PlusInc
asked on
Using windows VPN (multiple subnets)
I have a customer with servers in Conn. and SC (both of which are on different subnets. They are connected together by a vpn. We are trying to setup a simple windows vpn so that they can access files from home across the net. The VPN points to the server in Conn. they connect successfully and can browse the Conn server, but can't see anything on the other subnet.
Please Help!!!
Please Help!!!
ASKER
Ok well I am not too familiar with setting up routes could you help me with syntax:
Here is what I know Conn subnet is 192.168.0.X and SC is 192.168.4.X mask is 255*3 I assume for both. Anything else you need to know?
Thanks for quick reply
Here is what I know Conn subnet is 192.168.0.X and SC is 192.168.4.X mask is 255*3 I assume for both. Anything else you need to know?
Thanks for quick reply
ASKER
By the way it will not accept connection if I dial in with static ip
One catch, no one can connect if using 192.168.0.x or 192.168.0.x on their home local network. 192.168.0.x is quite common.
route add 192.168.4.0 mask 255.255.255.0 192.168.0.101
Assuming the connecting client were assigned the 192.168.0.101 IP. You can determine their IP by running at a command line:
ipconfig /all
and look at the "IP address" under the PPP adapter.
route add 192.168.4.0 mask 255.255.255.0 192.168.0.101
Assuming the connecting client were assigned the 192.168.0.101 IP. You can determine their IP by running at a command line:
ipconfig /all
and look at the "IP address" under the PPP adapter.
>>"By the way it will not accept connection if I dial in with static ip"
Sorry missed this. No, that is correct. In order to assign the user a static IP, you have to do so on the server. This is done by opening their profile in active directory and going to the Dial-up tab/page. Near the bottom there is an option to assign a dial-up (VPN) connection a specific IP. If this is grayed out let me know. Changes may be necessary.
Sorry missed this. No, that is correct. In order to assign the user a static IP, you have to do so on the server. This is done by opening their profile in active directory and going to the Dial-up tab/page. Near the bottom there is an option to assign a dial-up (VPN) connection a specific IP. If this is grayed out let me know. Changes may be necessary.
ASKER
well this is what I tried:
route add 192.168.4.0 mask 255.255.255.0 192.168.0.80
it said it completed but I can not ping anything on the 4 subnet. I can't browse to it either.
route add 192.168.4.0 mask 255.255.255.0 192.168.0.80
it said it completed but I can not ping anything on the 4 subnet. I can't browse to it either.
ASKER
well which subnet do I assign them an IP to? The one they are dialing in to or the one the route is to.
>>"I can not ping anything on the 4 subnet. I can't browse to it either."
Ignore browsing, often doesn't work. Stick to pinging or accessing resources by IP, \\192.168.4.123\ShareName,
Can you ping other devices on the Conn network OK ?
On the server where the Windows VPN is configured, check the RRAS console, and right click on the server name and choose properties, then on the general tab make sure LAN and Demand-Dial routing is enabled.
As mentioned this may not always be possible as you are effectively asking your packets to make a 'U' turn. Some systems do not support this. Because the server is doing the routing and you are using 2 protocols ( I assume site to site is IPSec), I think it should work. I will be able to test a similar configuration in about an hour.
Ignore browsing, often doesn't work. Stick to pinging or accessing resources by IP, \\192.168.4.123\ShareName,
Can you ping other devices on the Conn network OK ?
On the server where the Windows VPN is configured, check the RRAS console, and right click on the server name and choose properties, then on the general tab make sure LAN and Demand-Dial routing is enabled.
As mentioned this may not always be possible as you are effectively asking your packets to make a 'U' turn. Some systems do not support this. Because the server is doing the routing and you are using 2 protocols ( I assume site to site is IPSec), I think it should work. I will be able to test a similar configuration in about an hour.
>>"well which subnet do I assign them an IP to?"
Same subnet RRAS uses. Open RRAS, right click on the server name and choose properties, then on the IP tab, check under "static address pool"
You want to be same subnet as that.
Same subnet RRAS uses. Open RRAS, right click on the server name and choose properties, then on the IP tab, check under "static address pool"
You want to be same subnet as that.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks PlusInc,
Cheers !
--Rob
Cheers !
--Rob
Do you mean they cannot see anything on the SC network ?
If so, and the Conn <=> SC VPN uses PPTP it may not be possible, but if using IPSec (i.e. a different protocol), which it likely is, it should be possible if you add a route. Assuming they are connecting to the Conn network, and for example purposes, the IP assigned to the client is 192.168.200.101 (PPP adapter), and the SC network uses 192.168.100.x add a route using:
route add 192.168.100.0 mask 255.255.255.0 192.168.200.101
The problem with this is the IP changes each time you connect. If it works for you , you may want to assign VPN clients static IP's under the dial-in tab of their profile in active directory.