bridging lan > vpn

Thread starter: Kristofer Andersson

Kristofer Andersson

How do I configure bridging from the LAN to a VPN connection on Win2k or
Win2k3? Or is this not allowed? If so, why?
 

Phillip Windell

Define what you mean by "bridging" and why you think or desire to do it. It
is easier to solve when working towards the goal rather than working on a
problem when you don't know where it "leads".
 

Kristofer Andersson

Ok, here is what I have:
LAN A. Company we are doing a joint project with. I am not in control of it
but we access it using VPN. They have a Win2k server acting as a VPN server.
LAN B. My lan. I want traffic destined for the address range of LAN A to be
routed through a VPN connection to LAN A by my Win2k server.

I have tried by setting up a routing interface in 'routing and remote
access' (interface is demand dial) and a static route for the network I want
to route to. From my win2k server where the routing is configured I can
access machines in LAN A, but no other machine in LAN B can use this route.
 

Phillip Windell

Whatever device your machines are currently using for a Default Gateway must
contain a Static Route for LAN-A that points to the VPN Device. It is just
simple Layer3 Routing, no bridging or anything like that. If this can't be
done, then the VPN Device must be the Default Gateway of all machines, then
on the VPN Device its own Default Gateway would point to what ever you
*used* to use as the Default Gateway before all this came along.

Also depending on your proxy server/firewall design you may have to include
LAN-A's IP# range in the proxy/firewall's LAT so that LAN-A is understood to
be a "local subnet" and not somewhere out in "Internet-land". This may or
may not apply to you, you will have to figure that out.
 

Kristofer Andersson

Thanks.

I have tried that but for some reason the win2k server that acts as the vpn
router reports that the destination net is unavailable.

A tracert shows the following:

Tracing route to 10.10.5.29 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms xxx.xxx.net [192.168.112.6]
2 xxx.xxx.net [192.168.112.6] reports: Destination host unreachable.

Trace complete.

However, doing the same tracert on the server goes all the way to the
destination.

Could RIP broadcasts from a router on the same lan cause a conflict even
though I have set the default gateway to be the win2k server?
 

Phillip Windell

Well I don't know anything about your network config at this point, so I am
just shooting blind. But if the router machine can see both networks on
each side of it but other machines cannot actually route across it, then one
of the following (or combination of) are wrong:

1. IP Routing is not enabled
2. Routing Table has been messed with and is not correct.
3. Network settings (IP#, Gateway, Mask, etc) of the Nics are not correct
4. Packet Filters of the wrong type have been added, or filters of the right
type in the wrong place.
5. Network settings of the clients sending the packet or receiving the
packet is not correct.
6. The network has other routing devices and the system as a whole is not
configured to work together properly.
 

Kristofer Andersson

Thanks. I looked through the different areas you suggest and here is what I
found:

> 1. IP Routing is not enabled

It is enabled ("enable this computer as a router" is checked and "LAN and
demand-dial routing" is selected).

> 2. Routing Table has been messed with and is not correct.

This is possible. There is a weird entry in the route table on the server
that acts as a router. See the first one - why is gateway 0.0.0.0? (all
these were automatically added when I added the route in "routing and remote
access")

Network Destination  Netmask          Gateway      Interface    Metric
10.10.5.0            255.255.255.0    0.0.0.0      10.10.5.146  3
10.10.5.0            255.255.255.0    10.10.5.150  10.10.5.146  3
10.10.5.146          255.255.255.255  127.0.0.1    127.0.0.1    1
10.10.5.150          255.255.255.255  10.10.5.146  10.10.5.146  1
10.255.255.255       255.255.255.255  10.10.5.146  10.10.5.146  1

> 3. Network settings (IP#, Gateway, Mask, etc) of the Nics are not correct

hasn't changed

> 4. Packet Filters of the wrong type have been added, or filters of the right
> type in the wrong place.

No packet filters are set up

> 5. Network settings of the clients sending the packet or receiving the
> packet is not correct.

can't find anything wrong

> 6. The network has other routing devices and the system as a whole is not
> configured to work together properly.

Yes, there are two other routers. They are now configured to route all
traffic for the target network (10.10.5.0) through the windows server.

Here's a tracert on the server:
Tracing route to xxx.xxx [10.10.5.29] over a maximum of 30 hops:

1 985 ms 797 ms 953 ms xxx.xxx [10.10.5.150]
2 1062 ms 922 ms 938 ms xxx.xxx [10.10.5.29]

Trace complete.

Here's a tracert on my pc:
Tracing route to 10.10.5.29 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.112.1
2 2 ms 2 ms 2 ms 192.168.112.253
3 4 ms 3 ms 3 ms xxx.xxx [192.168.112.6]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * ^C

The first and second ones are other routers; the third one is the win2k
server that has the vpn route configured.
 

Phillip Windell

Kristofer Andersson said:
> This is possible. There is a weird entry in the route table on the server
> that acts as a router. See the first one - why is gateway 0.0.0.0? (all
> these were automatically added when I added the route in "routing and remote
> access")
>
> 10.10.5.0 255.255.255.0 0.0.0.0 10.10.5.146 3

When you added what route in RRAS?

Forget pinging or tracing across it. Can a client ping the closest
interface of the router?...in other words, just *to* it and not across it?

To tell you the truth, there is just too much "fog" surrounding the design
and configuration of this network for me to do anything with it.
 

Kristofer Andersson

> When you added what route in RRAS?

Under routing interfaces:
a demand dial vpn connection

Under Static Route:
Interface: name of the vpn connection
Destination: 10.10.5.0
Mask: 255.255.255.0
Gateway: grayed out when I selected the vpn interface
Metric: 1
Use this route to initiate demand-dial connections: checked

> Forget pinging or tracing across it. Can a client ping the closest
> interface of the router?...in other words, just *to* it and not across it?

It can ping the win2k server that acts as a router on my side. It can not
ping the win2k server that is the vpn server on the other side.

> To tell you the truth, there is just too much "fog" surrounding the design
> and configuration of this network for me to do anything with it.

:)

Let me try to clarify what we have:
1) a DSL connection to the internet. This one has a SOHO firewall device.
This is the default gateway for all PCs. IP 192.168.112.1
Has a route for 10.10.1.0 to gateway 192.168.112.253
2) a T1 connection to another company with a Cisco router. IP
192.168.112.253.
routes traffic for 10.10.0.0 to external network but has an exception route
for 10.10.5.0 to go through 192.168.112.6
3) a win2k server 192.168.112.6 configured as a router and to route all
traffic for 10.10.5.x through a VPN connection to a Win2k VPN server on the
other side of the planet
4) a bunch of PCs with IPs in the 192.168.112.50-192.168.112.252 range, mask
255.255.255.0, default gateway 192.168.112.1
 

Phillip Windell

> Let me try to clarify what we have:

Ok, it is making more sense. It is late here, let me get back to it in the
morning when I feel all "fresh". Plus I may be able to experiment with a
similar RRAS box tonight and see what results I get. I'll print out your
description and take it home,..maybe map out a few things.
 

Phillip Windell

Ok,...
I don't see anything wrong with your Layer3 Routing. So I think the problem
is in the way that the VPN was implemented with RRAS. RRAS can do two
types, Remote Access VPN and Router-to-Router VPN. You need the
Router-to-Router VPN which is quite a bit more complex to set up. These
articles should help to verify if you did it correctly. One is for using
2003 and the other is for doing it with 2000. They are not short and are
over 50 pages printed out per each article.

2003 uses the term Site-to-Site VPN instead of Router-to-Router but it is
the same thing. Watch out that the email line-wrap doesn't destroy the
URLs.

Virtual Private Networking with Windows 2000: Deploying Router-to-Router
VPNs
http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/vpnroute.mspx

Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 

Kristofer Andersson

This would need config changes on the other side, something they don't want
to do so I guess we have to stick to individual vpn connections on the
client PCs for now.

Thank you very much for your help and patience in sorting this out!
 

Phillip Windell

Kristofer Andersson said:
> This would need config changes on the other side, something they don't want
> to do so I guess we have to stick to individual vpn connections on the
> client PCs for now.
> Thank you very much for your help and patience in sorting this out!

You're welcome, sir! I hope things work out in the end.
 

Bill Grant

If they won't make any changes at the other end, you are stuck.
Routing is a two-way process, and both sides must know how to handle traffic
for the "other" site. There is no way you can set this up from your end
alone.
 
