Using Windows VPN (multiple subnets)

I have a customer with servers in Conn. and SC (both of which are on different subnets). They are connected together by a VPN. We are trying to set up a simple Windows VPN so that they can access files from home across the net. The VPN points to the server in Conn. They connect successfully and can browse the Conn server, but can't see anything on the other subnet.

Please Help!!!
PlusInc Asked:

Rob Williams Commented:
>>"they connect successfully and can browse the Conn server, but can't see anything on the other subnet."

Do you mean they cannot see anything on the SC network?
If so, and the Conn <=> SC VPN uses PPTP it may not be possible, but if using IPSec (i.e. a different protocol), which it likely is, it should be possible if you add a route. Assuming they are connecting to the Conn network, and for example purposes, the IP assigned to the client is 192.168.200.101 (PPP adapter), and the SC network uses 192.168.100.x add a route using:
route add 192.168.100.0 mask 255.255.255.0 192.168.200.101
The problem with this is the IP changes each time you connect. If it works for you, you may want to assign VPN clients static IPs under the dial-in tab of their profile in Active Directory.
0
PlusInc Author Commented:
OK, well, I am not too familiar with setting up routes. Could you help me with syntax:

Here is what I know Conn subnet is 192.168.0.X and SC is 192.168.4.X mask is 255*3 I assume for both. Anything else you need to know?

Thanks for quick reply
0
PlusInc Author Commented:
By the way, it will not accept the connection if I dial in with a static IP.
0

Rob Williams Commented:
One catch, no one can connect if using 192.168.0.x or 192.168.0.x on their home local network. 192.168.0.x is quite common.

route  add  192.168.4.0  mask  255.255.255.0  192.168.0.101
Assuming the connecting client were assigned the 192.168.0.101 IP. You can determine their IP by running at a command line:
ipconfig  /all
and look at the "IP address" under the PPP adapter.
0
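An added example (not part of the thread and not any poster's code): a Python sketch that parses `ipconfig /all` output, checks the home LAN against the two office subnets given above, and builds the route command from the PPP adapter's current address. The sample output, the adapter names and the function names are constructed for illustration.

```python
import ipaddress
import re

# Office subnets as stated in the thread (Conn and SC, both /24).
CONN_NET = ipaddress.ip_network("192.168.0.0/24")
SC_NET = ipaddress.ip_network("192.168.4.0/24")

# Constructed sample of `ipconfig /all` output from a home PC with the VPN up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

HEADER = re.compile(r"^(\S.*) adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(IP(?:v4)? Address|Subnet Mask)[ .]*:\s*([\d.]+)")

def parse_adapters(text):
    """Return {adapter name: {"kind", "ip", "mask"}} from ipconfig text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = adapters.setdefault(m.group(2), {"kind": m.group(1)})
        elif current is not None and (m := FIELD.match(line)):
            key = "mask" if m.group(1) == "Subnet Mask" else "ip"
            current.setdefault(key, m.group(2))  # keep first value per adapter
    return adapters

def plan_route(text, remote=SC_NET, office=(CONN_NET, SC_NET)):
    """Return (route command or None, list of subnet-conflict messages)."""
    conflicts, ppp_ip = [], None
    for name, a in parse_adapters(text).items():
        if "ip" not in a:
            continue
        if a["kind"] == "PPP":          # the VPN adapter: its IP is the gateway
            ppp_ip = a["ip"]
            continue
        lan = ipaddress.ip_network(f'{a["ip"]}/{a.get("mask", "255.255.255.255")}', strict=False)
        conflicts += [f"{name} ({lan}) overlaps office subnet {n}" for n in office if lan.overlaps(n)]
    if ppp_ip is None or conflicts:     # no VPN up, or home LAN collides
        return None, conflicts
    return f"route add {remote.network_address} mask {remote.netmask} {ppp_ip}", conflicts
```

Because the PPP address is read from the live output, the command stays correct when the assigned IP changes between connections.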
Rob Williams Commented:
>>"By the way it will not accept connection if I dial in with static ip"
Sorry, missed this. No, that is correct. In order to assign the user a static IP, you have to do so on the server. This is done by opening their profile in Active Directory and going to the Dial-up tab/page. Near the bottom there is an option to assign a dial-up (VPN) connection a specific IP. If this is grayed out let me know. Changes may be necessary.
0
PlusInc Author Commented:
Well, this is what I tried:

route add 192.168.4.0 mask 255.255.255.0 192.168.0.80

It said it completed, but I cannot ping anything on the 4 subnet. I can't browse to it either.
0
PlusInc Author Commented:
Well, which subnet do I assign them an IP to? The one they are dialing in to or the one the route is to?
0
Rob Williams Commented:
>>"I can not ping anything on the 4 subnet. I can't browse to it either."
Ignore browsing, often doesn't work. Stick to pinging or accessing resources by IP, \\192.168.4.123\ShareName, at least for now.

Can you ping other devices on the Conn network OK?
On the server where the Windows VPN is configured, check the RRAS console, and right click on the server name and choose properties, then on the general tab make sure LAN and Demand-Dial routing is enabled.

As mentioned, this may not always be possible as you are effectively asking your packets to make a 'U' turn. Some systems do not support this. Because the server is doing the routing and you are using 2 protocols (I assume site to site is IPSec), I think it should work. I will be able to test a similar configuration in about an hour.
0
Rob Williams Commented:
>>"well which subnet do I assign them an IP to?"
Same subnet RRAS uses. Open RRAS, right click on the server name and choose properties, then on the IP tab, check under "static address pool"
You want to be same subnet as that.
0
Rob Williams Commented:
Just realized another scenario where I could test. Windows VPN client => Windows RRAS/VPN server => another site/city using hardware to hardware IPSec tunnel. Worked great, after adding the appropriate route.

However, the Windows RRAS server must assign an IP in the same subnet as the local LAN, to the VPN client. Though this is not necessary for a VPN connection to the server, it is to route to the remote site. You can get around this by adding additional static routes on the RRAS server, but simplest if you do not have to. Looks to me from what you have 'said' that your VPN clients and Conn network are using the same subnet which is good.
0

Rob Williams Commented:
Thanks PlusInc,
Cheers !
--Rob
0