Solved

RRAS Vpn clients won't register route

Posted on 2009-07-03
Last Modified: 2012-05-07
Hello experts :)

I am trying to configure a Windows 2008 Server with RRAS on ONE SINGLE NIC.

My setup is as follows :
Internal Network : 10.131.0.0
DMZ Network : 192.168.71.0
DMZ Gateway : 192.168.71.1
RRAS Server : 192.168.71.60

I installed RRAS and enabled IPv4 forwarding with a static address pool of:
192.168.71.193 - 192.168.71.254

From the 192.168.71.0 network I have access through the firewall to everything on my domain.

Now, I have also configured a static route on IPv4 as follows:
Interface : Local Area Connection
Destination : 10.131.0.0
Mask : 255.255.255.0
Gateway : 192.168.71.1

Now, my VPN clients can successfully connect to the RRAS server and I can connect to any server on the DMZ, but the route to my 10.131.0.0 does not work, so I can't get in touch with any of my domain servers.
My client computer is on the 10.0.0.0 / 255.255.255.0 net, so this might be a bit confusing.
Client has IP address: 10.0.0.95

After connecting to VPN I receive from my RRAS server the IP : 192.168.71.194

An ipconfig shows :
PPP adapter Fleggaard:

   Connection-specific DNS Suffix  . : mytestdomain.com
   IPv4 Address. . . . . . . . . . . : 192.168.71.194
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : home.local
  Link-local IPv6 Address . . . . . : fe80::a877:e4f6:23e7:5873%8
  IPv4 Address. . . . . . . . . . . : 10.0.0.95
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 10.0.0.1

If on the client I manually add the route, everything works fine:
route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1

In the code area is the routing table of my client.

Any idea what I configured wrong or what I forgot to configure?


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.95     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.95    266
        10.0.0.95  255.255.255.255         On-link         10.0.0.95    266
       10.0.0.255  255.255.255.255         On-link         10.0.0.95    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link         10.0.0.95    286
  169.254.255.255  255.255.255.255         On-link         10.0.0.95    266
     192.168.71.0    255.255.255.0   192.168.71.193   192.168.71.194     12
   192.168.71.194  255.255.255.255         On-link    192.168.71.194    267
     193.88.64.60  255.255.255.255         10.0.0.1        10.0.0.95     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.0.95    267
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.0.95    266
  255.255.255.255  255.255.255.255         On-link    192.168.71.194    267
===========================================================================

Question by:George Sas
9 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24777188
>>"If on the client I manually add the route everything works fine :
route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1"

You need to do this as the local router does not know the route to the remote site.
Four ways around this that should work are:
1) on the VPN client go to
Pre Vista:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | check  "Use default gateway on remote network"
Vista:
control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | check  "Use default gateway on remote network")

2) On the router at the client site add your route (route ADD 10.131.0.0 MASK 255.255.255.0 192.168.71.1), assuming it supports adding static routes.

3) Though I have never tried it, under the dial-in tab of the users profile in active directory, there is an option to add static routes for dial-in/VPN clients.

4) If the client machine is a member of the domain, it is possible to apply a logon script and have it automatically add the route to the client
0
 
LVL 13

Author Comment

by:George Sas
ID: 24777954
Rob, thank you for the answers, but this does not help, and let me tell you why.

1. I tried this before I posted the thread. If I use the default gateway on the remote network I will lose the connection to the internet. All the traffic will try to go out through my VPN connection and this is a no go.

2. I can't do this manually for 200 clients :)

3. This will work only for actual dial-in clients. Tested and does not work.

4. Client computers are both domain computers and non-domain computers, and the client will log on to the machine before the VPN is initiated.

What I am trying to achieve is to replace my old Cisco VPN Concentrator, which is limited to 50 simultaneous users (older model).

Thank you for the ideas but I've tried them all :(
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24778160
Then the simple solution is change your VPN static address pool in RRAS. There is actually no need to assign an IP outside of the LAN subnet. Use a subset of your LAN subnet for the VPN clients. When doing so also enable LAN routing in RRAS and you will be all set. No need to create routes at the client or within RRAS. See my web site for the configuration steps.
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
You may also want to address name resolution if having issues. See my blog for that:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
0
 
LVL 13

Author Comment

by:George Sas
ID: 24778187
The idea of assigning the VPN clients a free class from my private LAN came to me also, after 3 days of testing and poking the networking guy to make firewall changes, but I did not try it yet (my networking guy is on vacation).
My physical setup is : LAN > Firewall1 > DMZ > Firewall2
LAN : 10.131.0.0 / 255.255.0.0
DMZ: 192.168.71.0 / 255.255.255.0

Right now I am using 10.131.1.0 > 10.131.11.0, so from 11 up I have them free.... I could assign the VPN clients the 10.131.12.0 subnet, but then I would need to reconfigure Firewall1 .. will check with my networking guy and see how happy he is about it.

What I am thinking is that my actual setup should work, and it does work if I manually add the route to my clients.
What bugs me is why the clients are not registering the manually created route on my RRAS server .. this is kind of a mystery for me.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24778307
The reason it doesn't work with the current configuration is the client has only 3 options: send a packet to an IP belonging to their local LAN, send a packet to the VPN subnet, or use their default gateway. Your packets for the 10.131.0.0 subnet are sent to their local default gateway because no route is known, and lost. Absolutely nothing at the server end you can do to fix that. The client needs a route somehow, or you need to change the addressing.
0
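The lookup Rob describes can be checked against the client's own route table from the question. This is an added example, not code from the thread: it simulates Windows longest-prefix matching over a constructed subset of that table, shows a 10.131.0.0 destination falling through to the 10.0.0.1 default gateway, and then shows the effect of the manual `route ADD` (function names and the metric given to the added route are assumptions).

```python
import ipaddress

# Constructed subset of the client's IPv4 route table posted in the question:
# destination, netmask, gateway, interface, metric.
CLIENT_ROUTES = """
0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.95     10
10.0.0.0    255.255.255.0         On-link         10.0.0.95    266
192.168.71.0    255.255.255.0   192.168.71.193   192.168.71.194     12
192.168.71.194  255.255.255.255         On-link    192.168.71.194    267
"""


def parse_routes(text):
    """Turn `route print` style rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric; returns (gateway, interface)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)       # more specific, then cheaper, wins
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def add_route(routes, dest, mask, gateway, metric=1):
    """Simulate `route ADD dest MASK mask gateway` on the client. Windows binds the
    new route to whichever interface can already reach the gateway address, so a
    DMZ gateway resolves onto the PPP adapter's 192.168.71.0/24 route."""
    hop = lookup(routes, gateway)
    if hop is None:
        raise ValueError(f"gateway {gateway} is not reachable from this table")
    routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, hop[1], metric))


if __name__ == "__main__":
    table = parse_routes(CLIENT_ROUTES)
    print("before:", lookup(table, "10.131.0.5"))   # default gateway, packet is lost
    add_route(table, "10.131.0.0", "255.255.255.0", "192.168.71.1")
    print("after: ", lookup(table, "10.131.0.5"))   # out through the PPP adapter
```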
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 24779726
If stuck, I can provide a script that will create the route based on the dynamically assigned VPN adapter's IP. This has to be run on the client PC after they connect. I appreciate distributing this may be a nuisance, but it is an option.
0
 
LVL 13

Author Comment

by:George Sas
ID: 24781067
What I don't get is why would Microsoft add the option to add a static route to the IPv4 if it does not work?
That option to add a static route is there for a reason.
Adding a static route to my clients on the Cisco VPN Concentrator works just fine, but on MS's RRAS not...
Microsoft works in mysterious ways.

I'll just award you the points because you took the time to discuss this with me and confirmed my fears :)
Still not working, but I will figure a way.

Thx Rob.
0
 
LVL 13

Author Closing Comment

by:George Sas
ID: 31599641
Did not make it work, but the tech details were accurate and the time spent deserves the points.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24781214
The Microsoft VPN is definitely lacking, but comparing it to a Cisco concentrator is not really fair :-) The Cisco is a dedicated appliance designed specifically for that and has far more options. Of course it is priced accordingly as well.

Should it be of any use, I was involved in a discussion before where I proposed a script to add the route automatically. It could be applied to domain clients, but non-domain machines would have to click on the batch file to run it:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_22594402.html?sfQueryTermInfo=1+add+batch+file+rout+vpn

Thanks GeoSs. Good luck with the project,
--Rob
0
