  • Status: Solved
RRAS & adding Routes.

I am trying to set up a branch office, with a VPN connection via RRAS into our head office. The head office uses a 172.16.x.x range, while the NIC of the branch office uses 10.1.0.x. Both RRAS servers are running Windows 2003 Server, all updates applied. I have configured the head office as an RRAS server, and created a VPN PPTP dialup connection in the branch office. The VPN works OK, I can connect, and get 172.16.0.16 on the branch office VPN. I can ping & connect to any port across the VPN. No problems creating a route to allow packets from 10.1.0.x to be sent up the VPN pipe to the head office.

The problem I am having is configuring a route at the head office to route packets bound for 10.1.0.x down the VPN link to the remote office.  RRAS will only let me add a route to either of the NICs.  The "Route Add" command is much the same.  

How do I add a route to the head office RRAS server routing 10.1.0.x packets out through the VPN tunnel?

Is there another way I should be doing this?
[Attachment: network.jpg]

Asked by: Mal Osborne
1 Solution
 
Redwulf__53 commented:
First you need to assign the Dial Up interface on the branch server a static IP address (this will be an address in the 172.16.0.0 range, for example 172.16.100.1).
Next you add a route on the HQ server to this IP:
route add 10.0.1.0 mask 255.255.255.0 172.16.100.1
The RRAS server will know over which interface to route this, so you don't have to specify IF.

Mal Osborne (Alpha Geek, Author) commented:
I have specified a static address already; it is asking for & receiving 172.16.0.17. When I add the route, it selects the wrong interface. The command I used was "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17". Before & after shots attached. If I try to specify an interface, by using "ROUTE ADD 10.1.0.0 MASK 255.255.255.0 172.16.0.17 METRIC 1 IF 2", I get "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
[Attachments: before.JPG, after.JPG]
Redwulf__53 commented:
The after.jpg is correct!
The server in the branch office needs to act as a router, to forward the packets to the 10.0.1.0/24 clients. By default, routing is disabled in Windows and can be enabled by setting the following registry value to "1":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
(a reboot is required after changing this value)
No other changes should be necessary.

Mal Osborne (Alpha Geek, Author) commented:
Made that change on BOTH servers. No difference at all. I will throw on a packet sniffer & see what I can find; I strongly suspect the HQ RRAS server is sending packets directed at 10.1.0.x out through the internal NIC, rather than the VPN tunnel.
Redwulf__53 commented:
Can you upload the result of "ipconfig /all" and "route print" of both servers?
Mal Osborne (Alpha Geek, Author) commented:
Redwulf__53 commented:
Thank you for the information. The problem is now clear to me, but I need some time to work out a solution.
What it amounts to is that the Microsoft PPTP Dial-up client is not meant to be used for site-to-site VPNs. There is an intermediate IP address on the "PPP adapter RAS Server (Dial In) Interface" on the RRAS server that confuses the whole routing setup. I'll get back to you after the weekend.
kdearing commented:
The HQ setup is fine.

For the branch setup:

On the server, you have a route:
    172.16.0.0    255.255.0.0    169.254.23.180    172.16.0.16    1
It needs to be:
    route add 172.16.0.0 mask 255.255.0.0 10.1.0.1

You will also need to add a route to the site's default gateway (192.168.169.1) device:
    ip route 172.16.0.0 255.255.0.0 192.168.169.15
Rob Williams commented:
Technically the RRAS VPN server at the 172.16.x.x site knows how to locate the 10.1.0.x site and vice versa. You mention the connecting (VPN client) site is also a RRAS server, therefore as long as RRAS is enabled as well as the "LAN routing" option within RRAS is enabled it should act as a router. However, the VPN client (dial up adapter) has a security feature in the VPN client that blocks local connections, to protect the head office network. You can disable this if you wish. To do so on the client/connecting PC/server, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

This might be better handled using a demand dial connection than a dial-up connection if clients, rather than just the server, need to connect.
Mal Osborne (Alpha Geek, Author) commented:
RobWill: It IS a demand dial connection in RRAS. I can't see how the 172.16.x.x "knows" its way to 10.1.0.x, it has no correct route.
Rob Williams commented:
Sorry, I was wrong. I was skimming and assuming the 10.1.0.x was the VPN Static Address pool. If you are using a true demand dial connection/interface rather than a typical VPN client it doesn't apply anyway.

Curious though: Normally the route would be
    route -p add 10.1.0.0 mask 255.255.255.0 <RRAS local VPN IP>
"LAN routing" needs to be enabled on the branch RRAS server as well.
Looking at your HQ ipconfig, <RRAS local VPN/PPP IP> = 169.254.23.180, which will work; only your branch site VPN/PPP IP is 172.16.0.16. Not sure how this is actually working. Any thoughts?
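Why the plain ROUTE ADD binds to the LAN NIC and why "IF 2" is rejected, as an added Python illustration that is not part of this thread: it mimics the on-link test Windows applies to a static route's gateway (the gateway must fall inside the chosen interface's own address/mask), using the HQ addresses from the posted output. The HQ LAN NIC address/mask (172.16.0.1/16), the /32 mask on the PPP interface and both interface indexes are assumptions.

```python
import ipaddress

# Constructed HQ interface table: name -> (interface index, address/mask).
# Assumptions: the LAN NIC is 172.16.0.1/16 with index 3; the RAS Server
# (Dial In) PPP interface 169.254.23.180 carries a /32 mask and index 2.
HQ_INTERFACES = {
    "Local Area Connection": (3, ipaddress.ip_interface("172.16.0.1/16")),
    "RAS Server (Dial In)": (2, ipaddress.ip_interface("169.254.23.180/32")),
}


def on_link(gateway, iface):
    """True if the gateway lies inside the interface's directly connected network."""
    return ipaddress.ip_address(gateway) in iface.network


def select_interface(gateway, interfaces=HQ_INTERFACES):
    """Mimic 'route add ... <gateway>' without IF: the route binds to the first
    interface whose own network contains the gateway, or to none at all."""
    for name, (_idx, iface) in interfaces.items():
        if on_link(gateway, iface):
            return name
    return None


def validate_route(destination, gateway, if_index=None, interfaces=HQ_INTERFACES):
    """Return the interface the route would bind to, or an error string that
    mirrors the Windows message when an explicit IF is incompatible."""
    ipaddress.ip_network(destination)  # rejects a malformed destination prefix
    if if_index is None:
        chosen = select_interface(gateway, interfaces)
        return chosen or "error: gateway is not on-link for any interface"
    for name, (idx, iface) in interfaces.items():
        if idx == if_index:
            if on_link(gateway, iface):
                return name
            return ("error: the gateway does not lie on the same network "
                    "as the interface")
    return "error: interface index is wrong"


if __name__ == "__main__":
    # The thread's attempt: 10.1.0.0/24 via the branch PPP address 172.16.0.17.
    print(validate_route("10.1.0.0/24", "172.16.0.17"))  # -> "Local Area Connection"
    print(validate_route("10.1.0.0/24", "172.16.0.17", if_index=2))  # -> error string
    # Using the HQ-side PPP address itself as the gateway binds to the PPP link.
    print(validate_route("10.1.0.0/24", "169.254.23.180", if_index=2))  # -> "RAS Server (Dial In)"
```

The second call reproduces the error quoted earlier in the thread: 172.16.0.17 is not on-link for a /32 PPP interface, so only the LAN NIC (whose /16 contains it) can accept that gateway.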
Mal Osborne (Alpha Geek, Author) commented:
I have given up on this, I suspect it can be done, but I cannot figure it out, and nor can anyone else here. Assigning min points to Redwulf, he seemed to understand the problem & put some effort into helping me.
Redwulf__53 commented:
Oops, sorry I abandoned your question; I guess I answered too many questions at the same time. Thanks for the points.

To get back to the problem: I would not be using PPTP (rather insecure). Instead, I would set up a persistent L2TP tunnel.
Please refer to this document:
http://www.microsoft.com/downloads/thankyou.aspx?familyId=8540f553-1711-402f-b451-2f8ea7fac379&displayLang=en
Starting at page 56 is the configuration I recommend.
Mal Osborne (Alpha Geek, Author) commented:
Can't see that this would not have the same routing problems as the persistent PPTP tunnel.
Question has a verified solution.