PPTP Site-to-Site VPN problem

 
 
Sergio Ricci
Guest
Posts: n/a

 
      10-04-2005, 12:28 PM
Hi,

I've set up (or tried to) a site-to-site VPN using RRAS in Windows 2003 SP1
but have a few issues that I hope you may be able to help me resolve:

Subnet 192.168.30.0/24<------------------------------------------>Subnet 192.168.31.0/24

ClientsA-------Server1----Router1--------Internet--------Router2---Server2-----ClientsB

I have set up demand dial connections on both servers (Windows 2003+SP1) and
they appear to work OK. Note that there are demand dial connections on both
servers pointing to the other server. The servers can ping each other. The
clients can ping the servers on their subnets but cannot ping any host on
the other subnet.

All this has led me to think (from other posts I have read) that there may
be an issue with the user account and demand dial interface name but I
believe I have got them correct.

Essentially I would like clients on one subnet to be able to transparently
access and connect to servers/clients/hosts on the other subnet.

I'm probably missing something quite obvious but at this moment just can't
see what it is.

Some other bits of info that you may need: when I originally configured
RRAS on both servers I did a custom configuration and selected: NAT, Demand
Dial, Firewall, LAN Routing (from memory). All clients have internet access.

If you require any further info, please let me know.

Thanks in advance for any help/pointers.

Kind regards,
Sergio


 
Wendel Hamilton
Guest
Posts: n/a

 
      10-04-2005, 12:44 PM
Sergio,
Does your clients' default gateway point to your RRAS servers?
Sergio Ricci
Guest
Posts: n/a

 
      10-04-2005, 01:34 PM
Yes. Default g/w points to the internal NIC of the RRAS server.

One thing I didn't mention is that both servers are DCs.

Thanks for replying.
Sergio
Bill Grant
Guest
Posts: n/a

 
      10-05-2005, 02:12 AM
The servers being DCs is not good, but it should not cause that problem.

The workstations in the two sites should be able to communicate
directly. The VPN link should work like a (slow) IP router between them.

Here is a check list.

1. Is the default gateway on the LAN NIC of each server blank?
2. Does each router have a route to the "other" subnet linked to a
demand-dial interface?
3. Does the calling router use the name of the demand-dial interface on
the answering router when it calls up?
4. Does the demand-dial interface on the answering router change to
"connected" status?

If these all check out, look at the routing table on both routers. Each
should have a subnet route to the "other" subnet linked to the VPN
connection. If the workstations are using the RRAS servers as their default
gateways, traffic should route across the link (just like two segments using
a LAN router as their DG).

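The routing-table check from Bill Grant's list, sketched in Python as an added example (not code from any poster in this thread): it parses `route print`-style rows and uses longest-prefix match to see whether traffic for the other subnet leaves through the demand-dial interface or falls through to the default route on the Internet-facing NIC. Both tables, the public addresses, Server1's LAN address 192.168.30.4, Server2's PPP address 192.168.30.110 and the client address 192.168.31.20 are constructed for illustration; only 192.168.31.4, 192.168.31.110 and 192.168.30.5 come from the thread.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway iface metric")

# Constructed sample (not posted in the thread): Server2, the RRAS router on
# 192.168.31.0/24. It has a subnet route to 192.168.30.0/24 bound to its PPP
# adapter (assumed address 192.168.30.110).
SERVER2_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
     192.168.30.0    255.255.255.0   192.168.30.110  192.168.30.110       1
     192.168.31.0    255.255.255.0     192.168.31.4    192.168.31.4      10
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      20
"""

# Constructed sample: Server1, the RRAS router on 192.168.30.0/24, with the
# subnet route back to 192.168.31.0/24 deliberately missing. Only the host
# route for its own PPP adapter address (192.168.31.110) is present.
SERVER1_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.10      20
     192.168.30.0    255.255.255.0     192.168.30.4    192.168.30.4      10
   192.168.31.110  255.255.255.255        127.0.0.1       127.0.0.1      50
     198.51.100.0    255.255.255.0    198.51.100.10   198.51.100.10      20
"""


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, blank line or unrelated output
        dest, mask, gateway, iface, metric = cols
        try:
            routes.append(Route(
                ipaddress.ip_network(f"{dest}/{mask}"),
                ipaddress.ip_address(gateway),
                ipaddress.ip_address(iface),
                int(metric),
            ))
        except ValueError:
            continue  # malformed row
    return routes


def select_route(routes, dst):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.net]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric))


def classify(routes, dst, tunnel_iface):
    """Say which way a packet for dst leaves this router."""
    route = select_route(routes, dst)
    if route is None:
        return "no-route"
    if route.iface == ipaddress.ip_address(tunnel_iface):
        return "tunnel"
    if route.net.prefixlen == 0:
        return "default-route"  # leaves via the Internet-facing NIC
    return "other-interface"


def check_both_directions():
    """Forward path on Server2 and return path on Server1."""
    return {
        # client on .31 -> 192.168.30.5, evaluated on Server2
        "server2_to_30": classify(parse_routes(SERVER2_ROUTES),
                                  "192.168.30.5", "192.168.30.110"),
        # reply to an assumed client 192.168.31.20, evaluated on Server1
        "server1_to_31": classify(parse_routes(SERVER1_ROUTES),
                                  "192.168.31.20", "192.168.31.110"),
    }


if __name__ == "__main__":
    for direction, verdict in check_both_directions().items():
        print(f"{direction}: {verdict}")
```

A `default-route` verdict means packets for the private subnet are handed to the DSL router outside the tunnel, so the link can show as connected while hosts on the two subnets still cannot reach each other.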
 
Wendel Hamilton
Guest
Posts: n/a

 
      10-05-2005, 02:34 AM
Sergio,
OK, I think it is a routing problem.
Use tracert -d to the remote server and workstations and see where it fails.
Could you post the results?
I assume that both servers are multi-homed servers. (2 NICs)
Sergio Ricci
Guest
Posts: n/a

 
      10-05-2005, 02:50 PM
Bill,

Firstly, thanks for your time and the checklist. I agree that using the
servers as DCs isn't the ideal solution but because of cost I really didn't
see an alternative.

Regarding your checklist, I confirm as follows:

1) Yes, LAN NICs have no default gateways. Default gateway has values *only*
for the NICs connected to the DSL Router. This is true for both servers.

2) Yes. Each router (i.e. DC server on each subnet) has a static route to
the other subnet linked to a demand dial interface. The static route is
entered via the RRAS Console and not manually via the CLI. I also note the
following: that the static routes do *not* have a default gateway set. The
field is greyed out when adding the entry. Also, the static routes on both
servers have the option "use this route to initiate demand dial connections"
set.

3) Yes...the calling router uses, as dialup credentials, the answering
router's demand dial interface name. This is true for both routers/DC
servers.

4) I believe the answer is "yes" but will confirm later this evening when
servers can be taken off-line for a quick test.

Clients have as their default gateway the RRAS server/router's LAN NIC IP
address. Connectivity between clients and servers is confirmed. Connectivity
between the 2 RRAS servers/routers is also confirmed.

I have seen another post from Wendel below and I will respond to his post
also with the routing table which may help.

Thanks again for your assistance. It's appreciated.
Sergio
Sergio Ricci
Guest
Posts: n/a

 
      10-05-2005, 03:11 PM
Wendel,

Pls see the output below. The trace was carried out from a client on the
192.168.31.0 subnet whose default g/w points to the LAN NIC of the RRAS
server on the same subnet. NB: I've abbreviated the output to 4 hops. The
complete output continues giving "Request timed out".

Tracing route to 192.168.30.5 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.31.4
2 7 ms 7 ms 7 ms 192.168.31.110
3 * * * Request timed out.
4 * * * Request timed out.

192.168.31.110 is the IP address obtained by the RRAS server's PPP adapter
that is on subnet 192.168.30.0, so it appears to get as far as the RRAS
router on the other side of the VPN link but gets stuck there. I note also
that there is *no* default gateway set for the PPP adapter and so could this
be the cause?

I confirm that both servers are multi-homed with each having 1x NIC facing
the LAN with no default gateway set and the other NIC connected to the DSL
router with a static IP address and default gateway set.

Funnily enough, I am able to configure a VPN connection on a client on the
192.168.31.0 subnet to connect to the RRAS server on the 192.168.30.0 subnet
and it works fine.

Please let me know if you need any further info and thank you also for your
help so far.

Sergio
Ian
Guest
Posts: n/a

 
      10-05-2005, 09:06 PM
Sergio - A bit off topic to start!! - Are your routers capable of VPN
natively?

What IP addresses are on the additional cards? Are the cards in the DMZ
of your routers or are you using port-forwarding? If so, what ports are
you forwarding?

Ian
 
Sergio Ricci
Guest
Posts: n/a

 
      10-05-2005, 10:30 PM
Ian,

Yes the routers are able to support VPN connections natively (no problems
with client to server VPNs and indeed VPN connections between the servers
themselves). The routers are basic no NAT DSL routers. NATing is done by the
RRAS service on the servers (Windows 2003 with SP1).

The additional NICs (1 in each server) have static public IP addresses.
These NICs have the default gateways set to the IP address of the DSL
routers. Clients behind the servers have their default gateways set to the
private IP address of the servers.

I'm pretty sure that the issue I'm experiencing is as a result of the fact
that the PPP adapters created when the VPN tunnels are established do not
have (or do not get configured with) a default gateway.

Thanks for replying.
Sergio
Ian
Guest
Posts: n/a

 
      10-05-2005, 11:02 PM
Have you tried temporarily disabling the firewall on RRAS?

I don't think the PPP adaptors need to have default gateways as the IP
addresses issued will be in the same virtual network.

Ian
 