Site to Site VPN routing issues

I have setup a PPTP site to site VPN using the routing and remote access
wizard. There is a connection and I can reach both end points however the
trouble is on either network on a client PC I can only reach the end point
server and I cannot route to anywhere else on the network.

Network A is setup as follow
Server 192.168.10.2
Subnet 192.168.10.x

Network B
Server 192.168.0.2
Subnet 192.168.0.x

Both have a single NIC and both networks have a router with the PPTP port
forwarded.

Any help would be appreciated.

"Mike" <(E-Mail Removed)> wrote in message
news:7CE95319-B5FB-4A37-8381-(E-Mail Removed)...
>I have setup a PPTP site to site VPN using the routing and remote access
> wizard. There is a connection and I can reach both end points however the
> trouble is on either network on a client PC I can only reach the end point
> server and I cannot route to anywhere else on the network.
>
> Network A is setup as follow
> Server 192.168.10.2
> Subnet 192.168.10.x
>
> Network B
> Server 192.168.0.2
> Subnet 192.168.0.x
>
> Both have a single NIC and both networks have a router with the PPTP port
> forwarded.
>
> Any help would be appreciated.

What is the default gateway setting on the workstations in each site?

Site to site routing only works straight off if the VPN router is the
default router for the local network. If the default gateway is another
router, traffic for the other site goes directly to the gateway router and
is dropped (because it has a private IP).

If this is your problem you need to add a static route to each gateway
router (you cannot fix this with settings on the VPN routers) to bounce the
private traffic to the VPN endpoint. It is then encrypted and encapsulated
before it gets to the gateway router.

Yes, the gateway is set to the VPN router on each machine. I followed the
Microsoft guide for setting up a VPN connection in a test lab.

"Bill Grant" wrote:

>
> "Mike" <(E-Mail Removed)> wrote in message
> news:7CE95319-B5FB-4A37-8381-(E-Mail Removed)...
> >I have setup a PPTP site to site VPN using the routing and remote access
> > wizard. There is a connection and I can reach both end points however the
> > trouble is on either network on a client PC I can only reach the end point
> > server and I cannot route to anywhere else on the network.
> >
> > Network A is setup as follow
> > Server 192.168.10.2
> > Subnet 192.168.10.x
> >
> > Network B
> > Server 192.168.0.2
> > Subnet 192.168.0.x
> >
> > Both have a single NIC and both networks have a router with the PPTP port
> > forwarded.
> >
> > Any help would be appreciated.
>
> What is the default gateway setting on the workstations in each site?
>
> Site to site routing only works straight off if the VPN router is the
> default router for the local network. If the default gateway is another
> router, traffic for the other site goes directly to the gateway router and
> is dropped (because it has a private IP).
>
> If this is your problem you need to add a static route to each gateway
> router (you cannot fix this with settings on the VPN routers) to bounce the
> private traffic to the VPN endpoint. It is then encrypted and encapsulated
> before it gets to the gateway router.
>
>

OK. The next thing to check is that the static routes are in place.

Do you have a static route for the "other" subnet linked to the
demand-dial inerface on each router? That is the first essenial. The second
essential is that these routes become active.

The route on the calling router will be activated when it connects. The
route on the answering router will only become active if you actually
connect to the demand-dial interface on the answering router. For this to
happen, the calling router must use the name of this router as its username
when conncting. The dd interface on the answering router will then become
active and the route should be added to the routing table.

You can check that the interface is active from the RRAS console. You
can check the routing tables from the RRAS console or use the command route
print from a command prompt.

"Mike" <(E-Mail Removed)> wrote in message
news:378E106A-EF42-468C-A872-(E-Mail Removed)...
> Yes, the gateway is set to the VPN router on each machine. I followed the
> Microsoft guide for setting up a VPN connection in a test lab.
>
> "Bill Grant" wrote:
>
>>

Yes, the static routes are setup on both ends pointing to the other subnet. I
also see the routes are added.

"Bill Grant" wrote:

> OK. The next thing to check is that the static routes are in place.
>
> Do you have a static route for the "other" subnet linked to the
> demand-dial inerface on each router? That is the first essenial. The second
> essential is that these routes become active.
>
> The route on the calling router will be activated when it connects. The
> route on the answering router will only become active if you actually
> connect to the demand-dial interface on the answering router. For this to
> happen, the calling router must use the name of this router as its username
> when conncting. The dd interface on the answering router will then become
> active and the route should be added to the routing table.
>
> You can check that the interface is active from the RRAS console. You
> can check the routing tables from the RRAS console or use the command route
> print from a command prompt.
>
> "Mike" <(E-Mail Removed)> wrote in message
> news:378E106A-EF42-468C-A872-(E-Mail Removed)...
> > Yes, the gateway is set to the VPN router on each machine. I followed the
> > Microsoft guide for setting up a VPN connection in a test lab.
> >
> > "Bill Grant" wrote:
> >
> >>
>
>

That should be OK. I guess you will just have to monitor the traffic to
see where it is failing.

"Mike" <(E-Mail Removed)> wrote in message
news:60A97323-69DB-4DD2-B462-(E-Mail Removed)...
> Yes, the static routes are setup on both ends pointing to the other
> subnet. I
> also see the routes are added.
>
> "Bill Grant" wrote:
>
>> OK. The next thing to check is that the static routes are in place.
>>
>> Do you have a static route for the "other" subnet linked to the
>> demand-dial inerface on each router? That is the first essenial. The
>> second
>> essential is that these routes become active.
>>
>> The route on the calling router will be activated when it connects.
>> The
>> route on the answering router will only become active if you actually
>> connect to the demand-dial interface on the answering router. For this to
>> happen, the calling router must use the name of this router as its
>> username
>> when conncting. The dd interface on the answering router will then become
>> active and the route should be added to the routing table.
>>
>> You can check that the interface is active from the RRAS console. You
>> can check the routing tables from the RRAS console or use the command
>> route
>> print from a command prompt.
>>
>> "Mike" <(E-Mail Removed)> wrote in message
>> news:378E106A-EF42-468C-A872-(E-Mail Removed)...
>> > Yes, the gateway is set to the VPN router on each machine. I followed
>> > the
>> > Microsoft guide for setting up a VPN connection in a test lab.
>> >
>> > "Bill Grant" wrote:
>> >
>> >>
>>
>>