Solved

Configure RRAS VPN with Off Subnet Clients

Posted on 2014-11-07
9
513 Views
Last Modified: 2014-11-10
I am trying to configure PPTP VPN on a Windows Server 2008 R2 box with a single NIC. The RRAS config part and firewall pass-through is working just fine. I am able to connect from outside and get a valid IP address. The goal is to give remote clients a different IP subnet and still be able to access the IP subnet where the VPN server is.

Here are the addressing schemes I am using:

VPN clients - Static IP Pool - 10.255.255.0/24
Local network (including VPN server) - 192.168.100.0/24

VPN server IPs: 192.168.100.11 (physical) | 10.255.255.10 (internal)


How do I configure RRAS so that the VPN clients will be able to access resources on the local network even with a different subnet? I tried putting a static route in IPv4:
Destination: 10.255.255.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.100.11 (IP address of the VPN Server)

I am sure this is not correct because it's not working.

I appreciate any help.
0
9 Comments
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40429161
When the clients dial in, they get a 10.255.255.0/24 address, and the corresponding route is set automatically. That is, as long as the "Use remote gateway" option is not used on the client; with that option the default gateway is changed, which I assume is not intended.

So, on dial-in you need to set a route to the real network, and there is no other way than to do that by batch:
  route add 192.168.100.0 mask 255.255.255.0 192.168.100.11
You do not need that route if the default gateway gets changed.

I'm pretty certain the RRAS server is not your internal default gateway. So replies to packets originating from 10.255.255.0/24 will be sent to another router (that network is not known by the LAN clients), and the router does not know what to do either.
Choices are either to set the route for 10.255.255.0/24 using 192.168.100.11 on the default gateway, or on each local machine needing to be reachable via VPN.
0
 

Author Comment

by:pords
ID: 40429186
Yes, the clients get a 10.255.255.0/24 address, and yes, the "use remote gateway" option is not checked. And finally, we have a dedicated gateway (SW firewall) for the 192.168.100.0 network, and it's not the RRAS server.

"Choices are either to set the route for 10.255.255.0/24 using 192.168.100.11 on the default gateway" - will I be setting this in the IPv4 Static Routes section? Because that's what I did first and it didn't work. I thought by putting it there.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40429193
As said, you need both steps: setting the additional route on the VPN client and setting the VPN route on the default gateway. Yes, the "Static Routes" section should be correct.
0
 

Author Comment

by:pords
ID: 40429233
Sorry, I forgot to mention. I added the static route in the RRAS server for 10.255.255.0/24 with DG 192.168.100.11 and added a route on the client to the 192.168.100.0 network with DG 192.168.100.11.
Here is the routing table on the client:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.31.1    172.16.31.233     25
         10.0.0.0        255.0.0.0    10.255.255.11    10.255.255.12     21
    10.255.255.12  255.255.255.255         On-link     10.255.255.12    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.16.31.0    255.255.255.0         On-link     172.16.31.233    281
    172.16.31.233  255.255.255.255         On-link     172.16.31.233    281
    172.16.31.255  255.255.255.255         On-link     172.16.31.233    281
   173.220.158.58  255.255.255.255      172.16.31.1    172.16.31.233     26
    192.168.100.0    255.255.255.0   192.168.100.51    172.16.31.233     26
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.16.31.233    281
        224.0.0.0        240.0.0.0         On-link     10.255.255.12    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.31.233    281
  255.255.255.255  255.255.255.255         On-link     10.255.255.12    276
===========================================================================
Persistent Routes:
  None

and the routing table in RRAS:
Destination      Net Mask              Gateway                     Interface
0.0.0.0               0.0.0.0                   192.168.100.254       Local Area Connection
10.255.255.0    255.255.255.0      192.168.100.11         Local Area Connection

Is this what it's supposed to be?
0
 

Author Comment

by:pords
ID: 40429334
With the above routes in place, doing a tracert on the client shows the first hop is sent to the 0.0.0.0 address.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40429737
Again:
don't add a route to RRAS;
add the route to the client - done;
add a route to either the default gateway on the LAN or each LAN device.
0
 

Author Comment

by:pords
ID: 40433856
Qlemo - sorry for misunderstanding your previous instruction. It's working now, and here are the changes I made.

1. I had to change the IP subnet to 192.168.255.0/24 because I was getting a /8 network when I used 10.255.255.0, although I intended to use /24 - no biggie.
2. Added a route to 192.168.100.0/24 on the client using 192.168.255.11 as the gateway.
3. Added a route on the default gateway of the 192.168.100.0 network to the 192.168.255.0 network.

Thank you for pointing me in the right direction.

Extra request: I am trying to use CMAK to automate the creation/distribution of the connection and route. Any suggestions? I am having an issue when it tries to create the route: Custom script (to update your routing table) failed (8007000b).
I have this command in the route file: ADD 192.168.0.0 MASK 255.255.255.0 default METRIC default IF default
0
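The accepted solution and the final working configuration above both come down to one rule: the client needs a route to the LAN through the tunnel, and the LAN's default gateway needs a return route for the VPN pool via the RRAS server's LAN address. The following script is an added example, not code from the thread or from Microsoft: it replays the client and LAN-gateway routing tables as posted (the 10.255.255.0/24 numbering, with the PPTP peer 10.255.255.11 taken from the client's 10.0.0.0/8 route, and a constructed ISP uplink 203.0.113.0/30 for the firewall) and reports which direction still breaks before each of the two routes is in place.

```python
import ipaddress

# Constructed tables modelled on the ones posted in this thread (assumed values).
# Route entry: (destination prefix, gateway or None for on-link, interface address).
# The interface map gives what each interface reaches directly; on the PPTP link
# that is only the peer 10.255.255.11, taken from the client's 10.0.0.0/8 route.
CLIENT_IFACES = {"172.16.31.233": "172.16.31.0/24", "10.255.255.12": "10.255.255.11/32"}
CLIENT_BROKEN = [
    ("0.0.0.0/0", "172.16.31.1", "172.16.31.233"),
    ("10.0.0.0/8", "10.255.255.11", "10.255.255.12"),          # classful route PPTP installs
    ("172.16.31.0/24", None, "172.16.31.233"),
    ("192.168.100.0/24", "192.168.100.51", "172.16.31.233"),  # gateway is not on-link anywhere
]
CLIENT_FIXED = CLIENT_BROKEN[:3] + [("192.168.100.0/24", "10.255.255.11", "10.255.255.12")]
RRAS_LAN_IP = "192.168.100.11"
GW_IFACES = {"192.168.100.254": "192.168.100.0/24", "203.0.113.2": "203.0.113.0/30"}
LAN_GW_BEFORE = [
    ("0.0.0.0/0", "203.0.113.1", "203.0.113.2"),   # constructed ISP uplink of the firewall
    ("192.168.100.0/24", None, "192.168.100.254"),
]
LAN_GW_AFTER = LAN_GW_BEFORE + [("10.255.255.0/24", RRAS_LAN_IP, "192.168.100.254")]

def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, i) for p, gw, i in table if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def usable(ifaces, entry):
    """A route only works if its gateway is directly reachable on the route's interface."""
    _, gw, iface = entry
    return gw is None or ipaddress.ip_address(gw) in ipaddress.ip_network(ifaces[iface])

def check_path(client, client_ifaces, lan_gw, gw_ifaces, client_ip, lan_host, rras_lan_ip):
    """List what breaks for client_ip -> lan_host and for the reply routed by the LAN gateway."""
    issues = []
    fwd = lookup(client, lan_host)
    if fwd is None or not usable(client_ifaces, fwd):
        issues.append(f"client: no usable route to {lan_host} (next hop {fwd[1] if fwd else None})")
    ret = lookup(lan_gw, client_ip)
    if ret is None or ret[1] != rras_lan_ip or not usable(gw_ifaces, ret):
        issues.append(f"LAN gateway: reply to {client_ip} goes to {ret[1] if ret else None}, not {rras_lan_ip}")
    return issues

if __name__ == "__main__":
    for name, c, g in [("as posted", CLIENT_BROKEN, LAN_GW_BEFORE),
                       ("client fixed only", CLIENT_FIXED, LAN_GW_BEFORE),
                       ("both routes set", CLIENT_FIXED, LAN_GW_AFTER)]:
        print(name, check_path(c, CLIENT_IFACES, g, GW_IFACES, "10.255.255.12", "192.168.100.20", RRAS_LAN_IP) or "OK")
```

The "client fixed only" case is the state the thread was stuck in: the forward path is fine, but the firewall still sends replies for the VPN pool out its default route.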
 
LVL 69

Expert Comment

by:Qlemo
ID: 40433918
ADD 192.168.0.0 is certainly a typo; it should be ADD 192.168.100.0
I've no experience with CMAK, but I guess the IF default is the issue. For starters, try to get a log of which route it tries to set.
0
 

Author Comment

by:pords
ID: 40434239
:) Sorry, it is indeed a typo. I had it the right way in the actual command. Thanks again!
0
