Multiple VPN Routing Question

Matt Will

Hello, need your help on this one, please.

Setting:

Network A:
192.168.1.0 mask 255.255.255.0
Win2k VPN Server A is: 192.168.1.5

Network B:
192.168.2.0 mask 255.255.255.0
Win2K VPN Server B is: 192.168.2.7

Home clients config ("network C")
10.1.1.0 mask 255.255.255.0


Network A and B are connected with a 2-way PPTP VPN Connection through
the Internet (i.e. Server A has a connection to server B, and server B
has a connection to server A).
Servers and clients on both networks have specific routes set to be
able to connect to the other subnet through the respective servers.

Default routes on the VPN servers go to 192.168.1.1 / 192.168.2.1
(external routers/NAT to internet).

Everything works fine up to this point.

Now, when employees connect to Network A/Server A from home (VPN via
internet), they are only able to reach all the hosts in network A, but
no hosts in network B.
A ping and traceroute only show "request timed out".

Manually setting a route on their clients for the remote network B
does not help
(e.g. route add 192.168.2.0 mask 255.255.255.0 192.168.1.5 metric 2).


Is there a way to make it so that the remote clients can reach networks
A and B by just connecting to the VPN server in network A?

Thanks in advance!
 
Robert L [MS-MVP]

I had a case similar to this one. Based on that case, I wrote a how-to: http://www.howtonetworking.com/Networking/multiplerouters1.htm. To fix the problem, you may need a route back to the VPN client. Post back with the result.

Don't send e-mail or reply to me unless you need consulting services. Posting on the MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!

 
Phillip Windell

I don't think you should be using static routes on individual machines.
Sometimes such things are legit, but most of the time it is just a
"band-aid" to cover up a bad routing design. Your LAN's routing scheme
should be controlled only by the routing devices. A network's routing and
connectivity should fully function all by itself apart from the Client
Computers and most of the Servers that run on it. The fact that it is VPN
does not matter. The individual machines should only have their Default
Gateway and nothing else. If the routing scheme on the LAN is not "clean &
tidy" then the Remote Access VPN users aren't going to work right.

Assuming you don't have a LAN Router and the VPN Server is both the VPN and
the way out to the Internet at the same time (does two jobs)...

The Users in Net-A should use 192.168.1.5 as the Default Gateway. VPN
Server-A should be the only thing that contains the Route to Network-B. The
Client machines don't need to be concerned about any "routes".

The Users in Net-B should use 192.168.2.7 as the Default Gateway. VPN
Server-B should be the only thing that contains the Route to Network-A. The
Client machines don't need to be concerned about any "routes".

The only thing the Remote Access VPN users (home clients) need is to be sure
they don't do split tunneling, that is, the "Use Gateway on Remote Network"
option must be *enabled*. This means that they will get their routing
information only from the VPN Router they are dialing into and nothing else,
therefore all the non-local traffic goes to it, and it is then up to that VPN
Router to be smart enough to know what to do with it from there.

There are some known problems when the same machine is serving as both the
Internet NAT Device and the VPN Router at the same time.

How to Use NAT for Incoming RAS Connections on the Same RRAS Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;310888
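As an added example (not code from the thread or from any of the posters), the following longest-prefix-match forwarding simulation traces an echo request from a home client to a host in network B and then the reply, using the thread's own addresses, first with the question's routing tables and then with a route back to 10.1.1.0/24 on Server B (Robert's point) and the VPN server as the LAN hosts' only gateway (Phillip's point). The host 192.168.2.50, the client's tunnel address 10.1.1.20, the node names, and the use of each server's LAN address as the tunnel next hop are assumptions made to keep the model small.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; None means no route."""
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def trace(nodes, src, dst_ip, max_hops=8):
    """Forward one packet hop by hop; returns (path, delivered)."""
    dst, path = ipaddress.ip_address(dst_ip), [src]
    for _ in range(max_hops):
        if dst in nodes[path[-1]]["ips"]:
            return path, True
        nh = lookup(nodes[path[-1]]["routes"], dst)
        via = dst if nh == "direct" else (ipaddress.ip_address(nh) if nh else None)
        nxt = next((n for n, d in nodes.items() if via in d["ips"]), None)
        if nxt is None:  # no route, or next hop unreachable: the ping times out here
            return path, False
        path.append(nxt)
    return path, False

def topology(fixed):
    """Constructed tables for the thread's addresses; "direct" means on-link."""
    ip = ipaddress.ip_address
    server_b = {"192.168.2.0/24": "direct", "192.168.1.0/24": "192.168.1.5",
                "0.0.0.0/0": "192.168.2.1"}
    host_b = {"192.168.2.0/24": "direct", "192.168.1.0/24": "192.168.2.7",
              "0.0.0.0/0": "192.168.2.1"}  # per-host static route, as in the question
    if fixed:
        server_b["10.1.1.0/24"] = "192.168.1.5"  # Robert: route back to the VPN clients
        host_b = {"192.168.2.0/24": "direct", "0.0.0.0/0": "192.168.2.7"}  # Phillip: gateway only
    return {
        "home-client": {"ips": {ip("10.1.1.20")}, "routes": {"0.0.0.0/0": "192.168.1.5"}},
        "server-a": {"ips": {ip("192.168.1.5")}, "routes": {"192.168.1.0/24": "direct",
            "10.1.1.0/24": "direct", "192.168.2.0/24": "192.168.2.7", "0.0.0.0/0": "192.168.1.1"}},
        "server-b": {"ips": {ip("192.168.2.7")}, "routes": server_b},
        "host-b": {"ips": {ip("192.168.2.50")}, "routes": host_b},
        "nat-b": {"ips": {ip("192.168.2.1")}, "routes": {}},  # NAT box: no routes for private space
    }

def round_trip(fixed):
    nodes = topology(fixed)
    req, req_ok = trace(nodes, "home-client", "192.168.2.50")  # echo request
    rep, rep_ok = trace(nodes, "host-b", "10.1.1.20")          # echo reply
    return {"request": req, "request_ok": req_ok, "reply": rep, "reply_ok": rep_ok}
```

With the question's tables, round_trip(False) shows the request delivered but the reply falling through to the NAT router at 192.168.2.1 and being dropped, which is exactly what the client sees as "request timed out"; round_trip(True) shows the reply coming back through Server B and Server A.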
 
Mike

Helpful websites.

Mike

