Networking Forums

Make a VPN client's internal network visible to the VPN server

 
 
\Rob\

 
      10-25-2006, 07:33 PM
Hi, does anyone know if it is possible to have a VPN client's internal
network visible from the VPN server upon connection?

If so, how do you do this for both the client & server?

I'm using XP Pro as the client & Windows Server 2003 with RRAS.

Thanks


 
Trumpeteer

 
      10-25-2006, 08:02 PM
Rob,

As far as I know this is not possible. As soon as you make a
VPN connection you will get an extra IP on your client. There are
logically several reasons why the server cannot connect to the "other
network" the client is on. Two I stated here:

* The server does not know the address ranges the client has connected.
There is no trigger to put those ranges in the routing table of the
server, so the server will direct all IP traffic to those "client
ranges" to its default gateway.

* The client will not route between the VPN and the "client networks",
unless ICS is enabled. In that case there will be NATting, and that is
in this case "one way initiated" for the same reason as above.

Greetz,

Trumpeteer

 
\Rob\

 
      10-25-2006, 10:20 PM
Interesting, thank you.


 
Bill Grant

 
      10-26-2006, 01:24 AM
The basic reason that this doesn't work is that a normal VPN connection is
just a client-server setup. The client sends all non-local traffic across
the VPN link by default and the server has a host route back to the client.
Any other machines behind this client machine can't route to the remote
server because the remote server/router doesn't have a return route for
them - it only has a host route for the VPN client. See KB 254231.

To get full routing between two sites requires a site-to-site VPN.
Instead of a simple client-server connection you set up a router-to-router
VPN connection. You configure routes on these routers to route traffic for
the "other" site through the VPN link. Clearly this requires a router at
both ends, and you can find documentation to do this with RRAS or with ISA.

It is possible (but not recommended) to use XP as the router at one end
if you have RRAS at the other. It is not as versatile as the full setup with
two RRAS servers. You can only initiate the connection from the XP end. You
configure the RRAS server as for a site to site VPN (setting up the return
route linked to a demand-dial interface). At the other end, you enable IP
routing on the XP and when you connect the VPN, you use the name of the
demand-dial interface on the answering router as the username. This binds
the VPN to the demand-dial interface and sets up the return route through
the VPN for the subnet behind the XP. (In other words, the XP machine
connects as a router, not as a normal VPN client). So you have default
routing to get traffic from the XP's network to the RRAS server and a static
route through the VPN to get the return traffic back to the XP router from
the RRAS router.

""Rob"" <@> wrote in message
news:OCqZ7OI%(E-Mail Removed)...
> Interesting, thank you.
>



 
Reply With Quote
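
The routing behaviour described in the two replies above, modelled as an added example that is not part of the original thread. All addresses and the interface names (`vpn-link`, `demand-dial:BranchXP`) are constructed assumptions; the code only simulates longest-prefix route selection on the answering server and whether the XP end forwards packets.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the thread)
VPN_CLIENT = "10.0.0.50"          # address the XP machine gets on the VPN
BEHIND_CLIENT = "192.168.20.15"   # a host on the LAN behind the XP machine
VPN_INTERFACES = {"vpn-link", "demand-dial:BranchXP"}  # hypothetical names


def net(cidr):
    return ipaddress.ip_network(cidr)


def lookup(table, dst):
    """Longest-prefix match: interface of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, ifc) for n, ifc in table if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Normal client-server VPN: the server only holds a host route for the client.
client_server = [
    (net("0.0.0.0/0"), "default-gateway"),
    (net("10.0.0.0/24"), "server-lan"),
    (net("10.0.0.50/32"), "vpn-link"),
]

# Router-to-router VPN: a static route for the remote subnet is bound to the
# demand-dial interface, giving the server a return route through the tunnel.
site_to_site = client_server + [
    (net("192.168.20.0/24"), "demand-dial:BranchXP"),
]


def server_can_reach(server_table, dst, client_forwards):
    """True if the server's traffic to dst enters the tunnel and the far end
    delivers it (the far end must forward unless dst is the client itself)."""
    if lookup(server_table, dst) not in VPN_INTERFACES:
        return False  # goes to the default gateway or local LAN instead
    return dst == VPN_CLIENT or client_forwards


if __name__ == "__main__":
    for name, table in (("client-server", client_server),
                        ("site-to-site", site_to_site)):
        for fwd in (False, True):
            print(name, "forwarding" if fwd else "no forwarding",
                  lookup(table, BEHIND_CLIENT),
                  server_can_reach(table, BEHIND_CLIENT, fwd))
```

Only the combination of a return route on the server and IP forwarding on the far end makes the subnet reachable; either one alone leaves it unreachable.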
 
\Rob\

 
      11-02-2006, 10:35 PM
Thanks Bill, that was extremely clear & concise info.

Thanks for your help.

"Rob"

"Bill Grant" <not.available@online> wrote in message
news:e4NShAK%(E-Mail Removed)...
> The basic reason that this doesn't work is that a normal VPN connection
> is just a client-server setup. The client sends all non-local traffic
> across the VPN link by default and the server has a host route back to the
> client. Any other machines behind this client machine can't route to the
> remote server because the remote server/router doesn't have a return route
> for them - it only has a host route for the VPN client. See KB 254231 .
>
> To get full routing between two sites requires a site-to-site VPN.
> Instead of a simple client-server connection you set up a router-to-router
> VPN connection. You configure routes on these routers to route traffic
> for the "other" site through the VPN link. Clearly this requires a router
> at both ends, and you can find documentation to do this with RRAS or with
> ISA.
>
> It is possible (but not recommended) to use XP as the router at one end
> if you have RRAS at the other. It is not as versatile as the full setup
> with two RRAS servers. You can only initiate the connection from the XP
> end. You configure the RRAS server as for a site to site VPN (setting up
> the return route linked to a demand-dial interface). At the other end, you
> enable IP routing on the XP and when you connect the VPN, you use the name
> of the demand-dial interface on the answering router as the username. This
> binds the VPN to the demand-dial interface and sets up the return route
> through the VPN for the subnet behind the XP. (In other words, the XP
> machine connects as a router, not as a normal VPN client). So you have
> default routing to get traffic from the XP's network to the RRAS server
> and a static route through the VPN to get the return traffic back to the
> XP router from the RRAS router.
>
> ""Rob"" <@> wrote in message
> news:OCqZ7OI%(E-Mail Removed)...
>> Interesting, thank you.
>>

>
>



 
Patrick Wong

 
      11-03-2006, 06:47 PM
Hi Rob,
You can achieve this by having two ISA servers at the two sites and setting up a VPN
tunnel across the two ISA servers.

Hope this helps,

Patrick

""Rob"" wrote:

> Hi, does anyone know if it is possible to have a VPN client's internal
> network visible from the VPN server upon connection?
>
> If so, how do you do this for both the client & server?
>
> I'm using XP Pro as the client & Windows Server 2003 with RRAS.
>
> Thanks
>
>
>

 