Solved

RRAS & adding Routes.

Posted on 2008-06-20
Last Modified: 2011-10-19
I am trying to set up a branch office with a VPN connection via RRAS into our head office. The head office uses a 172.16.x.x range, while the NIC of the branch office uses 10.1.0.x. Both RRAS servers are running Windows 2003 Server, all updates applied. I have configured the head office as an RRAS server, and created a VPN PPTP dialup connection in the branch office. The VPN works OK, I can connect, and get 172.16.0.16 on the branch office VPN. I can ping & connect to any port across the VPN. No problems creating a route to allow packets from 10.1.0.x to be sent up the VPN pipe to the head office.

The problem I am having is configuring a route at the head office to route packets bound for 10.1.0.x down the VPN link to the remote office.  RRAS will only let me add a route to either of the NICs.  The "Route Add" command is much the same.  

How do I add a route to the head office RRAS server routing 10.1.0.x packets out through the VPN tunnel?

Is there another way I should be doing this?
network.jpg
Question by:Mal Osborne
14 Comments
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21829774
First you need to assign the Dial Up interface on the branch server a static IP address (this will be an address in the 172.16.0.0 range, for example 172.16.100.1).
Next you add a route on the HQ server to this IP:
route add 10.0.1.0 mask 255.255.255.0 172.16.100.1
The RRAS server will know over which interface to route this, so you don't have to specify IF.


0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21830084
I have specified a static address already, it is asking for & receiving 172.16.0.17. When I add the route, it selects the wrong interface. The command I used was "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17". Before & after shots attached. If I try to specify an interface, by using "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17 METRIC 1 IF 2", I get "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
before.JPG
after.JPG
0
 
LVL 16

Accepted Solution

by:
Redwulf__53 earned 1000 total points
ID: 21830283
The after.jpg is correct!
The server in the branch office needs to act as a router, to forward the packages to the 10.0.1.0/24 clients. By default, routing is disabled in Windows and can be enabled by setting the following registry value to "1":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
(a reboot is required after changing this value)
No other changes should be necessary.


0

 
LVL 19

Author Comment

by:Mal Osborne
ID: 21830604
Made that change on BOTH servers. No difference at all. I will throw on a packet sniffer & see what I can find. I strongly suspect the HQ RRAS server is sending packets directed at 10.1.0.x out through the internal NIC, rather than the VPN tunnel.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21830638
Can you upload the result of "ipconfig /all" and "route print" of both servers?
0
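Added example, not part of the original thread: one way to read a captured "route print" table offline and see which interface traffic for 10.1.0.x would actually leave from, using longest-prefix match with the lowest metric as tie-breaker. The sample table is constructed to model the asker's suspicion (only 172.16.0.17 and 169.254.23.180 come from the thread), and the function names are hypothetical.

```python
import ipaddress

# Constructed `route print` excerpt for the HQ server, modelling the asker's
# suspicion. 172.16.0.17 and 169.254.23.180 are from the thread; the LAN
# address 172.16.0.10 and default gateway 172.16.0.1 are placeholders.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1     172.16.0.10     10
         10.1.0.0    255.255.255.0      172.16.0.17     172.16.0.10      1
       172.16.0.0      255.255.0.0      172.16.0.10     172.16.0.10     10
      172.16.0.17  255.255.255.255   169.254.23.180  169.254.23.180      1
Default Gateway:        172.16.0.1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each table row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        try:
            dest, mask, gw, iface, metric = fields
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           ipaddress.ip_address(gw),
                           ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # header, footer or blank line
    return routes

def lookup(routes, address):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def egress_interface(text, destination):
    """Interface address a packet to `destination` would leave from."""
    best = lookup(parse_routes(text), destination)
    return str(best[2]) if best else None

def misbound_routes(text):
    """Routes whose gateway is best reached through a different interface."""
    routes, flagged = parse_routes(text), []
    for net, gw, iface, _ in routes:
        if gw == iface:
            continue  # on-link route: gateway column shows the interface itself
        via = lookup(routes, gw)
        if via and via[2] != iface:
            flagged.append((str(net), str(gw), str(iface), str(via[2])))
    return flagged
```

In this constructed table the 10.1.0.0/24 route is bound to the LAN interface even though its gateway is reached through the PPP interface, which is the condition a packet capture on the internal NIC would confirm.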
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21831252
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21831467
Thank you for the information. The problem is now clear to me, but I need some time to work out a solution.
What it amounts to is that the Microsoft PPTP Dial-up client is not meant to be used for site-to-site VPNs. There is an intermediate IP address on the "PPP adapter RAS Server (Dial In) Interface" on the RRAS server that confuses the whole routing setup... I'll get back to you after the weekend.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21837569
The HQ setup is fine.

For the branch setup:

On the server, you have a route
    172.16.0.0      255.255.0.0   169.254.23.180      172.16.0.16      1
It needs to be
    route add 172.16.0.0 mask 255.255.0.0 10.1.0.1

You will also need to add a route to the site's default gateway (192.168.169.1) device:
    ip route 172.16.0.0 255.255.0.0 192.168.169.15
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21839600
Technically the RRAS VPN server at the 172.16.x.x site knows how to locate the 10.1.0.x site and vice versa. You mention the connecting (VPN client site) is also a RRAS server, therefore as long as RRAS is enabled as well as the "LAN routing" option within RRAS is enabled it should act as a router. However, the VPN client (dial up adapter) has a security feature in the VPN client that blocks local connections, to protect the head office network. You can disable this if you wish. To do so on the client/connecting PC/server, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

This might be better handled using a demand dial connection than a dial-up connection if clients, rather than just the server, need to connect.
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21842897
RobWill: It IS a demand dial connection in RRAS. I can't see how the 172.16.x.x "knows" its way to 10.1.0.x, it has no correct route.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21843001
Sorry I was wrong. I was skimming and assuming the 10.1.0.x was the VPN Static Address pool. If you are using a true demand dial connection/interface rather than a typical VPN client it doesn't apply anyway.

Curious though: Normally the route would be
      route -p add 10.1.0.0 mask 255.255.255.0 <RRAS local VPN IP>
     "LAN routing" needs to be enabled on the branch RRAS server as well.
Looking at your HQ ipconfig, <RRAS local VPN/PPP IP> = 169.254.23.180, which will work, only your branch site VPN/PPP IP is 172.16.0.16. Not sure how this is actually working. Any thoughts?
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21914277
I have given up on this, I suspect it can be done, but I cannot figure it out, and nor can anyone else here. Assigning min points to Redwulf, he seemed to understand the problem & put some effort into helping me.
0
 
LVL 16

Expert Comment

by:Redwulf__53
ID: 21914335
Oops sorry I abandoned your question; I guess I answered too many questions at the same time. Thanks for the points.

To get back to the problem: I would not be using PPTP (rather insecure). Instead, I would set up a persistent L2TP tunnel.
Please refer to this document:
http://www.microsoft.com/downloads/thankyou.aspx?familyId=8540f553-1711-402f-b451-2f8ea7fac379&displayLang=en
Starting at page 56 is the configuration I recommend.
0
 
LVL 19

Author Comment

by:Mal Osborne
ID: 21914343
Can't see that this would not have the same routing problems as the persistent PPTP tunnel.
0
