A that connects to B? Appreciate knowing how it works.

For the record, if I still have any credibility <G>, if ever necessary since apparently it is possible, you could probably also resolve with a route add command. The only packets that would normally be destined for Site A would be those of site A's subnet. With the default gateway unchecked all other packets, such as those destined for site B would be sent to the local gateway and lost. Enabling the default gateway option (which is usually done by default as a security feature to block local and Internet access) would force all packets to the office network. Adding the following should allow it to work with or without the default gateway option:
Assuming
local  = 192.168.1.0 with PPTP/adapter gateway of 192.168.2.100 (would have to be static)
site A = 192.168.2.0
site B = 192.168.3.0

route  add  -p  192.168.3.0  mask  255.255.255.0  192.168.2.100
0
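
Added example, not part of the original thread: a small model of the client's routing decision under the three setups discussed above (VPN default gateway unchecked, VPN as default gateway, and unchecked plus the route add for site B), using the addresses assumed in the post. The home gateway 192.168.1.1, the metric values and the test host addresses are assumptions made for the illustration.

```python
import ipaddress

LAN_GW = "192.168.1.1"      # assumed home-router address (not on the page)
PPTP_GW = "192.168.2.100"   # PPTP adapter gateway from the post

def route(prefix, gateway, iface, metric):
    return (ipaddress.ip_network(prefix), gateway, iface, metric)

# Client routes present in every case: home LAN plus site A over the tunnel.
BASE = [
    route("192.168.1.0/24", "on-link", "LAN", 10),
    route("192.168.2.0/24", PPTP_GW, "PPTP", 10),
]

# Metric values below are constructed; only their ordering matters.
TABLES = {
    # "Use default gateway on remote network" unchecked (split tunnel)
    "split": BASE + [route("0.0.0.0/0", LAN_GW, "LAN", 10)],
    # Option checked: the VPN default route wins on metric
    "vpn_default": BASE + [route("0.0.0.0/0", PPTP_GW, "PPTP", 1),
                           route("0.0.0.0/0", LAN_GW, "LAN", 20)],
    # Split tunnel plus the persistent static route for site B
    "split_plus_route": BASE + [route("0.0.0.0/0", LAN_GW, "LAN", 10),
                                route("192.168.3.0/24", PPTP_GW, "PPTP", 10)],
}

def egress(table_name, dst):
    """Longest-prefix match, lowest metric as tie-break; returns the interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in TABLES[table_name] if addr in r[0]]
    best = min(matches, key=lambda r: (-r[0].prefixlen, r[3]))
    return best[2]

if __name__ == "__main__":
    targets = {"site A host": "192.168.2.10",     # constructed host addresses
               "site B host": "192.168.3.10",
               "Internet host": "203.0.113.10"}   # documentation range
    for name in TABLES:
        print(name, {k: egress(name, v) for k, v in targets.items()})
```

The Internet row is the security-relevant difference: only the VPN-as-default setup sends the client's Internet traffic through the office network, while the static route reaches site B and leaves Internet traffic on the home connection.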
 
LVL 48

Expert Comment

by:Jay_Jay70
Oops! my bad!

PAQ with points refunded
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
PAQ / Refund
ee ai construct, community support moderator
0
