martynrobertson
Hardware VPN in front of SBS 2003

We have taken over a site that has a hardware site-to-site VPN using two Draytek routers, with an SBS 2003 at the head office. The site can see the SBS 2003 and view shared files etc., however the server cannot see the share on the site PC. The VPN is a simple PPTP VPN.
I assume that the SBS 2003 does not recognise the site's IP/DNS and ignores it for security.
Does the site's IP range/subnet need to be added to the SBS or local PC security policies or group policy anywhere to allow them to be viewed, or vice versa?
Any help would be appreciated.
plug1

If it works one way it should work the other, because the routes are working. I'd be inclined to think the local firewall is enabled on the PC, or the Draytek firewall at the remote end is enabled over the VPN.
ASKER CERTIFIED SOLUTION
Murat Raymond

Vico, if the route wasn't there already then you wouldn't be able to ping it from the remote network either. It still needs a route to return pings. I stand by what I say, the "route add" is unnecessary.
You are almost right, with the only exception that the route should be added to the site PC.
Trust me,
You may be able to ping from one network and not able to do the same in the other one.

Add the route to the "the site pc"

Please do a route print on the SBS server and the site PC and post it; that will help.

I assume the site PC has only one router, the Draytek. As I work with hundreds of Draytek routers on a daily basis I can assure you that in the case of a site-to-site VPN with only one router at each end the static route is not needed.

If however there are 2 routers at the site then you're right.
You could be right also, but it is not going to kill to just try.
At least that will be out of the way and we will move on.

That's why I believe it's a good start to have a printout of the 2 networks' routes.

That will answer a lot of questions.
Good point vico.. we'll take it from there.. if the author responds lol.. we've probably scared him off by now.
arnold
Since you guys addressed the question, your back-and-forth on adding a route is the reason for this post. I would agree with plug1 that adding a route is unnecessary on either the SBS or the PC.
Vico1, you do not have the necessary parameters to add a route.
The site-to-site VPN is not seen by the SBS or the client PC. The only network they know of is the local LAN, and everything else has to go through the default gateway.

I am unfamiliar with Draytek routers.
Can you ping the PC on the remote side from the Draytek router? The route addition might have to be made on the Draytek if the PPTP connection is a one-way route, i.e. from the remote side to the SBS location.
Does the VPN configuration you have include the local/remote LAN IPs?
What can I say,
Something as simple as adding a route that can be deleted if it doesn't work, or printing the route from both sides of the network, is a big deal. I have done enough site-to-site VPNs to know that a simple route entry on a router or the wrong subnet on either side can cause this kind of problem.
You are right, I do not have enough info, and that is exactly why I asked for a route print on the machines in question.
Anything else is guessing.
Vico1
Vico1,

You do not have enough information to add a route on the local system; that is the problem.
You have the destination network.
You have the destination netmask.
What are you using for the gateway?
The IP of the local PC, or the IP of the local router? Either scenario already exists in the routing table.
I.e. LAN through the Local PC IP and everything else through the default gateway already exists.

Are there multiple PCs at the remote SITE and can they see the PC share?

I think the issue is that PPTP VPN treats the remote Draytek as a client such that the VPN is not a site-to-site but rather a remote client VPN.  Traffic can be initiated in one direction only.  The responses find their way back because they are tagged with the PPTP IP assigned to the remote Draytek. The SBS side Draytek has no information on the LAN IPs behind the remote Draytek.
Adding a route on the SBS side Draytek using the PPTP IP as the gateway might work.

A better approach would be to set up a site-to-site VPN using IPsec.
You do not need to tear down the existing PPTP while you are setting up the IPsec. Once IPsec is set up and functions both ways, you can disable the PPTP setup.
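The route-print comparison Vico1 and arnold are arguing about, as an added example that is not from the thread: a small Python parser for the IPv4 table of a Windows `route print` that performs the same longest-prefix lookup the host does, so you can see whether a remote LAN has its own route or simply falls through to the default gateway (the Draytek). All addresses below are constructed, not the site's.

```python
import ipaddress

# Constructed sample of the IPv4 section of a Windows "route print"; not from
# the thread. Assumed (hypothetical) addressing: SBS at 192.168.1.10/24 behind
# a Draytek at 192.168.1.1, remote site LAN 192.168.2.0/24.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10        1
Default Gateway:       192.168.1.1
===========================================================================
"""

def parse_route_print(text):
    """Return (network, gateway, metric) tuples from the Active Routes table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # data rows have exactly five columns
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            gateway = ipaddress.IPv4Address(parts[2])
            metric = int(parts[4])
        except ValueError:
            continue                 # header text, not a route row
        routes.append((net, gateway, metric))
    return routes

def best_route(routes, dest):
    """Longest-prefix match, lowest metric as tie-break, as the IP stack does."""
    dest = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def remote_lan_is_specifically_routed(routes, remote_lan):
    """True only if a route narrower than 0.0.0.0/0 covers the remote LAN."""
    # False means the host just hands the traffic to its default gateway, so
    # the forwarding decision (and any missing route) lives on the router.
    first_host = ipaddress.IPv4Network(remote_lan).network_address
    route = best_route(routes, first_host)
    return route is not None and route[0].prefixlen > 0
```

Paste the real `route print` output from both the SBS and the site PC into `SAMPLE_ROUTE_PRINT` and compare what `best_route` returns for the other side's LAN; if both fall through to the default gateway, the missing piece is on the Drayteks, not the Windows routing tables.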
If the above is the case then, Arnold, a site-to-site VPN can easily be created over PPTP with the Draytek routers.. Not that the author of this seems to care :)
I said that I am unfamiliar with the Draytek, but while searching I initially found an example that sets up a remote client PPTP connection.
Following your post, found http://www.draytek.co.uk/support/vpn_setup.html

I still think an IPsec tunnel might be a better option.

martynrobertson

ASKER

Hi, not frightened off yet! Just been on site doing other jobs!
Just to add a bit more: there are several (3) sites, with a Draytek at each site. Previously the other site had the same problem when I was installing software, and the IT guy at the time remoted in and added the IP and subnet of the site in somewhere (I assume the server routing or group policy) and hey presto, it all worked. Took him 10 minutes max as I partially watched him; this was 6 months ago and he has left. Since then another site has come online, routers OK, but this problem came up again. The site can see the standard shared file, but when I wish to add my software I need the server to see the site to push information down. I have done Draytek routers before and not had this problem. I suppose he could have explicitly locked down the IP ranges somewhere as well, as a 'security precaution'.
Will have a look at the routing link later today.
Cheers
Keep us posted then, but remember to give us the IP configs of both the server and remote PC, and also a tracert from both sides as well.
As I stated right from the beginning, you have a routing problem.
You need to add that subnet to the routing table,
and I gave you the commands to do it.
If you would post the routing tables I would tell you exactly the IP route that you should add.

Vico1
Customer has now been flooded, and server drowned! Waiting for insurance, thankfully that's not my problem. Will be back in touch when up and running again.