Solved

Accessing remote networks over Windows VPN without 'Use remote default gateway' being checked.

Posted on 2013-01-03
Last Modified: 2013-01-04
I have two locations set up with a Cisco VPN tunnel: Location A (192.168.12.0/255.255.255.0) and Location B (192.168.13.0/255.255.255.0). The tunnel works perfectly and has no issues.
There is a server at each location:
Location A: SBS 2011
Location B: 2008 R2 Std
RRAS is set up on both servers at both locations, for speed and redundancy (upload speed at Location B is much faster than at Location A). E-mail is hosted on-site at Location A (Exchange 2010), as well as some printers and network shares. Location B only hosts a few printers and a share.
The problem is, when accessing the VPN at Location B, I am unable to access e-mail or anything at Location A, but only when 'Use default gateway on remote network' is unchecked on the client's Windows VPN. This was unchecked due to the limited bandwidth at each location, and it allows remote users to use their own bandwidth for everything EXCEPT network resources. The problem with this being unchecked is that there is no route to Location A when connected to the VPN at Location B (and vice versa). The only real complaint is not being able to access e-mail while connected to the VPN at Location B, but in reality nothing is accessible at Location A (because it's attempting to reach the resources using the LAN IP at Location A (192.168.12.x), but since the VPN is NOT using the default gateway (as stated above), the user has no route to the remote location). If I add a static route on the machine from the command prompt (route add 192.168.12.0 mask 255.255.255.0 192.168.13.1 metric 1) on ANY remote computer connecting to the Location B VPN, I'm able to get to Location A (obviously) without having 'Use default gateway on remote network' checked. This is NOT a solution. There has to be a way to do this via RRAS. I've even attempted adding a Static Route in RRAS on Location B's server with the same settings; it did not work.
In short, I want to be able to access Locations A and B from either the A or B VPN without having 'Use default gateway on remote network' checked on clients, to avoid unnecessary bandwidth usage from remote users.
Any ideas?
0
Question by:mhdcommunications
8 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38742130
The site-to-site VPN tunnel should include the RRAS VPN subnet if it is not within the 192.168.12/13.0 range. If it is outside those ranges, the firewall will also need a static route pointed at the local RRAS server for the VPN subnet. You shouldn't need a route for the remote RRAS server's VPN subnet. Configure RRAS to include all 4 subnets for tunneling. Everything else will go directly out the user's internet connection.
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38742239
The site-to-site tunnel and the Windows VPN (RRAS) servers are separate. The tunnel is between the two locations, set up and controlled by Cisco equipment, so LAN users can communicate with each other.
The Windows VPN (RRAS) servers (one at each location) enable VPN connectivity to BOTH locations from the outside. There are only 2 subnets, not 4. Doing anything on the firewalls/routers will have no effect on the Windows VPN. Please re-read my post.
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38742278
Crude drawing of the layout of the network (don't have Visio on this PC).
With 'Use default gateway on remote network' unchecked on EITHER VPN connection, I can access the network that I connect to (A or B) but not both, because there is no route to the other site (because I'm not using the gateway over the VPN), and adding a Static Route in RRAS does not work (even though adding it locally on ANY PC that is connecting to the VPN works, as indicated in the original post).

There are switches, I just didn't see the need to draw them.
Network Layout
0
 
LVL 27

Expert Comment

by:Steve
ID: 38742356
The problem here is that you have the VPN run by the Cisco boxes, which are designed to do the routing for you, but you have instead set the servers up as routers using RRAS and are ignoring the routing facilities of the Ciscos.

The Ciscos should be the default gateway for the network, including the server, at each site.

This will resolve the entire setup unless there is a reason you have set the servers as the default gateways.
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38742421
The servers are not the gateways; they are providing USERS with VPN access from home. That is all they are doing as far as my overall issue is concerned. The gateway they (the VPN servers) provide to VPN users IS the Cisco (12.1 and 13.1 respectively), which is the gateway at each location.
There is a setting (remote user side) on ALL Windows VPN connections to 'Use default gateway on remote network', which is set by default. I have DISABLED this to prevent users from using VPN bandwidth just in case they decide to stream music, movies, or whatever it may be, and it won't affect their connection to the server.
The problem with doing this is it prevents access to Location A when establishing a VPN connection with Location B: since 'Use default gateway on remote network' is UNCHECKED, there is no route to Location A.
Under RRAS (on either server) there is a 'Static Routes' section. I added the route, and it had no effect; still no access to Location A from a VPN connection to Location B (and vice versa).
I need to be able to access BOTH Location A and B (which have a LAN-to-LAN tunnel between them) from a VPN to EITHER location with the option 'Use default gateway on remote network' UNCHECKED.
0
 
LVL 20

Accepted Solution

by:rauenpc (earned 250 total points)
ID: 38742529
http://technet.microsoft.com/library/bb878117

Classless static route dhcp option section
0
 
LVL 27

Assisted Solution

by:Steve (earned 250 total points)
ID: 38743311
Ah, so your clients are VPNing into the servers from outside, not the Ciscos?

Yes, you need to add the static route via your DHCP server then. This is a common problem with using multiple VPN facilities at once.

If the clients do not know about this additional route there is no way around it. Either add it manually or use DHCP to do it for you automatically.
0
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38744644
Splitting the points.
rauenpc provided a link to the 'Classless Static Route DHCP' option, but the article doesn't specify the actual DHCP server, and refers more to RRAS handling DHCP; it may be my misunderstanding.
totallytonto pointed me to the DHCP server itself, where there is (in Scope and Server Options) a "Classless Static Routes" option, where you can define static routes.
Nice article below about how/where to set this up, even though it's pretty self-explanatory. Thanks for the help!
http://tmgblog.richardhicks.com/2009/01/08/using-dhcp-to-assign-static-routes/
0
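The DHCP "Classless Static Routes" option that resolved the thread is just a byte string the server hands to the client; the example below (added here, not code from the thread or from Microsoft) encodes and decodes that payload per RFC 3442 for the two routes in the question, so you can check what option 249 (Microsoft Classless Static Routes; 121 is the RFC 3442 code) actually carries. Function names and the sample routes built from the page's subnets are mine.

```python
"""Encode/decode the DHCP Classless Static Route option (RFC 3442).

Payload format per route: 1 byte prefix length, then only the significant
octets of the destination (ceil(prefixlen / 8) of them), then 4 router octets.
A /24 therefore costs 8 bytes; a default route (/0) costs 5.
"""
import ipaddress

MS_CLASSLESS_STATIC_ROUTES = 249   # option code Windows clients read
RFC3442_CLASSLESS_STATIC_ROUTE = 121  # standard code (same payload format)


def encode_routes(routes):
    """routes: iterable of (destination CIDR, router IPv4) strings -> payload bytes."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        out.append(net.prefixlen)
        out += net.network_address.packed[: (net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_routes(data):
    """Inverse of encode_routes; raises ValueError on malformed input."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)  # pad back to 4 octets
        router = bytes(data[i + n:i + n + 4])
        i += n + 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def build_option(code, routes):
    """Wrap the payload as the (code, length, data) TLV seen in a DHCP packet."""
    payload = encode_routes(routes)
    if len(payload) > 255:
        raise ValueError("payload exceeds a single DHCP option (255 bytes)")
    return bytes([code, len(payload)]) + payload


# Constructed sample from the thread: clients dialing in to Location B need
# 192.168.12.0/24 via 192.168.13.1; Location A's scope gets the mirror route.
LOCATION_B_ROUTES = [("192.168.12.0/24", "192.168.13.1")]
LOCATION_A_ROUTES = [("192.168.13.0/24", "192.168.12.1")]
```

Remote access clients obtain these options with a DHCPINFORM after the PPP link comes up, so the RRAS server's DHCP Relay Agent must be configured to forward them to the DHCP server, and the route is ignored unless the client sees option 249.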
