Solved

RRAS & adding Routes.

Posted on 2008-06-20
Last Modified: 2011-10-19
I am trying to set up a branch office, with a VPN connection via RRAS into our head office. The head office uses a 172.16.x.x range, while the NIC of the branch office uses 10.1.0.x. Both RRAS servers are running Windows 2003 Server, all updates applied. I have configured the head office as an RRAS server, and created a VPN PPTP dialup connection in the branch office. The VPN works OK, I can connect, and get 172.16.0.16 on the branch office VPN. I can ping & connect to any port across the VPN. No problems creating a route to allow packets from 10.1.0.x to be sent up the VPN pipe to the head office.

The problem I am having is configuring a route at the head office to route packets bound for 10.1.0.x down the VPN link to the remote office. RRAS will only let me add a route to either of the NICs. The "Route Add" command is much the same.

How do I add a route to the head office RRAS server routing 10.1.0.x packets out through the VPN tunnel?

Is there another way I should be doing this?
network.jpg
Question by:Malmensa
14 Comments
 
LVL 16

Expert Comment

by:Redwulf__53
First you need to assign the Dial Up interface on the branch server a static IP address (this will be an address in the 172.16.0.0 range, for example 172.16.100.1).
Next you add a route on the HQ server to this IP:
route add 10.0.1.0 mask 255.255.255.0 172.16.100.1
The RRAS server will know over which interface to route this, so you don't have to specify IF.
 
LVL 16

Author Comment

by:Malmensa
I have specified a static address already, it is asking for & receiving 172.16.0.17. When I add the route, it selects the wrong interface. The command I used was "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17". Before & after shots attached. If I try to specify an interface, by using "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17 METRIC 1 IF 2", I get "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
before.JPG
after.JPG
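The error quoted in the comment above comes from a rule every Windows routing stack enforces: the gateway of a static route must lie on a directly connected subnet of the interface the route is bound to, and when no IF is given the stack picks the interface whose subnet contains the gateway. A gateway of 172.16.0.17 therefore lands on the internal 172.16.0.0/16 NIC rather than on the tunnel. The following is an added illustration, not code from anyone on this thread and not Windows' own implementation; it is a simplified model of that rule plus longest-prefix forwarding lookup. The interface list is constructed to resemble the HQ server (the 203.0.113.x addresses are documentation-range placeholders, the /16 on the dial-in interface is assumed).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    index: int
    name: str
    address: str  # "ip/prefix", e.g. "172.16.0.1/16"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: Interface
    metric: int = 1


class RouteAddError(ValueError):
    """Raised for the same condition Windows reports on 'route add'."""


class RoutingTable:
    def __init__(self, interfaces):
        self.interfaces = {itf.index: itf for itf in interfaces}
        self.routes = []
        # Every interface contributes a directly connected (on-link) route.
        for itf in interfaces:
            own_ip = ipaddress.ip_interface(itf.address).ip
            self.routes.append(Route(itf.network, own_ip, itf, 1))

    def select_interface(self, gateway, if_index=None) -> Interface:
        msg = ("The route addition failed: Either the interface index is wrong "
               "or the gateway does not lie on the same network as the interface.")
        if if_index is not None:
            # Explicit IF: the gateway must be on that interface's subnet.
            itf = self.interfaces.get(if_index)
            if itf is None or gateway not in itf.network:
                raise RouteAddError(msg)
            return itf
        # No IF given: choose the interface whose subnet contains the gateway,
        # preferring the most specific subnet if several match.
        candidates = [i for i in self.interfaces.values() if gateway in i.network]
        if not candidates:
            raise RouteAddError(msg)
        return max(candidates, key=lambda i: i.network.prefixlen)

    def add(self, destination, mask, gateway, metric=1, if_index=None) -> int:
        """Mimics 'route add DEST mask MASK GATEWAY [METRIC m] [IF n]'; returns the bound interface index."""
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        itf = self.select_interface(gw, if_index)
        self.routes.append(Route(net, gw, itf, metric))
        return itf.index

    def lookup(self, dest):
        """Longest-prefix match, lowest metric breaks ties; None if no route."""
        dst = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def build_hq_table() -> RoutingTable:
    # Constructed approximation of the HQ RRAS server: internal NIC, Internet-facing
    # NIC, and the RAS dial-in PPP interface (only 172.16.x and 169.254.23.180 come
    # from the thread; the rest is made up).
    return RoutingTable([
        Interface(1, "Internal LAN", "172.16.0.1/16"),
        Interface(2, "External", "203.0.113.10/24"),
        Interface(3, "RAS Server (Dial In) Interface", "169.254.23.180/16"),
    ])


def demo():
    table = build_hq_table()
    table.add("0.0.0.0", "0.0.0.0", "203.0.113.1")            # default route via External
    before = table.lookup("10.1.0.5").interface.index          # 2: only the default route matches
    chosen = table.add("10.1.0.0", "255.255.255.0", "172.16.0.17")  # 1: gateway sits in 172.16/16
    after = table.lookup("10.1.0.5").interface.index           # 1: the /24 now wins, on the LAN NIC
    try:
        table.add("10.1.0.0", "255.255.255.0", "172.16.0.17", if_index=2)
        forced_error = None
    except RouteAddError as exc:
        forced_error = str(exc)                                 # IF 2 rejected: gateway not on 203.0.113.0/24
    return before, chosen, after, forced_error


if __name__ == "__main__":
    print(demo())
```

The model shows why neither form of the command can bind the route to the PPP link: the only interface whose subnet contains 172.16.0.17 is the internal NIC, and naming any other interface fails the on-link check.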
 
LVL 16

Accepted Solution

by: Redwulf__53 (earned 500 total points)
The after.jpg is correct!
The server in the branch office needs to act as a router, to forward the packets to the 10.0.1.0/24 clients. By default, routing is disabled in Windows and can be enabled by setting the following registry value to "1":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
(a reboot is required after changing this value)
No other changes should be necessary.
 
LVL 16

Author Comment

by:Malmensa
Made that change on BOTH servers. No difference at all. I will throw on a packet sniffer & see what I can find; I strongly suspect the HQ RRAS server is sending packets directed at 10.1.0.x out through the internal NIC, rather than the VPN tunnel.
 
LVL 16

Expert Comment

by:Redwulf__53
Can you upload the result of "ipconfig /all" and "route print" of both servers?
 
LVL 16

Author Comment

by:Malmensa
 
LVL 16

Expert Comment

by:Redwulf__53
Thank you for the information. The problem is now clear to me, but I need some time to work out a solution.
What it amounts to is that the Microsoft PPTP Dial-up client is not meant to be used for site-to-site VPNs. There is an intermediate IP address on the "PPP adapter RAS Server (Dial In) Interface" on the RRAS server that confuses the whole routing setup. I'll get back to you after the weekend.
 
LVL 13

Expert Comment

by:kdearing
The HQ setup is fine.

For the branch setup:

On the server, you have the route:
    172.16.0.0      255.255.0.0   169.254.23.180      172.16.0.16      1
It needs to be:
    route add 172.16.0.0 mask 255.255.0.0 10.1.0.1

You will also need to add a route on the site's default gateway (192.168.169.1) device:
    ip route 172.16.0.0 255.255.0.0 192.168.169.15
 
LVL 77

Expert Comment

by:Rob Williams
Technically the RRAS VPN server at the 172.16.x.x site knows how to locate the 10.1.0.x site and vice versa. You mention the connecting (VPN client) site is also a RRAS server, therefore as long as RRAS is enabled as well as the "LAN routing" option within RRAS, it should act as a router. However, the VPN client (dial-up adapter) has a security feature that blocks local connections, to protect the head office network. You can disable this if you wish. To do so on the client/connecting PC/server, go to:
Control Panel | Network Connections | right-click on the VPN/virtual adapter and choose Properties | Networking | TCP/IP properties | Advanced | General | uncheck "Use default gateway on remote network"

This might be better handled using a demand dial connection than a dial-up connection if clients, rather than just the server, need to connect.
 
LVL 16

Author Comment

by:Malmensa
RobWill: It IS a demand-dial connection in RRAS. I can't see how the 172.16.x.x "knows" its way to 10.1.0.x; it has no correct route.
 
LVL 77

Expert Comment

by:Rob Williams
Sorry, I was wrong. I was skimming and assuming the 10.1.0.x was the VPN static address pool. If you are using a true demand-dial connection/interface rather than a typical VPN client, it doesn't apply anyway.

Curious though: normally the route would be
    route -p add 10.1.0.0 mask 255.255.255.0 <RRAS local VPN IP>
"LAN routing" needs to be enabled on the branch RRAS server as well.
Looking at your HQ ipconfig, <RRAS local VPN/PPP IP> = 169.254.23.180, which will work; only your branch site VPN/PPP IP is 172.16.0.16. Not sure how this is actually working. Any thoughts?
 
LVL 16

Author Comment

by:Malmensa
I have given up on this. I suspect it can be done, but I cannot figure it out, and nor can anyone else here. Assigning minimum points to Redwulf, he seemed to understand the problem & put some effort into helping me.
 
LVL 16

Expert Comment

by:Redwulf__53
Oops, sorry I abandoned your question; I guess I answered too many questions at the same time. Thanks for the points.

To get back to the problem: I would not be using PPTP (rather insecure). Instead, I would set up a persistent L2TP tunnel.
Please refer to this document:
http://www.microsoft.com/downloads/thankyou.aspx?familyId=8540f553-1711-402f-b451-2f8ea7fac379&displayLang=en
Starting at page 56 is the configuration I recommend.
 
LVL 16

Author Comment

by:Malmensa
Can't see that this would not have the same routing problems as the persistent PPTP tunnel.