VPN Tunnel Connects, can't access resources

 
 
compsosinc@gmail.com
Guest
Posts: n/a

 
      02-23-2007, 03:16 AM
Using (2) Linksys RV042s in Gateway-to-Gateway VPN -Site A & Site B.
Each site has a Static IP from ISP. I have established the VPN tunnel,
however cannot connect to shared resource to/from either location and
I think it is related to a networking/subnet issue. We only need to
access a shared folder on our Server At Site A that has 10.10.10.150
as Internal NIC IP.

SITE A NETWORK: is a Win2K3 Domain running Active Directory with a
server that has (2) Network adapters. The NICs are set up like this:

Internal NIC:
IP=10.10.10.150
SN=255.255.255.0
GW=empty
DNS1=10.10.10.150

External NIC:
IP= 192.168.16.1
sn=255.255.255.0
GW=192.168.16.254 (this is the LAN IP of the RV042 Router at Site A)
DNS=10.10.10.150

The workstations on this domain use static IPs on LAN:
IP: 10.10.10.xxx
DG: 10.10.10.150
DNS 10.10.10.150

RV042- SITE A -SETUP:

Local Group Setup:
IP Only
Static IP from ISP
Local Security Group Type: Subnet
IP: 10.10.10.0
SN: 255.255.255.0

Remote Group Setup:
IP Only
IP Addr: Static IP for remote site
RS Group Type: Subnet
IP: 192.168.1.0
SN: 255.255.255.0

IPSEC setup matches router at Site B as follows:

Preshared key/3DES/SHA1/14400 PFS checked; Phase 2 same as Phase 1.

SITE B NETWORK:

Windows XP PCs on peer-to-peer in a workgroup. The RV042 here is
running DHCP.
The LAN IP of the Router is: 192.168.1.1. The workstations get
192.168.1.xxx addresses.

While at Site B, I can ping & remotely administer the router at Site
A.

While at Site B, I cannot connect to \\10.10.10.150\sharedfolder. I
tried adding username from SiteB to the SiteA domain, and tried the
"Connect as User" method.

Any ideas? Should we change the SiteB network to 10.10.10.xxx based or
192.168.16.xxx-based?

 
Bill Grant
Guest
Posts: n/a

 
      02-23-2007, 05:53 AM
Why do you have two NICs in the DC? (Multihoming a DC is bad
practice and is not recommended. It causes all sorts of odd problems). Why
are the machines at site A using the server as their default gateway? Why
are they not using the Linksys? How do machines at site A access the
Internet?


I have not used the Linksys RV042 but I didn't think it was capable of
site to site VPN. If it is not, each client at site B will be setting up a
unique tunnel to the router at site A. If that is the case, it doesn't
matter what IP addressing you use at site B (as long as it is not identical
to the LAN machines at Site A). Each client will get an IP which matches the
LAN address at site A for its "virtual" connection. It will use this
address for communicating with the devices at site A. That is what VPN does.
The client is "virtually" on the remote LAN.

Trying to join remote clients to a domain can be a problem. You should
be able to share files if the user has logged on with a username and
password which matches an AD account. (I am talking about the original logon
to the machine, not the username entered to set up the VPN.) You will probably
need to make your workgroup name the same as the NetBIOS name of your domain
for this to work. Then the user's workgroup/username/password sequence will
exactly match the domain/username/password of the account in AD.

compsosinc@gmail.com
Guest
Posts: n/a

 
      02-23-2007, 04:08 PM

Ok, the 2 NICs were pre-VPN setup, pre Linksys RV042 routers. This was
a recommended configuration for isolating the Server & LAN from the
Internet (WAN). We can go back to 1 NIC but would like to learn how
this can be accomplished using 2. Our Server is not intended to be the
VPN endpoint as we understand this gateway-to-gateway using (2) RV042
routers.

I remember when the 2nd NIC was added to the server we ran RRAS so
that the workstations could access the Internet through the external
interface on the server. We had to add the DNS information for the
Server's internal NIC to the TCP/IP properties on the workstations.

If you have an example setup of a gateway-to-gateway vpn, using 1 NIC
on the server, including physical cable connections between Server,
Router, & cable modem, main switch, it would be appreciated. We are
not running DHCP on the Server and prefer not to change that--if
possible. Maybe we need to go back to basics.

I am confused by the fact that we have a tunnel created/connected
between the sites but cannot ping the Main office's LAN. In short, if
we have this connection, what troubleshooting steps can you recommend
to prove where our problem is?

Thank you so much!

 
 
Bill Grant
Guest
Posts: n/a

 
      02-24-2007, 12:12 AM
When you set up a VPN link, you set up a situation where the remote user
or site is "virtually" on your LAN. The problem with your setup is that the
VPN router is not on your LAN. Your LAN is using the 10.10.10 IP subnet, but
your router is not connected to that subnet.

As I said before I am not familiar with your router but I would expect
it to be the default gateway of your LAN, not isolated from it by your
server. I would run the server with one NIC and set the Linksys to be the
default gateway of the LAN. The Linksys would be your connection to the
public network, not the second NIC of the server. Then the router would have
an interface in the 10.10.10 subnet and the remote site would have a chance
to contact machines in that subnet. The router connects your LAN to the
Internet and also is the endpoint of your VPN link to the remote site, e.g.

        Internet
            |
     public interface
         Linksys
        10.10.10.n
            |
         server
       10.10.10.150     dg 10.10.10.n
            |           dns 10.10.10.150
         clients
        10.10.10.x      dg 10.10.10.n
                        dns 10.10.10.150


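Added example (not part of the thread): a Python check that models Site A as described in the first post and the single-NIC layout from the diagram above, and reports when the VPN router has no LAN interface in the subnet it offers to the tunnel. The router address 10.10.10.1 (standing in for 10.10.10.n), the workstation address 10.10.10.20, and the function and finding names are assumptions made for illustration.

```python
import ipaddress


def check_tunnel_site(gw_lan_if, local_group, remote_group, hosts):
    """Return [(finding, subject)] for one end of a gateway-to-gateway tunnel.

    gw_lan_if    -- VPN router's LAN interface, e.g. "192.168.16.254/24"
    local_group  -- subnet this router offers to the tunnel
    remote_group -- subnet reached through the tunnel
    hosts        -- {name: (ip, effective default gateway)} on the local LAN
    """
    gw = ipaddress.ip_interface(gw_lan_if)
    local = ipaddress.ip_network(local_group)
    remote = ipaddress.ip_network(remote_group)
    findings = []

    # The router must sit in the subnet it offers to the tunnel; otherwise
    # decrypted packets for that subnet have no directly attached LAN to go to
    # (static routes on the router are not modelled here).
    if gw.ip not in local:
        findings.append(("gateway-off-subnet", str(gw.ip)))

    # Both ends must use distinct ranges, or hosts treat the far side as
    # on-link and never hand the packet to the router.
    if local.overlaps(remote):
        findings.append(("subnets-overlap", str(remote)))

    # Replies to the remote subnet follow each host's default route. If that
    # is not the VPN router, the return path depends on another forwarding hop.
    for name, (addr, default_gw) in hosts.items():
        if ipaddress.ip_address(addr) not in local:
            continue
        if ipaddress.ip_address(default_gw) != gw.ip:
            findings.append(("indirect-return-path", name))
    return findings


# Site A as described in the first post. The server's effective default
# gateway is the one on its external NIC; 10.10.10.20 is a constructed
# workstation address standing in for 10.10.10.xxx.
SITE_A_AS_POSTED = dict(
    gw_lan_if="192.168.16.254/24",
    local_group="10.10.10.0/24",
    remote_group="192.168.1.0/24",
    hosts={"server": ("10.10.10.150", "192.168.16.254"),
           "workstation": ("10.10.10.20", "10.10.10.150")},
)

# Single-NIC layout from the diagram, with 10.10.10.1 assumed for 10.10.10.n.
SITE_A_SINGLE_NIC = dict(
    gw_lan_if="10.10.10.1/24",
    local_group="10.10.10.0/24",
    remote_group="192.168.1.0/24",
    hosts={"server": ("10.10.10.150", "10.10.10.1"),
           "workstation": ("10.10.10.20", "10.10.10.1")},
)

# The renumbering asked about in the first post: Site B moved into 10.10.10.x.
SITE_B_RENUMBERED = dict(SITE_A_SINGLE_NIC, remote_group="10.10.10.0/24")

if __name__ == "__main__":
    for label, site in [("as posted", SITE_A_AS_POSTED),
                        ("single NIC", SITE_A_SINGLE_NIC),
                        ("Site B renumbered", SITE_B_RENUMBERED)]:
        print(label, check_tunnel_site(**site))
```
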
 
compsosinc@gmail.com
Guest
Posts: n/a

 
      03-01-2007, 11:45 PM

Thanks so much. I will try this..next week.

 