Router-to-router VPN connects but nothing else

[James Ellison]

I'm trying to set up a VPN between two small networks each in the same
domain. I thing I have all the correct settings in RAS for the
demand-dial connection (routing interface, each server has user account,
etc.). When they connect, they cannot pass any traffic; I'm assuming I
have to set up the NAT protocol but don't have any idea how to accomplish
this. Thanks for any advice or references.

James

 

[Bill Grant]

If they are both using private IPs, why would you think you needed NAT?

What you do need is routes linked to the demand-dial interfaces at both
ends of the VPN link to route traffic for the "other" subnet through the VPN
link. It is explained in the help files for router to router VPN links.

Particularly note the bit which states that the "calling" router must
connect with the name of the demand-dial interface on the "answering" router
as its username. This is essential to bind both dd interfaces to the
connection and set up the routing.

 

[Robert L [MS-MVP]]

assuming the vpn connects to each other, can you ping?

--
For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.

 

[James Ellison]

No, cannot ping between networks. In addition, the internal routing
interface has now taken on a new network address 169.x.x.x. Not sure how
this got in there, but it seems to have lost the connection with my two
networks 10.137.13.x and 10.137.15.x.

Thanks

 

[Bill Grant]

If the internal interface gets an APIPA address, it means that you
haven't set up a static address pool and it can't use DHCP for some reason.
That shouldn't really affect your LAN to LAN routing, though.

Do the demand dial interfaces get an IP?

 

[James Ellison]

Thanks for the responses. I spent a few hours last night and today
working on IAS and getting the permissions set up. Now the two servers
seem to connect pretty well.

As far as I can tell, APIPA is not an issue; I have set up a static
address pool and the demand-dial interefaces do get an IP on the other
network. Actually, the demand-dial interfaces seem to get two IP's one
for the RAS inbound connection and another on the other network (for
outbound traffic, it would seem...). So here is the general scheme of
things, where each server has two nic's:

home_office_network: 10.137.13.0 / 255.255.255.0
main server main ip is 10.137.13.10
main server inbound vpn ip is 10.137.13.150
lan dhcp ip's are 10.137.13.100-120
lan vpn static pool is 10.137.13.151-170

downtown_office_network: 10.137.15.0 / 255.255.255.0
main server main ip is 10.137.15.40
main server inbound vpn ip is 10.137.15.150
lan dhcp ip's are 10.137.15.100-120
lan vpn static pool is 10.137.15.151-170

(routers are set at x.x.x.1 and provide dhcp for each network)

here's what i get on the downtown server for vpn ip's

PPP connection RAS (dial-in) 10.137.15.151 / 255.255.255.255

PPP connection <<some long code>> 10.137.13.158 / 255.255.255.255

So, I do seem to be getting the connection and each server seems to get an
ip in the correct block on the other network..... yet no traffic gets
routed.

Any idea, or am i just missing something simple here?

Thanks again..
James

 

[James Ellison]

can now ping from the remote (downtown) server into the other network, but
no other computers at the downtown location can see the other network
computers....

 

[Bill Grant]

Yes, there should be two IPs. One is the IP address of the demand dial
interface. The other is the IP address of the connection (allocated as part
of the PPP/PPTP negotiation setting up the link).

For a simple client/server connection, routing just works. The client's
default gateway is set to the RRAS server, and the server sets up a host
route back to the client. So you have a route both ways.

For a site to site link, no routing is set up automatically. Each demand
dial interface must have a route linked to it to route to the "other" site.
Site to site routing only works if these routes are active, and the traffic
actually gets to the routers. (This last bit is automatic if the RRAS server
is the default gateway for its LAN).

Thanks for the responses. I spent a few hours last night and today
working on IAS and getting the permissions set up. Now the two servers
seem to connect pretty well.

As far as I can tell, APIPA is not an issue; I have set up a static
address pool and the demand-dial interefaces do get an IP on the other
network. Actually, the demand-dial interfaces seem to get two IP's one
for the RAS inbound connection and another on the other network (for
outbound traffic, it would seem...). So here is the general scheme of
things, where each server has two nic's:

home_office_network: 10.137.13.0 / 255.255.255.0
main server main ip is 10.137.13.10
main server inbound vpn ip is 10.137.13.150
lan dhcp ip's are 10.137.13.100-120
lan vpn static pool is 10.137.13.151-170

downtown_office_network: 10.137.15.0 / 255.255.255.0
main server main ip is 10.137.15.40
main server inbound vpn ip is 10.137.15.150
lan dhcp ip's are 10.137.15.100-120
lan vpn static pool is 10.137.15.151-170

(routers are set at x.x.x.1 and provide dhcp for each network)

here's what i get on the downtown server for vpn ip's

PPP connection RAS (dial-in) 10.137.15.151 / 255.255.255.255

PPP connection <<some long code>> 10.137.13.158 / 255.255.255.255

So, I do seem to be getting the connection and each server seems to get an
ip in the correct block on the other network..... yet no traffic gets
routed.

Any idea, or am i just missing something simple here?

Thanks again..
James

If the internal interface gets an APIPA address, it means that you
haven't set up a static address pool and it can't use DHCP for some
reason.
That shouldn't really affect your LAN to LAN routing, though.

Do the demand dial interfaces get an IP?

No, cannot ping between networks. In addition, the internal routing
interface has now taken on a new network address 169.x.x.x. Not sure
how
this got in there, but it seems to have lost the connection with my two
networks 10.137.13.x and 10.137.15.x.

Thanks

On Tue, 1 Feb 2005 22:02:09 -0600, Robert L [MS-MVP]
<[email protected]>
wrote:

assuming the vpn connects to each other, can you ping?

 

[Bill Grant]

OK. That means your connection is up, but your site to site routing isn't
working.

Does each demand dial interface have a route to the "other" subnet
through the link? When your router connects, does the dd interface on the
answering router become active? The routing will only work properly if you
actually connect to the demand dial interface on the answering router.
(Otherwise you are connecting as just a client, not a router, and only
getting a host route set up back through the connection).

When it works properly, a route print on each router will show an active
route to the "other" subnet via the dd interface.

 

[James Ellison]

Yes the connection is up -- both servers have the dd connection and one
answers when the other calls. The route that shows up on route print is
*this* server to the other public IP for the other network. I assume I
have to have a link from 10.137.13.x to 10.137.15.x, but how?

thanks again
James

 

[Bill Grant]

You set up the route (back to the "calling" router's subnet) linked to
the demand dial interface on the answering router (using the new static
route wizard in RRAS). Put in the destination subnet and netmask, then
select the dd interface from the dropdown list. The static route is stored
in the registry until something actually connects to the dd interface.

When you connect, use the name of the dd interface on the answering
router as the username. This ensures that the connection binds to the dd
interface and activates the static route.

Yes the connection is up -- both servers have the dd connection and one
answers when the other calls. The route that shows up on route print is
*this* server to the other public IP for the other network. I assume I
have to have a link from 10.137.13.x to 10.137.15.x, but how?

thanks again
James

OK. That means your connection is up, but your site to site routing
isn't
working.

Does each demand dial interface have a route to the "other" subnet
through the link? When your router connects, does the dd interface on the
answering router become active? The routing will only work properly if
you
actually connect to the demand dial interface on the answering router.
(Otherwise you are connecting as just a client, not a router, and only
getting a host route set up back through the connection).

When it works properly, a route print on each router will show an
active
route to the "other" subnet via the dd interface.

can now ping from the remote (downtown) server into the other network,
but
no other computers at the downtown location can see the other network
computers....


On Tue, 1 Feb 2005 22:02:09 -0600, Robert L [MS-MVP]
<[email protected]>
wrote:

assuming the vpn connects to each other, can you ping?

 

[James Ellison]

Thanks again for response. It seems that I need to set up the routing on
the two servers that are able to establish the site-to-site connection.
Can I use the "route add" command for this, or is setting up the VPN
routing more involved than this?

My idea is to add the following to my 10.137.13.x server:
route add 10.137.15.0 mask 255.255.255.0 <<gateway of other subnet>>

and to add the following to my 10.137.15.x server:
route add 10.137.13.0 mask 255.255.255.0 <<opposite gateway>>

Not sure what to use for the gateway of the other subnet, other than the
ip address of the PPP connections. But since these could change, is there
any way to set up dynamic routing so the router will always automatically
send traffic to the *other* subnet?

Thanks in advance,
James

For a site to site link, no routing is set up automatically. Each
demand
dial interface must have a route linked to it to route to the "other"
site.
Site to site routing only works if these routes are active, and the
traffic
actually gets to the routers. (This last bit is automatic if the RRAS
server
is the default gateway for its LAN).

<<more snippage>>

 

[Bill Grant]

No, you use the New Static Route wizard in RRAS, and link the routes to
the demand-dial interfaces. The system automatically sets up the routes when
the routers connect.

Have you read the documentation on site to site (also called router to
router) VPN connections?

 

[James Ellison]

I have read several sources on the site-to-site VPN connections, including
info at the MS support site. I have completed all of the steps for
completing the connection. The routers connect, but still nothing gets
routed from one network to the other....

One question: looking in RAS >> <servername> >> IP Routing >> General,
what is the function of the Internal interface?

Thanks,
James

 

[Bill Grant]

The internal interface is the default connection for remote users. If
there are no demand-dial interfaces, or if you do not specify a valid dd
interface when you call up, you connect to that interface. If you do
connect to the internal interface, no routes are added (except a host route
back to the calling machine). Routes linked to a dd interface are only added
to the routing table when the dd interface connects.