Solved

Need help with router over MS PPTP VPN

Posted on 2006-06-17
282 Views
Last Modified: 2010-03-18
I have a site to site hardware vpn using Netscreen 5GT firewalls between Site A and Site B.  Some users want to work from home and will VPN into Site A through the firewall to a MS PPTP VPN Server.  The remote users can access the resources at Site A just fine.  The remote users need to access Site B.

How can I accomplish this?
Question by:avsc
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16926998
What seems to be the problem?
-are they not able to connect? If so please provide error # and message, and VPN server version.
-are they trying to connect to site B through the site-to-site tunnel while connected to A? Not possible.
-are they trying to connect to both sites at the same time with a VPN client? Many home routers will only support a single PPTP connection, also as I recall XP will only support a single PPTP session. You can have multiple connections but not simultaneously.
 
LVL 7

Expert Comment

by:dansoto
ID: 16927135
Microsoft PPTP VPNs require:

1) GRE Protocol (usually allowed through most firewalls/routers by enabling the PPTP protocol)
2) Port 1723 MUST be open

I would start by making sure port 1723 is allowed into the network.  Also, the router must forward all requests from port 1723 to the internal IP address of the Microsoft PPTP server.  These are the most important and often overlooked items.

I hope this helps

- dan -
 

Author Comment

by:avsc
ID: 16927404
I guess I did not explain it well enough.  The remote users can VPN into site A.  They are able to access resources at site A.  There are other resources at site B which they cannot access when VPN'd into site A.  There is a hardware (Juniper/Netscreen 5GT) site to site VPN tunnel between Site A and Site B. It is complicated as the users are VPN'd into the MS Network and need to route over the Juniper/Netscreen link.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 16927753
Unfortunately you cannot VPN to one site and then redirect over a VPN to a 3rd site, the routing just doesn't work.
 

Author Comment

by:avsc
ID: 16931900
I resolved my own problem. Normally I set up the PPTP and deselect the option to use the VPN as the default gateway.

I now selected the option to use the VPN tunnel as the default and I can access the site to site networks with ease.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 16933705
Never fails if I say something definitive I am proven wrong  :-)  So you are saying that remote users can connect to A with PPTP client and then to site B through the tunnel, or is it a mapped drive on A that connects to B. Appreciate knowing how it works.

For the record, if I still have any credibility <G>, if ever necessary since apparently it is possible, you could probably also resolve with a route add command. The only packets that would normally be destined for Site A would be those of site A's subnet. With the default gateway unchecked all other packets, such as those destined for site B would be sent to the local gateway and lost. Enabling the default gateway option (which is usually done by default as a security feature to block local and Internet access) would force all packets to the office network. Adding the following should allow it to work with or without the default gateway option:
Assuming:
local = 192.168.1.0 with PPTP adapter gateway of 192.168.2.100 (would have to be static)
site A = 192.168.2.0
site B = 192.168.3.0

route add -p 192.168.3.0 mask 255.255.255.0 192.168.2.100
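The routing behaviour described in the comment above, as an added simulation that is not code from the page or from either poster: it applies longest-prefix matching to the PPTP client's routing table under the three configurations discussed (split tunnel without an extra route, VPN as default gateway, split tunnel plus the persistent route). The home router address and the site B host are constructed values.

```python
from ipaddress import ip_address, ip_network

# Addressing from the comment above; the home router and site B host are constructed.
LOCAL_GW = "192.168.1.1"      # home router (constructed, not on the page)
PPTP_GW = "192.168.2.100"     # PPTP adapter gateway at site A (from the comment)
SITE_B_HOST = "192.168.3.10"  # constructed host on site B's 192.168.3.0/24 subnet

def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    which is how the client's routing table is consulted for every packet."""
    dst = ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def client_table(vpn_is_default_gateway, extra_routes=()):
    """Routing table of the PPTP client. With 'use default gateway on remote
    network' unchecked, only site A's subnet points at the tunnel and 0.0.0.0/0
    stays on the home router; checked, 0.0.0.0/0 moves to the tunnel."""
    default_gw = PPTP_GW if vpn_is_default_gateway else LOCAL_GW
    table = [
        (ip_network("192.168.1.0/24"), "on-link"),  # home LAN
        (ip_network("192.168.2.0/24"), PPTP_GW),    # site A via PPTP
        (ip_network("0.0.0.0/0"), default_gw),      # everything else
    ]
    return table + list(extra_routes)

# Equivalent of: route add -p 192.168.3.0 mask 255.255.255.0 192.168.2.100
SITE_B_ROUTE = (ip_network("192.168.3.0/24"), PPTP_GW)

def site_b_next_hop(vpn_is_default_gateway, with_route_add=False):
    """Gateway a packet for site B is handed to under the given configuration."""
    extra = [SITE_B_ROUTE] if with_route_add else []
    return next_hop(client_table(vpn_is_default_gateway, extra), SITE_B_HOST)

if __name__ == "__main__":
    for label, gw in [
        ("split tunnel, no extra route", site_b_next_hop(False)),
        ("VPN as default gateway", site_b_next_hop(True)),
        ("split tunnel + route add -p", site_b_next_hop(False, True)),
    ]:
        fate = "reaches site B" if gw == PPTP_GW else "sent to home router and lost"
        print(f"{label:30} -> next hop {gw:15} ({fate})")
```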
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17254814
Oops! my bad!

PAQ with points refunded
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17280976
PAQ / Refund
ee ai construct, community support moderator
