Solved

Draytek 2820 Lan to Lan VPN. SBS2003 R2 Std domain with 2 nics to multiple xp sp3 clients.

Posted on 2008-10-30
18
4,678 Views
Last Modified: 2012-05-05
Hi.

I have a user with a main office which has 5 computers connected to an SBS 2003 domain (internal NIC 192.168.16.1 / 255.255.255.0, external NIC 192.168.1.2 / 255.255.255.0, and (gateway) router address 192.168.1.1). I am using the SBS for firewall and DHCP and all computers can access internet and email etc. fine through the Draytek 2820.

I now need to connect a branch office which has 3 computers connected directly to another Draytek 2820 via a different ISP (there is no server at this office). I have been trying to setup a Lan to Lan VPN with the routers and can get the routers to connect fine, but I can only ping the lan on the public side of the sbs server - i.e. I can ping 192.168.1.1 and 192.168.1.2 from the branch office, but cannot ping 192.168.16.1.

The LAN to LAN setup in the routers is as follows. Main office - Dial-In, PPTP, TCP/IP settings: My WAN IP 0.0.0.0, remote gateway IP 0.0.0.0, remote network IP 192.168.2.0, remote network mask 255.255.255.0. Branch office - Dial-Out, PPTP, TCP/IP settings: My WAN IP 0.0.0.0, remote gateway 0.0.0.0, remote network IP 192.168.1.0, remote network mask 255.255.255.0.

I believe I need to setup a static route either in the router(s) or RRAS in SBS, but have tried various configs with no success. Can someone please point me in the right direction or suggest another setup which may work?

Thanks.
0
Question by:keyuk
18 Comments
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847050
From what I know you need a VPN connection

  (1) for each user to the remote server (2003)

  -OR-

  (2) between two "vpn routers" like the netgear prosafe FVS318 (example)

without one of those two conditions both LANs won't communicate


Others with more knowledge will probably tell u more

-kaddict
0
 

Author Comment

by:keyuk
ID: 22847068
Thanks for clarifying kaddict - this is exactly what I'm trying to set up... a site to site VPN between 2 routers. I believe the question describes the situation, but if you need any more info please ask.
0
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847069
Quickly looking @ the Draytek 2820 I'm not seeing any VPN tunnels into that ADSL router, so every one of the 3 users (that are not using a domain and having a server on the LAN) will need to configure a VPN connection to the 2003 server. So you'll need to enable it on your server 2003, and you also need to unlock port 3389 to your server's IP, and let the GRE protocol pass through too.

(sorry for my English, I'm French, hope you understand clearly)

-kaddict
0
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847075
If you can invest some $, then you could set up a "complete site-to-site" VPN using two VPN firewall routers with enough tunnels (like for a 5 computer LAN + a 3 computer LAN you need at least a 5-tunnel router)

and I've heard miracles about the Netgear Prosafe FVS318 :) and 338 too but more $$

good luck

-kaddict
0
 

Author Comment

by:keyuk
ID: 22847089
These Draytek routers are specifically designed for site to site VPNs. There are 32 tunnels available. I believe I have the right equipment, but I think it is the routing at the sbs side where the problem lies.

Thanks.
0
 
LVL 4

Expert Comment

by:Kaddict
ID: 22847124
Ok sorry if I looked quickly ;-)

If you can have up to 32 tunnels, then your equipment indeed is right for you. About the routing on the SBS side, I don't see why, because site-to-site VPN is implemented on the routers only. If both networks get their IPs with DHCP, the router should allow them to communicate using static routes that the VPN tunnels will transfer between both LANs.
0
 
LVL 3

Expert Comment

by:Russianblue
ID: 22848843
i take it you've seen this page?

http://www.draytek.co.uk/support/vpn_setup.html

draytek routers FTW, by the way!  i absolutely LOVE how fast the CPUs are.  Friggin thing reboots completely in literally 2-3 seconds.

0
 

Author Comment

by:keyuk
ID: 22850405
Thanks Russianblue.

I have seen this page and it makes sense, except I have the Windows SBS 2003 server between the subnet and the router. The SBS NATs traffic from the router to the local subnet. Does this mean I should re-configure SBS to only use 1 NIC? This is why I asked the question about setting up a static route in RRAS.

I agree - these routers are so fast and I would recommend them to anyone!
0
 
LVL 3

Expert Comment

by:Russianblue
ID: 22850565
"I have the Windows SBS 2003 server between the subnet and the router"

so then, you aren't sure where the communication is hanging?

the FIRST thing we need to establish is whether you are using ISA?  if you aren't, then drop a NIC for sure.

are you using ISA?
0
 

Author Comment

by:keyuk
ID: 22857869
I'm not using ISA as it is SBS standard. It would make sense to drop a NIC, but as the original network was setup with 2 NICs, I was unsure if I could simply add on the new network without tampering with the existing setup too much.

Thanks for your comments and I will see if this is possible without taking too much offline while I re-configure (or schedule it in for a late night!!)

Anyone have any ideas for using RRAS - I'm sure this may still be an option.
0
 
LVL 3

Expert Comment

by:Russianblue
ID: 22859580
from what i've read, i don't think you can have a remote router log in via RRAS and serve the NAT clients behind it.  I think that's maybe a limitation of RRAS.

now, as far as the 2 NIC situation, I'd think you need to figure out what's going on there.  it may not be serving ANY purpose, but you need to verify that.  otherwise we could be chasing our tails.  run an ipconfig /all and post it here.
0
 

Author Comment

by:keyuk
ID: 22859641
Hi. Please find the ipconfig as requested below.

I believe the internet connection wizard in SBS (CEICW) configures Windows Firewall and/or RRAS to act as a gateway for the local LAN even if ISA isn't installed. This way all internet traffic from the router comes into the server on one NIC and is then routed out to the local LAN on the other. Apparently, this creates a more secure network, with the SBS server controlling all traffic from the local LAN to the internet. Please correct me if I'm wrong.

Windows IP Configuration
   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : Freedom.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Freedom.local

Ethernet adapter Public Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Bus Network Adapter #1
   Physical Address. . . . . . . . . : 00-15-5D-00-08-0D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-00-08-0C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1
0
 
LVL 3

Accepted Solution

by:
Russianblue earned 168 total points
ID: 22866248
ummm....yes.   this could be causing all sorts of issues and is totally unnecessary.  If you are looking for security beyond that of an SPI hardware firewall and secure VPN setup, i'd go with the Windows firewall before setting up some kind of IP filtering between NICs.  You're just gonna end up with too many problems with SBS having two NICs on the same server with the same subnet without using ISA.  I betcha the previous guy THOUGHT he was gonna use ISA and then had to uninstall it after he figured out it was for an esoteric group!

anyway, you should try simply disabling the 16.1 NIC, re-run the wizard and see what happens.  if it doesn't work, you just re-enable it and re-run the wizard.  you're also going to need to check DNS and DHCP, not only to make sure they are config'd correctly, but that the settings propagate to all machines.

0
 

Author Comment

by:keyuk
ID: 22958295
I will assign 250 points to Russianblue, but I would still welcome any other views on this question.

I believe the dual NIC setup was to take advantage of the Windows Firewall in SBS 2003 and it NATs traffic between the gateway and the subnet. Keeping this in mind, there must be a way to connect remote computers to local ones via router VPN.

If I have no other suggestions, I will drop a NIC on the SBS, test and assign the remainder of the points to Russianblue in 28 days.
0
 
LVL 3

Expert Comment

by:Russianblue
ID: 22959720
Dude, think about this....from the outside, no VPN involved, if i wanted to get into a PC at your home office, i'd have to go through...

public IP (router WAN)
              |
gateway (router LAN)
              |
          NIC 1
              |
          NIC 2
              |
     workstation
             

SBS using RRAS is intended to serve in place of a (limited) hardware firewall. Your trouble is coming in with the relationship between NIC 1 and NIC 2.   Basically, you are using two firewalls and introducing needless complexity, especially with the abilities of the Drayteks as i know them.  Depending on what options you selected in CEICW, there could be some miscommunication here.  

Anyway, if you really want to keep it like this (which i don't understand, but i respect your choice and i am not gonna flame you), let's figure it out.

when the draytek from the remote office dials in to create the LAN to LAN, how does it get its IP address?  from DHCP thru RRAS? or is it dialing in to the other Draytek router at the home office? in either case, what IP address is the remote router assuming upon connection?
0
 
LVL 1

Assisted Solution

by:Richard_Macbeth
Richard_Macbeth earned 168 total points
ID: 23565004
This seems to be a simple routing issue with the LAN to LAN configuration. You have set the following: remote network IP 192.168.1.0, remote network mask 255.255.255.0.
This means only traffic for the above subnet will be routed over the VPN. Your ping to the 192.168.16.x subnet will go to the internet (and not get very far), rather than over the VPN.
It may be possible to set up a static route on the Vigor, but I'm not sure this will work.

0
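A worked illustration of the routing point Richard_Macbeth makes, added here and not posted by anyone in the thread: a longest-prefix lookup over the routes each Vigor would hold, tracing a branch ping before and after the missing static routes are added. It assumes the branch LAN is 192.168.2.0/24 (the main office's Dial-In entry names that as the remote network) and that the SBS's own firewall/NAT permits the forwarded traffic; both are assumptions, not facts from the question.

```python
from ipaddress import ip_address, ip_network

# Routing tables constructed for this example from the thread's description.
# Each entry is (prefix, next hop); a next hop is an interface name or a gateway IP.
# Branch Vigor: LAN assumed to be 192.168.2.0/24. Its LAN-to-LAN entry declares
# only 192.168.1.0/24 as the remote network, so that is all the tunnel carries.
BRANCH_ROUTES = [
    ("192.168.2.0/24", "lan"),
    ("192.168.1.0/24", "vpn"),
    ("0.0.0.0/0", "internet"),
]
# Main-office Vigor: LAN is 192.168.1.0/24; 192.168.16.0/24 sits behind the
# SBS at 192.168.1.2, which the router knows nothing about without a static route.
MAIN_ROUTES = [
    ("192.168.1.0/24", "lan"),
    ("192.168.2.0/24", "vpn"),
    ("0.0.0.0/0", "internet"),
]
# The two static routes that make the SBS LAN reachable across the tunnel.
BRANCH_FIXED = BRANCH_ROUTES + [("192.168.16.0/24", "vpn")]
MAIN_FIXED = MAIN_ROUTES + [("192.168.16.0/24", "192.168.1.2")]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def trace_from_branch(dst, branch_routes=BRANCH_ROUTES, main_routes=MAIN_ROUTES):
    """Follow a packet from a branch workstation hop by hop; returns the path taken."""
    path = [("branch-vigor", next_hop(branch_routes, dst))]
    if path[-1][1] != "vpn":
        return path  # handed to the ISP instead of the tunnel: never reaches the main office
    path.append(("main-vigor", next_hop(main_routes, dst)))
    if path[-1][1] == "192.168.1.2":
        # The posted ipconfig shows "IP Routing Enabled: Yes", so the SBS forwards from its
        # public NIC to 192.168.16.0/24 on NIC 2, subject to its own firewall/NAT rules,
        # which this model does not include (assumption).
        path.append(("sbs", "lan"))
    return path


if __name__ == "__main__":
    for dst in ("192.168.1.2", "192.168.16.1"):
        print(dst, "before:", trace_from_branch(dst))
        print(dst, "after: ", trace_from_branch(dst, BRANCH_FIXED, MAIN_FIXED))
```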
 

Assisted Solution

by:jmsjms
jmsjms earned 168 total points
ID: 24019786
Hi,

I regularly use Drayteks to provide a router based VPN.  I do not use the SBS RRAS services.  Seems to work well enough.

As for using SBS as a firewall, I don't, as Russianblue says it's added complexity, and I don't know about you but I'd rather trust hardware to firewall the networks than use a firewall on the SBS server!

Have you tried just using the routers for VPN?

If so can you use the VPN Connection management to see if you have a VPN between them?

Have you got any client firewalls stopping you accessing another subnet?

0
