Solved

PPTP VPN connection routing traffic through HQ to BO

Posted on 2007-11-15
12
1,096 Views
Last Modified: 2008-02-01
How can I accomplish the following scenario?  A remote user establishes a PPTP VPN to the HQ network.  Now this remote user needs to access resources at the branch office, which is connected to the HQ network via a BOVPN.

Is there a best practice for this?
0
Comment
Question by:ammexit
12 Comments
 
LVL 3

Expert Comment

by:dipak_in_2k
It would be good if you used IPSec instead of PPTP. By the way, which VPN product do you use for connectivity?
0
 

Author Comment

by:ammexit
The VPN product is a Watchguard Firebox x550e.  I agree with you on the IPSec, but I'll still have the same routing problem.  What do you think?
0
 

Author Comment

by:ammexit
Client side is just a Windows VPN connection
0
 
LVL 3

Expert Comment

by:dipak_in_2k
Have you set up the proper network configuration as given by your ISP? And have you set up the Trusted and External interfaces properly?
Especially check the DNS and gateway configuration.
If possible, let me know what your Trusted and External interface configuration is.
0
 
LVL 77

Expert Comment

by:Rob Williams
Best if you don't change the client to IPSec. I am assuming the Watchguard is using IPSec. As a rule you cannot connect and go back out (hairpin) using the same protocol.
You need to add a route to the client/connecting PC. For example assume:
The VPN client is assigned an IP of 192.168.111.123, the primary site uses the same subnet, and the BOVPN remote site uses 192.168.222.x
Try adding to the client:
route add 192.168.222.0 mask 255.255.255.0 192.168.111.123

Assuming that works, you will need to assign the client a static IP or change the route every time. To do so, on the "Dial-Up" tab of the user's profile, near the bottom, there is an option to assign the static IP. (If grayed out please advise)
Then on the client when you add the route insert -p to make it permanent upon reboots:
route add -p 192.168.222.0 mask 255.255.255.0 192.168.111.123

Another common option is for the user to connect to the primary site , over the VPN, using remote desktop, and from there work and connect to the other site.

0
 

Author Comment

by:ammexit
Hi Rob,

Thank you for the input.  I tried route add last night without success.  There is one more piece to the puzzle that I should have mentioned earlier.  I incorrectly stated that the BO was a BOVPN.  It's actually an MPLS that plugs directly into our switch.  The ISP's router has an IP on our subnet.  To match your example, let's say 192.168.111.252.

This is the route I tried last night.

route add 192.168.222.0 mask 255.255.255.0 192.168.111.252 metric 2

and

route add 192.168.222.0 mask 255.255.255.0 192.168.111.252 metric 2 if ???

???= I tried a few that didn't work

So in that example 192.168.222.0 is the BO subnet.  192.168.111.252 is the IP of the ISP MPLS router.  Internal clients have -p routes to use 192.168.111.252 for access to the BO when they're in the office.  Works just fine of course.  When I attempt to enter that route remotely I get an error stating that the DG doesn't exist on the same subnet (my home network is a different subnet).  I attempted to add an "if" so I could tell the route to NOT use my remote network's gateway, but to use the PPTP WAN IP.  Either it didn't work, or I didn't do it right.  I couldn't get it to accept anything I entered as the "if".
0
 
LVL 77

Expert Comment

by:Rob Williams
Sorry ammexit, I somehow missed your reply.
Not familiar with MPLS connections, but I assume then you have 2 sites connected by MPLS, and one site uses a local subnet of 192.168.222.0/24 and the other uses 192.168.111.0/24, at least for example purposes. You are connecting by VPN successfully to the 192.168.222.0 subnet. The 192.168.222.0 site can reach the 192.168.111.0 site by pointing to the 192.168.111.252 router, so there must be a local router that does that routing, perhaps 192.168.222.252? Or am I barking up the wrong tree? Just trying to picture the configuration.
     VPN client                        MPLS connection  
192.168.222.123   =>  192.168.222.0 => 192.168.111.0

The concept would be to tell your local system (VPN client) to use the VPN connection (IP address) to direct the packets for the 192.168.111.0 subnet. When they reach the 192.168.222.252 router, presumably it knows the route to the 192.168.111.0 network. If not, it will need a route added to the router. This would likely only be necessary if you have multiple routers at one site. Therefore on the VPN client machine you would add a route:
route add 192.168.111.0 mask 255.255.255.0 192.168.222.123
The part that we may have missed is the return path. What is creating the VPN? If a RRAS server, it shouldn't be necessary. Or are there multiple routers at the 192.168.111.0 site, i.e. the 192.168.111.252 router is not the default gateway for that network? If so, on the machine you are ultimately trying to reach, try adding:
route add 192.168.222.123 mask 255.255.255.0 192.168.222.252

I don't think I am being much help here <G>. However, the return path is often forgotten. I have had this work quite successfully with a PPTP VPN to a RRAS server connected to a 3rd site by IPSec VPN.
0
 

Author Comment

by:ammexit
We don't have a router that points to the MPLS.  The MPLS currently plugs directly into the LAN, and the PCs within the LAN have static routes that point to .252 for traffic meant for the branch office.

I'm working on changing that with the ISP, but it's slow going.
0
 
LVL 77

Expert Comment

by:Rob Williams
I was wondering if there is a matching unit at the other site, similar to: " The ISP's router has an IP on our subnet.  To match your example lets say 192.168.111.252." That is what I was referring to above as the router.
0
 

Author Comment

by:ammexit
Hi Rob,

Sorry for the delayed response.  First let me answer your questions about the topology.  You are right, each site has a router with an IP of .252 directing traffic to the other.  So the 192.168.111.0 network has a router with an IP of 192.168.111.252 that directs traffic to the 192.168.222.0 network.  It's the same thing on the other side.  There are multiple routers.  The 192.168.222.0 network has a Watchguard Firebox that has an IP of 192.168.222.1.  This unit is also what is maintaining the client VPNs.  So basically a client establishes a VPN to the Firebox (192.168.222.1) and needs to specifically have its traffic that is intended for the 192.168.111.0 network route through the other router on the network (192.168.222.252).

I've tried adding the routes you suggested, but the connection still isn't there.  Any other ideas?
0
 
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
Sorry, I am no faster getting back to you.
I think I completely understand the configuration now. Thanks.

Just to confirm, is "everyone" using a subnet mask of 255.255.255.0?  If so, good. If not, let me know; that may complicate things.

This should definitely work, if I can get my head around the different routers. We had the right concept above but...

Assume the VPN client has a virtual IP of 192.168.222.123
On the VPN client add:
route add 192.168.111.0 mask 255.255.255.0 192.168.222.123
On a test PC on the 192.168.111.0 subnet add:
route add 192.168.222.123 mask 255.255.255.255 192.168.222.1
(note the 255.255.255.255 mask and the 192.168.222.1 gateway)
I assume the PCs on 192.168.111.0 already have a route, or there is one on the local router, telling them:
route add 192.168.222.0 mask 255.255.255.0 192.168.111.252
Try from the VPN client pinging your test machine on 192.168.111.0

If this works, or you want to try anyway, the routes should likely be added to the local default gateway routers. The catch would be that the VPN client will need a static IP, or the configuration will change every time you connect.
0
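The client-side half of the accepted solution, as an added example that is not from the thread or from Watchguard: it locates the PPTP adapter by the virtual IP the Firebox handed out, so the interface index that the earlier "route add ... if ???" attempt was missing is read from the system instead of guessed, then adds the branch-office route via that adapter and checks which route the client would actually pick. Assumed values (192.168.222.123, 192.168.111.0/24, a constructed test host 192.168.111.10) mirror the thread's example; it needs Windows 8 / Server 2012 or later for the NetTCPIP cmdlets and an elevated shell.

```powershell
# Added example (not the thread's or Watchguard's own script).
# Assumed topology, taken from the thread's example addresses:
#   VPN virtual IP       192.168.222.123   (assigned by the Firebox, 192.168.222.1)
#   branch-office subnet 192.168.111.0/24  (reached from the HQ LAN via 192.168.222.252)
#   test host            192.168.111.10    (constructed for this example)
param(
    [string]$VpnIp     = '192.168.222.123',
    [string]$BranchNet = '192.168.111.0/24',
    [string]$TestHost  = '192.168.111.10',
    [switch]$Persist                          # same intent as "route add -p"
)

# 1. Find the dial-up/PPTP adapter by the address the VPN assigned. This is the
#    interface index that "route add ... if <index>" expects.
$vpnAddr = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -eq $VpnIp }
if (-not $vpnAddr) { throw "No interface holds $VpnIp; is the VPN connected?" }
$ifIndex = $vpnAddr.InterfaceIndex
Write-Host "VPN adapter '$($vpnAddr.InterfaceAlias)' has interface index $ifIndex"

# 2. The accepted answer assumes everyone is on /24; a PPP link normally shows /32.
if ($vpnAddr.PrefixLength -notin 24, 32) {
    Write-Warning "VPN address prefix is /$($vpnAddr.PrefixLength); expected /24 or /32"
}

# 3. Add the branch route through the VPN adapter. Next hop is the client's own
#    VPN address, exactly as in the thread; pinning -InterfaceIndex is what stops
#    Windows from rejecting the route because the home LAN gateway is on another subnet.
$routeArgs = @{
    DestinationPrefix = $BranchNet
    InterfaceIndex    = $ifIndex
    NextHop           = $VpnIp
    RouteMetric       = 2
}
if (-not $Persist) { $routeArgs.PolicyStore = 'ActiveStore' }   # test first, persist later
New-NetRoute @routeArgs | Out-Null
# Legacy equivalent, now with the index the earlier attempt lacked:
#   route add 192.168.111.0 mask 255.255.255.0 192.168.222.123 if <ifIndex> [-p]

# 4. Verify the route the client would select for the test host, then ping it.
#    A correct route with a failed ping usually means the return path on the
#    192.168.111.0 side (back to 192.168.222.123) is missing, not the client.
$sel = Find-NetRoute -RemoteIPAddress $TestHost | Where-Object { $_.DestinationPrefix }
Write-Host "Route chosen for ${TestHost}: $($sel.DestinationPrefix) via interface $($sel.InterfaceIndex)"
if ($sel.InterfaceIndex -ne $ifIndex) { Write-Warning 'Traffic would not leave via the VPN adapter' }
Test-NetConnection -ComputerName $TestHost -InformationLevel Quiet
```

Run it without -Persist while testing, as the thread advises, and only persist once the VPN user has a static virtual IP, otherwise the next connection gets a different address and the route's next hop no longer exists.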
 
LVL 77

Expert Comment

by:Rob Williams
Thanks ammexit. Hope you were able to resolve.
Cheers !
--Rob
0
