Dual-Network Card VPN Server?

Hi,

I'm setting up a system running Server 2003, and i've been asked to set up
VPN.

Here's the config:

Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
(192.168.0.254).

The computer has two interfaces, the 192.168.0.254 (VPN) and 192.168.0.1
(LAN).

B will accept the network connection, query the DHCP hopefully (through
LAN?), and then pass data out through LAN.

My attempt has ended like this: It will dialin and login ok, but the system
won't allow access to Internet, or other servers. I can resolve the VPN
server i'm connecting to.

My question is twofold:

a) Can I establish a VPN in a machine and pass it from one to the other card
(both of them connected on the same subnet)

b) How do I pass the DHCP from 192.168.0.2 to VPN?

You should not have two NICs in the same IP subnet. If the router is in
the same subnet as your LAN machines, you only need one NIC in the server.

The two-NIC scenario if for the situation where one NIC is in a private
subnet and the other has a public IP. If you are in a private subnet behind
a router, the router is your public connection.

If the server is configured to use DHCP, the server will lease a batch
of IPs from DHCP to use as its address pool. It will allocate one to itself
(to act as its VPN interface), then allocate addresses from this pool to the
clients as required. This "internal" interface and the LAN NIC are all you
need for the remote client to reach LAN machines. The server acts as a proxy
for the client.

Name resolution doesn't automatically work as it does on a LAN. The WAN
link doesn't carry LAN broadcasts.

JHO wrote:
> Hi,
>
> I'm setting up a system running Server 2003, and i've been asked to
> set up VPN.
>
> Here's the config:
>
> Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
> (192.168.0.254).
>
> The computer has two interfaces, the 192.168.0.254 (VPN) and
> 192.168.0.1 (LAN).
>
> B will accept the network connection, query the DHCP hopefully
> (through LAN?), and then pass data out through LAN.
>
> My attempt has ended like this: It will dialin and login ok, but the
> system won't allow access to Internet, or other servers. I can
> resolve the VPN server i'm connecting to.
>
> My question is twofold:
>
> a) Can I establish a VPN in a machine and pass it from one to the
> other card (both of them connected on the same subnet)
>
> b) How do I pass the DHCP from 192.168.0.2 to VPN?

Thanks, so how do I configure that with RRA? - The wiz gives me the standard
'must have 2 nics'

"Bill Grant" wrote:

> You should not have two NICs in the same IP subnet. If the router is in
> the same subnet as your LAN machines, you only need one NIC in the server.
>
> The two-NIC scenario if for the situation where one NIC is in a private
> subnet and the other has a public IP. If you are in a private subnet behind
> a router, the router is your public connection.
>
> If the server is configured to use DHCP, the server will lease a batch
> of IPs from DHCP to use as its address pool. It will allocate one to itself
> (to act as its VPN interface), then allocate addresses from this pool to the
> clients as required. This "internal" interface and the LAN NIC are all you
> need for the remote client to reach LAN machines. The server acts as a proxy
> for the client.
>
> Name resolution doesn't automatically work as it does on a LAN. The WAN
> link doesn't carry LAN broadcasts.
>
> JHO wrote:
> > Hi,
> >
> > I'm setting up a system running Server 2003, and i've been asked to
> > set up VPN.
> >
> > Here's the config:
> >
> > Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
> > (192.168.0.254).
> >
> > The computer has two interfaces, the 192.168.0.254 (VPN) and
> > 192.168.0.1 (LAN).
> >
> > B will accept the network connection, query the DHCP hopefully
> > (through LAN?), and then pass data out through LAN.
> >
> > My attempt has ended like this: It will dialin and login ok, but the
> > system won't allow access to Internet, or other servers. I can
> > resolve the VPN server i'm connecting to.
> >
> > My question is twofold:
> >
> > a) Can I establish a VPN in a machine and pass it from one to the
> > other card (both of them connected on the same subnet)
> >
> > b) How do I pass the DHCP from 192.168.0.2 to VPN?
>
>
>

That isn't really true. Look a bit more closely at the options
available. All you really need to do on the RRAS server is enable remote
access.

JHO wrote:
> Thanks, so how do I configure that with RRA? - The wiz gives me the
> standard 'must have 2 nics'
>
> "Bill Grant" wrote:
>
>> You should not have two NICs in the same IP subnet. If the
>> router is in the same subnet as your LAN machines, you only need one
>> NIC in the server.
>>
>> The two-NIC scenario if for the situation where one NIC is in a
>> private subnet and the other has a public IP. If you are in a
>> private subnet behind a router, the router is your public connection.
>>
>> If the server is configured to use DHCP, the server will lease a
>> batch of IPs from DHCP to use as its address pool. It will allocate
>> one to itself (to act as its VPN interface), then allocate addresses
>> from this pool to the clients as required. This "internal" interface
>> and the LAN NIC are all you need for the remote client to reach LAN
>> machines. The server acts as a proxy for the client.
>>
>> Name resolution doesn't automatically work as it does on a LAN.
>> The WAN link doesn't carry LAN broadcasts.
>>
>> JHO wrote:
>>> Hi,
>>>
>>> I'm setting up a system running Server 2003, and i've been asked to
>>> set up VPN.
>>>
>>> Here's the config:
>>>
>>> Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
>>> (192.168.0.254).
>>>
>>> The computer has two interfaces, the 192.168.0.254 (VPN) and
>>> 192.168.0.1 (LAN).
>>>
>>> B will accept the network connection, query the DHCP hopefully
>>> (through LAN?), and then pass data out through LAN.
>>>
>>> My attempt has ended like this: It will dialin and login ok, but the
>>> system won't allow access to Internet, or other servers. I can
>>> resolve the VPN server i'm connecting to.
>>>
>>> My question is twofold:
>>>
>>> a) Can I establish a VPN in a machine and pass it from one to the
>>> other card (both of them connected on the same subnet)
>>>
>>> b) How do I pass the DHCP from 192.168.0.2 to VPN?

Ok, I've found it.

I'm not sure If I will use this, or just use the endpoint that my Router
already provides - Would probably be the easiest option to troubleshoot.

"Bill Grant" wrote:

> That isn't really true. Look a bit more closely at the options
> available. All you really need to do on the RRAS server is enable remote
> access.
>
> JHO wrote:
> > Thanks, so how do I configure that with RRA? - The wiz gives me the
> > standard 'must have 2 nics'
> >
> > "Bill Grant" wrote:
> >
> >> You should not have two NICs in the same IP subnet. If the
> >> router is in the same subnet as your LAN machines, you only need one
> >> NIC in the server.
> >>
> >> The two-NIC scenario if for the situation where one NIC is in a
> >> private subnet and the other has a public IP. If you are in a
> >> private subnet behind a router, the router is your public connection.
> >>
> >> If the server is configured to use DHCP, the server will lease a
> >> batch of IPs from DHCP to use as its address pool. It will allocate
> >> one to itself (to act as its VPN interface), then allocate addresses
> >> from this pool to the clients as required. This "internal" interface
> >> and the LAN NIC are all you need for the remote client to reach LAN
> >> machines. The server acts as a proxy for the client.
> >>
> >> Name resolution doesn't automatically work as it does on a LAN.
> >> The WAN link doesn't carry LAN broadcasts.
> >>
> >> JHO wrote:
> >>> Hi,
> >>>
> >>> I'm setting up a system running Server 2003, and i've been asked to
> >>> set up VPN.
> >>>
> >>> Here's the config:
> >>>
> >>> Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
> >>> (192.168.0.254).
> >>>
> >>> The computer has two interfaces, the 192.168.0.254 (VPN) and
> >>> 192.168.0.1 (LAN).
> >>>
> >>> B will accept the network connection, query the DHCP hopefully
> >>> (through LAN?), and then pass data out through LAN.
> >>>
> >>> My attempt has ended like this: It will dialin and login ok, but the
> >>> system won't allow access to Internet, or other servers. I can
> >>> resolve the VPN server i'm connecting to.
> >>>
> >>> My question is twofold:
> >>>
> >>> a) Can I establish a VPN in a machine and pass it from one to the
> >>> other card (both of them connected on the same subnet)
> >>>
> >>> b) How do I pass the DHCP from 192.168.0.2 to VPN?
>
>
>

If the router itself will accept VPN connections, then I would use it!

If it is RADIUS compliant you can connect to it but have Windows do the
authentication (using IAS on the server).

JHO wrote:
> Ok, I've found it.
>
> I'm not sure If I will use this, or just use the endpoint that my
> Router already provides - Would probably be the easiest option to
> troubleshoot.
>
> "Bill Grant" wrote:
>
>> That isn't really true. Look a bit more closely at the options
>> available. All you really need to do on the RRAS server is enable
>> remote access.
>>
>> JHO wrote:
>>> Thanks, so how do I configure that with RRA? - The wiz gives me the
>>> standard 'must have 2 nics'
>>>
>>> "Bill Grant" wrote:
>>>
>>>> You should not have two NICs in the same IP subnet. If the
>>>> router is in the same subnet as your LAN machines, you only need
>>>> one NIC in the server.
>>>>
>>>> The two-NIC scenario if for the situation where one NIC is in a
>>>> private subnet and the other has a public IP. If you are in a
>>>> private subnet behind a router, the router is your public
>>>> connection.
>>>>
>>>> If the server is configured to use DHCP, the server will lease
>>>> a batch of IPs from DHCP to use as its address pool. It will
>>>> allocate one to itself (to act as its VPN interface), then
>>>> allocate addresses from this pool to the clients as required. This
>>>> "internal" interface and the LAN NIC are all you need for the
>>>> remote client to reach LAN machines. The server acts as a proxy
>>>> for the client.
>>>>
>>>> Name resolution doesn't automatically work as it does on a LAN.
>>>> The WAN link doesn't carry LAN broadcasts.
>>>>
>>>> JHO wrote:
>>>>> Hi,
>>>>>
>>>>> I'm setting up a system running Server 2003, and i've been asked
>>>>> to set up VPN.
>>>>>
>>>>> Here's the config:
>>>>>
>>>>> Internet --> Router (192.168.0.2) (Providing DHCP) --> Server 2003
>>>>> (192.168.0.254).
>>>>>
>>>>> The computer has two interfaces, the 192.168.0.254 (VPN) and
>>>>> 192.168.0.1 (LAN).
>>>>>
>>>>> B will accept the network connection, query the DHCP hopefully
>>>>> (through LAN?), and then pass data out through LAN.
>>>>>
>>>>> My attempt has ended like this: It will dialin and login ok, but
>>>>> the system won't allow access to Internet, or other servers. I can
>>>>> resolve the VPN server i'm connecting to.
>>>>>
>>>>> My question is twofold:
>>>>>
>>>>> a) Can I establish a VPN in a machine and pass it from one to the
>>>>> other card (both of them connected on the same subnet)
>>>>>
>>>>> b) How do I pass the DHCP from 192.168.0.2 to VPN?