Solved

RRAS & adding Routes.

Posted on 2008-06-20
1,399 Views
Last Modified: 2011-10-19
I am trying to set up a branch office, with a VPN connection via RRAS into our head office. The head office uses a 172.16.x.x range, while the NIC of the branch office uses a 10.1.0.x. Both RRAS servers are running Windows 2003 Server, all updates applied. I have configured the head office as an RRAS server, and created a VPN PPTP dialup connection in the branch office. The VPN works OK, I can connect, and get 172.16.0.16 on the branch office VPN. I can ping & connect to any port across the VPN. No problems creating a route to allow packets from 10.1.0.x to be sent up the VPN pipe to the head office.

The problem I am having is configuring a route at the head office to route packets bound for 10.1.0.x down the VPN link to the remote office.  RRAS will only let me add a route to either of the NICs.  The "Route Add" command is much the same.  

How do I add a route to the head office RRAS server routing 10.1.0.x packets out through the VPN tunnel?

Is there another way I should be doing this?
network.jpg
Question by:Mal Osborne
14 Comments
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21829774
First you need to assign the Dial Up interface on the branch server a static IP address (this will be an address in the 172.16.0.0 range, for example 172.16.100.1).
Next you add a route on the HQ server to this IP:
route add 10.0.1.0 mask 255.255.255.0 172.16.100.1
The RRAS server will know over which interface to route this, so you don't have to specify IF.


0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21830084
I have specified a static address already, it is asking for & receiving 172.16.0.17. When I add the route, it selects the wrong interface. The command I used was "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17". Before & after shots attached. If I try to specify an interface, by using "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17 METRIC 1 IF 2", I get "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
before.JPG
after.JPG
0
 
LVL 16

Accepted Solution

by:
Redwulf__53 earned 1000 total points
ID: 21830283
The after.jpg is correct!
The server in the branch office needs to act as a router, to forward the packages to the 10.0.1.0/24 clients. By default, routing is disabled in Windows and can be enabled by setting the following registry value to "1":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
(a reboot is required after changing this value)
No other changes should be necessary.


0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21830604
Made that change on BOTH servers. No difference at all. I will throw on a packet sniffer & see what I can find; I strongly suspect the HQ RRAS server is sending packets directed at 10.1.0.x out through the internal NIC, rather than the VPN tunnel.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21830638
can you upload the result of "ipconfig /all" and "route print" of both servers?
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21831252
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21831467
Thank you for the information. The problem is now clear to me, but I need some time to work out a solution.
What it amounts to, is that the Microsoft PPTP Dial-up client is not meant to be used for site-to-site VPNs. There is an intermediate IP address on the "PPP adapter RAS Server (Dial In) Interface" on the RRAS server, that confuses the whole routing setup. I'll get back to you after the weekend.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21837569
The HQ setup is fine.

For the branch setup:

On the server, you have a route:
    172.16.0.0      255.255.0.0   169.254.23.180      172.16.0.16      1
It needs to be:
    route add 172.16.0.0 mask 255.255.0.0 10.1.0.1

You will also need to add a route to the site's default gateway (192.168.169.1) device:
    ip route 172.16.0.0 255.255.0.0 192.168.169.15
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21839600
Technically the RRAS VPN server at the 172.16.x.x site knows how to locate the 10.1.0.x site and vice versa. You mention the connecting (VPN client site) is also a RRAS server, therefore as long as RRAS is enabled as well as the "LAN routing" option within RRAS is enabled it should act as a router. However, the VPN client (dial up adapter) has a security feature in the VPN client that blocks local connections, to protect the head office network. You can disable this if you wish. To do so on the client/connecting PC/server, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

This might be better handled using a demand dial connection than a dial-up connection if clients, rather than just the server, need to connect.
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21842897
RobWill:  It IS a demand dial connection in RRAS. I can't see how the 172.16.x.x "knows" it's way to 10.1.0.x, it has no correct route.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21843001
Sorry I was wrong. I was skimming and assuming the 10.1.0.x was the VPN Static Address pool. If you are using a true demand dial connection/interface rather than a typical VPN client it doesn't apply anyway.

Curious though: Normally the route would be
      route -p add 10.1.0.0 mask 255.255.255.0 <RRAS local VPN IP>
     "LAN routing" needs to be enabled on the branch RRAS server as well.
Looking at your HQ ipconfig <RRAS local VPN/PPP IP> = 169.254.23.180 which will work, only your branch site VPN/PPP IP is 172.16.0.16 Not sure how this is actually working. Any thoughts?
0
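The error quoted in the author's comment (ID 21830084) and Rob Williams's remark that a next hop of 169.254.23.180 "will work" both follow from one rule: Windows binds a static route to the interface whose subnet contains the gateway, and rejects an explicit IF whose subnet does not contain it. The following Python model is an added example, not code from the thread or from Microsoft; it assumes that rule (consistent with the error text on the page), a 172.16.0.0/16 subnet on the HQ internal NIC, the PPP dial-in address 169.254.23.180 from the posted ipconfig, and a placeholder public NIC address. It shows why the author's route landed on the internal NIC and why forcing the PPP interface index was refused.

```python
"""Model of how 'route add' picks an interface for a static route.

Added example for this thread, not the thread's own commands. The
binding rule (gateway must lie inside an interface's subnet) is an
assumption that matches the Windows error text quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    index: int
    name: str
    network: ipaddress.IPv4Network  # subnet as configured on the interface


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    if_index: int
    metric: int = 1


class RouteAddError(ValueError):
    """Raised when the modelled 'route add' would fail."""


# Constructed HQ RRAS interface table based on the thread: the internal
# NIC carries 172.16.0.0/16, the PPP dial-in interface is a point-to-point
# link modelled as a /32 on its own address (169.254.23.180 from the
# posted ipconfig); the public NIC address is a placeholder.
HQ_INTERFACES = [
    Interface(1, "Loopback", ipaddress.ip_network("127.0.0.0/8")),
    Interface(2, "Public NIC (placeholder)", ipaddress.ip_network("203.0.113.0/24")),
    Interface(3, "Internal NIC", ipaddress.ip_network("172.16.0.0/16")),
    Interface(4, "PPP adapter RAS Server (Dial In)",
              ipaddress.ip_network("169.254.23.180/32")),
]


def select_interface(interfaces, gateway, if_index=None):
    """Return the interface a route via `gateway` binds to, or raise."""
    gateway = ipaddress.ip_address(str(gateway))
    if if_index is not None:
        chosen = next((i for i in interfaces if i.index == if_index), None)
        if chosen is None or gateway not in chosen.network:
            raise RouteAddError("Either the interface index is wrong or the gateway "
                                "does not lie on the same network as the interface.")
        return chosen
    candidates = [i for i in interfaces if gateway in i.network]
    if not candidates:
        raise RouteAddError("gateway is not on any interface's subnet")
    # If several interfaces contain the gateway, the most specific subnet wins.
    return max(candidates, key=lambda i: i.network.prefixlen)


def can_add(interfaces, gateway, if_index=None):
    """True if the modelled 'route add' would accept this gateway/IF pair."""
    try:
        select_interface(interfaces, gateway, if_index)
        return True
    except RouteAddError:
        return False


def route_add(table, interfaces, dest, mask, gateway, metric=1, if_index=None):
    """Model of 'route add DEST mask MASK GATEWAY [METRIC n] [IF i]'."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    gw = ipaddress.ip_address(gateway)
    iface = select_interface(interfaces, gw, if_index)
    route = Route(net, gw, iface.index, metric)
    table.append(route)
    return route


def lookup(table, dst):
    """Longest-prefix match: which route (and so which interface) carries dst."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))


def demo():
    table = []
    # The author's command: 172.16.0.17 sits inside the internal NIC's /16,
    # so the route binds to IF 3, the LAN side, not the tunnel.
    wrong = route_add(table, HQ_INTERFACES, "10.1.0.0", "255.255.255.0", "172.16.0.17")
    # Forcing the PPP interface is refused: the gateway is not on its subnet.
    try:
        route_add(table, HQ_INTERFACES, "10.1.0.0", "255.255.255.0", "172.16.0.17", if_index=4)
        forced_error = None
    except RouteAddError as err:
        forced_error = str(err)
    # Using the PPP interface's own address as next hop binds the route to IF 4.
    table.clear()
    right = route_add(table, HQ_INTERFACES, "10.1.0.0", "255.255.255.0", "169.254.23.180")
    return wrong.if_index, forced_error, right.if_index, lookup(table, "10.1.0.25").if_index


if __name__ == "__main__":
    print(demo())
```

The model deliberately stops at interface binding; it does not claim the thread's setup would then forward traffic end to end, since the thread itself never confirmed that, and LAN routing and IPEnableRouter on both servers remain separate prerequisites discussed above.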
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21914277
I have given up on this, I suspect it can be done, but I cannot figure it out, and nor can anyone else here. Assigning min points to Redwulf, he seemed to understand the problem & put some effort into helping me.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21914335
Oops sorry I abandoned your question; I guess I answered too many questions at the same time. Thanks for the points.

To get back to the problem: I would not be using PPTP (rather insecure). Instead, I would set up a persistent L2TP tunnel.
Please refer to this document:
http://www.microsoft.com/downloads/thankyou.aspx?familyId=8540f553-1711-402f-b451-2f8ea7fac379&displayLang=en
Starting at page 56 is the configuration I recommend.
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21914343
Can't see that this would not have the same routing problems as the persistent PPTP tunnel.
0
