• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1726
  • Last Modified:

VPN, RRAS, and 2 different subnets

I have a win 2003 server running Routing and Remote Access for VPN clients.  I have two different subnets 192.168.111.x and 192.168.10.x.  The RRAS box is sitting on the 192.168.111.x subnet and my clients can connect to it just fine and have full access to the 192.168.111.x subnet, however they cannot see the 192.168.10.x subnet.  

I have added a static route in RRAS with the following settings:
Interface: Local Area Connection (there is only one NIC)
Network Mask:
Gateway: (the IP address of the RRAS box)

There is a Cisco router that connects the 111.x subnet to the 10.x subnet and its IP address is  My RRAS server can connect to and ping the 10.x subnet just fine but my VPN clients cannot.  What am I doing wrong?
  • 2
1 Solution
I don't know what static route you created,...but my guess is that you should not have.

The clients must enable the checkbox in the DUN Settings that says "Use Gateway on Remote Network".  Without that they will only be able to contact the immediate subnet that they "dialed into".  what this does is cause whatever the RRAS Gateway and Routing Settings to be applied to the VPN Clients.  You will not see this happen on the clients using IPCONFIG,...it happens internally within the relationship between the and the VPN Server that they dialed into.

On the Clients an IPCONFIG would show the IP# they were given and it would show a Mask of (yes that is the correct mask), and the Gateway is the same IP# as the Interface IP.  The Dialup Interface gets automatically moved to the top of the binding order and the 32bit mask tells it that any destination that doesn't match the exact IP of the Dialup Interface just get "tossed at the VPN Connection",....the RRAS Server does all the rest of the work from there.

Note this will limit the Users access to their own local network to just the local subnet they are on.  This is Remote Access VPN and it is not designed to be up all the time,...it is only to be up for the period of time the work is being done,...then disconnected so that the user's machine goes back to operating normally on their local LAN.   If you haven't noticed by now VPN is a "Dialup Tecnhnology" and operate by al the same principles and behavors of the old modem dialup links.

apsonlineAuthor Commented:
Well now I feel silly; that worked great.  Thank you so much for the solution and great explanation.
Now, don't feel silly!  People get tripped up on that one all the time.
I have RRAS running on 2003 and I don't need to check "use remote gateway", but I do on 2008 RRAS.  I'd prefer to be able to not sure the RRAS as the remote gateway.  Is there any workaround?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now