DaveKall42

2008 R2 VPN Clients can only see VPN Server not remote network

I have a 2008 R2 server set up as a VPN server. I am able to log into the VPN. I am able to get DNS resolution for the remote network. I can ping and RDP into the server hosting the VPN service but cannot get past that server to other servers on the network. I have unchecked use the remote gateway etc. I have IPv4 routing enabled. Not sure where else to go from here??

Any help will be greatly appreciated!
ITguy565

Please connect to the VPN, open a command prompt window, and copy your ipconfig /all to a text document.

Modify the text to remove identifying attributes and then post the text to this forum.
I have a suspicion that you have no default gateway on the adapter that is connected to the VPN.
DaveKall42

ASKER

Sure, here it is........


Windows IP Configuration

   Host Name . . . . . . . . . . . . :
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . :

PPP adapter

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . :
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.0.15
                                       10.1.0.16
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : 00-26-6C-C7-A8-E5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::50f6:3beb:471d:1592%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.39(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 17, 2013 11:32:07 AM
   Lease Expires . . . . . . . . . . : Saturday, January 19, 2013 8:31:07 AM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 352331372
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : 205.171.3.65
                                       205.171.2.65
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
   Physical Address. . . . . . . . . : E0-CA-94-12-ED-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
   Physical Address. . . . . . . . . : 00-50-56-C0-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a5dd:c55d:2d8f:4e7b%31(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.85.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 520114262
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   Physical Address. . . . . . . . . : 00-50-56-C0-00-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b052:6a74:fc0d:d0e8%33(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.23.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 553668694
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-81-2D-59-E0-CA-94-12-ED-4D

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4D0671FA-7949-489B-8F55-B0D7F35F524A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{55B94073-F0E2-476C-AAF8-2098CF594C01}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{28EDE97B-8C7B-4649-92F9-3E644F2DF189}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{58CC31C2-5CCA-49E4-995E-B77AB5BA50D5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Is the IP range you're assigning to VPN clients different to what the servers have?  I'm guessing no!

For example, your servers are in the 10.0.0.0 255.255.255.0 range.
Your VPN clients are in the 192.168.0.0 255.255.255.0 range.

You can ping the VPN server on 192.168.0.1 (for example) and you can resolve DC1's IP address to 10.0.0.1 (for example)?

Am I right so far?

If so, you need to add a static route to each of your servers so that they all point traffic to the 192.168.0.0 network via the VPN server.

So, if your VPN server is 10.0.0.254 on your LAN, you would do this on each server at the command prompt...

route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.254

Give that a try!
Well, my VPN clients are getting IPs from a server on the remote network which is on the same subnet as the VPN server.

So they are on the 10.1.0.x 255.255.248.0 subnet.  There is an IP address for the internal adapter on the VPN server which is accessed by remote access and routing plugin that is 10.1.1.27.  The IP address I was assigned by DHCP on the VPN was 10.1.1.25 and it shows up in the DHCP leases on the other server.
ASKER CERTIFIED SOLUTION
mgpremkumar
This solution is only available to members.
I am not sure where you would specify static vs dynamic routing on the VPN server? I do not see that option anywhere.  I do see where I could put in static routes though.  Also I can ping all internal resources from VPN server.
This is a single NIC VPN server where our firewall is forwarding VPN packets to the server.
At this point DNS is resolving names on the remote network when connected to VPN.  I cannot ping any other server besides the VPN server so DNS is not really in question at the moment.
How is DNS resolving names for VPN clients if you can't talk to the DNS server? Or is the VPN server also a DNS server?

To clarify, you don't need to set up static or dynamic routing to allow clients to successfully connect as long as the clients are only connecting to the same subnet as the VPN server (as is this case).

When you say the firewall is forwarding VPN packets to the server, what do you mean?

Can you post the output from the ROUTE PRINT command on a VPN client?
Sure.....
Also, the VPN server is one of the DNS servers, yes.

================================================
Interface List
 35..........................
 12...00 26 6c c7 a8 e5 ......Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
 10...e0 ca 94 12 ed 4d ......Atheros AR9285 Wireless Network Adapter
 31...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 33...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 34...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.112     25
         10.0.0.0        255.0.0.0        10.1.1.27        10.1.1.19     21
        10.1.1.19  255.255.255.255         On-link         10.1.1.19    276
     67.131.79.55  255.255.255.255    192.168.250.1  192.168.250.112     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.23.0    255.255.255.0         On-link      192.168.23.1    276
     192.168.23.1  255.255.255.255         On-link      192.168.23.1    276
   192.168.23.255  255.255.255.255         On-link      192.168.23.1    276
     192.168.85.0    255.255.255.0         On-link      192.168.85.1    276
     192.168.85.1  255.255.255.255         On-link      192.168.85.1    276
   192.168.85.255  255.255.255.255         On-link      192.168.85.1    276
    192.168.250.0    255.255.255.0         On-link   192.168.250.112    281
  192.168.250.112  255.255.255.255         On-link   192.168.250.112    281
  192.168.250.255  255.255.255.255         On-link   192.168.250.112    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.250.112    281
        224.0.0.0        240.0.0.0         On-link      192.168.85.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.23.1    276
        224.0.0.0        240.0.0.0         On-link         10.1.1.19    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.250.112    281
  255.255.255.255  255.255.255.255         On-link      192.168.85.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.23.1    276
  255.255.255.255  255.255.255.255         On-link         10.1.1.19    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    281 fe80::/64                On-link
 31    276 fe80::/64                On-link
 33    276 fe80::/64                On-link
 10    281 fe80::24ed:42bf:9093:896b/128
                                    On-link
 31    276 fe80::a5dd:c55d:2d8f:4e7b/128
                                    On-link
 33    276 fe80::b052:6a74:fc0d:d0e8/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
 31    276 ff00::/8                 On-link
 33    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
Ok, on the VPN client can you add a static route at the command prompt and try talking to the servers?

route add 10.1.0.0 mask 255.255.248.0 <VPN_CLIENT_IP>

You might have to do an IPCONFIG first to determine the IP address assigned to the VPN client if it has changed between connections.
Actually when I do a tracert from the VPN client to a remote resource it gets to the VPN server PPP interface then drops.  Sounds like a routing issue on the server side but I am not sure what route to put in?
If it gets to the VPN server then drops it's probably routing from the servers that fails.

Can you do a trace to the VPN client from a server and post the output?
The VPN server and the VPN clients are on the 10.1.0.x 255.255.248.0 subnet.

On what subnet is the resource that you are connecting to?
Same subnet. Remote server 10.1.0.16
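
An added example, not part of any post in this thread: a small Python script that reads rows from the ROUTE PRINT output above and shows which route the client would use for a given destination, plus a check of whether the VPN-assigned address sits inside the LAN subnet. The function names are made up for this example, and the 10.1.0.0/21 network is derived from the "10.1.0.x 255.255.248.0" subnet stated in the thread.

```python
import ipaddress

# Constructed sample: a few rows copied from the ROUTE PRINT output in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1  192.168.250.112     25
         10.0.0.0        255.0.0.0        10.1.1.27        10.1.1.19     21
        10.1.1.19  255.255.255.255         On-link         10.1.1.19    276
     67.131.79.55  255.255.255.255    192.168.250.1  192.168.250.112     26
    192.168.250.0    255.255.255.0         On-link   192.168.250.112    281
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, separator or wrapped line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def lookup(routes, dest):
    """Longest-prefix match, lowest metric as tie-break (how Windows picks a route)."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))

def on_subnet(client_ip, lan_cidr):
    """True when the VPN-assigned address is inside the LAN subnet itself."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_cidr)

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for dest in ("10.1.0.16", "10.1.0.15", "8.8.8.8"):
        net, gw, iface, metric = lookup(routes, dest)
        print(f"{dest:>12} -> {net} via {gw} on {iface} (metric {metric})")
    # 10.1.1.19 is the PPP address shown in the route table above.
    print("client inside LAN subnet:", on_subnet("10.1.1.19", "10.1.0.0/21"))
```

With the thread's values, the lookup shows traffic for 10.1.0.16 already entering the tunnel through the 10.0.0.0/8 route, while destinations outside that range leave through the client's local gateway.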