Solved

2008 R2 VPN Clients can only see VPN Server not remote network

Posted on 2013-01-18
Last Modified: 2013-02-05
I have a 2008 R2 server set up as a VPN server. I am able to log into the VPN. I am able to get DNS resolution for the remote network. I can ping and RDP into the server hosting the VPN service but cannot get past that server to other servers on the network. I have unchecked use the remote gateway etc. I have IPv4 routing enabled. Not sure where else to go from here??

Any help will be greatly appreciated!
Question by:DaveKall42
 
LVL 11

Expert Comment

by:itguy565
Please connect to the VPN, open a command prompt window, and copy your ipconfig /all to a text document.

Modify the text to remove identifying attributes and then post the text to this forum.
I have a suspicion that you have no default gateway on the adapter that is connected to the VPN.
 

Author Comment

by:DaveKall42
Sure, here it is........


Windows IP Configuration

   Host Name . . . . . . . . . . . . :
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . :

PPP adapter

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . :
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.0.15
                                       10.1.0.16
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8152/8158 PCI-E Fast Ethernet C
ontroller (NDIS 6.20)
   Physical Address. . . . . . . . . : 00-26-6C-C7-A8-E5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::50f6:3beb:471d:1592%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.39(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 17, 2013 11:32:07 AM
   Lease Expires . . . . . . . . . . : Saturday, January 19, 2013 8:31:07 AM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 352331372
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       205.171.2.65
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
   Physical Address. . . . . . . . . : E0-CA-94-12-ED-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet
1
   Physical Address. . . . . . . . . : 00-50-56-C0-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a5dd:c55d:2d8f:4e7b%31(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.85.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 520114262
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet
8
   Physical Address. . . . . . . . . : 00-50-56-C0-00-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b052:6a74:fc0d:d0e8%33(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.23.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 553668694
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4D0671FA-7949-489B-8F55-B0D7F35F524A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{55B94073-F0E2-476C-AAF8-2098CF594C01}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{28EDE97B-8C7B-4649-92F9-3E644F2DF189}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{58CC31C2-5CCA-49E4-995E-B77AB5BA50D5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
LVL 45

Expert Comment

by:Craig Beck
Is the IP range you're assigning to VPN clients different to what the servers have?  I'm guessing no!

For example, your servers are in the 10.0.0.0 255.255.255.0 range.
Your VPN clients are in the 192.168.0.0 255.255.255.0 range.

You can ping the VPN server on 192.168.0.1 (for example) and you can resolve DC1's IP address to 10.0.0.1 (for example)?

Am I right so far?

If so, you need to add a static route to each of your servers so that they all point traffic to the 192.168.0.0 network via the VPN server.

So, if your VPN server is 10.0.0.254 on your LAN, you would do this on each server at the command prompt...

route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.254

Give that a try!
 

Author Comment

by:DaveKall42
Well, my VPN clients are getting IPs from a server on the remote network which is on the same subnet as the VPN server.

So they are on the 10.1.0.x 255.255.248.0 subnet. There is an IP address for the internal adapter on the VPN server, which is accessed by the remote access and routing plugin, that is 10.1.1.27. The IP address I was assigned by DHCP on the VPN was 10.1.1.25 and it shows up in the DHCP leases on the other server.
 
LVL 4

Accepted Solution

by:mgpremkumar
The IPv4 routing that you have enabled on the VPN Server is that static or dynamic? If dynamic is it learning the routes to the Internal networks that you have? If static you will have to add all the routes manually on the VPN server first. Also routing should be taking place from the servers back to the VPN clients as well. A good test would be to check if the VPN server is able to connect to the Internal resources. The VPN server should only have gateway configured on the Internet facing NIC.

If 'Use Default Gateway on remote network' is unchecked, which is the default setting, static routes have to be pushed to the VPN client machines for all the internal networks.

Checking the setting 'Use Default Gateway on remote network' disables split tunneling. In this state the name resolution packets would be sent to the Intranet or the Corporate network. If the name resolution fails then access to Internet fails.
 

Author Comment

by:DaveKall42
I am not sure where you would specify static vs dynamic routing on the VPN server? I do not see that option anywhere. I do see where I could put in static routes though. Also I can ping all internal resources from VPN server.
This is a single NIC VPN server where our firewall is forwarding VPN packets to the server.
At this point DNS is resolving names on the remote network when connected to VPN. I cannot ping any other server besides the VPN server so DNS is not really in question at the moment.
 
LVL 45

Expert Comment

by:Craig Beck
How is DNS resolving names for VPN clients if you can't talk to the DNS server? Or is the VPN server also a DNS server?

To clarify, you don't need to set up static or dynamic routing to allow clients to successfully connect as long as the clients are only connecting to the same subnet as the VPN server (as in this case).

When you say the firewall is forwarding VPN packets to the server, what do you mean?

Can you post the output from the ROUTE PRINT command on a VPN client?
 

Author Comment

by:DaveKall42
Sure.....
Also, the VPN server is one of the DNS servers yes.  





================================================
Interface List
 35..........................
 12...00 26 6c c7 a8 e5 ......Atheros AR8152/8158 PCI-E Fast Ethernet Controller
 (NDIS 6.20)
 10...e0 ca 94 12 ed 4d ......Atheros AR9285 Wireless Network Adapter
 31...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 33...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 34...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.112     25
         10.0.0.0        255.0.0.0        10.1.1.27        10.1.1.19     21
        10.1.1.19  255.255.255.255         On-link         10.1.1.19    276
     67.131.79.55  255.255.255.255    192.168.250.1  192.168.250.112     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.23.0    255.255.255.0         On-link      192.168.23.1    276
     192.168.23.1  255.255.255.255         On-link      192.168.23.1    276
   192.168.23.255  255.255.255.255         On-link      192.168.23.1    276
     192.168.85.0    255.255.255.0         On-link      192.168.85.1    276
     192.168.85.1  255.255.255.255         On-link      192.168.85.1    276
   192.168.85.255  255.255.255.255         On-link      192.168.85.1    276
    192.168.250.0    255.255.255.0         On-link   192.168.250.112    281
  192.168.250.112  255.255.255.255         On-link   192.168.250.112    281
  192.168.250.255  255.255.255.255         On-link   192.168.250.112    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.250.112    281
        224.0.0.0        240.0.0.0         On-link      192.168.85.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.23.1    276
        224.0.0.0        240.0.0.0         On-link         10.1.1.19    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.250.112    281
  255.255.255.255  255.255.255.255         On-link      192.168.85.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.23.1    276
  255.255.255.255  255.255.255.255         On-link         10.1.1.19    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    281 fe80::/64                On-link
 31    276 fe80::/64                On-link
 33    276 fe80::/64                On-link
 10    281 fe80::24ed:42bf:9093:896b/128
                                    On-link
 31    276 fe80::a5dd:c55d:2d8f:4e7b/128
                                    On-link
 33    276 fe80::b052:6a74:fc0d:d0e8/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
 31    276 ff00::/8                 On-link
 33    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
0
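As an added example (not part of the original thread), the Python below parses rows of the IPv4 route table posted above and applies longest-prefix, lowest-metric selection to show which gateway and interface the client picks for a destination, and whether the default route stays outside the tunnel (split tunneling). The function names are hypothetical, and 203.0.113.10 is a constructed documentation address standing in for an Internet host.

```python
import ipaddress

# Rows copied from the IPv4 "Active Routes" table in the post above.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.112     25
         10.0.0.0        255.0.0.0        10.1.1.27        10.1.1.19     21
        10.1.1.19  255.255.255.255         On-link         10.1.1.19    276
     67.131.79.55  255.255.255.255    192.168.250.1  192.168.250.112     26
    192.168.250.0    255.255.255.0         On-link   192.168.250.112    281
"""

def parse_routes(text):
    """Parse `route print` IPv4 rows; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append({"network": net, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
        except ValueError:
            continue  # not a route row
    return routes

def select_route(routes, destination):
    """Longest prefix wins; ties are broken by the lowest metric."""
    ip = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if ip in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def is_split_tunnel(routes, vpn_interface):
    """True when the default route does not leave through the VPN interface."""
    default = select_route(
        [r for r in routes if r["network"].prefixlen == 0], "0.0.0.0")
    return default is not None and default["interface"] != vpn_interface

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # 10.1.0.16 is the remote server named in the thread; 203.0.113.10 is a
    # constructed documentation address standing in for an Internet host.
    for dst in ("10.1.0.16", "203.0.113.10"):
        r = select_route(table, dst)
        print(f"{dst:>14} -> via {r['gateway']} on {r['interface']} "
              f"({r['network']}, metric {r['metric']})")
    print("split tunnel:", is_split_tunnel(table, "10.1.1.19"))
```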
 
LVL 45

Expert Comment

by:Craig Beck
Ok, on the VPN client can you add a static route at the command prompt and try talking to the servers?

route add 10.1.0.0 mask 255.255.248.0 <VPN_CLIENT_IP>

You might have to do an IPCONFIG first to determine the IP address assigned to the VPN client if it has changed between connections.
 

Author Comment

by:DaveKall42
Actually when I do a tracert from the VPN client to a remote resource it gets to the VPN server PPP interface then drops.  Sounds like a routing issue on the server side but I am not sure what route to put in?
 
LVL 45

Expert Comment

by:Craig Beck
If it gets to the VPN server then drops it's probably routing from the servers that fails.

Can you do a trace to the VPN client from a server and post the output?
 
LVL 4

Expert Comment

by:mgpremkumar
The VPN server and the VPN clients are on the 10.1.0.x 255.255.248.0 subnet.

On what subnet is the resource that you are connecting to?
 

Author Comment

by:DaveKall42
Same subnet. remote server 10.1.0.16