Networking Forums


RRAS two way (pptp) vpn possible?

 
 
markm75

 
      08-21-2008, 05:56 PM
Here is our situation.. we have a RRAS local domain server in house.. we use
it to connect via vpn from the outside via pptp tunnels.. this works fine
from the outside in, but not vice versa.

We have a dedicated hosting server which sits outside of the local company
in its own domain.. I can create a vpn connection from it to our side with no
trouble, but what I want is to be able to connect from our side to that
machine, so I can do backups via DPM 2007.. so I at least need to be able to
see it from one of our domain machines (not the same machine as the RRAS
server).

We have no access to a firewall at this time on the hosting machine, but can
remote in (2003 enterprise server).

Our firewall is a sonicwall firewall. (Pro 2040)

I'm not sure what the best route to take here would be.. so far all I can
figure is installing RRAS server on the remote dedicated machine and allowing
for pptp incoming onto that box (not as desirable).

It also isn't desirable to configure the hardware vpn on our sonicwall as it
would probably require a software install on the dedicated server (unlike
PPTP)..

Any thoughts on how to achieve this? (I'd prefer ipsec, but from what I can
see there would be no way to do this without some sort of 3rd party install)

Thanks in advance.


 
 
 
 
 
Robert L. (MS-MVP)

 
      08-21-2008, 11:57 PM
Do a simple test. Can you ping the outside hosting server from the inside?
If yes, can you telnet port 1723?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"markm75" <(E-Mail Removed)> wrote in message
news:EFEA0205-BD18-4C9E-BD29-(E-Mail Removed)...
> Here is our situation.. we have a RRAS local domain server in house.. we
> use
> it to connect via vpn from the outside via pptp tunnels.. this works fine
> from the outside in, but not vice versa.
>
> We have a dedicated hosting server which sits outside of the local company
> in its own domain.. I can create a vpn connection from it to our side with
> no
> trouble, but what i want is to be able to connect from our side to that
> machine, so i can do backups via DPM 2007.. so i at least need to be able
> to
> see it from one of our domain machines (not the same machine as the RRAS
> server).
>
> We have no access to a firewall at this time on the hosting machine, but
> can
> remote in (2003 enterprise server).
>
> Our firewall is a sonicwall firewall. (Pro 2040)
>
> I'm not sure what the best route to take here would be.. so far all i can
> figure is installing RRAS server on the remote dedicated machine and
> allowing
> for pptp incoming onto that box (not as desirable).
>
> It also isnt desirable to configure the hardware vpn on our sonicwall as
> it
> would probably require a software install on the dedicated server (unlike
> PPTP)..
>
> Any thoughts on how to achieve this? (I'd prefer ipsec, but from what i
> can
> see there would be no way to do this without some sort of 3rd party
> install)
>
> Thanks in advance.
>
>


 
 
markm75

 
      08-22-2008, 03:43 AM


"Robert L. (MS-MVP)" wrote:

> Do a simple test. Can you ping the outside hosting server from the inside?
> If yes, can you telnet port 1723?
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net



I tried this ping earlier actually.. tried pinging it via its ip address,
which showed up on our local side RRAS server.. I could ping it... couldn't
browse to it though for some reason.

I didn't try the telnet.. I'm not sure why an inside to the outside dedicated
telnet would work, when it's only connecting to our inside RRAS server (IE:
no RRAS installed as of yet on the dedicated, was hoping to avoid that)...


 
 
Bill Grant

 
      08-22-2008, 03:44 AM


"markm75" <(E-Mail Removed)> wrote in message
news:EFEA0205-BD18-4C9E-BD29-(E-Mail Removed)...
> Here is our situation.. we have a RRAS local domain server in house.. we
> use
> it to connect via vpn from the outside via pptp tunnels.. this works fine
> from the outside in, but not vice versa.
>
> We have a dedicated hosting server which sits outside of the local company
> in its own domain.. I can create a vpn connection from it to our side with
> no
> trouble, but what i want is to be able to connect from our side to that
> machine, so i can do backups via DPM 2007.. so i at least need to be able
> to
> see it from one of our domain machines (not the same machine as the RRAS
> server).
>
> We have no access to a firewall at this time on the hosting machine, but
> can
> remote in (2003 enterprise server).
>
> Our firewall is a sonicwall firewall. (Pro 2040)
>
> I'm not sure what the best route to take here would be.. so far all i can
> figure is installing RRAS server on the remote dedicated machine and
> allowing
> for pptp incoming onto that box (not as desirable).
>
> It also isnt desirable to configure the hardware vpn on our sonicwall as
> it
> would probably require a software install on the dedicated server (unlike
> PPTP)..
>
> Any thoughts on how to achieve this? (I'd prefer ipsec, but from what i
> can
> see there would be no way to do this without some sort of 3rd party
> install)
>
> Thanks in advance.
>
>

You should be able to do that over the existing connection. If you have
a VPN connection from the remote server to a VPN server on your LAN, you
have an IP connection between the remote server and any machine on your LAN
(when the connection is up).

When your VPN clients connect by VPN, can they see all machines on the
LAN? If not, what is it for? When the remote server connects, cannot it see
all the machines on the LAN?

If you cannot connect from a LAN machine to a remote machine (which is
connected by VPN) it is probably because of name resolution or
authentication problems. It should not be a routing problem or a firewall
problem.

 
 
markm75

 
      08-22-2008, 08:23 PM

> You should be able to do that over the existing connection. If you have
> a VPN connection from the remote server to a VPN server on your LAN, you
> have an IP connection between the remote server and any machine on your LAN
> (when the connection is up).
>
> When your VPN clients connect by VPN, can they see all machines on the
> LAN? If not, what is it for? When the remote server connects, cannot it see
> all the machines on the LAN?
>
> If you cannot connect from a LAN machine to a remote machine (which is
> connected by VPN) it is probably because of name resolution or
> authentication problems. It should not be a routing problem or a firewall
> problem.
>
>


Well.. I can ping the remote server by ip address but from ONLY the RRAS
local LAN server (and can't get to any shared mappings etc, via ip address)..

Attempts to ping this ip from any other LAN machine don't result in ping
backs, for some reason.

 
 
Bill Grant

 
      08-23-2008, 02:16 AM


"markm75" <(E-Mail Removed)> wrote in message
news:30625F49-1B0E-47E3-8A60-(E-Mail Removed)...
>
>> You should be able to do that over the existing connection. If you
>> have
>> a VPN connection from the remote server to a VPN server on your LAN, you
>> have an IP connection between the remote server and any machine on your
>> LAN
>> (when the connection is up).
>>
>> When your VPN clients connect by VPN, can they see all machines on
>> the
>> LAN? If not, what is it for? When the remote server connects, cannot it
>> see
>> all the machines on the LAN?
>>
>> If you cannot connect from a LAN machine to a remote machine (which
>> is
>> connected by VPN) it is probably because of name resolution or
>> authentication problems. It should not be a routing problem or a firewall
>> problem.
>>
>>

>
> Well.. i can ping the remote server by ip address but from ONLY the RRAS
> local LAN server (and cant get to any shared mappings etc, via ip
> address)..
>
> Attempts to ping this ip from any other LAN machine dont result in ping
> backs, for some reason.


Does this server use the VPN server as its default gateway? If not, you
will need a static route on it to get traffic for the "other" private subnet
to the VPN router. Otherwise it will try across the Internet unencrypted and
unencapsulated.

Can your dial-in VPN clients see this server?
>

 
 
markm75

 
      08-23-2008, 01:12 PM


"Bill Grant" wrote:

>
>
> "markm75" <(E-Mail Removed)> wrote in message
> news:30625F49-1B0E-47E3-8A60-(E-Mail Removed)...
> >
> >> You should be able to do that over the existing connection. If you
> >> have
> >> a VPN connection from the remote server to a VPN server on your LAN, you
> >> have an IP connection between the remote server and any machine on your
> >> LAN
> >> (when the connection is up).
> >>
> >> When your VPN clients connect by VPN, can they see all machines on
> >> the
> >> LAN? If not, what is it for? When the remote server connects, cannot it
> >> see
> >> all the machines on the LAN?
> >>
> >> If you cannot connect from a LAN machine to a remote machine (which
> >> is
> >> connected by VPN) it is probably because of name resolution or
> >> authentication problems. It should not be a routing problem or a firewall
> >> problem.
> >>
> >>

> >
> > Well.. i can ping the remote server by ip address but from ONLY the RRAS
> > local LAN server (and cant get to any shared mappings etc, via ip
> > address)..
> >
> > Attempts to ping this ip from any other LAN machine dont result in ping
> > backs, for some reason.

>
> Does this server use the VPN server as its default gateway? If not, you
> will need a static route on it to get traffic for the "other" private subnet
> to the VPN router. Otherwise it will try across the Internet unencrypted and
> unencapsulated.
>
> Can your dial-in VPN clients see this server?
> >

>



By your question of if the server uses the default gateway, you mean the
remote server correct? I had unchecked that option.. the reason being, at
least on regular desktops I found that if we had that checked, those remote
machines' internet connections' max download would become the upload max of our
LAN's gateway router.. by unchecking it, they would have full speed of their
own internet connection..

In setting up a static route.. I could set a static route on our sonicwall
lan gateway (?).. or does it have to be the RRAS server for pptp 2 way to
work.. but I have to set the same static route on the other end correct (the
remote server)? We don't have access to a firewall there, so does this imply
I'd need to install RRAS on that remote box (nervous about doing this, as
once in the past I did this and hosed a server, but at least then I had
physical access)

I'm guessing I'd have to enter the static route on the lan side (sonicwall
or rras) of the remote lan.. ie: 192.168.1.0 and on the remote server's
setting.. the lan gateway 192.168.100.0 etc?


 
 
Bill Grant

 
      08-23-2008, 11:30 PM


"markm75" <(E-Mail Removed)> wrote in message
news:EFEA0205-BD18-4C9E-BD29-(E-Mail Removed)...
> Here is our situation.. we have a RRAS local domain server in house.. we
> use
> it to connect via vpn from the outside via pptp tunnels.. this works fine
> from the outside in, but not vice versa.
>
> We have a dedicated hosting server which sits outside of the local company
> in its own domain.. I can create a vpn connection from it to our side with
> no
> trouble, but what i want is to be able to connect from our side to that
> machine, so i can do backups via DPM 2007.. so i at least need to be able
> to
> see it from one of our domain machines (not the same machine as the RRAS
> server).
>
> We have no access to a firewall at this time on the hosting machine, but
> can
> remote in (2003 enterprise server).
>
> Our firewall is a sonicwall firewall. (Pro 2040)
>
> I'm not sure what the best route to take here would be.. so far all i can
> figure is installing RRAS server on the remote dedicated machine and
> allowing
> for pptp incoming onto that box (not as desirable).
>
> It also isnt desirable to configure the hardware vpn on our sonicwall as
> it
> would probably require a software install on the dedicated server (unlike
> PPTP)..
>
> Any thoughts on how to achieve this? (I'd prefer ipsec, but from what i
> can
> see there would be no way to do this without some sort of 3rd party
> install)
>
> Thanks in advance.
>
>


When you set up a VPN, it ensures that the traffic gets safely from
point A to point B (the VPN endpoints). No matter how the VPN is set up,
you simply have a point-to-point connection between the two machines, as if
they were cabled together.

When your VPN connection is up, you can connect from your RRAS server
to the VPN client (the hosting server) because they are the VPN endpoints.
To make a connection from another machine on the LAN you need to get the
traffic across the LAN to the VPN server. By default it will go straight to
your default gateway (which is the Sonicwall I presume). If it does that the
connection will fail. Because you are using the hosting server's private IP,
the Sonicwall will discard the packet.

If you get the privately addressed packet to the VPN server instead of the
Sonicwall it will be encrypted and encapsulated (so that it goes through the
tunnel). Now when the packet reaches the Sonicwall it has the hosting
server's public IP in the header and is delivered through the Internet.

To summarise, you can connect from the RRAS server to the target
machine. To connect from another machine on the LAN you need to get the
packet to the RRAS server first. On the machine which you want to connect to
the hosting server, add a static route (either a host route for the
particular IP or a subnet route) to send the traffic addressed to the
hosting server's private IP to the local RRAS server. It will then go
through the VPN tunnel.



 
 
markm75

 
      08-24-2008, 02:40 AM


"Bill Grant" wrote:

>
>
> "markm75" <(E-Mail Removed)> wrote in message
> news:EFEA0205-BD18-4C9E-BD29-(E-Mail Removed)...
> > Here is our situation.. we have a RRAS local domain server in house.. we
> > use
> > it to connect via vpn from the outside via pptp tunnels.. this works fine
> > from the outside in, but not vice versa.
> >
> > We have a dedicated hosting server which sits outside of the local company
> > in its own domain.. I can create a vpn connection from it to our side with
> > no
> > trouble, but what i want is to be able to connect from our side to that
> > machine, so i can do backups via DPM 2007.. so i at least need to be able
> > to
> > see it from one of our domain machines (not the same machine as the RRAS
> > server).
> >
> > We have no access to a firewall at this time on the hosting machine, but
> > can
> > remote in (2003 enterprise server).
> >
> > Our firewall is a sonicwall firewall. (Pro 2040)
> >
> > I'm not sure what the best route to take here would be.. so far all i can
> > figure is installing RRAS server on the remote dedicated machine and
> > allowing
> > for pptp incoming onto that box (not as desirable).
> >
> > It also isnt desirable to configure the hardware vpn on our sonicwall as
> > it
> > would probably require a software install on the dedicated server (unlike
> > PPTP)..
> >
> > Any thoughts on how to achieve this? (I'd prefer ipsec, but from what i
> > can
> > see there would be no way to do this without some sort of 3rd party
> > install)
> >
> > Thanks in advance.
> >
> >

>
> When you set up a VPN, it ensures that the traffic gets safely from
> point A to point B (the VPN endpoints). No matter how the VPN is set up,
> you simply have a point-to-point connection between the two machines, as if
> they were cabled together.
>
> When your VPN connection is up, you can connect from your RRAS server
> to the VPN client (the hosting server) because they are the VPN endpoints.
> To make a connection from another machine on the LAN you need to get the
> traffic across the LAN to the VPN server. By default it will go straight to
> your default gateway (which is the Sonicwall I presume). If it does that the
> connection will fail. Because you are using the hosting server's private IP,
> the Sonicwall will discard the packet.
>
> If you get the privately addressed packet to the VPN server instead of the
> Sonicwall it will be encrypted and encapsulated (so that it goes through the
> tunnel). Now when the packet reaches the Sonicwall it has the hosting
> server's public IP in the header and is delivered through the Internet.
>
> To summarise, you can connect from the RRAS server to the target
> machine. To connect from another machine on the LAN you need to get the
> packet to the RRAS server first. On the machine which you want to connect to
> the hosting server, add a static route (either a host route for the
> particular IP or a subnet route) to send the traffic addressed to the
> hosting server's private IP to the local RRAS server. It will then go
> through the VPN tunnel.
>
>
>
>


Ok, I think I understand slightly better.. though I think my own terminology
for describing my setup has confused me..

we'll call the RRAS server, in this case, ServerRRAS
the remote dedicated offsite machine is called, DedicatedServer...

another machine on the private local lan we will call DPM07

My goal of this whole setup is to be able to setup a dpm client on the
DedicatedServer so that I can back up data from there via the pptp vpn (or
eventually ipsec, ie: should I really be using pptp, that's a whole other
story, due to the fact the password is sent clear text)...

So if I'm following how this needs to be setup, I would have to setup a
static route on ServerRRAS's static route section... (or would this be better
suited on the sonicwall gateway pointing to the RRAS server .. I think I have
something amiss here)..

I would think a static gateway from RRASserver to the private ip on the
DedicatedServer subnet (192.168.1.0) would be the answer?

But I think from what you mentioned, this wouldn't let other machines on the
private lan, ie: DPM07, see DedicatedServer.. or would it? Or is this an
extra static route that must be set from RRAS to Sonicwall to have it visible
on any machine in the private lan (without installing RRAS on dpm07)..

Sorry, if I'm still a little confused, but I think the idea is getting
closer here..

Thanks for the input.. much appreciated.

(I've only done static gateways one time in the last 5 years and that was
set (I think) on my physical gateway to allow a virtual private network to
work both ways..)


 
 
Bill Grant

 
      08-24-2008, 06:56 AM


"markm75" <(E-Mail Removed)> wrote in message
news:12C1BB47-71DA-4C50-86DD-(E-Mail Removed)...
>
>
> "Bill Grant" wrote:
>
>>
>>
>> "markm75" <(E-Mail Removed)> wrote in message
>> news:EFEA0205-BD18-4C9E-BD29-(E-Mail Removed)...
>> > Here is our situation.. we have a RRAS local domain server in house..
>> > we
>> > use
>> > it to connect via vpn from the outside via pptp tunnels.. this works
>> > fine
>> > from the outside in, but not vice versa.
>> >
>> > We have a dedicated hosting server which sits outside of the local
>> > company
>> > in its own domain.. I can create a vpn connection from it to our side
>> > with
>> > no
>> > trouble, but what i want is to be able to connect from our side to that
>> > machine, so i can do backups via DPM 2007.. so i at least need to be
>> > able
>> > to
>> > see it from one of our domain machines (not the same machine as the
>> > RRAS
>> > server).
>> >
>> > We have no access to a firewall at this time on the hosting machine,
>> > but
>> > can
>> > remote in (2003 enterprise server).
>> >
>> > Our firewall is a sonicwall firewall. (Pro 2040)
>> >
>> > I'm not sure what the best route to take here would be.. so far all i
>> > can
>> > figure is installing RRAS server on the remote dedicated machine and
>> > allowing
>> > for pptp incoming onto that box (not as desirable).
>> >
>> > It also isnt desirable to configure the hardware vpn on our sonicwall
>> > as
>> > it
>> > would probably require a software install on the dedicated server
>> > (unlike
>> > PPTP)..
>> >
>> > Any thoughts on how to achieve this? (I'd prefer ipsec, but from what
>> > i
>> > can
>> > see there would be no way to do this without some sort of 3rd party
>> > install)
>> >
>> > Thanks in advance.
>> >
>> >

>>
>> When you set up a VPN, it ensures that the traffic gets safely from
>> point A to point B (the VPN endpoints). No matter how the VPN is set up,
>> you simply have a point-to-point connection between the two machines, as
>> if
>> they were cabled together.
>>
>> When your VPN connection is up, you can connect from your RRAS
>> server
>> to the VPN client (the hosting server) because they are the VPN
>> endpoints.
>> To make a connection from another machine on the LAN you need to get the
>> traffic across the LAN to the VPN server. By default it will go straight
>> to
>> your default gateway (which is the Sonicwall I presume). If it does that
>> the
>> connection will fail. Because you are using the hosting server's private
>> IP,
>> the Sonicwall will discard the packet.
>>
>> If you get the privately addressed packet to the VPN server instead of
>> the
>> Sonicwall it will be encrypted and encapsulated (so that it goes through
>> the
>> tunnel). Now when the packet reaches the Sonicwall it has the hosting
>> server's public IP in the header and is delivered through the Internet.
>>
>> To summarise, you can connect from the RRAS server to the target
>> machine. To connect from another machine on the LAN you need to get the
>> packet to the RRAS server first. On the machine which you want to connect
>> to
>> the hosting server, add a static route (either a host route for the
>> particular IP or a subnet route) to send the traffic addressed to the
>> hosting server's private IP to the local RRAS server. It will then go
>> through the VPN tunnel.
>>
>>
>>
>>

>
> Ok, i think i understand slightly better.. though i think my own
> terminology
> for describing my setup has confused me..
>
> we'll call the RRAS server, in this case, ServerRRAS
> the remote dedicated offsite machine is called, DedicatedServer...
>
> another machine on the private local lan we will call DPM07
>
> My goal of this whole setup is to be able to setup a dpm client on the
> DedicatedServer so that i can back up data from their via the pptp vpn (or
> eventually ipsec, ie: should i really be using pptp, thats a whole other
> story, due to the fact the password is sent clear text)...
>
> So if i'm following how this needs to be setup, i would have to setup a
> static route on ServerRRAS's static route section... (or would this be
> better
> suited on the sonicwall gateway pointing to the RRAS server .. i think i
> have
> something amiss here)..
>
> I would think a static gateway from RRASserver to the private ip on the
> DedicatedServer subnet (192.168.1.0) would be the answer?
>
> But i think from what you mentioned, this wouldnt let other machines on
> the
> private lan, ie: DPM07, see DedicatedServer.. or would it? Or is this an
> extra static route that must be set from RRAS to Sonicwall to have it
> visible
> on any machine in the private lan (without installing RRAS on dpm07)..
>
> Sorry, if i'm still a little confused, but i think the idea is getting
> closer here..
>
> Thanks for the input.. much appreciated.
>
> (I've only done static gateways one time in the last 5 years and that was
> set (i think) on my physical gateway to allow a virtual private network to
> work both ways..
>
>


No, the RRAS server already has a route to the Dedicated server, because
you can ping it! This is set up automatically when you establish the VPN
connection.

What you need is a static route on the DPM server so that it will send
traffic for the Dedicated server to the RRAS server (so that it can go
through the VPN tunnel).

Assume that the dedicated server has a private IP of 192.168.1.11 and the
RRAS server has a private IP of 192.168.100.11 . On the DPM server you would
need to add a static route to send traffic for 192.168.1.11 to
192.168.100.11 eg

route add -p 192.168.1.11 mask 255.255.255.255 192.168.100.11

(If you do a route print on the RRAS server while your VPN is connected,
you will see that the RRAS server has a host route to 192.168.1.11 through
the tunnel).

Now when the DPM server tries to contact the dedicated server, the packet
goes to the RRAS server which forwards it through the VPN tunnel to the
dedicated server.

The reply comes back through the tunnel (because the dedicated server
knows where the 192.168.100.0 subnet is) and the RRAS server delivers the
packet directly because it has an interface in the same subnet as the DPM
server.

This does not give you an encrypted connection from one server to the
other. The traffic is only encrypted between the VPN endpoints.

IPSec can be tricky to set up unless you are familiar with
certificates.
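
The routing behaviour described in the two replies above (default gateway versus a host route to the RRAS server), as an added example that is not part of the original thread: a small Python model of longest-prefix-match forwarding on the four machines. The host names ServerRRAS, DedicatedServer and DPM07 and the addresses 192.168.1.11 and 192.168.100.11 come from the thread; the Sonicwall and DPM07 addresses (192.168.100.1, 192.168.100.20) and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # next-hop host name, "on-link", or "internet"
    metric: int = 1

def route(net, gateway, metric=1):
    return Route(ipaddress.ip_network(net), gateway, metric)

def next_hop(table, dst_ip):
    """Longest-prefix match; the lowest metric breaks ties. None if no route."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric)).gateway

def build_hosts(dpm_has_static_route):
    """Routing tables with the PPTP tunnel up (addresses partly constructed)."""
    dpm = [route("192.168.100.0/24", "on-link"),
           route("0.0.0.0/0", "Sonicwall")]          # default gateway
    if dpm_has_static_route:
        # Host route to the RRAS server, as in the route add command above.
        dpm.append(route("192.168.1.11/32", "ServerRRAS"))
    return {
        "DPM07": {"ip": "192.168.100.20", "routes": dpm},
        "Sonicwall": {"ip": "192.168.100.1", "routes": [
            route("192.168.100.0/24", "on-link"),
            route("0.0.0.0/0", "internet")]},
        "ServerRRAS": {"ip": "192.168.100.11", "routes": [
            route("192.168.100.0/24", "on-link"),
            route("192.168.1.11/32", "DedicatedServer"),   # via the tunnel
            route("0.0.0.0/0", "Sonicwall")]},
        "DedicatedServer": {"ip": "192.168.1.11", "routes": [
            route("192.168.100.0/24", "ServerRRAS"),       # via the tunnel
            route("0.0.0.0/0", "internet")]},  # remote default gateway unchecked
    }

def trace(hosts, src, dst_ip, max_hops=8):
    """Follow next hops from src towards dst_ip; return (path, outcome)."""
    owner = {h["ip"]: name for name, h in hosts.items()}
    path, here = [src], src
    for _ in range(max_hops):
        if hosts[here]["ip"] == dst_ip:
            return path, "delivered"
        hop = next_hop(hosts[here]["routes"], dst_ip)
        if hop == "on-link":
            hop = owner.get(dst_ip)        # same subnet: deliver directly
        if hop is None:
            return path, "no route"
        if hop == "internet":
            # A private destination cannot be routed on the public Internet.
            private = ipaddress.ip_address(dst_ip).is_private
            return path, ("dropped" if private else "forwarded to Internet")
        path.append(hop)
        here = hop
    return path, "loop"

if __name__ == "__main__":
    for has_route in (False, True):
        hosts = build_hosts(has_route)
        print("static route on DPM07:", has_route,
              trace(hosts, "DPM07", "192.168.1.11"))
    print("reply path:",
          trace(build_hosts(True), "DedicatedServer", "192.168.100.20"))
```
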

 