site to site routing through VPN

Hello All!
I've got a server to server VPN set-up for routing
between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
sbs. they are seperate domains. site 1 domain a; site 2
domain b.

I can get the servers connected via vpn. using defined
interfaces. I've added the routes for the networks in
each routing table. I can ping from router in site 1 to
all systems in site 2 and viseversa. But I can't ping
from any workstation in either site across the servers to
the other site, workstation in site 1 can't ping router
or workstations or servers in site 2 and viseversa.

Thus I can't connect to apps or check email either.
anyone got any ideas?

Cheers and ty in advance!

Ping from server to server is easy - they are joined by a point-to-point
link! To get from client to client requires the routing to be working.

How did you add the routes? Are they linked to the demand-dial
interfaces?

Check that the VPN actually binds to both dd interfaces.
Check that the subnet routes are added to the routing table at both
ends, using the VPN endpoint as the interface.
Check that the clients at both ends use the VPN router as their default
gateway.

"Scott Taylor" <(E-Mail Removed)> wrote in message
news:c40d01c4386d$4ffdcb80$(E-Mail Removed)...
> Hello All!
> I've got a server to server VPN set-up for routing
> between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
> sbs. they are seperate domains. site 1 domain a; site 2
> domain b.
>
> I can get the servers connected via vpn. using defined
> interfaces. I've added the routes for the networks in
> each routing table. I can ping from router in site 1 to
> all systems in site 2 and viseversa. But I can't ping
> from any workstation in either site across the servers to
> the other site, workstation in site 1 can't ping router
> or workstations or servers in site 2 and viseversa.
>
> Thus I can't connect to apps or check email either.
> anyone got any ideas?
>
> Cheers and ty in advance!
>

In addition to Bill's comments,...also make sure you actually set it up as
Site-to-Site and not simply a Remote Access VPN.

Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/pro.../vpndpls2.mspx


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Scott Taylor" <(E-Mail Removed)> wrote in message
news:c40d01c4386d$4ffdcb80$(E-Mail Removed)...
> Hello All!
> I've got a server to server VPN set-up for routing
> between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
> sbs. they are seperate domains. site 1 domain a; site 2
> domain b.
>
> I can get the servers connected via vpn. using defined
> interfaces. I've added the routes for the networks in
> each routing table. I can ping from router in site 1 to
> all systems in site 2 and viseversa. But I can't ping
> from any workstation in either site across the servers to
> the other site, workstation in site 1 can't ping router
> or workstations or servers in site 2 and viseversa.
>
> Thus I can't connect to apps or check email either.
> anyone got any ideas?
>
> Cheers and ty in advance!
>

Thanks for the response Bill.

I added the routes through the routing and remote access
admin, static routes. The default gateway is the servers
in both cases. Could you elaborate on how to look into
these issues here. I'm not sure what you mean or where to
look:

"Are they linked to the demand-dial
>interfaces?"
do you mean the interface I created? If so I added the
route when I installed the interface and the route uses
the interface as it's gateway.

> Check that the VPN actually binds to both dd
interfaces.
How do I check this?

> Check that the subnet routes are added to the
routing table at both
>ends, using the VPN endpoint as the interface.
Could you elaborate here? Not sure what you mean.

I also wanted to add... there is not a trust between the
two domains yet. Would this cause me to not be able to
ping? Second the 2k3 server is not multi homed, is there
perhaps an issue with this? I think I may have read
something about issues with not being multi homed and
rras. Any ideas?

Cheers! and thanks for the response.


>-----Original Message-----
> Ping from server to server is easy - they are joined
by a point-to-point
>link! To get from client to client requires the routing
to be working.
>
> How did you add the routes? Are they linked to the
demand-dial
>interfaces?
>
> Check that the VPN actually binds to both dd
interfaces.
> Check that the subnet routes are added to the
routing table at both
>ends, using the VPN endpoint as the interface.
> Check that the clients at both ends use the VPN
router as their default
>gateway.
>
>"Scott Taylor" <(E-Mail Removed)>
wrote in message
>news:c40d01c4386d$4ffdcb80$(E-Mail Removed)...
>> Hello All!
>> I've got a server to server VPN set-up for routing
>> between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
>> sbs. they are seperate domains. site 1 domain a; site 2
>> domain b.
>>
>> I can get the servers connected via vpn. using defined
>> interfaces. I've added the routes for the networks in
>> each routing table. I can ping from router in site 1 to
>> all systems in site 2 and viseversa. But I can't ping
>> from any workstation in either site across the servers
to
>> the other site, workstation in site 1 can't ping router
>> or workstations or servers in site 2 and viseversa.
>>
>> Thus I can't connect to apps or check email either.
>> anyone got any ideas?
>>
>> Cheers and ty in advance!
>>
>
>
>.
>

Thanks Phillip, I'm printing out the article now.
I set it up as I've done in the past creating steelhead
servers. That could be where I'm going wrong. I'm new to
2k3 and 2k for that matter.

>-----Original Message-----
>In addition to Bill's comments,...also make sure you
actually set it up as
>Site-to-Site and not simply a Remote Access VPN.
>
>Virtual Private Networking with Windows Server 2003:
Deploying Site-to-Site
>VPNs
>http://www.microsoft.com/technet/pro...l/windowsserve
r2003/technologies/networking/vpndpls2.mspx
>
>
>--
>
>Phillip Windell [MCP, MVP, CCNA]
>www.wandtv.com
>
>
>"Scott Taylor" <(E-Mail Removed)>
wrote in message
>news:c40d01c4386d$4ffdcb80$(E-Mail Removed)...
>> Hello All!
>> I've got a server to server VPN set-up for routing
>> between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
>> sbs. they are seperate domains. site 1 domain a; site 2
>> domain b.
>>
>> I can get the servers connected via vpn. using defined
>> interfaces. I've added the routes for the networks in
>> each routing table. I can ping from router in site 1 to
>> all systems in site 2 and viseversa. But I can't ping
>> from any workstation in either site across the servers
to
>> the other site, workstation in site 1 can't ping router
>> or workstations or servers in site 2 and viseversa.
>>
>> Thus I can't connect to apps or check email either.
>> anyone got any ideas?
>>
>> Cheers and ty in advance!
>>
>
>
>.
>

Resolved!

Thanks Bill and Phillip.
The issue was the interfaces were not connecting to the
proper interface on the remote site. Thus authenticating
as a regular vpn user ='ing no routing.

for it to work correctly the username has to match the vpn
interface name.

interface name: vpn_site1
user name: vpn_site1

if doing 2 way this must be done on each box.
2nd box:
interface name: vpn_site2
user name: vpn_site2

site1 connection credetials set to use the user name:
vpn_site2

and site2 connection credetials set to use the user name:
vpn_site1

Hope that helps someone else. Cheers all!




>-----Original Message-----
>Hello All!
>I've got a server to server VPN set-up for routing
>between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
>sbs. they are seperate domains. site 1 domain a; site 2
>domain b.
>
>I can get the servers connected via vpn. using defined
>interfaces. I've added the routes for the networks in
>each routing table. I can ping from router in site 1 to
>all systems in site 2 and viseversa. But I can't ping
>from any workstation in either site across the servers to
>the other site, workstation in site 1 can't ping router
>or workstations or servers in site 2 and viseversa.
>
>Thus I can't connect to apps or check email either.
>anyone got any ideas?
>
>Cheers and ty in advance!
>
>.
>

Yep, that's it. If the username doesn't match the interface name, you
just connect as a normal "client-server" user, not a router. The dd
interface isn't bound to the connection and the route isn't added to the
routing table.

It works this way because, if you have multiple connections, each one
must connect to the correct interface to set up the correct return route for
the "calling" site.

"scott taylor" <(E-Mail Removed)> wrote in message
news:cca201c4390e$54fc9020$(E-Mail Removed)...
> Resolved!
>
> Thanks Bill and Phillip.
> The issue was the interfaces were not connecting to the
> proper interface on the remote site. Thus authenticating
> as a regular vpn user ='ing no routing.
>
> for it to work correctly the username has to match the vpn
> interface name.
>
> interface name: vpn_site1
> user name: vpn_site1
>
> if doing 2 way this must be done on each box.
> 2nd box:
> interface name: vpn_site2
> user name: vpn_site2
>
> site1 connection credetials set to use the user name:
> vpn_site2
>
> and site2 connection credetials set to use the user name:
> vpn_site1
>
> Hope that helps someone else. Cheers all!
>
>
>
>
> >-----Original Message-----
> >Hello All!
> >I've got a server to server VPN set-up for routing
> >between two sites. Site 1 is NT 4 domain. Site 2 is 2k3
> >sbs. they are seperate domains. site 1 domain a; site 2
> >domain b.
> >
> >I can get the servers connected via vpn. using defined
> >interfaces. I've added the routes for the networks in
> >each routing table. I can ping from router in site 1 to
> >all systems in site 2 and viseversa. But I can't ping
> >from any workstation in either site across the servers to
> >the other site, workstation in site 1 can't ping router
> >or workstations or servers in site 2 and viseversa.
> >
> >Thus I can't connect to apps or check email either.
> >anyone got any ideas?
> >
> >Cheers and ty in advance!
> >
> >.
> >