Networking Forums

bridging lan > vpn

 
 
Kristofer Andersson
Guest
Posts: n/a

 
      04-27-2004, 03:31 PM
How do I configure bridging from the LAN to a VPN connection on Win2k or
Win2k3? Or is this not allowed? If so, why?


 
 
 
 
 
Phillip Windell
Guest
Posts: n/a

 
      04-27-2004, 04:12 PM
Define what you mean by "bridging" and why you think or desire to do it. It
is easier to solve when working towards the goal rather than working on a
problem when you don't know where it "leads".


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Kristofer Andersson" <kaatpocodotse.ihatespamandIwillstalkspammers@aol. com>
wrote in message news:(E-Mail Removed)...
> How do I configure bridging from the LAN to a VPN connection on Win2k or
> Win2k3? Or is this not allowed? If so, why?
>
>



 
 
Kristofer Andersson
Guest
Posts: n/a

 
      04-27-2004, 04:25 PM
Ok, here is what I have:
LAN A. Company we are doing a joint project with. I am not in control of it
but we access it using VPN. They have a Win2k server acting as a VPN server.
LAN B. My lan. I want traffic destined for the address range of LAN A to be
routed through a VPN connection to LAN A by my Win2k server.

I have tried by setting up a routing interface in 'routing and remote
access' (interface is demand dial) and a static route for the network I want
to route to. From my win2k server where the routing is configured I can
access machines in LAN A, but no other machine in LAN B can use this route.


 
 
Phillip Windell
Guest
Posts: n/a

 
      04-27-2004, 04:37 PM
Whatever device your machines are currently using for a Default Gateway must
contain a Static Route for LAN-A that points to the VPN Device. It is just
simple Layer3 Routing, no bridging or anything like that. If this can't be
done, then the VPN Device must be the Default Gateway of all machines, then
on the VPN Device its own Default Gateway would point to whatever you
*used* to use as the Default Gateway before all this came along.

Also depending on your proxy server/firewall design you may have to include
LAN-A's IP# range in the proxy/firewall's LAT so that LAN-A is understood to
be a "local subnet" and not somewhere out in "Internet-land". This may or
may not apply to you, you will have to figure that out.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Kristofer Andersson" <kaatpocodotse.ihatespamandIwillstalkspammers@aol. com>
wrote in message news:%23Hq$$(E-Mail Removed)...
> Ok, here is what I have:
> LAN A. Company we are doing a joint project with. I am not in control of it
> but we access it using VPN. They have a Win2k server acting as a VPN server.
> LAN B. My lan. I want traffic destined for the address range of LAN A to be
> routed through a VPN connection to LAN A by my Win2k server.
>
> I have tried by setting up a routing interface in 'routing and remote
> access' (interface is demand dial) and a static route for the network I want
> to route to. From my win2k server where the routing is configured I can
> access machines in LAN A, but no other machine in LAN B can use this route.
>
>



 
 
Kristofer Andersson
Guest
Posts: n/a

 
      04-27-2004, 06:51 PM
Thanks.

I have tried that but for some reason the win2k server that acts as the vpn
router reports that the destination net is unavailable.

A tracert shows the following:

Tracing route to 10.10.5.29 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms xxx.xxx.net [192.168.112.6]
2 xxx.xxx.net [192.168.112.6] reports: Destination host unreachable.

Trace complete.

However, doing the same tracert on the server goes all the way to the
destination.

Could RIP broadcasts from a router on the same lan cause a conflict even
though I have set the default gateway to be the win2k server?


 
 
Phillip Windell
Guest
Posts: n/a

 
      04-27-2004, 07:55 PM
Well I don't know anything about your network config at this point, so I am
just shooting blind. But if the router machine can see both networks on
each side of it but other machines cannot actually route across it, then one
of the following (or combination of) are wrong:

1. IP Routing is not enabled
2. Routing Table has been messed with and is not correct.
3. Network settings (IP#, Gateway, Mask, etc) of the Nics are not correct
4. Packet Filters of the wrong type have been added, or filters of the right
type in the wrong place.
5. Network settings of the clients sending the packet or receiving the
packet is not correct.
6. The network has other routing devices and the system as a whole is not
configured to work together properly.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Kristofer Andersson" <kaatpocodotse.ihatespamandIwillstalkspammers@aol. com>
wrote in message news:%(E-Mail Removed)...
> Thanks.
>
> I have tried that but for some reason the win2k server that acts as the vpn
> router reports that the destination net is unavailable.
>
> A tracert shows the following:
>
> Tracing route to 10.10.5.29 over a maximum of 30 hops
>
> 1 <1 ms <1 ms <1 ms xxx.xxx.net [192.168.112.6]
> 2 xxx.xxx.net [192.168.112.6] reports: Destination host unreachable.
>
> Trace complete.
>
> However, doing the same tracert on the server goes all the way to the
> destination.
>
> Could RIP broadcasts from a router on the same lan cause a conflict even
> though I have set the default gateway to be the win2k server?
>
>



 
 
Kristofer Andersson
Guest
Posts: n/a

 
      04-27-2004, 08:57 PM
Thanks. I looked through the different areas you suggest and here is what I
found:

> 1. IP Routing is not enabled

It is enabled ("enable this computer as a router" is checked and "LAN and
demand-dial routing" is selected).

> 2. Routing Table has been messed with and is not correct.


This is possible. There is a weird entry in the route table on the server
that acts as a router. See the first one - why is gateway 0.0.0.0? (all
these were automatically added when I added the route in "routing and remote
access")

10.10.5.0 255.255.255.0 0.0.0.0 10.10.5.146 3
10.10.5.0 255.255.255.0 10.10.5.150 10.10.5.146 3
10.10.5.146 255.255.255.255 127.0.0.1 127.0.0.1 1
10.10.5.150 255.255.255.255 10.10.5.146 10.10.5.146 1
10.255.255.255 255.255.255.255 10.10.5.146 10.10.5.146 1

> 3. Network settings (IP#, Gateway, Mask, etc) of the Nics are not correct


hasn't changed

> 4. Packet Filters of the wrong type have been added, or filters of the right
> type in the wrong place.


No packet filters are set up

> 5. Network settings of the clients sending the packet or receiving the
> packet is not correct.


can't find anything wrong

> 6. The network has other routing devices and the system as a whole is not
> configured to work together properly.


Yes, there are two other routers. They are now configured to route all
traffic for the target network (10.10.5.0) through the windows server.

Here's a tracert on the server:
Tracing route to xxx.xxx [10.10.5.29] over a maximum of 30 hops:

1 985 ms 797 ms 953 ms xxx.xxx [10.10.5.150]
2 1062 ms 922 ms 938 ms xxx.xxx [10.10.5.29]

Trace complete.

Here's a tracert on my pc:
Tracing route to 10.10.5.29 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.112.1
2 2 ms 2 ms 2 ms 192.168.112.253
3 4 ms 3 ms 3 ms xxx.xxx [192.168.112.6]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * ^C

The first and second one are other routers, the third one is the win2k
server that has the vpn route configured.


 
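Added example (not part of the thread and not any poster's code): the five route-table rows posted above, parsed in Python and checked with the usual longest-prefix, then lowest-metric selection to show which rows apply to a given destination. The function names are made up for this illustration, and the column order is assumed to be that of Windows "route print" (destination, netmask, gateway, interface, metric).

```python
import ipaddress

# Rows copied from the post. Assumed column order (Windows "route print"):
# destination, netmask, gateway, interface, metric.
ROUTE_ROWS = """\
10.10.5.0 255.255.255.0 0.0.0.0 10.10.5.146 3
10.10.5.0 255.255.255.0 10.10.5.150 10.10.5.146 3
10.10.5.146 255.255.255.255 127.0.0.1 127.0.0.1 1
10.10.5.150 255.255.255.255 10.10.5.146 10.10.5.146 1
10.255.255.255 255.255.255.255 10.10.5.146 10.10.5.146 1
"""

def parse_routes(text):
    """Turn whitespace-separated route rows into dicts with a parsed network."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or wrapped lines
        dest, mask, gateway, iface, metric = fields
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes

def best_routes(routes, destination):
    """Return every row tied for best: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return []  # nothing in this excerpt covers the address (no default route)
    rank = lambda r: (-r["network"].prefixlen, r["metric"])
    best = min(rank(r) for r in matches)
    return [r for r in matches if rank(r) == best]

if __name__ == "__main__":
    table = parse_routes(ROUTE_ROWS)
    for target in ("10.10.5.29", "10.10.5.146", "192.168.112.50"):
        picks = best_routes(table, target)
        print(target, [(str(r["network"]), r["gateway"]) for r in picks])
```

For 10.10.5.29 both /24 rows come back, tied on prefix length and metric; 192.168.112.50 returns nothing because the posted excerpt contains no default route.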
 
Phillip Windell
Guest
Posts: n/a

 
      04-27-2004, 09:14 PM
"Kristofer Andersson" <kaatpocodotse.ihatespamandIwillstalkspammers@aol. com>
wrote in message news:(E-Mail Removed)...
> This is possible. There is a weird entry in the route table on the server
> that acts as a router. See the first one - why is gateway 0.0.0.0? (all
> these were automatically added when I added the route in "routing and remote
> access")
>
> 10.10.5.0 255.255.255.0 0.0.0.0 10.10.5.146 3

When you added what route in RRAS?

> > 5. Network settings of the clients sending the packet or receiving the
> > packet is not correct.


Forget pinging or tracing across it. Can a client ping the closest
interface of the router?...in other words, just *to* it and not across it?

To tell you the truth, there is just too much "fog" surrounding the design
and configuration of this network for me to do anything with it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
 
Kristofer Andersson
Guest
Posts: n/a

 
      04-27-2004, 09:32 PM
>
> When you added what route in RRAS?


Under routing interfaces:
a demand dial vpn connection

Under Static Route:
Interface: name of the vpn connection
Destination: 10.10.5.0
Mask: 255.255.255.0
Gateway: grayed out when I selected the vpn interface
Metric: 1
Use this route to initiate demand-dial connections: checked

> > > 5. Network settings of the clients sending the packet or receiving the
> > > packet is not correct.

>
> Forget pinging or tracing across it. Can a client ping the closest
> interface of the router?...in other words, just *to* it and not across it?


It can ping the win2k server that acts as a router on my side. It can not
ping the win2k server that is the vpn server on the other side.

> To tell you the truth, there is just too much "fog" surrounding the design
> and configuration of this network for me to do anything with it.




Let me try to clarify what we have:
1) a DSL connection to the internet. This one has a SOHO firewall device.
This is the default gateway for all PCs. IP 192.168.112.1
Has a route for 10.10.1.0 to gateway 192.168.112.253
2) a T1 connection to another company with a Cisco router. IP
192.168.112.253.
routes traffic for 10.10.0.0 to external network but has an exception route
for 10.10.5.0 to go through 192.168.112.6
3) a win2k server 192.168.112.6 configured as a router and to route all
traffic for 10.10.5.x through a VPN connection to a Win2k VPN server on the
other side of the planet
4) a bunch of PCs with IPs in the 192.168.112.50-192.168.112.252 range, mask
255.255.255.0, default gateway 192.168.112.1


 
 
Phillip Windell
Guest
Posts: n/a

 
      04-27-2004, 09:57 PM
"Kristofer Andersson" <kaatpocodotse.ihatespamandIwillstalkspammers@aol. com>
wrote in message news:(E-Mail Removed)...

> Let me try to clarify what we have:


Ok, it is making more sense. It is late here, let me get back to it in the
morning when I feel all "fresh". Plus I may be able to experiment with a
similar RRAS box tonight and see what results I get. I'll print out your
description and take it home,..maybe map out a few things.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 