Router to Router

[Yay Deutschland!]

Hello

I have two LANs I want to connect together using RRAS on Windows 2003
Server. Both of the LANs are connected to the internet using cable modem.
LAN1 is running Windows 2003 Server with ISA Server 2000 running on the same
machine. LAN2 is a Windows 2000 machine no ISA running RRAS. Right now I
have created a Demand Dial VPN to LAN2 from LAN1. On the server console, I
can ping all the resources on LAN2, but I cannot ping anything on LAN2 from
a Client workstation on LAN1.

From reading previous posts, I relized that it is MOST likely to be a Static
Routing problem. Can you please tell me exactly what to type into the Static
Routes, based on the information that I have provided here? This is my first
time setting this up, and I am totally new to this.

LAN1 (RRAS Server with ISA)
Nic1: <Internet>

Nic2: 10.33.39.254
Subnet: 255.255.240.0

PPP adapter RAS Server (Dial In) Interface:
IP: 10.33.32.15
Subnet: 255.255.255.255

PPP adapter DEMAND_DIAL:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.123.7
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

As for the static routes that I put in:
Dst: 192.168.123.0 Mask: 255.255.255.0 Metric 1 on Interface DEMAND_DIAL
Dst: 192.168.123.0 Mask: 255.255.255.0 Gateway: 10.33.32.15 Metric 1 on
Interface NIC2

LAN2 (Win2000 with RRAS):
Nic1: <Internet>
Nic 2: 192.168.123.253
Subnet: 255.255.255.0

Danke Schön!!!

 

[Yay Deutschland!]

Ok I think I solved my own problem, I needed to create a Remote access
server on my side and create another demand dial vpn connection from the
other side to my side. Right now all the systems in LAN1 can communicate
ONLY with the RRAS server on the other side the internet gateway and not the
clients ie. all systems on LAN1 can talk to 192.168.123.254 and
192.168.123.253 (see below). Only the RRAS server on LAN1 can access an IP
address like 192.168.123.4, if you try to access that from a client on LAN 1
it will time out.

The setup on the other side is like so:

Internet<<==>>USR Router with Port 1723 forwarded to RRAS<<==>>RRAS Server,
Clients
USR Router's Internal IP: 192.168.123.254
Subnet: 255.255.255.0
Gateway: none

RRAS Server's IP: 192.168.123.253
Subnet: 255.255.255.0
Gateway: 192.168.123.254

All Client Machines + Print Servers etc...: On the 192.168.123.0/24 and
Gateway Bound to: 192.168.123.254
Print Server: 192.168.123.4

==================
My Question:
==================
Tell me if my theorie is correct: The RRAS Server on LAN1 can ping
192.168.123.4 because it has an IP-Address on the D-D interface as
192.168.123.12 so the Client with IP of 192.168.123.4 (which thinks
192.168.123.12 is on its own local network) is sending the return packets
to 192.168.123.12.

-HOWEVER-

A Client on LAN1 with an IP Address of 10.33.33.17 can NOT ping
192.168.123.4, (although the packet does get there), because the system
192.168.123.4 can not find a return route to 10.33.33.17 because it's
gateway is bound to 192.168.123.254 and the return packets to 10.33.33.17
when it tries to respond is lost through the internet, or gets dropped.
==================

Please give me a reply, as I am trying to learn about routers and
networking.
Thanks

 

[Bill Grant]

Yes, you do need a static route at each end for routing to work
properly. To get full "site to site" routing (ie a client at one site can
ping a client at the other), the RRAS routers must both have a static route
to the "other" site through the VPN link.

Your problem is probably caused by the fact that you have ISA at one end
and RRAS at the other. In ISA, this is configured from an ISA wizard, and
this takes care of the return route. When you set up one end, the wizard
creates a file to configure the "other" router.

With RRAS, you need to configure it manually. This involves setting up a
demand dial interface on the answering router, and adding a static route
back to the calling router's local subnet linked to the demand dial
interface.

To make this work, the calling router uses the name of the dd interface
as the username for the connection. When the answering router receives to
call, it sees that it is to a dd interface, and makes the right connection.
This activates the return route.

If the dd interface doesn't exist, or if the username doesn't match a dd
interface name, the server assumes that the caller is just a remote client
(not a router) and connects to the default internal interface. In this case,
only a host route back to the calling machine is set up. I assume that is
the situation you are seeing.

When it is set up properly (ie with routes at both ends), the VPN link
works like a simple (slow) IP router, and site to site routing works.

 

[Yay Deutschland!]

Ok on I tried what you suggested:
RRAS on LAN1 domain1.com

Interface Name: ddlan2
Username: (e-mail address removed)

RRAS on LAN2 on domain2.com
Interface Name: ddlan1
Username: (e-mail address removed)

And I still get the same problem. Can it be just the fact that the gateway
settings on clients on LAN2 is bound to 192.168.123.254 (US Robotics Router)
and ===!!==>>NOT the RRAS router<<===!!===, which is having its VPN port
forwarded by the US Robotics Router?

Thanks again for your time =)

 

[Bill Grant]

If the default gateway of the LAN is not the RRAS router, you will need
extra routing to get the traffic to the RRAS router.

The simplest way to do that is to add a static route to the gateway
router to redirect traffic destined for the "other" site back to the RRAS
router. It will then be encrypted and encapsulated before going to the
gateway router.