#1
When I VPN into WIN2K it doesn't give the internal gateway address. However, it does give an internal IP address in place of the gateway address. I could access all the resources internally but not outside resources while I am in VPN mode.

What am I doing wrong? How do I set it up so that the client who VPNs in will get the internal gateway address?

Thanks

YH
#2
The gateway is fine. This is because you are effectively using a Point-to-point link now, and there is only 1 place to send the packet... to the other end of the link. Now in order to reach remote resources IP Forwarding must be enabled. If your VPN clients are addressed for a separate subnet than the resources, then the proper routes must be in place.

Quick example:

    Resource                     RRAS     VPN Client
    [ ]--------------------------{ }>>>>>>| |
         192.168.1.X /24           172.16.X.X /16

In this case, notice that the Client is in a separate subnet than the resource. The resource would need a route that says to get to the 172.16 network, send the packets to the RRAS server.

--
Dusty Harper
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------

"Yieng Him" <(E-Mail Removed)> wrote in message news:BBDEA5BF.8B5%(E-Mail Removed)...
> When I VPN into WIN2K it doesn't give the internal gateway address.
> However, it does give an internal IP address in place of the gateway address.
> I could access all the resources internally but not outside resources while I
> am in VPN mode.
>
> What am I doing wrong? How do I set it up so that the client who VPNs in
> will get the internal gateway address?
>
> Thanks
>
> YH
#3
On 11/17/03 8:25 PM, in article (E-Mail Removed), "Dusty Harper {MS}" <(E-Mail Removed)> wrote:

> The gateway is fine. This is because you are effectively using a
> Point-to-point link now, and there is only 1 place to send the packet... to
> the other end of the link. Now in order to reach remote resources IP
> Forwarding must be enabled. If your VPN clients are addressed for a
> separate subnet than the resources, then the proper routes must be in place.
>
> Quick example:
>
>     Resource                     RRAS     VPN Client
>     [ ]--------------------------{ }>>>>>>| |
>          192.168.1.X /24           172.16.X.X /16
>
> In this case, notice that the Client is in a separate subnet than the
> resource. The resource would need a route that says to get to the 172.16
> network, send the packets to the RRAS server.

I did all that already. But for some reason the VPN client cannot access outside resources. The client was able to access all the resources inside but not outside. The internal IP, Gateway and Subnet Mask are different from the VPN Client. I went to the registry and added the following value.

Value Name: IPEnableRouter
Value Type: REG_DWORD
Value Data: 1

What do I need to add or change to make this work?

Thanks

YH
#4
YH,

What Dusty said was correct. But here is a missing piece for you, I believe. The VPN client DOES NOT "get" a default route "0.0.0.0" from the server, it only gets the "segment" the server is attached to, such that if the server is 192.168.0.5, and DHCP (or Static) sends an IP of 192.168.0.30 to you then your route table will reflect:

    192.168.0.0 mask 255.255.255.0 GW 192.168.0.30

Which is understood as the point 2 point connection.

When you send any packet destined for 192.168.0.X it will go towards the VPN. Your 0.0.0.0 on the other hand is going to go towards your DSL or whatever was set originally on your system.

To push ALL of your traffic down the VPN regardless, then make sure you click the box "use default GW on remote server" under networking of the VPN Client.

Open Client: Properties / Networking (tab) / select Internet Protocol (ip) / Properties / advanced
Then select that option.

Next note. If that option is selected then verify using ROUTE PRINT (Go to Run/CMD), and check to make sure

    0.0.0.0 mask 0.0.0.0 (your GW IP) Metric 20 (or something greater than)
    0.0.0.0 mask 0.0.0.0 (your VPN IP) Metric 10 (Something lower).

The next tests come from your network (the one you're attaching to):

The VPN server: can it access the outside world?
Is the IP block you are assigning routable through your GW (look for NAT issues etc)?

Hope this is a start

Good luck
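The ROUTE PRINT check described in the post above, as an added example that is not part of the original thread: it parses route-table rows and applies longest-prefix-then-lowest-metric selection to show whether Internet-bound traffic leaves through the VPN or bypasses it. The sample tables are constructed; 203.0.113.x stands in for the client's own DSL network, 198.51.100.7 for an arbitrary Internet host, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample rows in ROUTE PRINT column order:
# Network Destination, Netmask, Gateway, Interface, Metric.
# 192.168.0.30 is the VPN-assigned address from the post above.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.50      20
      192.168.0.0    255.255.255.0     192.168.0.30    192.168.0.30      10
      203.0.113.0    255.255.255.0     203.0.113.50    203.0.113.50      20
"""
# Constructed: the same table once "use default GW on remote server" is ticked.
FULL_TUNNEL = SPLIT_TUNNEL + (
    "          0.0.0.0          0.0.0.0     192.168.0.30    192.168.0.30      10\n")

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # header and separator lines
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            metric = int(fields[4])
        except ValueError:            # not an address/mask/metric row
            continue
        routes.append((net, fields[2], fields[3], metric))
    return routes

def next_hop(routes, dest):
    """Gateway chosen for dest, or None if no route matches."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    best = min(matches, key=lambda r: (-r[0].prefixlen, r[3]))
    return best[1]

def internet_via_vpn(routes, vpn_ip, probe="198.51.100.7"):
    """True when an arbitrary Internet address is routed into the tunnel."""
    return next_hop(routes, probe) == vpn_ip

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        routes = parse_routes(table)
        print(name, "Internet via VPN:", internet_via_vpn(routes, "192.168.0.30"))
```

When the result is True, the client's Internet access depends entirely on the VPN server forwarding and NATing that traffic; when it is False, Internet traffic never enters the tunnel and bypasses the office gateway.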
#5
On 11/18/03 1:30 PM, in article (E-Mail Removed), "Alexander G. Paoli [MVP]" <alex.paoli@127.0.0.1> wrote:

> YH,
>
> What Dusty said was correct. But here is a missing piece for you, I believe. The
> VPN client DOES NOT "get" a default route "0.0.0.0" from the server, it only
> gets the "segment" the server is attached to, such that if the server is
> 192.168.0.5, and DHCP (or Static) sends an IP of 192.168.0.30 to you then
> your route table will reflect:
>
> 192.168.0.0 mask 255.255.255.0 GW 192.168.0.30 Which is understood as the
> point 2 point connection
>
> When you send any packet destined for 192.168.0.X it will go towards the
> VPN. Your 0.0.0.0 on the other hand is going to go towards your DSL or
> whatever was set originally on your system
>
> To push ALL of your traffic down the VPN regardless, then make sure you
> click the box "use default GW on remote server" under networking of the VPN
> Client.
>
> Open Client: Properties / Networking (tab) / select Internet Protocol (ip) /
> Properties / advanced
> Then select that option.
>
> Next note. If that option is selected then verify using ROUTE PRINT (Go to
> Run/CMD), and check to make sure
>
> 0.0.0.0 mask 0.0.0.0 (your GW IP) Metric 20 (or something greater than)
> 0.0.0.0 mask 0.0.0.0 (your VPN IP) Metric 10 (Something lower).
>
> The next tests come from your network (the one you're attaching to)
>
> The VPN server: can it access the outside world
> Is the IP block you are assigning routable through your GW (look for NAT
> issues etc)
>
> Hope this is a start
>
> Good luck

Everything you stated is true. After the "use default GW on remote server" is checked it still doesn't work. My internal network can access the outside world. I use a dot 10 IP including the VPN. Any more suggestions are greatly appreciated.

Thanks

YH
#6
YH

Ok, next test. With your client set to "use default GW" ...

Log on to your network.
Have someone at your office telnet to your router and see if they can ping your IP.

DOES the server you log onto go to the internet? What is its Default GW? If it does not have a path out then neither will you. Make sure of this.

What is your IP? Is it part of the 10 Network with the proper Netmask as the other machine?

I would look at the following places:

1. The server, and it has a proper 0.0.0.0 pointing to the router and nowhere else
2. The block you get assigned IS NOT part of the "nattable" space in your router
3. The router can't see you, thus you're on a different block

Alex Paoli