
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 780

DNS issues in site to site PPTP VPN connection

I have created a site to site PPTP bridge between 2 domain controllers. The connection is persistent and seems to never go down.

I am having odd DNS issues. If I am on the calling machine and I ping the remote machine I get the remote server's IP address and all is right with the world. If I am on the called machine and ping the calling machine it resolves to the local IP address and I get no replies.

How can I force the "called" machine to use the IP address it assigns the "calling" machine so I can maintain connectivity and replication?

2 Solutions
You may get a better solution if you tell us what you are actually trying to accomplish instead of the problem you see when performing a troubleshooting step like ping.  Also, it will be very helpful to know what type of VPN end-point you are utilizing (specific firewall brand, Windows RRAS, etc)

Generally a PPTP VPN is used so that the calling machine can get access to the network (not for reversing the communication path), so the behavior you describe is not necessarily unusual.  A quick solution, if your endpoint supports this, is to enable dynamic DNS updates.  That way the endpoint will create a DNS entry whenever it passes out a DHCP IP.

If the endpoint does not support this feature, maybe it will use pass-through DHCP IP assignment (meaning that the PPTP VPN endpoint pulls IP addresses from the Windows DHCP server instead of using its own self-contained pool).  Then all you would need to do is be sure your DHCP pool is set to update DNS.

skione (Author) commented:
I am using a site-to-site PPTP VPN connection between Windows 2003 Domain Controllers that are members of the same domain. I am doing this via windows routing and remote access.

IP addresses are static on both (since both DCs host DNS servers) and IP address to the VPN client DC is assigned dynamically from an address pool.

The problem is that when it connects it replicates DNS information including all the IP addresses assigned to the client DC.

Then when I try to ping the client by host name it returns the primary IP address of that machine which is on the wrong subnet. I can see that it does indeed register the dynamically assigned address but chooses to ignore it.

If I could somehow force it to use the IP assigned by the VPN server on the VPN server I would be set and all my troubles would go away.

I hesitate to use anything like a hosts file as the IP does change and obviously that would cause a real problem.

Hopefully this provides more information.
OK, got it.  

Let's approach this problem from a different perspective.  A PPTP VPN tunnel is generally used so that client computers can connect remotely to your network (without having to get any client software or jump through any configuration hoops).  An IPSEC VPN tunnel, on the other hand, is almost always the right choice for a site-to-site VPN (not to mention IPSEC is more secure than PPTP).

I think your best approach to this problem would be to set up an IPSEC tunnel between the servers in place of the PPTP tunnel.  This will not only resolve your DNS issue, but will also put you into more of a "best practices" situation that should serve you better down the road.

I also have to point out that running a site-to-site VPN through a good firewall will probably save you some grief down the line.  I have yet to see a RRAS server *not* develop problems at some point during its life.  You will most likely end up spending more in support and troubleshooting of RRAS than you will initially spend investing in a couple of quality firewalls.

If you don't like either of these approaches, here is one way that you can force DNS to behave as you want to (but I do not recommend this except as a lab exercise, since it may break some inter-site functionality depending on what else you have going on).  Set up your DNS zones as standard primary zones rather than AD integrated.  Now hard-code the "correct" IP address of each server into the DNS zone.  Do not turn on replication of these zones.  Now the servers will not pass "wrong" addresses to each other.

skione (Author) commented:
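To make the failure skione describes concrete (the calling DC registers both its LAN address and the tunnel pool address, and the called side picks the LAN one), here is an added diagnostic model, not code from the thread or from Windows. All hostnames, addresses and routes are constructed; the "subnet prioritization" ordering is an assumption about how a resolver sorts multiple A records.

```python
import ipaddress
from typing import List, Optional

# Constructed sample data (not from the thread): while the tunnel is up, the
# calling DC "dc2" is multi-homed and has registered BOTH its own LAN address
# and the address the VPN server handed it from the PPTP pool.
DNS_A_RECORDS = {
    "dc2.example.local": ["192.168.2.10", "10.0.0.101"],
}

# Constructed routing table of the called DC (the VPN server). Its LAN and the
# pool it hands out are reachable; the remote LAN 192.168.2.0/24 is not,
# because nothing routes it back through the point-to-point tunnel.
LOCAL_ROUTES = ["192.168.1.0/24", "10.0.0.0/24"]


def reachable(addr: str, routes=LOCAL_ROUTES) -> bool:
    """True if some local route covers the address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in routes)


def ordered_answers(name: str, local_ip: str, prefix_len: int = 24,
                    records=DNS_A_RECORDS) -> List[str]:
    """Order A records as a subnet-prioritizing resolver would (assumption:
    records in the querying interface's /prefix_len move to the front, the
    rest keep server order). With no record on the caller's subnet the order
    is unchanged, so the first answer is dc2's LAN address."""
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    answers = records.get(name, [])
    same = [a for a in answers if ipaddress.ip_address(a) in local_net]
    return same + [a for a in answers if a not in same]


def naive_pick(name: str, local_ip: str) -> Optional[str]:
    """What ping does: take the first answer, routable or not."""
    answers = ordered_answers(name, local_ip)
    return answers[0] if answers else None


def routable_pick(name: str, local_ip: str) -> Optional[str]:
    """Skip answers no local route covers: the tunnel pool address survives."""
    return next((a for a in ordered_answers(name, local_ip) if reachable(a)), None)


def unroutable_records(name: str, local_ip: str) -> List[str]:
    """Registered addresses the called site cannot reach; these are the ones
    that break ping and replication and that an admin would want to suppress."""
    return [a for a in ordered_answers(name, local_ip) if not reachable(a)]


if __name__ == "__main__":
    host, me = "dc2.example.local", "192.168.1.5"  # constructed VPN-server LAN IP
    print("first answer:", naive_pick(host, me))
    print("routable    :", routable_pick(host, me))
    print("unroutable  :", unroutable_records(host, me))
```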
Well converting over to IPSec might be something I do but for right now PPTP is working ok.

I can't use static addresses as there is no way to assign an address statically when connecting via a VPN connection. The address has to come from an address pool of some sorts.

I just made some changes, most notably, I made the VPN server listen only to the now WAN IP addresses.

Now it seems to be working correctly.

Hopefully it will last.