Solved

Having VPN problems, Linksys RV042, SBS2003 - Connects to router but no route to LAN

Posted on 2006-06-28
Last Modified: 2013-11-09
Hey everybody!

I wonder if you kind and talented people can help me!

My customer has:

SBS2003
5 XP Pro Clients
2 Mobile users

Server is Dell PowerEdge SC240 - Celeron!! (yuk)
D-Link DSL-300T Ethernet DSL modem
Linksys RV042 VPN Router

I'm having trouble accessing the domain with a VPN connection. RRAS is enabled and seems OK, on the Linksys I've configured a Client to Gateway VPN tunnel with their static IP address (Gateway), and I selected the remote client as having dynamic IP + domain name to authenticate. The local group IP range is 192.168.16.0 - 150 - which is the internal network (the server has 2 NICs, one for DSL 192.168.0.3 and the other internal 192.168.16.2 - are these ranges normal, i.e. no bridge/same subnet?).

I downloaded the Linksys QuickVPN client software, inputted a relevant username and password with the router's WAN IP in the server address to connect to. It connects but doesn't seem to route it to the LAN as I can only get remote management (to the router). I don't get assigned a 192.168.16.X IP - the dial-up 81.X.X.X remains. Maybe I should be using the XP VPN connection - but that doesn't work either - What am I doing wrong?

This description is probably missing bits you need to know so please tell me what you need.

Thanks in advance

Aljeebo
0
Question by:Aljeebo
13 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 17005483
Hi Aljeebo,

I'm interested in your question, but the whole setup isn't really clear to me.
If you've set up the RV042 on the same location as the SBS2003 server, which will do additional routing, the VPN software might be confused as it, of course, doesn't realize there's also a 192.168.16.x subnet on the other side of the VPN tunnel. A better solution might be to have the SBS server directly connected to the RV042 and also have the clients of that network. This will avoid double NAT-ting, but might cause a security problem as the clients on that side are directly connected to the internet through the RV042 then. If that concerns you, you might want to force a proxy server on the SBS2003 server by group policy and deny any direct attempts on the RV042 by blocking all internet access except through the proxy server.

Greetings,

LucF
0
 

Author Comment

by:Aljeebo
ID: 17056403
Hi LucF

Thank you so much for responding and I apologize for not replying until now.

I thought that 192.168.16.x would be on the same subnet as 192.168.0.x, being 255.255.255.0? I'm going to the site today so I'll give it a try and let you know.

Many thanks

Aljeebo
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 17060724
Hello Aljeebo,

Thanks for your reaction, I was afraid you abandoned the question.
Indeed 192.168.1.x and 192.168.16.x are not on the same subnet if the subnet mask is 255.255.255.0 (only the last number may change, not the 3rd).
Keeping everything in the same subnet will solve your problem, but keep the last part of my previous comment in mind; if necessary you'll have to make sure internet connections can only happen through the server.
Let me know if you have any luck tomorrow with the setup.

Best regards,

Luc
0
 

Author Comment

by:Aljeebo
ID: 17097161
Hi

I didn't have any luck because the D-Link (don't link) ethernet modem failed, no LEDs, no nothing!

I'm confused: Indeed 192.168.1.x and 192.168.16.x are not on the same subnet if the subnet mask is 255.255.255.0 (only the last number may change, not the 3rd) - so they're not on the same subnet even if the subnet mask is the same?

What do you think to Hamachi? Don't get me wrong, I'm not giving up on this, just wondered what you thought. Security risk?

Kind regards

Al
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 150 total points
ID: 17103971
Hi Aljeebo,

Sorry to hear about the failing D-Link modem, I hope you can replace it with another device soon.

Yes, even if the subnet mask is the same, as the ranges themselves are different (16.x instead of 1.x) the devices are not in the same subnet and will need some form of routing to communicate together, as is now done by your SBS server. The client, in this case QuickVPN, however doesn't know anything about the existing SBS server and won't forward the requests.

There's a nice article about subnetting on Wikipedia at http://en.wikipedia.org/wiki/Subnetwork, especially the short part about the network and host part of a subnet mask.

About Hamachi, although I'm personally using it, I don't see it as anything which should be used on a company network. There's very little security on Hamachi; anyone knowing the network name and password is by default allowed to see everything on the network, which effectively also means there's little to no authorisation within Hamachi.
The best use for Hamachi is IMO to connect your computer to the ones of your friends to share some files and/or to play some games.

LucF
0
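Added example (not part of the original thread or written by any of its participants): the subnet check discussed above, run on the two server NIC addresses from the question with the 255.255.255.0 mask. It also computes the shortest mask under which both addresses would share one subnet; `LAN_CLIENT` is a constructed sample address taken from the top of the tunnel's local group range, and the function names are illustrative.

```python
import ipaddress

MASK = "255.255.255.0"           # mask quoted in the thread
SERVER_DSL_NIC = "192.168.0.3"   # SBS NIC facing the router (from the question)
SERVER_LAN_NIC = "192.168.16.2"  # SBS NIC facing the internal LAN (from the question)
LAN_CLIENT = "192.168.16.150"    # constructed sample host on the internal LAN


def network_of(addr, mask=MASK):
    """Network an interface belongs to: address AND mask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def delivery(src, dst, mask=MASK):
    """'direct' if dst is on src's own subnet, else 'routed' (needs a gateway)."""
    on_link = ipaddress.ip_address(dst) in network_of(src, mask)
    return "direct" if on_link else "routed"


def smallest_common_network(a, b):
    """Longest-prefix network that contains both addresses."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    prefix = 32 - diff.bit_length()  # number of leading bits the addresses share
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


if __name__ == "__main__":
    for nic in (SERVER_DSL_NIC, SERVER_LAN_NIC):
        print(f"{nic:<14} mask {MASK} -> network {network_of(nic)}")
    print("DSL side   -> LAN NIC:", delivery(SERVER_DSL_NIC, SERVER_LAN_NIC))
    print("LAN client -> LAN NIC:", delivery(LAN_CLIENT, SERVER_LAN_NIC))
    common = smallest_common_network(SERVER_DSL_NIC, SERVER_LAN_NIC)
    print(f"one shared subnet would need {common} (mask {common.netmask})")
```

With the same mask on both sides the two NICs still land in different networks, so traffic between them has to pass through something that routes.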
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 150 total points
ID: 17322800
Al,

Your configuration sounds like a very normal SBS installation.  You can see an example of one here:  http://sbsurl.com/twonics

I think your problem is that you are confused about how the VPN is being provided.  SBS has all the necessary components to handle the VPN without the need for much of anything from the Linksys router except that the router needs to be configured to allow GRE Protocol 47 (not port 47 -- on a Linksys router, this is termed "VPN Passthrough" -- which is confusing enough because that's usually the term for allowing OUTBOUND VPN connections... but not in Linksysland).

You will also need to have port 1723 open on the router, but the best way to do this is to enable UPnP on it and then run the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email)

A visual how-to is here:  http://sbsurl.com/ceicw and a full networking overview for SBS is at http://sbsurl.com/msicw

You would follow this with the Remote Access Configuration Wizard.

Also, no need for anything like Hamachi... again it's all in SBS!

Jeff
TechSoEasy

0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 17490117
red,

On this one I have to disagree.
First of all, Jeff's comment came in more than a month after my last comment and about 1 1/2 month after the question was posted, so the question was already abandoned way before his comment.
Apart from that, Aljeebo is talking about QuickVPN which has to be handled by the RV042 as it cannot connect to a SBS server.

No offence intended to Jeff, but I think this question should be "Accept: LucF {http:#17005483}"

Thanks,

LucF
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17490877
Hi LucF,

I did notice the time lag, and recently asked the admins about it (not relating to this question though).  My opinion was that comments after 21 days should be ignored by cleanup, unless they add *substantially* more information to the Q.  The admins had the opinion that time was not a factor - it doesn't immediately discount the validity of the expert's answer.

As for the validity of Jeff's post - he showed another way to configure a VPN.  I realise the asker has downloaded the quickvpn client, but they also configured RRAS (so answers showing how to fix the linksys host OR configure and connect to RRAS are valid IMHO)

Anyway, the decision is not mine, the Mod will be here in 3 days now and will decide then.  If you have more to add feel free, however if you have a lot more to add, then we should move to a CS question.  Also, thanks for responding, while I am not terribly happy that you aren't satisfied by my recommendation, it is nice to see someone actually reads these things! :)

-red
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17491598
I did realize that my comment was late... HOWEVER, that does not take away from the fact that the asker was headed down the wrong path with the QuickLink VPN client.  The router is sitting on the External NIC of a dual-homed SBS.  VPNing to the router will not get anyone into the LAN properly.  This was his question... and you even confirmed that this was a problem in your answer LucF.  However, you did not supply a workable solution.  

Additionally, when Al asked if he was barking up the wrong tree, you did not advise him that 3rd party tools are not necessary for an SBS VPN solution.

I'm sorry, but even though it was late... I gave an appropriate answer.  The fact that it's even split will not leave a proper record of the solution... but I don't mind sharing points anyhow.

Jeff
TechSoEasy
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 17491961
red, Jeff,

This will be my last comment on this one, as I surely don't want to clutter up this conversation too much. No need to move to a CS question.
Last time I checked with AnnieMod she told me points are awarded for answers "in time".

Anyways, Jeff, you say "However, you did not supply a workable solution."; my workable solution is in the first comment I made, the RV042 has more than enough capabilities to handle it and it saves some load of the server anyways. It would require a small change in the network layout but that's it.
I'm a big fan of SBS solutions myself, but that doesn't mean that I think everything should be handled by the server when other hardware is available which can save some tasks of the server. I'd say both yours and mine are possible solutions, it's up to Aljeebo to choose which direction he wants to go.

I'll leave it to the Moderator following up to decide.

Thanks,

Luc
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 17499036
It doesn't make any sense at all to award points for a wrong answer even if it was "in time".  Your "workable" solution is this?

"a better solution might be to have the SBS server directly connected to the RV042 and also have the clients of that network. This will avoid double NAT-ting, but might cause a security problem as the clients on that side are directly connected to the internet through the RV042 then. If that concerns you, you might want to force a proxy server on the SBS2003 server by group policy and deny any direct attempts on the RV042 by blocking all internet access except through the proxy server."

The SBS WAS directly connected to the router.  It's a dual-homed configuration which, in many experts' opinions, is a far better configuration because it keeps the LAN secure from the Internet.  Double-NATting is no problem for SBS.  But you didn't even provide HOW to do this... which would have required the uninstallation and removal of his second NIC and to connect all workstations directly to the router which may or may not have been capable of that.  It then would have required changing either the LAN IP of the router or of the SBS.

The configuration that he already had was just fine.  There was no reason at all to make all of those changes above (even if they had been outlined).  The example I provided from http://sbsurl.com/twonics shows this to be true.

Honestly, I don't really care about the points... I have plenty.  What I do care about is leaving a correct legacy answer, which is why I responded in the first place.

Jeff
TechSoEasy

0
