yet another vpn/routing question

 
 
Jeremy
04-27-2004, 12:22 PM
Was playing around with getting VPN set up on w2k advanced server. When I go
through the VPN wizard in routing and remote access, it still lists the
correct routes and gateways in the configs, and in network properties.

IP 10.146.183.251
GW 10.146.183.253
DNS 10.146.183.254
Netmask 255.255.255.0

Above is what everything shows set to. Which should work, but for some
reason when routing and remote access kicks in the network card stops
responding and when I do a route print I now show the following, even though
the above settings still show in routing/remote access.

Network destination  Netmask          Gateway    Interface
10.146.183.251       255.255.255.255  127.0.0.1  127.0.0.1

Any way to fix that or straighten that out? Only way to get the card
working is to disable routing and remote access and reboot. But every time I
go back through the wizard the above funky settings come back, even though
they are listed in routing and remote access as above.

--


Jeremy Kettelhohn


 
Matthew [MSFT]
04-27-2004, 02:20 PM
Hi Jeremy,

The route itself looks to be correct. But is that the only route you see
in the route table?

One thing to be careful of is when you use the Wizard to add the VPN
server, you will get packet filters applied to the network card (for
security reasons). It will only pass 1723 and GRE traffic.

You can go into the properties of the interface ( in RRAS under ip routing
-> general) and remove these. As long as the server is internal (and does
not have a direct connection to the internet), then this should be ok.


Thank you,
Matthew Fresoli
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.


 
Jeremy
04-27-2004, 02:27 PM
No, it wasn't the only route, but for ease of typing I only included the one
that changed the most. Is there an easy way to use the wizard and set up VPN
with an internal network NIC and a NIC with Internet? So that in theory
I could allow VPNs coming in on the Internet NIC to access the internal
network? I had it working briefly, then all of a sudden the route got munged
and seemed to be routing everything to the local loopback of 127.0.0.1, even
though with my limited experience I looked everywhere it was listing the
routes as still being what the network cards were set with. But the
route -print didn't match what the cards were set with; my example is the
internal NIC being set to a gateway of 127.0.0.1 instead of 10.146.183.253

--


Jeremy Kettelhohn


Phillip Windell
04-27-2004, 03:17 PM
It sounds like the routing table is perfectly fine and you are only thinking
it is wrong and in the process of trying to correct it you may be messing it
up.

What you are looking at is not the Default Gateway entry. It is the Loopback
Route and that is the way it is supposed to look. The Default Gateway route
looks like this:

Destination  Netmask  Gateway         Interface
0.0.0.0      0.0.0.0  10.146.183.253  10.146.183.251

These are loopback routes and should be there as they are. The one for
127.0.0.0 is the "localhost loopback". They do the same thing but one is
used when you use the name "localhost" (or 127.0.0.1), and the other is used
when you use the machine's name (or 10.146.183.251), but in the end they do
the same thing:

Destination     Netmask          Gateway    Interface
127.0.0.0       255.0.0.0        127.0.0.1  127.0.0.1
10.146.183.251  255.255.255.255  127.0.0.1  127.0.0.1

I suspect that your problem lies somewhere in the actual configuration of
RRAS and the problem has nothing to do with the Routing table. If your
network is a single subnet private network, then there is *nothing* to
configure in any routing table. Layer3 Routers (such as RRAS) will
automatically know what to do with networks that are directly connected to
their ports. They are referred to as simply "Directly Connected Networks" or
in some documentation it may just say "Connected Networks". There is simply
no configuration needed for such networks. "Routes" are only required when
there is more than one "hop" between the Source and Destination (in other
words two or more routers between them).

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
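
Added example, not part of the original posts: a Python sketch of the reading described in the reply above, classifying `route print` rows so that the per-address loopback route is not mistaken for a broken default gateway. The sample table is constructed from the rows quoted in the thread plus an assumed connected-subnet row, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: thread's rows plus an assumed connected-subnet row.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.146.183.253  10.146.183.251       1
     10.146.183.0    255.255.255.0   10.146.183.251  10.146.183.251       1
   10.146.183.251  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""

def parse_routes(text):
    """Return (network, gateway, interface) for every row of dotted quads."""
    routes = []
    for line in text.splitlines():
        try:
            dest, mask, gw, iface = line.split()[:4]
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           ipaddress.ip_address(gw), ipaddress.ip_address(iface)))
        except ValueError:
            continue  # header, blank line or a row this sketch does not model
    return routes

def classify(route, routes):
    net, gw, iface = route
    if net.prefixlen == 0:
        return "default gateway"
    if gw.is_loopback and net.prefixlen == 32:
        # A /32 for one of the machine's own addresses is expected.
        own = any(i == net.network_address for _, _, i in routes)
        return "own-address loopback" if own else "host route to loopback"
    if gw.is_loopback:
        return "localhost loopback"
    # Older Windows lists the interface's own address as gateway when on-link.
    return "directly connected" if gw == iface else "remote via gateway"

def default_gateway_findings(routes):
    connected = [r[0] for r in routes if classify(r, routes) == "directly connected"]
    defaults = [r for r in routes if r[0].prefixlen == 0]
    findings = [] if defaults else ["no default route"]
    for _, gw, _ in defaults:
        if gw.is_loopback:
            findings.append(f"default gateway is loopback {gw}")
        elif not any(gw in net for net in connected):
            findings.append(f"default gateway {gw} is not on a connected network")
    return findings

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print([classify(r, table) for r in table], default_gateway_findings(table))
```
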

Jeremy
04-27-2004, 05:10 PM
I think I got it, I re-ran the wizard and chose some different options, the
network cards are working now, and vpn appears to work. Now I just have to
figure out how to make the server secure from the internet and still allow
vpn and only vpn.

--


Jeremy Kettelhohn


Matthew [MSFT]
04-27-2004, 05:59 PM
In the properties of the external interface in RRAS - IP routing - General
- you can set the inbound filters for only VPN ports.

Use this article:
http://support.microsoft.com/default...B;EN-US;324262

If you add the outbound filters, you will need to configure outbound access
for all other protocols as well.


Thank you,
Matthew Fresoli
Microsoft Network Support
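
Added example, not from the thread or from Microsoft: a small Python model of the drop-all-except filter behaviour discussed in Matthew's replies (filters removed on an internal server, VPN-only inbound filters on the external interface, and the side effect of adding outbound filters). The `InterfaceFilters` class, the probe list and the interface names are hypothetical, and matching is simplified to IP protocol and destination port.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47               # IP protocol numbers
VPN_ONLY = {(TCP, 1723), (GRE, None)}   # the thread's "1723 and GRE"

@dataclass
class InterfaceFilters:                 # hypothetical model, not an RRAS API
    name: str
    internet_facing: bool
    inbound: Optional[set] = None       # None = no filter list, all passes
    outbound: Optional[set] = None

# Constructed probes, as (protocol, destination port).
PROBES = {"pptp-control": (TCP, 1723), "gre-tunnel": (GRE, None),
          "smb": (TCP, 445), "rdp": (TCP, 3389), "dns": (UDP, 53)}

def passes(rules, proto, dport):
    """Drop-all-except-listed: a packet passes only when a rule matches."""
    if rules is None:
        return True
    return (proto, dport) in rules or (proto, None) in rules

def audit(cfg):
    findings = []
    vpn = {n for n, p in PROBES.items() if p in VPN_ONLY}
    inbound_ok = {n for n, p in PROBES.items() if passes(cfg.inbound, *p)}
    extra = sorted(inbound_ok - vpn)
    if extra and cfg.internet_facing:
        findings.append(f"{cfg.name}: non-VPN inbound allowed: {', '.join(extra)}")
    missing = sorted(vpn - inbound_ok)  # e.g. TCP 1723 opened but GRE forgotten
    if missing:
        findings.append(f"{cfg.name}: VPN blocked inbound: {', '.join(missing)}")
    if cfg.outbound is not None:
        dropped = sorted(n for n, p in PROBES.items()
                         if n not in vpn and not passes(cfg.outbound, *p))
        if dropped:
            findings.append(f"{cfg.name}: outbound filter drops: {', '.join(dropped)}")
    return findings

if __name__ == "__main__":
    for cfg in (InterfaceFilters("external", True, VPN_ONLY),
                InterfaceFilters("external", True, None),
                InterfaceFilters("internal", False, None),
                InterfaceFilters("external", True, VPN_ONLY, VPN_ONLY)):
        print(audit(cfg) or f"{cfg.name}: no findings")
```
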

Jeremy
04-27-2004, 07:38 PM
Thanks for all the help, that's exactly what I wanted to do.

--


Jeremy Kettelhohn