Solved

DNS issues in site to site PPTP VPN connection

Posted on 2008-06-23 · 715 Views · Last Modified: 2012-08-14
I have created a site to site PPTP bridge between 2 domain controllers. The connection is persistent and seems to never go down.

I am having odd DNS issues. If I am on the calling machine and I ping the remote machine, I get the remote server's IP address and all is right with the world. If I am on the called machine and ping the calling machine, it resolves to the local IP address and I get no replies.

How can I force the "called" machine to use the IP address it assigns the "calling" machine so I can maintain connectivity and replication?

Question by: skione

5 Comments
LVL 14

Expert Comment

by:mds-cos
ID: 21849173
You may get a better solution if you tell us what you are actually trying to accomplish instead of the problem you see when performing a troubleshooting step like ping. Also, it will be very helpful to know what type of VPN end-point you are utilizing (specific firewall brand, Windows RRAS, etc.).

Generally a PPTP VPN is used so that the calling machine can get access to the network (not for reversing the communication path), so the behavior you describe is not necessarily unusual.  A quick solution, if your endpoint supports this, is to enable dynamic DNS updates.  That way the endpoint will create a DNS entry whenever it passes out a DHCP IP.

If the endpoint does not support this feature, maybe it will use pass-through DHCP IP assignment (meaning that the PPTP VPN endpoint pulls IP addresses from the Windows DHCP server instead of using its own self-contained pool). Then all you would need to do is be sure your DHCP pool is set to update DNS.
0
 

Author Comment

by:skione
ID: 21849228
I am using a site-to-site PPTP VPN connection between Windows 2003 Domain Controllers that are members of the same domain. I am doing this via windows routing and remote access.

IP addresses are static on both (since both DCs host DNS servers) and IP address to the VPN client DC is assigned dynamically from an address pool.

The problem is that when it connects it replicates DNS information including all the IP addresses assigned to the client DC.

Then when I try to ping the client by host name it returns the primary IP address of that machine which is on the wrong subnet. I can see that it does indeed register the dynamically assigned address but chooses to ignore it.

If I could somehow force it to use the IP assigned by the VPN server on the VPN server I would be set and all my troubles would go away.

I hesitate to use anything like a hosts file as the IP does change and obviously that would cause a real problem.

Hopefully this provides more information.
0
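The symptom described in the post (the client DC registers both its LAN address and the address handed out from the RRAS pool, and a ping by host name at the VPN server picks the LAN address, which is on the wrong subnet) can be reproduced and audited with a short script. The following is an added example, not code from the thread; the host names, addresses and prefixes are constructed sample data, and "reachable prefixes" stands in for whatever the called site can actually route to (its own LAN plus the RRAS address pool).

```python
"""Added example (not from the thread): show why a multi-homed DC that registers
both its LAN address and its RRAS-assigned tunnel address can resolve to the
unreachable address at the remote site, and audit A records for that condition."""
import ipaddress

# Constructed sample data. Host names and addresses are assumptions, not the poster's.
SAMPLE_A_RECORDS = {
    # the branch DC registers its LAN interface and the tunnel address from the RRAS pool
    "dc-branch.corp.example": ["192.168.10.5", "10.0.0.12"],
    "dc-hq.corp.example": ["172.16.0.4"],
}

# Prefixes the HQ (called) side can actually route to: its own LAN and the RRAS pool.
HQ_REACHABLE_PREFIXES = ["172.16.0.0/24", "10.0.0.0/24"]


def first_record(name, records):
    """What a naive client (ping by host name) does: use the first A record returned."""
    addrs = records.get(name, [])
    return addrs[0] if addrs else None


def classify_records(name, records, reachable_prefixes):
    """Map each A record of `name` to True if some reachable prefix contains it."""
    nets = [ipaddress.ip_network(p, strict=False) for p in reachable_prefixes]
    return {
        addr: any(ipaddress.ip_address(addr) in net for net in nets)
        for addr in records.get(name, [])
    }


def reachable_record(name, records, reachable_prefixes):
    """Pick the first A record that lies inside a prefix routable from this site."""
    for addr, ok in classify_records(name, records, reachable_prefixes).items():
        if ok:
            return addr
    return None


def audit_records(records, reachable_prefixes):
    """Return {name: (address a naive client picks, reachable alternative)} for every
    name whose first record differs from the one routable from this site; a name with
    no routable record at all maps to (first, None)."""
    findings = {}
    for name in records:
        naive = first_record(name, records)
        good = reachable_record(name, records, reachable_prefixes)
        if naive is not None and naive != good:
            findings[name] = (naive, good)
    return findings


if __name__ == "__main__":
    for name, (naive, good) in audit_records(SAMPLE_A_RECORDS, HQ_REACHABLE_PREFIXES).items():
        print(f"{name}: a ping by name picks {naive}; only {good} is routable from here")
```

Feed `audit_records` the A records you actually see on the called DC (for example, copied from an nslookup of each DC name) and the prefixes that site can route to; any name it reports is one where plain name resolution will hand clients an address the tunnel cannot reach, which is exactly the replication failure the question describes.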
 
LVL 14

Assisted Solution

by:mds-cos
mds-cos earned 25 total points
ID: 21849454
OK, got it.  

Let's approach this problem from a different perspective. A PPTP VPN tunnel is generally used so that client computers can connect remotely to your network (without having to get any client software or jump through any configuration hoops). An IPSEC VPN tunnel, on the other hand, is almost always the right choice for a site-to-site VPN (not to mention IPSEC is more secure than PPTP).

I think your best approach to this problem would be to set up an IPSEC tunnel between the servers in place of the PPTP tunnel.  This will not only resolve your DNS issue, but will also put you into more of a "best practices" situation that should better serve down the road.

I also have to point out that running site-to-site VPN through a good firewall will probably save you some grief down the line. I have yet to see a RRAS server *not* develop problems at some point during its life. You will most likely end up spending more in support and troubleshooting of RRAS than you will initially spend investing in a couple of quality firewalls.


If you don't like either of these approaches, here is one way that you can force DNS to behave as you want to (but I do not recommend this except as a lab exercise, since it may break some inter-site functionality depending on what else you have going on). Set up your DNS zones as standard primary zones rather than AD integrated. Now hard-code the "correct" IP address of each server into the DNS zone. Do not turn on replication of these zones. Now the servers will not pass "wrong" addresses to each other.
0
 

Author Comment

by:skione
ID: 21849515
Well converting over to IPSec might be something I do but for right now PPTP is working ok.

I can't use static addresses as there is no way to assign an address statically when connecting via a VPN connection. The address has to come from an address pool of some sort.

I just made some changes, most notably, I made the VPN server listen only to the now WAN IP addresses.

Now it seems to be working correctly.

Hopefully it will last.
0
 

Accepted Solution

by:skione
skione earned 0 total points
ID: 21849536
0
