Networking Forums

RAS through a VPN instead of dial-up?

 
 
Sameer
Guest
Posts: n/a

 
      04-28-2004, 06:09 AM

is it possible to do the following: use a VPN tunnel instead of a dial-up
session to connect to an RAS server? i'll elaborate...

on a workstation, dial in to some random ISP to establish internet
connectivity, then open a PPTP session to a win2k3 server which will cause
the workstation to stop using the random ISP's gateway settings using the
dialup connection only as a circuit switched connection... and instead use the
VPN connection to use the win2k3 server as its RAS server?

the best way to describe is by thinking of it as having a dial-up session
within a dial-up session.

thus the VPN tunnel acts much the same way as a circuit switched network
connection that terminates at the VPN RAS server... and uses that VPN RAS
server to access the internet etc.

if it can be done, can someone tell me how or give me a reference/howto that
i can read?


 
 
 
 
 
Bill Grant
Guest
Posts: n/a

 
      04-28-2004, 07:23 AM
That is pretty much the standard setup. The system will even dial the ISP
first, then make the VPN connection over the dialup connection. When you
have the connection to your ISP set up, run the VPN connection wizard.

"Sameer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> is it possible to do the following: use a VPN tunnel instead of a dial-up
> session to connect to an RAS server? i'll elaborate...
>
> on a workstation, dial in to some random ISP to establish internet
> connectivity, then open a PPTP session to a win2k3 server which will cause
> the workstation to stop using the random ISP's gateway settings using the
> dialup connection only as a circuit switched connection... and instead use the
> VPN connection to use the win2k3 server as its RAS server?
>
> the best way to describe is by thinking of it as having a dial-up session
> within a dial-up session.
>
> thus the VPN tunnel acts much the same way as a circuit switched network
> connection that terminates at the VPN RAS server... and uses that VPN RAS
> server to access the internet etc.
>
> if it can be done, can someone tell me how or give me a reference/howto that
> i can read?
>
>



 
 
Sameer
Guest
Posts: n/a

 
      04-28-2004, 08:24 AM
thanks for the quick reply.

unfortunately, this isn't working for me. maybe there's a routing issue
somewhere.

i have a win2k3 server with two nics. both nics are on the same subnet.
i want the VPN NIC to take incoming VPN traffic and push it outta' the
other standard NIC. the way it's working now... well this isn't happening.

i can access the network shares and even RD, but i can't say browse the net
on the XP client that's connected to the server via a VPN connection.



 
 
Phillip Windell
Guest
Posts: n/a

 
      04-28-2004, 01:39 PM
"Sameer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> unfortunately, this isn't working for me. maybe there's a routing issue
> somewhere.
> i have a win2k3 server with two nics. both nics are on the same
> subnet.

You can't run both nics in the same subnet. "Routing" is subnet to subnet,
not host to host.
It doesn't matter if it is VPN, Dialup, or LAN,...TCP/IP is still TCP/IP.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Sameer
Guest
Posts: n/a

 
      04-28-2004, 07:04 PM
i only recently moved the nic to the same subnet... before it was on an
entirely different subnet, but i was still having the same problem.

can someone tell me how to get this to work?


 
 
Sameer
Guest
Posts: n/a

 
      04-28-2004, 07:38 PM
additionally... one of the reasons i did this is because the VPN NIC, when
placed on a different subnet hijacks the route to the different subnet. i
tried to overcome this by adding a persistent route and increasing the
interface metric value on the VPN NIC, but still i have the same problem. :/


 
 
Phillip Windell
Guest
Posts: n/a

 
      04-28-2004, 09:35 PM
We would need more details about what you have there. Right now we are just
running around blind.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Sameer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> additionally... one of the reasons i did this is because the VPN NIC, when
> placed on a different subnet hijacks the route to the different subnet. i
> tried to overcome this by adding a persistent route and increasing the
> interface metric value on the VPN NIC, but still i have the same problem. :/
>
>



 
 
Sameer
Guest
Posts: n/a

 
      04-28-2004, 10:26 PM
yeah that would help.

alright, here's the setup initially:

laptop
||
||
(VPN)
||
||
*internet*
|
||
||
||
broadband router
||
||
||
||
(int0)
firewall (int1)= = = = = = \VPN interface\
(int2) |
|| ||
|| ||
|| ||
|| |
/LAN interface/-----------win2k3 server

as you can see the interfaces were on separate subnets. the routing/vlan
switching is sound on the firewall.

since it was causing issues (i have another server on the int1 subnet), i
changed it to the following:

laptop
||
||
(VPN)
||
||
*internet*
||
||
||
||
broadband router
||
||
||
||
(int0)
firewall (int1)\VPN interface\
(int2)
||
||
||
||
||-----------/LAN interface/ ------\
|| >win2k3 server
||-----------\VPN interface\ ------/

i've pretty much described what i want to do... which i was told is the
standard anyways. i want the w2k3 server to be a RAS server so that the
laptop can connect through a VPN tunnel and use the w2k3 machine as a router
for net connections and whatever else i need it to do (i'll be running the
exchange, etc)

so upon connection i want the client to consider the RAS server its new
gateway and forget all about the ISP other than have it be the pathway for
the VPN tunnel.

does that make more sense?


 
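Added example, not part of the thread and not any poster's configuration: a small model of IP route selection (longest prefix first, then lowest metric) applied to the two things discussed above, the client's default gateway before and after the tunnel carries the default route, and a server with both NICs in one subnet. All addresses, interface names and metrics are constructed.

```python
import ipaddress
from collections import defaultdict

def pick_route(table, dst):
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r["net"])]
    return min(hits, default=None,
               key=lambda r: (-ipaddress.ip_network(r["net"]).prefixlen, r["metric"]))

def egress(table, dst):
    """Name of the interface a packet to dst leaves through, or None."""
    route = pick_route(table, dst)
    return route["if"] if route else None

def duplicate_onlink(table):
    """Subnets that are directly attached through more than one interface."""
    seen = defaultdict(set)
    for r in table:
        if r["gw"] is None:  # no gateway: the NIC itself sits in that subnet
            seen[r["net"]].add(r["if"])
    return {net: sorted(ifs) for net, ifs in seen.items() if len(ifs) > 1}

# Constructed sample tables (documentation and private address ranges).
CLIENT_DIALUP = [
    {"net": "0.0.0.0/0", "gw": "198.51.100.1", "if": "dialup", "metric": 20},
]
# After the tunnel is up and the default route has moved onto it. The /32
# host route keeps the tunnel's own packets to the VPN server on the dial-up link.
CLIENT_TUNNEL_DEFAULT = [
    {"net": "0.0.0.0/0", "gw": "198.51.100.1", "if": "dialup", "metric": 4000},
    {"net": "0.0.0.0/0", "gw": "10.0.0.1", "if": "vpn", "metric": 1},
    {"net": "203.0.113.10/32", "gw": "198.51.100.1", "if": "dialup", "metric": 20},
]
# Server with both NICs addressed in the same subnet.
SERVER_SAME_SUBNET = [
    {"net": "0.0.0.0/0", "gw": "10.0.0.254", "if": "lan", "metric": 10},
    {"net": "10.0.0.0/24", "gw": None, "if": "lan", "metric": 10},
    {"net": "10.0.0.0/24", "gw": None, "if": "vpn-nic", "metric": 20},
]

if __name__ == "__main__":
    for name, table in [("dial-up only", CLIENT_DIALUP),
                        ("tunnel default", CLIENT_TUNNEL_DEFAULT)]:
        print(name, "-> web:", egress(table, "192.0.2.80"),
              "| vpn server:", egress(table, "203.0.113.10"))
    print("same-subnet NICs:", duplicate_onlink(SERVER_SAME_SUBNET))
    print("server reply to 10.0.0.50 leaves via", egress(SERVER_SAME_SUBNET, "10.0.0.50"))
```

In the server table the two on-link routes differ only by metric, so everything for that subnet leaves through one NIC regardless of which NIC the traffic arrived on.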
 
Phillip Windell
Guest
Posts: n/a

 
      04-29-2004, 02:36 PM
I don't see any point in the "VPN Interface" on the Int1 of the firewall.
The third interface on most Firewalls is designed for using as an
"untrusted" DMZ segment.

You are doing double NAT which will make it even more difficult. You should
consider getting rid of the Broadband Router and replacing it with a
Broadband Modem (layer2 only, has no IP#) and apply the public IP# to the
Firewall's Int0.

You'll have to find out from the firewall vendor how this VPN is supposed to
be done with their product and the same with the Broadband router (if you
keep it). Often the methods are proprietary per each manufacturer. The
incoming request must be NATed across the Broadband Router, and then NATed
a second time across the Firewall to get to the Win2k3 Server which should
be acting as the VPN Router.

Personally I would get rid of the Broadband Router and use a Broadband
Modem, run the Firewall with the Public IP# that the Broadband Router *used*
to have. Then I would use the Firewall itself as the VPN Router and
connection point and forget about the Win2k3 Server as the VPN box. Most
Firewalls now-a-days have VPN abilities themselves.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Sameer" <(E-Mail Removed)> wrote in message
news:ufLwQ$(E-Mail Removed)...
> yeah that would help.
>
> alright, here's the setup initially:
>
> laptop
> ||
> ||
> (VPN)
> ||
> ||
> *internet*
> |
> ||
> ||
> ||
> broadband router
> ||
> ||
> ||
> ||
> (int0)
> firewall (int1)= = = = = = \VPN interface\
> (int2) |
> || ||
> || ||
> || ||
> || |
> /LAN interface/-----------win2k3 server
>
> as you can see the interfaces were on separate subnets. the routing/vlan
> switching is sound on the firewall.
>
> since it was causing issues (i have another server on the int1 subnet), i
> changed it to the following:
>
> laptop
> ||
> ||
> (VPN)
> ||
> ||
> *internet*
> ||
> ||
> ||
> ||
> broadband router
> ||
> ||
> ||
> ||
> (int0)
> firewall (int1)\VPN interface\
> (int2)
> ||
> ||
> ||
> ||
> ||-----------/LAN interface/ ------\
> || >win2k3 server
> ||-----------\VPN interface\ ------/
>
> i've pretty much described what i want to do... which i was told is the
> standard anyways. i want the w2k3 server to be a RAS server so that the
> laptop can connect through a VPN tunnel and use the w2k3 machine as a router
> for net connections and whatever else i need it to do (i'll be running the
> exchange, etc)
>
> so upon connection i want the client to consider the RAS server its new
> gateway and forget all about the ISP other than have it be the pathway for
> the VPN tunnel.
>
> does that make more sense?
>
>



 
 
Sameer
Guest
Posts: n/a

 
      04-29-2004, 08:04 PM
while i appreciate your response, i think you've missed the core issue. the
core issue is getting the win2k3 server to route. everything else is
working properly.

>I don't see any point in the "VPN Interface" on the Int1 of the firewall.
>The third interface on most Firewalls is designed for using as an
>"untrusted" DMZ segment.


that's a mistake actually. my apologies, it should look like this:

laptop
||
||
(VPN)
||
||
*internet*
||
||
||
||
broadband router
||
||
||
||
(int0)
firewall
(int2)
||
||
||
||
||-----------/LAN interface/ ------\
|| >win2k3 server
||-----------\VPN interface\ ------/

>You are doing double NAT which will make it even more difficult. You should
>consider getting rid of the Broadband Router and replacing it with a
>Broadband Modem (layer2 only, has no IP#) and apply the public IP# to the
>Firewall's Int0.


i'm not running IPSec. this is a simple PPTP setup, with proper port
forwarding in place. the VPN does work, and this is verified with the fact
once the tunnel is formed, i can browse shared directories and open RD
sessions to the win2k3 server.

>Personally I would get rid of the Broadband Router and use a Broadband
>Modem, run the Firewall with the Public IP# that the Broadband Router *used*
>to have. Then I would use the Firewall itself as the VPN Router and
>connection point and forget about the Win2k3 Server as the VPN box. Most
>Firewalls now-a-days have VPN abilities themselves.


in future this might not be a bad learning experience with the OpenBSD
firewall, but at the moment, like i said, i want to get the setup the way
it's working.

if it WON'T work this way, then i have a whole new set of problems.

again, thanks for the input... but i wasn't really looking for a critique on
the setup. i simply wanted it to work. i know for a fact the
firewall/router isn't the source of problems so i'd like to leave that in
place. there are specific reasons why it's set the way it is, and those
reasons aren't what's in question.


 