routing problem

Andrei Bolboceanu

Hi everybody,
I have the following situation:
2 Windows 2000 Srv (with SP3 and ISA) domains (DC1 and DC2) each with
routable IP (in different locations).
DC1 has a LAN with IP from class 192.168.100.0
DC2 has a LAN with IP from class 192.168.50.0
I made on DC1 a demand dial interface which points to the external IP on DC2.
The interface works fine.
I also added a static route on DC1 which routes all requests for 192.168.50.0
thru the demand dial interface.
The problem is that only from DC1 I can ping workstations from DC2 but from
workstations in DC1 I can't do that.
IP routing is enabled, I configured packet filters in ISA to allow VPN call
and receive.
Any ideas?
Thx, Andrew.
 
isa i

Andrei Bolboceanu said:
Hi everybody,
I have the following situation:
2 Windows 2000 Srv (with SP3 and ISA) domains (DC1 and DC2) each with
routable IP (in different locations).
DC1 has a LAN with IP from class 192.168.100.0
DC2 has a LAN with IP from class 192.168.50.0
I made on DC1 a demand dial interface which points to the external IP on DC2.
The interface works fine.
I also added a static route on DC1 which routes all requests for 192.168.50.0
thru the demand dial interface.
The problem is that only from DC1 I can ping workstations from DC2 but from
workstations in DC1 I can't do that.
IP routing is enabled, I configured packet filters in ISA to allow VPN call
and receive.
Any ideas?
Thx, Andrew.

I have the same problem.
I also tried the dial interface as 'demand dial' as well as 'client' interface -
it works just the same as you describe.
I also noticed that when I look in the routing table on one DC I see
some strings with something like "... not available for interface: 1677..."

& Google keeps silent...
 
Bill Grant

If both servers are running ISA server, you do not need to set all of
this up yourself using RRAS. You set it up from ISA using the Local ISA
Server VPN wizard. This configures your ISA server as one end of a
router-to-router VPN connection, and also produces a .vpc file to configure
the ISA server at the other end.
 
Pawan Agarwal [MSFT]

You need to add a static route on DC2 to forward all packets for
192.168.100.0 through demand dial.

What's happening is:
1) When you ping from the server: your source address in the ping request is
the demand-dial connection end-point's IP address, and DC2 knows to route it
through the demand-dial connection. So ping works.
2) When you ping from some other client: the source address is
192.168.100.x. So when the ping request reaches DC2, DC2 does not know how to
reach that subnet. So you need to add a static route on DC2 to use demand-dial
to reach the 192.168.100.0 subnet.

Hope this helps
Pawan

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Andrei Bolboceanu

I'm sorry but maybe I wasn't very clear:
- Only in DC1 I have a demand dial (DC1 has subnet IP 192.168.100.0)
- in DC2 I don't have a demand dial (DC2 has subnet IP 192.168.50.0)

I added a static route on DC1 to route requests for 192.168.50.0 thru demand
dial - but this seems not to work because a trace from the DC1 LAN stops at the DC1 IP.

So I must do something else but what?
Thx, Andrew.
 
Bill Grant

Routing is a two-way process. There must be a route available in both
directions for you to be able to ping from one LAN to the other.


To successfully set up a router to router VPN connection so that you can
route from one subnet to the other, you must have demand-dial interfaces at
both ends. Even if you only initiate the connection from one side, both
routers must have a route to the "other" subnet through the tunnel. No
routes are set up by default.

So your setup must be symmetrical. Each RRAS router has a demand-dial
interface with a route to the "other" subnet linked to it. The "calling"
router must use the name of the demand-dial interface on the answering
router to establish the connection. This binds the demand-dial interface to
the VPN connection, and the system adds the route to the routing table.

Now each router has a route to the "other" subnet through the VPN
connection. If the RRAS routers are the default gateway for the LANs, you
can now route through the VPN connection. A workstation on one LAN can ping
a workstation on the other, just as if they were connected by a "normal" IP
router (but a fair bit slower!).
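
The asymmetry described in the replies above can be reproduced with two routing tables and a longest-prefix lookup. This is an added example, not part of the thread; the tunnel endpoint address 10.99.0.1, the host addresses and the default routes are constructed assumptions.

```python
import ipaddress

# Constructed sample data: the thread gives only the two LAN subnets.
# The tunnel endpoint (10.99.0.1) and the default routes are assumptions.
DC1_ROUTES = [
    ("0.0.0.0/0", "internet"),
    ("192.168.100.0/24", "lan"),
    ("192.168.50.0/24", "tunnel"),   # static route added on DC1
]
DC2_ROUTES = [
    ("0.0.0.0/0", "internet"),
    ("192.168.50.0/24", "lan"),
    ("10.99.0.1/32", "tunnel"),      # host route to the caller's tunnel endpoint
]

def lookup(routes, dst):
    """Longest-prefix match: return the outgoing interface for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def ping(src, dst, near, far):
    """Follow the echo request near->far, then the echo reply far->near."""
    if lookup(near, dst) != "tunnel":
        return "request never enters the tunnel"
    back = lookup(far, src)          # the reply is routed on the request's source
    if back != "tunnel":
        return f"reply to {src} leaves via '{back}', not the tunnel"
    return "ok"

def with_return_route(routes):
    """DC2's table after adding the route back to DC1's LAN via the tunnel."""
    return routes + [("192.168.100.0/24", "tunnel")]

if __name__ == "__main__":
    # From the DC1 server itself: source is the tunnel endpoint address.
    print(ping("10.99.0.1", "192.168.50.10", DC1_ROUTES, DC2_ROUTES))
    # From a DC1 workstation: DC2 has no route back to 192.168.100.0/24.
    print(ping("192.168.100.20", "192.168.50.10", DC1_ROUTES, DC2_ROUTES))
    # Same ping once DC2 has the symmetric route.
    print(ping("192.168.100.20", "192.168.50.10",
               DC1_ROUTES, with_return_route(DC2_ROUTES)))
```
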
 
Andrei Bolboceanu

Ok - I understand now - but the problem is that I can't start both demand
dial interfaces on both sides. If I start one of them (on each side it works
the same) - then the second demand dial (at the other side) won't start
(returns an unreachable error - timeout) and vice versa.
It is strange - isn't it? What can I do?

thx, Andrew
 
Bill Grant

You only have to start it once (from either end). When the connection
is made, both demand-dial interfaces should be bound to the connection.
Check in the RRAS console that both interfaces have changed to "connected"
status. If they have, also check that the subnet routes have been added to
the routing table (by doing a route print command).

If the interface at the "answering" router is not connected, check that
you are using its demand-dial interface name as the username when calling
up. The username must match the dd interface name to bind it to the
connection. Otherwise you just connect as a "normal" VPN client (not a
router), and the route is not added to the routing table.
 
