Solved

RRAS Vpn clients won't register route

Posted on 2009-07-03
2,577 Views
Last Modified: 2012-05-07
Hello experts :)

I am trying to configure a Windows 2008 Server with RRAS on ONE SINGLE NIC.

My setup is as follows :
Internal Network : 10.131.0.0
DMZ Network : 192.168.71.0
DMZ Gateway : 192.168.71.1
RRAS Server : 192.168.71.60

I installed RRAS and enabled IPv4 forwarding with a static address pool of:
192.168.71.193 - 192.168.71.254

From the 192.168.71.0 network I have access through the firewall to everything on my domain.

Now, I have also configured a static route on IPv4 as follows:
Interface : Local Area Connection
Destination : 10.131.0.0
Mask : 255.255.255.0
Gateway : 192.168.71.1

Now, my VPN clients can successfully connect to the RRAS server and I can connect to any server on the DMZ, but the route to my 10.131.0.0 does not work, so I can't get in touch with any of my domain servers.
My client computer is on the 10.0.0.0 / 255.255.255.0 net, so this might be a bit confusing.
Client has IP address : 10.0.0.95

After connecting to VPN I receive from my RRAS server the IP : 192.168.71.194

An ipconfig shows :
PPP adapter Fleggaard:

   Connection-specific DNS Suffix  . : mytestdomain.com
   IPv4 Address. . . . . . . . . . . : 192.168.71.194
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : home.local
  Link-local IPv6 Address . . . . . : fe80::a877:e4f6:23e7:5873%8
  IPv4 Address. . . . . . . . . . . : 10.0.0.95
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.0.0.1

If on the client I manually add the route everything works fine :
route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1

In the code area is the routing table of my client.

Any idea what I configured wrong or what I forgot to configure?


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.95     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.95    266
        10.0.0.95  255.255.255.255         On-link         10.0.0.95    266
       10.0.0.255  255.255.255.255         On-link         10.0.0.95    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link         10.0.0.95    286
  169.254.255.255  255.255.255.255         On-link         10.0.0.95    266
     192.168.71.0    255.255.255.0   192.168.71.193   192.168.71.194     12
   192.168.71.194  255.255.255.255         On-link    192.168.71.194    267
     193.88.64.60  255.255.255.255         10.0.0.1        10.0.0.95     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.0.95    267
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.0.95    266
  255.255.255.255  255.255.255.255         On-link    192.168.71.194    267
===========================================================================


9 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24777188
>>"If on the client I manually add the route everything works fine :
route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1"

You need to do this as the local router does not know the route to the remote site.
Four ways around this that should work are:
1) on the VPN client go to
Pre Vista:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP - properties | Advanced | General | check "Use default gateway on remote network"
Vista:
control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) - properties | Advanced | IP settings | check "Use default gateway on remote network"

2) On the router at the client site add your route (route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1), assuming it supports adding static routes.

3) Though I have never tried it, under the dial-in tab of the users profile in active directory, there is an option to add static routes for dial-in/VPN clients.

4) If the client machine is a member of the domain, it is possible to apply a logon script and have it automatically add the route to the client
 
LVL 13

Author Comment

by:George Sas
ID: 24777954
Rob, thank you for the answers, but this does not help, and let me tell you why.

1. I tried this before I posted the thread. If I use the default gateway on the remote network I will lose the connection to the internet. All the traffic will try to go out through my VPN connection, and this is a no go.

2. I can't do this manually for 200 clients :)

3. This will work only for actual dial-in clients. Tested and does not work.

4. Client computers are both domain computers and non-domain computers, and the client will log on to the machine before the VPN is initiated.

What I am trying to achieve is to replace my old Cisco VPN Concentrator which is limited to 50 simultaneous users.(older model)

Thank you for the ideas but I've tried them all :(
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24778160
Then the simple solution is change your VPN static address pool in RRAS. There is actually no need to assign an IP outside of the LAN subnet. Use a subset of your LAN subnet for the VPN clients. When doing so also enable LAN routing in RRAS and you will be all set. No need to create routes at the client or within RRAS. See my web site for the configuration steps.
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
You may also want to address name resolution if having issues. See my blog for that:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
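What Rob's pool change looks like on the server side, as an added example that is not part of the thread: it uses the `netsh ras ip` context on the RRAS server. Assumed values are taken from the thread (current pool 192.168.71.193-192.168.71.254, LAN 10.131.0.0/16 with 10.131.12.0/24 unused, IPv4 forwarding already enabled on the single NIC); the `Invoke-Netsh` wrapper is my own helper.

```powershell
<#
Added example (not code from the thread): move the RRAS client pool into the
LAN subnet, as Rob suggests, with the "netsh ras ip" context.
Assumptions from the thread: old pool 192.168.71.193-192.168.71.254, LAN
10.131.0.0/16 with 10.131.12.0/24 free, IPv4 forwarding already enabled.
Run in an elevated PowerShell on the RRAS server. The new range must also be
excluded from the LAN DHCP scope and permitted through Firewall1.
#>
$OldFrom = '192.168.71.193'; $OldTo = '192.168.71.254'
$NewFrom = '10.131.12.1';    $NewTo  = '10.131.12.254'

function Invoke-Netsh {
    # netsh reports failures as text plus a non-zero exit code; turn that into
    # a terminating error so a half-applied change cannot go unnoticed.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed:`n$out" }
    $out
}

# 1. Clients must be allowed beyond the server itself ("Allow IP-based remote
#    access and demand-dial connections"); serveronly silently drops everything
#    except traffic addressed to the RRAS box.
Invoke-Netsh ras ip set access mode=all

# 2. Hand out addresses from a static pool rather than relaying to DHCP.
Invoke-Netsh ras ip set addrassign method=pool

# 3. Replace the DMZ range with the LAN range. With the pool inside the LAN
#    subnet, RRAS answers ARP on the LAN NIC on behalf of each connected client
#    (proxy ARP), so LAN hosts reach 10.131.12.x with no static route anywhere.
#    On the client side, Windows adds a class-based route for the assigned
#    address (10.0.0.0/8 via the tunnel); the client's own 10.0.0.0/24 is more
#    specific and stays local, everything else in 10/8 goes through the VPN.
Invoke-Netsh ras ip delete range from=$OldFrom to=$OldTo
Invoke-Netsh ras ip add range from=$NewFrom to=$NewTo

# 4. Print the resulting configuration for the change record.
Invoke-Netsh ras ip show config
```

The class-based route is also the reason the original setup reached the DMZ but not the LAN: a 192.168.71.194 address gives the client a 192.168.71.0/24 route through the tunnel and nothing else, so 10.131.x.x falls through to the local default gateway exactly as Rob describes.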
 
LVL 13

Author Comment

by:George Sas
ID: 24778187
The idea of assigning the VPN clients a free class from my private LAN also came to me after 3 days of testing and poking the networking guy to make firewall changes, but I have not tried it yet (my networking guy is on vacation).
My physical setup is : LAN > Firewall1 > DMZ > Firewall2
LAN : 10.131.0.0 / 255.255.0.0
DMZ: 192.168.71.0 / 255.255.255.0

Right now I am using 10.131.1.0 > 10.131.11.0, so from 11 up I have them free. I could assign the VPN clients the 10.131.12.0 subnet, but then I would need to reconfigure Firewall1. Will check with my networking guy and see how happy he is about it.

What I am thinking is that my actual setup should work, and it does work if I manually add the route to my clients.
What bugs me is why the clients are not registering the manually created route on my RRAS server. This is kind of a mystery for me.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24778307
The reason it doesn't work with the current configuration is that the client has only 3 options: send a packet to an IP belonging to their local LAN, send a packet to the VPN subnet, or use their default gateway. Your packets for the 10.131.0.0 subnet are sent to their local default gateway because no route is known, and lost. Absolutely nothing at the server end you can do to fix that. The client needs a route somehow, or you need to change the addressing.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 24779726
If stuck, I can provide a script that will create the route based on the dynamically assigned VPN adapter's IP. This has to be run on the client PC after they connect. I appreciate distributing this may be a nuisance, but it is an option.
 
LVL 13

Author Comment

by:George Sas
ID: 24781067
What I don't get is why Microsoft would add the option to add a static route to IPv4 if it does not work?
That option to add a static route is there for a reason.
Adding a static route to my clients on the Cisco VPN Concentrator works just fine, but not on MS's RRAS...
Microsoft works in mysterious ways.

I'll just award you the points because you took the time and discuss this with me and confirmed my fears :)
Still not working but  I will figure a way.

Thx Rob.
 
LVL 13

Author Closing Comment

by:George Sas
ID: 31599641
Did not make it work, but the tech details were accurate and the time spent deserves the points.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24781214
The Microsoft VPN is definitely lacking, but comparing it to a Cisco concentrator is not really fair :-) The Cisco is a dedicated appliance designed specifically for that and has far more options. Of course it is priced accordingly as well.

Should it be of any use, I was involved in a discussion before where I proposed a script to add the route automatically. It could be applied to domain clients, but non-domain machines would have to click on the batch file to run it:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_22594402.html?sfQueryTermInfo=1+add+batch+file+rout+vpn

Thanks GeoSs. Good luck with the project,
--Rob
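The post-connect client script that Rob offers in the accepted solution and in his last comment, as an added example that is not code from the thread or from Rob's linked answer. It is written for the NetTCPIP cmdlets (Windows 8 / Server 2012 and later) rather than a batch file. Assumed values come from the thread: the VPN connection is named "Fleggaard", the LAN behind the DMZ is 10.131.0.0/16, and the next hop is the DMZ gateway 192.168.71.1 that the author used with `route ADD`; the probe host 10.131.1.10 and the function names are my own.

```powershell
<#
Added example (not from the thread): add the remote LAN route on the client
once the VPN is up, keyed to whatever IPv4 address RRAS handed the PPP adapter.
Assumptions from the thread: connection "Fleggaard", remote LAN 10.131.0.0/16,
next hop 192.168.71.1. Run elevated after connecting, for example from a
scheduled task triggered by RasClient event 20225 (successful connection).
#>
param(
    [string]$VpnName   = 'Fleggaard',
    [string]$RemoteLan = '10.131.0.0/16',
    [string]$TunnelGw  = '192.168.71.1',
    [string]$Probe     = '10.131.1.10'   # any LAN host; used only to verify the lookup
)

function Get-VpnIPv4 {
    # The PPP adapter exists only while the tunnel is up, and its InterfaceAlias
    # is the phonebook entry name. Return the NetIPAddress (carries InterfaceIndex).
    param([string]$Name)
    $ip = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $Name -ErrorAction SilentlyContinue
    if (-not $ip) { throw "VPN connection '$Name' is not connected; its adapter has no IPv4 address." }
    return $ip
}

function Add-RemoteLanRoute {
    param([string]$Name, [string]$Prefix, [string]$NextHop)
    $ip = Get-VpnIPv4 -Name $Name
    # Idempotent: running the script twice must not stack duplicate routes.
    $existing = Get-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $ip.InterfaceIndex -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # ActiveStore only: the route disappears with the PPP adapter on disconnect,
    # so a stale route can never black-hole LAN traffic while the VPN is down.
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $ip.InterfaceIndex `
                 -NextHop $NextHop -RouteMetric 1 -PolicyStore ActiveStore
}

$route = Add-RemoteLanRoute -Name $VpnName -Prefix $RemoteLan -NextHop $TunnelGw
"Route $($route.DestinationPrefix) via $($route.NextHop) on ifIndex $($route.InterfaceIndex)"

# Verify the client's own routing decision, which is the point of Rob's comment:
# without the route, a 10.131.x.x destination matches only 0.0.0.0/0 and leaves
# through the local default gateway; with it, the lookup must pick the PPP adapter.
Find-NetRoute -RemoteIPAddress $Probe |
    Select-Object -Property InterfaceAlias, DestinationPrefix, NextHop |
    Format-Table -AutoSize
```

Because the PPP adapter is point-to-point, the next-hop address mostly serves to bind the route to that adapter; the author's 192.168.71.1 works, and so does the adapter's own address. Keeping the route in the active store rather than persistent is deliberate: a persistent route to 10.131.0.0/16 via a gateway that is only reachable inside the tunnel would silently drop LAN-bound traffic whenever the VPN is down. For clients that cannot run a post-connect task, the CMAK profile that ships with Server 2008 can add static routes to the connection itself, which avoids distributing a script at all.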
