Solved

Configure RRAS VPN with Off Subnet Clients

Posted on 2014-11-07
Last Modified: 2014-11-10
I am trying to configure a PPTP VPN on a Windows Server 2008 R2 box with a single NIC. The RRAS config part and firewall pass-through are working just fine. I am able to connect from outside and get a valid IP address. The goal is to give remote clients a different IP subnet and still be able to access the IP subnet where the VPN server is.

Here are the addressing schemes I am using:

vpn clients - Static IP Pool - 10.255.255.0/24
Local network (including vpn server) - 192.168.100.0/24

VPN server IPs: 192.168.100.11 (physical) | 10.255.255.10 (internal)


How do I configure RRAS so that the VPN clients will be able to access resources on the local network even with a different subnet? I tried putting a static route in IPv4:
Destination: 10.255.255.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.100.11 (IP address of the VPN Server)

I am sure this is not correct because it's not working.

I appreciate any help.
Question by: pords

Accepted Solution by: Qlemo (earned 500 total points)
ID: 40429161
When the clients dial in, they get a 10.255.255.0/24 address, and the corresponding route is set automatically. That is, if the "Use remote gateway" option is not used on the client, in which case the default gateway is changed - I assume that is not intended.

So, on dial-in you need to set a route to the real network, and there is no other way than to do that by batch:
  route add 192.168.100.0 mask 255.255.255.0 192.168.100.11
You do not need that route if the default gateway gets changed.

I'm pretty certain the RRAS server is not your internal default gateway. So answers for packets originating from 10.255.255.0/24 will be sent to another router (that network is not known by the LAN clients), and the router does not know what to do either.
Choices are either to set the route for 10.255.255.0/24 using 192.168.100.11 on the default gateway, or on each local machine needing to be reachable via VPN.

Author Comment by: pords
ID: 40429186
Yes - the clients get a 10.255.255.0/24 address and yes, the "use remote gateway" option is not checked. And finally, we have a dedicated gateway (SW firewall) for the 192.168.100.0 network and it's not the RRAS server.

"Choices are either to set the route for 10.255.255.0/24 using 192.168.100.11 on the default gateway" - will I be setting this in the IPv4 Static Routes section? Because that's what I did first and it didn't work. I thought by putting it there.

Expert Comment by: Qlemo
ID: 40429193
As said, you need both steps - setting the additional route on the VPN client and setting the VPN route on the default gateway. Yes, the "Static Routes" section should be correct.

Author Comment by: pords
ID: 40429233
Sorry, I forgot to mention. I added the static route on the RRAS server for 10.255.255.0/24 with DG 192.168.100.11 and added a route on the client to the 192.168.100.0 network with DG 192.168.100.11.
Here is the routing table on the client:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.31.1    172.16.31.233     25
         10.0.0.0        255.0.0.0    10.255.255.11    10.255.255.12     21
    10.255.255.12  255.255.255.255         On-link     10.255.255.12    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.16.31.0    255.255.255.0         On-link     172.16.31.233    281
    172.16.31.233  255.255.255.255         On-link     172.16.31.233    281
    172.16.31.255  255.255.255.255         On-link     172.16.31.233    281
   173.220.158.58  255.255.255.255      172.16.31.1    172.16.31.233     26
    192.168.100.0    255.255.255.0   192.168.100.51    172.16.31.233     26
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.16.31.233    281
        224.0.0.0        240.0.0.0         On-link     10.255.255.12    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.31.233    281
  255.255.255.255  255.255.255.255         On-link     10.255.255.12    276
===========================================================================
Persistent Routes:
  None

And the routing table in RRAS:
Destination      Net Mask              Gateway                     Interface
0.0.0.0               0.0.0.0                   192.168.100.254       Local Area Connection
10.255.255.0    255.255.255.0      192.168.100.11         Local Area Connection

Is this what it's supposed to be?

Author Comment by: pords
ID: 40429334
With the above routes in place, doing a tracert on the client shows the first hop is sent to the 0.0.0.0 address.

Expert Comment by: Qlemo
ID: 40429737
Again:
- don't add a route to RRAS
- add the route to the client - done
- add a route to either the default gateway on the LAN or each LAN device.

Author Comment by: pords
ID: 40433856
Qlemo - sorry for misunderstanding your previous instruction. It's working now and here are some changes I made.

1. I had to change the IP subnet to 192.168.255.0/24 because I was getting a /8 network when I used 10.255.255.0 although I intended to use /24 - no biggie.
2. Added a route to 192.168.100.0/24 on the client using 192.168.255.11 as the gateway.
3. Added a route on the default gateway of the 192.168.100.0 network to the 192.168.255.0 network.

Thank you for pointing me in the right direction.

Extra request - I am trying to use CMAK to automate the creation/distribution of the connection and route. Any suggestion? I am having an issue when it tries to create the route - Custom script (to update your routing table) failed (8007000b).
 - I have this command in the route file - ADD 192.168.0.0 MASK 255.255.255.0 default METRIC default IF default
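The routing logic Qlemo describes, as an added example that is not part of this thread: a small Python longest-prefix-match model built from the client and RRAS tables posted above (abridged, with placeholder "ISP-UPLINK"/"wan0"/"lan0" names for the office firewall's interfaces, which the thread does not give). It shows why a 192.168.100.x destination leaves the client on its ISP default route until a route via the RRAS server's VPN-side address is added, why the classful 10.0.0.0/8 route in the earlier client table catches every 10.x address, and why the office default gateway also needs a route back to the client pool.

```python
import ipaddress

# Route rows constructed from the client and RRAS tables posted in this thread, abridged
# to the ones that matter: (destination, netmask, gateway, interface, metric).
CLIENT_BEFORE = [
    ("0.0.0.0", "0.0.0.0", "172.16.31.1", "172.16.31.233", 25),        # ISP default route
    ("10.0.0.0", "255.0.0.0", "10.255.255.11", "10.255.255.12", 21),   # classful /8 from the dial-in
    ("172.16.31.0", "255.255.255.0", "On-link", "172.16.31.233", 281), # client's own LAN
]
# Client-side fix: office LAN routed to the RRAS server's VPN-side address over the VPN adapter.
CLIENT_AFTER = CLIENT_BEFORE + [
    ("192.168.100.0", "255.255.255.0", "10.255.255.11", "10.255.255.12", 26),
]
# Office default gateway (192.168.100.254 in the RRAS table); "ISP-UPLINK", "wan0", "lan0"
# are placeholders, the thread does not show that firewall's table.
LAN_GW_BEFORE = [
    ("0.0.0.0", "0.0.0.0", "ISP-UPLINK", "wan0", 1),
    ("192.168.100.0", "255.255.255.0", "On-link", "lan0", 1),
]
# Gateway-side fix: the client pool lives behind the RRAS server's LAN address.
LAN_GW_AFTER = LAN_GW_BEFORE + [("10.255.255.0", "255.255.255.0", "192.168.100.11", "lan0", 1)]


def next_hop(routes, dst):
    """Longest-prefix match, lowest metric on ties, as a host picks a route for dst.
    Returns (gateway, interface); 'On-link' means dst is delivered directly."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, (gw, iface))
    return best[1] if best else None


def round_trip_ok(client_routes, gw_routes, client_ip, lan_host):
    """Both directions must cross the VPN: the client must send via its VPN adapter and
    the office gateway must send the reply to the RRAS server, not to its internet uplink."""
    out = next_hop(client_routes, lan_host)
    back = next_hop(gw_routes, client_ip)
    return bool(out and out[1] == "10.255.255.12" and back and back[0] == "192.168.100.11")


if __name__ == "__main__":
    for label, table in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, "client -> 192.168.100.20 via", next_hop(table, "192.168.100.20"))
    print("classful /8 catches 10.1.2.3:", next_hop(CLIENT_BEFORE, "10.1.2.3"))
    print("round trip:", round_trip_ok(CLIENT_AFTER, LAN_GW_AFTER, "10.255.255.12", "192.168.100.20"))
```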

Expert Comment by: Qlemo
ID: 40433918
ADD 192.168.0.0 is certainly a typo - it should be ADD 192.168.100.0
I've no experience with CMAK, but I guess the IF default is the issue. Try to get a log of which route it is trying to set, for starters.

Author Comment by: pords
ID: 40434239
:) Sorry, it is indeed a typo. I had it the right way in the actual command. Thanks again!