Using Windows VPN (multiple subnets)

I have a customer with servers in Conn. and SC (both of which are on different subnets). They are connected together by a VPN. We are trying to set up a simple Windows VPN so that they can access files from home across the net. The VPN points to the server in Conn. They connect successfully and can browse the Conn server, but can't see anything on the other subnet.

Please Help!!!
PlusInc Asked:
 
Rob Williams Commented:
Just realized another scenario where I could test. Windows VPN client => Windows RRAS/VPN server => another site/city using hardware to hardware IPSec tunnel. Worked great, after adding the appropriate route.

However, the Windows RRAS server must assign an IP in the same subnet as the local LAN, to the VPN client. Though this is not necessary for a VPN connection to the server, it is to route to the remote site. You can get around this by adding additional static routes on the RRAS server, but simplest if you do not have to. Looks to me from what you have 'said' that your VPN clients and Conn network are using the same subnet which is good.
0
 
Rob Williams Commented:
>>"they connect successfully and can browse the Conn server, but can't see anything on the other subnet."

Do you mean they cannot see anything on the SC network?
If so, and the Conn <=> SC VPN uses PPTP it may not be possible, but if using IPSec (i.e. a different protocol), which it likely is, it should be possible if you add a route. Assuming they are connecting to the Conn network, and for example purposes, the IP assigned to the client is 192.168.200.101 (PPP adapter), and the SC network uses 192.168.100.x, add a route using:
route add 192.168.100.0 mask 255.255.255.0 192.168.200.101
The problem with this is the IP changes each time you connect. If it works for you, you may want to assign VPN clients static IPs under the dial-in tab of their profile in Active Directory.
0
 
PlusInc Author Commented:
OK, well, I am not too familiar with setting up routes. Could you help me with syntax:

Here is what I know: Conn subnet is 192.168.0.X and SC is 192.168.4.X; mask is 255*3, I assume, for both. Anything else you need to know?

Thanks for quick reply
0

 
PlusInc Author Commented:
By the way, it will not accept the connection if I dial in with a static IP.
0
 
Rob Williams Commented:
One catch, no one can connect if using 192.168.0.x or 192.168.0.x on their home local network. 192.168.0.x is quite common.

route add 192.168.4.0 mask 255.255.255.0 192.168.0.101
Assuming the connecting client were assigned the 192.168.0.101 IP. You can determine their IP by running at a command line:
ipconfig /all
and look at the "IP address" under the PPP adapter.
0
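The route step from the answer above, as an added PowerShell example that is not part of the original thread: it reads whatever address the PPP adapter currently holds, so the address changing on each connection does not matter, and it first checks for the home-network overlap mentioned in the same answer. The connection name `Conn VPN` is a hypothetical placeholder, and `Get-NetIPAddress` assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Run elevated on the VPN client after connecting.
$VpnName = 'Conn VPN'                           # hypothetical VPN connection name
$Subnets = '192.168.0.0/24', '192.168.4.0/24'   # Conn and SC subnets, as given in the thread

function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixOverlap([string]$AddrA, [int]$LenA, [string]$AddrB, [int]$LenB) {
    # Two CIDR blocks overlap when they agree on the bits of the shorter prefix.
    $len  = [math]::Min($LenA, $LenB)
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
    ((ConvertTo-IPv4Number $AddrA) -band $mask) -eq ((ConvertTo-IPv4Number $AddrB) -band $mask)
}

# Address the RRAS server assigned to this client (the "PPP adapter" in ipconfig /all).
$vpn = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction Stop |
       Select-Object -First 1

# Every other non-loopback IPv4 address belongs to a local (home) network.
$local = Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.InterfaceAlias -ne $VpnName -and $_.IPAddress -notlike '127.*' }

foreach ($addr in $local) {
    foreach ($subnet in $Subnets) {
        $net, $len = $subnet -split '/'
        if (Test-PrefixOverlap $addr.IPAddress $addr.PrefixLength $net $len) {
            throw "Local network $($addr.IPAddress)/$($addr.PrefixLength) overlaps $subnet; traffic for it will stay on the home LAN."
        }
    }
}

# Same command as in the thread, with the gateway taken from the PPP adapter.
route.exe add 192.168.4.0 mask 255.255.255.0 $vpn.IPAddress
```

The route is not persistent, so the script has to be run again after each reconnect.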
 
Rob Williams Commented:
>>"By the way it will not accept connection if I dial in with static ip"
Sorry, missed this. No, that is correct. In order to assign the user a static IP, you have to do so on the server. This is done by opening their profile in Active Directory and going to the Dial-up tab/page. Near the bottom there is an option to assign a dial-up (VPN) connection a specific IP. If this is grayed out let me know. Changes may be necessary.
0
 
PlusInc Author Commented:
Well, this is what I tried:

route add 192.168.4.0 mask 255.255.255.0 192.168.0.80

It said it completed, but I cannot ping anything on the 4 subnet. I can't browse to it either.
0
 
PlusInc Author Commented:
Well, which subnet do I assign them an IP to? The one they are dialing in to or the one the route is to?
0
 
Rob Williams Commented:
>>"I can not ping anything on the 4 subnet. I can't browse to it either."
Ignore browsing, often doesn't work. Stick to pinging or accessing resources by IP, \\192.168.4.123\ShareName, at least for now.

Can you ping other devices on the Conn network OK?
On the server where the Windows VPN is configured, check the RRAS console, and right click on the server name and choose properties, then on the general tab make sure LAN and Demand-Dial routing is enabled.

As mentioned this may not always be possible as you are effectively asking your packets to make a 'U' turn. Some systems do not support this. Because the server is doing the routing and you are using 2 protocols (I assume site to site is IPSec), I think it should work. I will be able to test a similar configuration in about an hour.
0
 
Rob Williams Commented:
>>"well which subnet do I assign them an IP to?"
Same subnet RRAS uses. Open RRAS, right click on the server name and choose properties, then on the IP tab, check under "static address pool".
You want to be same subnet as that.
0
 
Rob Williams Commented:
Thanks PlusInc,
Cheers !
--Rob
0
Question has a verified solution.
