Networking Forums

Router-to-Router VPN connects but doesn't route

 
 
dg3274
08-02-2005, 08:55 AM
I have a Windows Server 2003 computer on the 192.168.100.0 network in
WA and a Windows Server 2003 computer on the 192.168.1.0 network in VT.
Both computers use DSL to get to the Internet. I am trying to set up a
router-to-router demand dial VPN connection between them over the
Internet.

I have set up demand-dial connections on each server and either one can
initiate the connection and connect successfully. I have set up a static
route on each server to route to the remote network using the
demand-dial interface.

The problem is that after the demand-dial connections connect, I cannot
ping any addresses on the remote network. Neither side can ping the
other network. Routing tables on both servers show a route to the
remote network using the appropriate demand-dial interface. The only
thing that does work is if I ping the IP address that the server
assigns the remote client on the same network. I can tell the ping is
working over the Internet because of the response time. It's just not
working when pinging the remote network IPs.

Any help would be greatly appreciated!

Thanks!
Dave Gray

 
Robert L [MS-MVP]
08-02-2005, 04:56 PM
Posting the result of both sites' routing tables may help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
"dg3274" wrote in message:
> I have a Windows Server 2003 computer on the 192.168.100.0 network in
> WA and a Windows Server 2003 computer on the 192.168.1.0 network in VT.
> Both computers use DSL to get to the Internet. I am trying to set up a
> router-to-router demand dial VPN connection between them over the
> Internet.
>
> I have set up demand-dial connections on each server and either one can
> initiate the connection and connect successfully. I have set up a static
> route on each server to route to the remote network using the
> demand-dial interface.
>
> The problem is that after the demand-dial connections connect, I cannot
> ping any addresses on the remote network. Neither side can ping the
> other network. Routing tables on both servers show a route to the
> remote network using the appropriate demand-dial interface. The only
> thing that does work is if I ping the IP address that the server
> assigns the remote client on the same network. I can tell the ping is
> working over the Internet because of the response time. It's just not
> working when pinging the remote network IPs.
>
> Any help would be greatly appreciated!
>
> Thanks!
> Dave Gray

 
Neteng
08-02-2005, 05:27 PM
In your post you say you can ping the server that assigns the remote client
on the same network. Are you stating the remote server gives out an IP
address from its local subnet? There is no need to do that, and that could
be breaking things. You're routing between sites with the VPN, not remotely
connecting (like RAS), correct?

"dg3274" wrote in message:
> I have a Windows Server 2003 computer on the 192.168.100.0 network in
> WA and a Windows Server 2003 computer on the 192.168.1.0 network in VT.
> Both computers use DSL to get to the Internet. I am trying to set up a
> router-to-router demand dial VPN connection between them over the
> Internet.
>
> I have set up demand-dial connections on each server and either one can
> initiate the connection and connect successfully. I have set up a static
> route on each server to route to the remote network using the
> demand-dial interface.
>
> The problem is that after the demand-dial connections connect, I cannot
> ping any addresses on the remote network. Neither side can ping the
> other network. Routing tables on both servers show a route to the
> remote network using the appropriate demand-dial interface. The only
> thing that does work is if I ping the IP address that the server
> assigns the remote client on the same network. I can tell the ping is
> working over the Internet because of the response time. It's just not
> working when pinging the remote network IPs.
>
> Any help would be greatly appreciated!
>
> Thanks!
> Dave Gray

dg3274
08-03-2005, 01:02 AM
For example, the computer on the 192.168.100.0 network has the IP
192.168.100.4. When the remote computer on the 192.168.1.0 network
(which has the IP 192.168.1.99) dials the 100.4 computer, the 100.4
computer assigns it an IP of 192.168.100.20. I can ping 192.168.100.20
from 192.168.100.4 and the response times for the ping are around 100ms
indicating that I'm reaching the remote computer that way. But I cannot
ping 192.168.1.99 from 192.168.100.4.

 
Bill Grant
08-03-2005, 05:46 AM
As Neteng said, if the client machine is receiving a second IP address,
you are not using a router to router VPN. The clients use their normal local
IP address. Only the routers receive an extra IP address. The clients are
not aware that they are using VPN at all. They simply send the traffic to
the router, and the router forwards the traffic through the VPN tunnel. The
VPN link just works like a (slow) IP router between the two subnets.


dg3274 wrote:
> For example, the computer on the 192.168.100.0 network has the IP
> 192.168.100.4. When the remote computer on the 192.168.1.0 network
> (which has the IP 192.168.1.99) dials the 100.4 computer, the 100.4
> computer assigns it an IP of 192.168.100.20. I can ping 192.168.100.20
> from 192.168.100.4 and the response times for the ping are around
> 100ms indicating that I'm reaching the remote computer that way. But
> I cannot ping 192.168.1.99 from 192.168.100.4.



 
Phillip Windell
08-03-2005, 04:11 PM
"Bill Grant" wrote in message:
> As Neteng said, if the client machine is receiving a second IP address,
> you are not using a router to router VPN. The clients use their normal local

But the routers do. Each VPN Router gets an address from the opposite
network when it connects. I think that may be what he is saying. And that
should be correct. There is still a problem somewhere, I don't know what,
but I'm sure this isn't it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
Neteng
08-03-2005, 04:27 PM
I guess I don't understand why you would use a "demand-dial" VPN. The point
of VPNs is to create an extended network with encrypted tunnels over the
already existing internet connection. DDR is normally used for sporadic
network connectivity, like in the old days of costly ISDN. Why would you
bother nowadays with something like that?

"Phillip Windell" wrote in message:
> "Bill Grant" wrote in message:
> > As Neteng said, if the client machine is receiving a second IP address,
> > you are not using a router to router VPN. The clients use their normal local
>
> But the routers do. Each VPN Router gets an address from the opposite
> network when it connects. I think that may be what he is saying. And that
> should be correct. There is still a problem somewhere, I don't know what,
> but I'm sure this isn't it.

dg3274
08-04-2005, 12:47 AM
Bill Grant wrote:
> As Neteng said, if the client machine is receiving a second IP address,
> you are not using a router to router VPN. The clients use their normal local
> IP address. Only the routers receive an extra IP address. The clients are
> not aware that they are using VPN at all. They simply send the traffic to
> the router, and the router forwards the traffic through the VPN tunnel. The
> VPN link just works like a (slow) IP router between the two subnets.
>


I think you have misunderstood what I mean.
I'm not dealing with any client machines yet. I'm just talking about 2
servers trying to establish a router-to-router vpn session here. When
one server calls the other server and initiates the demand-dial
connection, the connection is made.

When Server 1 calls Server 2, Server 1 assigns Server 2 an IP address
that is part of Server 1's local subnet. Server 2 also does the same
thing. It assigns Server 1 an IP address on its local subnet.

What I was saying is that for example, Server 1 can ping the IP address
that it assigned to Server 2. But it cannot ping Server 2's actual
local IP that is set in its NIC.

 
dg3274
08-04-2005, 01:01 AM

Neteng wrote:
> I guess I don't understand why you would use a "demand-dial" VPN. The point
> of VPNs is to create an extended network with encrypted tunnels over the
> already existing internet connection. DDR is normally used for sporadic
> network connectivity, like in the old days of costly ISDN. Why would you
> bother nowadays with something like that?



I would use demand-dial because I don't need the VPN tunnel to exist
permanently, just when it is needed.

 
Bill Grant
08-04-2005, 01:08 AM
OK. There should be only one connection. You can set it up to connect
from either end, but once it connects there should be routing in both
directions.

Have you linked the static routes to the demand-dial interfaces? Do you
use the name of the "answering" demand-dial interface as the username for
the connection? The calling router must "bind" to the demand-dial interface
on the answering router to activate the route.

dg3274 wrote:
> Bill Grant wrote:
>> As Neteng said, if the client machine is receiving a second IP
>> address,
>> you are not using a router to router VPN. The clients use their
>> normal local IP address. Only the routers receive an extra IP
>> address. The clients are not aware that they are using VPN at all.
>> They simply send the traffic to the router, and the router forwards
>> the traffic through the VPN tunnel. The VPN link just works like a
>> (slow) IP router between the two subnets.
>>

>
> I think you have misunderstood what I mean.
> I'm not dealing with any client machines yet. I'm just talking about 2
> servers trying to establish a router-to-router vpn session here. When
> one server calls the other server and initiates the demand-dial
> connection, the connection is made.
>
> When Server 1 calls Server 2, Server 1 assigns Server 2 an IP address
> that is part of Server 1's local subnet. Server 2 also does the same
> thing. It assigns Server 1 an IP address on its local subnet.
>
> What I was saying is that for example, Server 1 can ping the IP
> address that it assigned to Server 2. But it cannot ping Server 2's
> actual local IP that is set in its NIC.
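
The two checks in Bill Grant's last reply (static routes linked to the demand-dial interface, and the calling router's user name equal to the answering router's demand-dial interface name), modelled as an added example that is not part of the original thread. It is a simplified model, not RRAS output: the /24 masks, the interface names `DD_VT` and `DD_WA`, and the `vpnuser` account are assumptions; only the addresses come from the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Router:
    name: str
    dial_out_user: dict   # demand-dial interface name -> user name sent when it dials
    static_routes: dict   # destination prefix -> interface the static route is linked to

def bound_interface(caller, answerer, dial_if):
    """Answering-side demand-dial interface the call binds to, or None when the
    user name matches no interface there (call is handled as a remote-access client)."""
    user = caller.dial_out_user[dial_if]
    return user if user in answerer.dial_out_user else None

def routes_via(router, interface):
    """Static routes linked to `interface`; usable only while it is connected."""
    return [p for p, i in router.static_routes.items() if i == interface]

def covers(prefixes, ip):
    """True if any prefix in the list contains the address."""
    return any(ip_address(ip) in ip_network(p) for p in prefixes)

def ping_succeeds(caller, answerer, dial_if, src_ip, dst_ip):
    """Echo request needs a route on the caller; the reply needs one on the answerer."""
    bound = bound_interface(caller, answerer, dial_if)
    forward = covers(routes_via(caller, dial_if), dst_ip)
    back = bound is not None and covers(routes_via(answerer, bound), src_ip)
    return forward and back

# Constructed configs. Addresses are from the thread; /24 masks, interface names
# (DD_VT, DD_WA) and the "vpnuser" account are assumptions.
vt = Router("VT", {"DD_WA": "DD_VT"}, {"192.168.100.0/24": "DD_WA"})
wa_mismatch = Router("WA", {"DD_VT": "vpnuser"}, {"192.168.1.0/24": "DD_VT"})
wa_matched = Router("WA", {"DD_VT": "DD_WA"}, {"192.168.1.0/24": "DD_VT"})

if __name__ == "__main__":
    for wa in (wa_mismatch, wa_matched):
        user = wa.dial_out_user["DD_VT"]
        bound = bound_interface(wa, vt, "DD_VT")
        ok = ping_succeeds(wa, vt, "DD_VT", "192.168.100.4", "192.168.1.99")
        print(f"user={user!r:10} binds to {bound!r:8} ping 192.168.1.99: {ok}")
```

With the mismatched user name the tunnel still connects and the assigned address answers, but no route on the answering side is activated, which is the symptom described in the first post.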



 