Solved

Using windows VPN (multiple subnets)

Posted on 2007-04-06
Last Modified: 2008-01-09
I have a customer with servers in Conn. and SC (both of which are on different subnets). They are connected together by a VPN. We are trying to set up a simple Windows VPN so that they can access files from home across the net. The VPN points to the server in Conn. They connect successfully and can browse the Conn server, but can't see anything on the other subnet.

Please Help!!!
Question by:PlusInc
11 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18865345
>>"they connect successfully and can browse the Conn server, but can't see anything on the other subnet."

Do you mean they cannot see anything on the SC network?
If so, and the Conn <=> SC VPN uses PPTP, it may not be possible, but if using IPSec (i.e. a different protocol), which it likely is, it should be possible if you add a route. Assuming they are connecting to the Conn network, and for example purposes, the IP assigned to the client is 192.168.200.101 (PPP adapter), and the SC network uses 192.168.100.x, add a route using:
route add 192.168.100.0 mask 255.255.255.0 192.168.200.101
The problem with this is the IP changes each time you connect. If it works for you, you may want to assign VPN clients static IPs under the dial-in tab of their profile in Active Directory.
0
 

Author Comment

by:PlusInc
ID: 18865533
OK, well, I am not too familiar with setting up routes. Could you help me with the syntax?

Here is what I know: Conn subnet is 192.168.0.X and SC is 192.168.4.X; mask is 255*3, I assume, for both. Anything else you need to know?

Thanks for the quick reply.
0
 

Author Comment

by:PlusInc
ID: 18865565
By the way, it will not accept the connection if I dial in with a static IP.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18865570
One catch, no one can connect if using 192.168.0.x or 192.168.0.x on their home local network. 192.168.0.x is quite common.

route  add  192.168.4.0  mask  255.255.255.0  192.168.0.101
Assuming the connecting client were assigned the 192.168.0.101 IP. You can determine their IP by running at a command line:
ipconfig  /all
and look at the "IP address" under the PPP adapter.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18865586
>>"By the way it will not accept connection if I dial in with static ip"
Sorry, missed this. No, that is correct. In order to assign the user a static IP, you have to do so on the server. This is done by opening their profile in Active Directory and going to the Dial-up tab/page. Near the bottom there is an option to assign a dial-up (VPN) connection a specific IP. If this is grayed out, let me know. Changes may be necessary.
0
 

Author Comment

by:PlusInc
ID: 18865666
Well, this is what I tried:

route add 192.168.4.0 mask 255.255.255.0 192.168.0.80

It said it completed, but I can not ping anything on the 4 subnet. I can't browse to it either.
0
 

Author Comment

by:PlusInc
ID: 18865690
Well which subnet do I assign them an IP to? The one they are dialing in to or the one the route is to?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18866582
>>"I can not ping anything on the 4 subnet. I can't browse to it either."
Ignore browsing, often doesn't work. Stick to pinging or accessing resources by IP, \\192.168.4.123\ShareName, at least for now.

Can you ping other devices on the Conn network OK?
On the server where the Windows VPN is configured, check the RRAS console, and right click on the server name and choose properties, then on the general tab make sure LAN and Demand-Dial routing is enabled.

As mentioned, this may not always be possible as you are effectively asking your packets to make a 'U' turn. Some systems do not support this. Because the server is doing the routing and you are using 2 protocols (I assume site to site is IPSec), I think it should work. I will be able to test a similar configuration in about an hour.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18866862
>>"well which subnet do I assign them an IP to?"
Same subnet RRAS uses. Open RRAS, right click on the server name and choose properties, then on the IP tab, check under "static address pool".
You want to be in the same subnet as that.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18867029
Just realized another scenario where I could test. Windows VPN client => Windows RRAS/VPN server => another site/city using hardware to hardware IPSec tunnel. Worked great, after adding the appropriate route.

However, the Windows RRAS server must assign an IP in the same subnet as the local LAN, to the VPN client. Though this is not necessary for a VPN connection to the server, it is to route to the remote site. You can get around this by adding additional static routes on the RRAS server, but simplest if you do not have to. Looks to me from what you have 'said' that your VPN clients and Conn network are using the same subnet which is good.
0
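An added example, not part of any post in this thread: a Python sketch that reads `ipconfig /all` output, finds the PPP adapter IP (which changes on each connection), builds the matching `route add` line, and checks the two conditions raised above: the home LAN must not overlap an office subnet, and the VPN client IP must sit in the Conn LAN subnet. The sample output, the adapter names and the `plan_route` helper are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter Office VPN:
        IP Address. . . . . . . . . . . . : 192.168.0.80
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""
HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(IP(?:v4)? Address|Subnet Mask)[ .]*:\s*([\d.]+)")


def parse_adapters(text):
    """Return (kind, ip, mask) tuples, one per adapter that has an address."""
    found, cur = [], None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            cur = {"kind": h.group(1)}
            found.append(cur)
        elif cur is not None and (f := FIELD.match(line)):
            cur["mask" if f.group(1) == "Subnet Mask" else "ip"] = f.group(2)
    return [(a["kind"], a["ip"], a.get("mask", "255.255.255.255"))
            for a in found if "ip" in a]


def plan_route(text, vpn_lan, remote_net):
    """Build the `route add` line for the PPP adapter and list problems found."""
    vpn_lan = ipaddress.ip_network(vpn_lan)        # LAN behind the VPN server
    remote_net = ipaddress.ip_network(remote_net)  # subnet at the far site
    problems, ppp_ip = [], None
    for kind, ip, mask in parse_adapters(text):
        if kind == "PPP":
            ppp_ip = ipaddress.ip_address(ip)
            continue
        local = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for office in (vpn_lan, remote_net):
            if local.overlaps(office):
                problems.append(f"home LAN {local} overlaps office subnet {office}")
    if ppp_ip is None:
        return None, problems + ["no PPP adapter: VPN not connected"]
    if ppp_ip not in vpn_lan:
        problems.append(f"VPN client IP {ppp_ip} is outside {vpn_lan}")
    cmd = f"route add {remote_net.network_address} mask {remote_net.netmask} {ppp_ip}"
    return cmd, problems
```

On a client, the text passed to `plan_route` would be the saved output of `ipconfig /all` taken after the VPN connects.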
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18894762
Thanks PlusInc,
Cheers !
--Rob
0
