Solved

Draytek 2820 Lan to Lan VPN. SBS2003 R2 Std domain with 2 nics to multiple xp sp3 clients.

Posted on 2008-10-30
Last Modified: 2012-05-05
Hi.

I have a user with a main office which has 5 computers connected to an sbs 2003 domain (internal nic 192.168.16.1 / 255.255.255.0, and external nic 192.168.1.2 / 255.255.255.0, (gateway) router address 192.168.1.1). I am using the SBS for firewall and DHCP and all computers can access internet and email etc fine through the Draytek 2820.

I now need to connect a branch office which has 3 computers connected directly to another Draytek 2820 via a different ISP (there is no server at this office). I have been trying to setup a Lan to Lan VPN with the routers and can get the routers to connect fine, but I can only ping the lan on the public side of the sbs server - i.e. I can ping 192.168.1.1 and 192.168.1.2 from the branch office, but cannot ping 192.168.16.1.

The lan to lan setup in the routers is as follows. Main office - Dial-In, PPTP, TCP/IP settings My WAN IP 0.0.0.0, remote gateway IP 0.0.0.0, remote network IP 192.168.2.0, remote network mask 255.255.255.0. Branch office - Dial-Out, PPTP, TCP/IP settings My WAN IP 0.0.0.0, remote gateway 0.0.0.0, remote network IP 192.168.1.0, remote network mask 255.255.255.0.

I believe I need to setup a static route either in the router(s) or RRAS in SBS, but have tried various configs with no success. Can someone please point me in the right direction or suggest another setup which may work?

Thanks.
Question by:keyuk
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847050
From what I know you need a VPN connection

  (1) for each user to the remote server (2003)

  -OR-

  (2) between two "vpn routers" like the netgear prosafe FVS318 (example)

without one of those two conditions both lans' won't communicate


Others with more knowledge will probably tell u more

-kaddict
 

Author Comment

by:keyuk
ID: 22847068
Thanks for clarifying kaddict - this is exactly what I'm trying to setup... a site to site VPN between 2 routers. I believe the question describes the situation, but if you need any more info please ask.
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847069
Quickly looking @ the Draytek 2820 I'm not seeing any VPN tunnels into that ADSL router, so you will need all 3 users (that are not using a domain and having a server on the LAN) to configure a VPN connection to the 2003 server. So you'll need to enable it on your server 2003, and you also need to unlock port 3389 to your server's IP, and let the GRE protocol pass thru too.

(sorry for my English, I'm French, hope you understand clearly)

-kaddict
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847075
If you can invest some $, then you could setup a "complete site-to-site" vpn using two VPN Firewall routers with enough tunnels (like for a 5 computer lan + a 3 computer lan you need at least a 5-tunnel router)

and I've heard miracles about the Netgear Prosafe FVS318 :) and 338 too but more $$

good luck

-kaddict
 

Author Comment

by:keyuk
ID: 22847089
These Draytek routers are specifically designed for site to site VPNs. There are 32 tunnels available. I believe I have the right equipment, but I think it is the routing at the sbs side where the problem lies.

Thanks.
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847124
Ok sorry if I looked quickly ;-)

If you can have up to 32 tunnels, then your equipment indeed is right for you. About the routing on the SBS side, I don't see why, because site-to-site vpn is implemented on the routers only. If both networks get their IPs with DHCP, the router should allow them to communicate using static routes that the VPN tunnels will transfer between both LANs.
 
LVL 3

Expert Comment

by:Russianblue
ID: 22848843
i take it you've seen this page?

http://www.draytek.co.uk/support/vpn_setup.html

draytek routers FTW, by the way!  i absolutely LOVE how fast the CPUs are.  Friggin thing reboots completely in literally 2-3 seconds.

 

Author Comment

by:keyuk
ID: 22850405
Thanks Russianblue.

I have seen this page and it makes sense, except I have the Windows SBS 2003 server between the subnet and the router. The SBS nats traffic from the router to the local subnet. Does this mean I should re-configure SBS to only use 1 NIC? This is why I asked the question about setting up a static route in RRAS.

I agree - these routers are so fast and would recommend to anyone!
 
LVL 3

Expert Comment

by:Russianblue
ID: 22850565
"I have the Windows SBS 2003 server between the subnet and the router"

so then, you aren't sure where the communication is hanging?

the FIRST thing we need to establish is whether you are using ISA?  if you aren't, then drop a NIC for sure.

are you using ISA?
 

Author Comment

by:keyuk
ID: 22857869
I'm not using ISA as it is SBS standard. It would make sense to drop a NIC, but as the original network was setup with 2 NICs, I was unsure if I could simply add on the new network without tampering with the existing setup too much.

Thanks for your comments and I will see if this is possible without taking too much offline while I re-configure (or schedule it in for a late night!!)

Anyone have any ideas for using RRAS - I'm sure this may still be an option.
 
LVL 3

Expert Comment

by:Russianblue
ID: 22859580
from what i've read, i don't think you can have a remote router log in via RRAS and serve the NAT clients behind it.  I think that's maybe a limitation of RRAS.

now, as far as the 2 NIC situation, I'd think you need to figure out what's going on there.  it may not be serving ANY purpose, but you need to verify that.  otherwise we could be chasing our tails.  run an ipconfig /all and post it here.
 

Author Comment

by:keyuk
ID: 22859641
Hi. Please find the ipconfig as requested below.

I believe the internet connection wizard in SBS (CEICW) configures windows firewall and/or RRAS to act as a gateway for the local lan even if ISA isn't installed. This way all internet traffic from the router comes into the server on one NIC and is then routed out to the local lan on the other. Apparently, this creates a more secure network, with the SBS server controlling all traffic from the local lan to the internet. Please correct me if I'm wrong.

Windows IP Configuration
   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : Freedom.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Freedom.local

Ethernet adapter Public Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Bus Network Adapter #1
   Physical Address. . . . . . . . . : 00-15-5D-00-08-0D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-00-08-0C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1
 
LVL 3

Accepted Solution

by:
Russianblue earned 168 total points
ID: 22866248
ummm....yes.   this could be causing all sorts of issues and is totally unnecessary.  If you are looking for security beyond that of an SPI hardware firewall and secure VPN setup, i'd go with the Windows firewall before setting up some kind of IP filtering between NICs.  You're just gonna end up with too many problems with SBS having two NICs on the same server with the same subnet without using ISA.  I betcha the previous guy THOUGHT he was gonna use ISA and then had to uninstall it after he figured out it was for an esoteric group!

anyway, you should try simply disabling the 16.1 NIC, re-run the wizard and see what happens.  if it doesn't work, you just re-enable it and re-run the wizard.  you're also going to need to check DNS and DHCP, not only to make sure they are config'd correctly, but that the settings propagate to all machines.
 

Author Comment

by:keyuk
ID: 22958295
I will assign 250 points to Russianblue, but I would still welcome any other views on this question.

I believe the dual NIC setup was to take advantage of the Windows Firewall in SBS 2003 and it NATs traffic between the gateway and the subnet. Keeping this in mind, there must be a way to connect remote computers to local ones via router VPN.

If I have no other suggestions, I will drop a NIC on the SBS, test and assign the remainder of the points to Russianblue in 28 days.
 
LVL 3

Expert Comment

by:Russianblue
ID: 22959720
Dude, think about this....from the outside, no VPN involved, if i wanted to get into a PC at your home office, i'd have to go through...

public IP (router WAN)
              |
gateway (router LAN)
              |
          NIC 1
              |
          NIC 2
              |
     workstation
             

SBS using RRAS is intended to serve in place of a (limited) hardware firewall. Your trouble is coming in with the relationship between NIC 1 and NIC 2.   Basically, you are using two firewalls and introducing needless complexity, especially with the abilities of the Drayteks as i know them.  Depending on what options you selected in CEICW, there could be some miscommunication here.  

Anyway, if you really want to keep it like this (which i don't understand, but i respect your choice and i am not gonna flame you), let's figure it out.

when the draytek from the remote office dials in to create the LAN to LAN, how does it get its IP address?  from DHCP thru RRAS? or is it dialing in to the other Draytek router at the home office? in either case, what IP address is the remote router assuming upon connection?
 
LVL 1

Assisted Solution

by:Richard_Macbeth
Richard_Macbeth earned 168 total points
ID: 23565004
This seems to be a simple routing issue with the LAN to LAN configuration. You have set the following: remote network IP 192.168.1.0, remote network mask 255.255.255.0.
This means only traffic for the above subnet will be routed over the VPN. Your ping to the 192.168.16.x subnet will go to the internet (and not get very far), rather than over the VPN.
It may be possible to set up a static route on the Vigor, but I'm not sure this will work.
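As an added illustration of the routing point above (example code, not from the thread or from Draytek): a longest-prefix route lookup over constructed tables for the two Vigor 2820s, using the addresses given in the question, shows why 192.168.1.2 is reachable from the branch while 192.168.16.1 falls through to the default route. The two "fixed" tables (192.168.16.0/24 via the tunnel on the branch side, and via next hop 192.168.1.2, the SBS public NIC, on the main-office side) are an assumption about what static routes would need to look like, not a configuration the thread confirms.

```python
import ipaddress

# Constructed routing tables for the two Vigor 2820s, built from the
# addresses in the question; not captured from real devices.
# Each entry is (destination prefix, where the router sends it).
BRANCH_ROUTES = [
    ("192.168.2.0/24", "branch LAN"),
    ("192.168.1.0/24", "VPN tunnel"),    # "remote network IP" as configured
    ("0.0.0.0/0",      "ISP uplink"),    # default route to the internet
]
MAIN_ROUTES = [
    ("192.168.1.0/24", "main LAN"),      # the SBS public NIC lives here
    ("192.168.2.0/24", "VPN tunnel"),    # branch subnet, as configured
    ("0.0.0.0/0",      "ISP uplink"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unroutable"

def with_static_route(routes, prefix, via):
    """Return a copy of the table with one static route added."""
    return [(prefix, via)] + list(routes)

# Assumed fix (not confirmed by the thread): tell the branch router that
# 192.168.16.0/24 is also behind the tunnel, and tell the main router that
# it sits behind the SBS public NIC at 192.168.1.2.
BRANCH_FIXED = with_static_route(BRANCH_ROUTES, "192.168.16.0/24", "VPN tunnel")
MAIN_FIXED = with_static_route(MAIN_ROUTES, "192.168.16.0/24", "next hop 192.168.1.2")

def path_from_branch(dst, branch=BRANCH_ROUTES, main=MAIN_ROUTES):
    """Hops a packet from the branch office takes for a given destination."""
    first = lookup(branch, dst)
    if first != "VPN tunnel":
        return [first]                      # never enters the tunnel
    return [first, lookup(main, dst)]       # main-office router decides next

if __name__ == "__main__":
    for dst in ("192.168.1.2", "192.168.16.1"):
        print(dst, "as configured:", path_from_branch(dst))
        print(dst, "with static routes:", path_from_branch(dst, BRANCH_FIXED, MAIN_FIXED))
```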
 

Assisted Solution

by:jmsjms
jmsjms earned 168 total points
ID: 24019786
Hi,

I regularly use Drayteks to provide a router based VPN.  I do not use the SBS RRAS services.  Seems to work well enough.

As for using SBS as a firewall, I don't, as Russianblue says it's added complexity, and I don't know about you but I'd rather trust hardware to firewall the networks than use a firewall on the SBS server!

Have you tried just using the routers for VPN?

If so can you use the VPN Connection management to see if you have a VPN between them?

Have you got any client firewalls stopping you accessing another subnet?