With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.
Course Of The Month
3 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
VPN: 2 network with same IP scheme problem
Posted on 2011-03-09
We have a windows 2008 server, running as DC/DNS/DHCP,etc. I setup the VPN on it, i don't have problem establish the connection on the client workstation. But the problem is sometimes I cannot use the \\servername, even I try the \\server_IP. When I ping it replies though.
i noticed that the 2 network use same IP scheme as 192.168.1.x, is this causing the problem? why? if that's the case, then I think it's not practical, as how can we expect the network that client at all use different IP scheme, like in hotel, airport, cafe, etc
i noticed that the 2 network use same IP scheme as 192.168.1.x, is this causing the problem? why? if that's the case, then I think it's not practical, as how can we expect the network that client at all use different IP scheme, like in hotel, airport, cafe, etc
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
3
- +1
8 Comments
you've encountered a common problem. 192.168.1.0/24 is a VERY common subnet. you could pick something in the 10.10.0.0 area, like 10.10.200.0/24. this isn't used often.
how some company's get around that is to do what's called tunnel all rather than split tunneling. split tunneling says that your remote users has access to resources on the local network AND the remote network. what this usually amounts to is they access the vpn to access intra-network resources and use the local network to get to the internet. if you "tunnel all" then they only have access to resources on the intra-network and that's it. they'd have to disconnect from the vpn to access the internet. there is a way that you can get internet access over the vpn as well, but i'm not familiar with how to do that on a 2008 vpn server...only a sonicwall appliance.
tunnel all would force all the traffic to go over the VPN regardless of the local subnet. this would almost certainly resolve the issue you are seeing, unless it's a DNS issue. do you see the same issue when the subnet is different?
in your case of resolving the server name, it may be more of an issue with DNS. are you passing an internal DNS server to the IP settings of the vpn client? if not, then it's probably not going to resolve the server name. of course, it could be that the subnet is the same and is trying to resolve the name on a local DNS server which wouldn't know anything about your server.
how some company's get around that is to do what's called tunnel all rather than split tunneling. split tunneling says that your remote users has access to resources on the local network AND the remote network. what this usually amounts to is they access the vpn to access intra-network resources and use the local network to get to the internet. if you "tunnel all" then they only have access to resources on the intra-network and that's it. they'd have to disconnect from the vpn to access the internet. there is a way that you can get internet access over the vpn as well, but i'm not familiar with how to do that on a 2008 vpn server...only a sonicwall appliance.
tunnel all would force all the traffic to go over the VPN regardless of the local subnet. this would almost certainly resolve the issue you are seeing, unless it's a DNS issue. do you see the same issue when the subnet is different?
in your case of resolving the server name, it may be more of an issue with DNS. are you passing an internal DNS server to the IP settings of the vpn client? if not, then it's probably not going to resolve the server name. of course, it could be that the subnet is the same and is trying to resolve the name on a local DNS server which wouldn't know anything about your server.
I don't have any issue if I am on different subnet. So do you know how can I setup tunnel all in windows 2008? When I first setup vpn client, in tcp/ip setting, by default it is "Use default gateway on remote network"..... this is not tunnel all? as they will pass through the remote network to go to internet though....
Yes, checking that box does mean tunnel all. it means all the resources on the local network are not accessible and traffic is sent through the vpn connection.
my expectation is that if you are on an identical network, then tunnel all should work. if it's not, then changing the IP subnet for your remote clients get is the next option and, quite possibly, your only option.
my expectation is that if you are on an identical network, then tunnel all should work. if it's not, then changing the IP subnet for your remote clients get is the next option and, quite possibly, your only option.
it seems the tunnel all working for me, if i am on different subnet, there is no issue.... there is no other solution?
if tunnel all doesn't work with duplicate subnets, then you need to change the subnet for you remote users. sorry.
if you believe another answer exists, then try clicking the request attention link in your question. request a mod to adjust your zones and send a request for other experts to review your question. either you'll get an answer that you like or one that supports mine. i know i'd want a second opinion.
if you believe another answer exists, then try clicking the request attention link in your question. request a mod to adjust your zones and send a request for other experts to review your question. either you'll get an answer that you like or one that supports mine. i know i'd want a second opinion.
You have to change remote site IP range....
Otherwise, you can route specific ip (or small ip ranges) to remote sites (to access specific servers for example) but after a few sites, it will be unmanageable!
Otherwise, you can route specific ip (or small ip ranges) to remote sites (to access specific servers for example) but after a few sites, it will be unmanageable!
Thank you. as digitap mentioned some vpn server can do tunnel all. windows 2008 vpn server cannot handle that? It seems on the vpn client, by default it direct all traffic, but it doesn't help.
Active today
As has been said already - VPNs (of all kind) work only reliable if the subnets are different. Anything else depends on how the VPN client manages traffic. "Tunnel All" can be used only with a few VPN Clients, like Checkpoint, Nortel or Cisco. MS VPN (PPTP) is not able to do that.
With MS VPN and conflicting subnets - and NOT having set "Use default gateway on remote network" - whether you have access to the remote network or the local network is not predictable.
With "Use default gateway" many entries have precedence over the local ones, including DNS and routes. It is not "Tunnel all", which forces all traffic to go thru VPN without exception, though.
The way ampranti described (using more specific routes for the remote network) is working best. E.g. if you need access to only three specific machines, say 192.168.1.3, .5, .7, you can create routes to those. However, it is not easy to do that, and you need to apply the routes on each connect - with a probably changing interface or gateway address, which makes things even more complicated. If you are interested, we can work on that.
With MS VPN and conflicting subnets - and NOT having set "Use default gateway on remote network" - whether you have access to the remote network or the local network is not predictable.
With "Use default gateway" many entries have precedence over the local ones, including DNS and routes. It is not "Tunnel all", which forces all traffic to go thru VPN without exception, though.
The way ampranti described (using more specific routes for the remote network) is working best. E.g. if you need access to only three specific machines, say 192.168.1.3, .5, .7, you can create routes to those. However, it is not easy to do that, and you need to apply the routes on each connect - with a probably changing interface or gateway address, which makes things even more complicated. If you are interested, we can work on that.
Featured Post
On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| VPN - Site to Site not decapsulating (ASA-Sophos XG85) | 1 | 33 | |
| Xerox WorkCentre 7830 Network Printer, Fax, Scanner .. email setup? | 12 | 70 | |
| How can we use Acrylic Wi-Fi to observe our LAN | 7 | 60 | |
| ICT security firms and audit/assurance offerings | 3 | 39 |
A procedure for exporting installed hotfix details of remote computers using powershell
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility.
Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month3 days, 11 hours left to enroll
751 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.