Help with RRAS PHILLIP Windell

Discussion in 'Server Networking' started by \1SE\, Apr 20, 2005.

  1. \1SE\

    \1SE\ Guest

    Phil we were almost there still need your help.
    I have studied, I thank you, VERY MUCH, for your help you're not hearing all
    or understanding all about my setup.
    The 'Caller' is another vpn router. from the WAN location.
    I also have 'Callers' being individual users.
    2, types of 'callers'

    If you'll recall my original setup, I know it was a long time back, I have
    Three (3) VPN routers. One at a remote site One as a DMZ at the Main
    location and One on the other side of the main location. I then have the
    2003 server using RRAS to take 'Users' connecting VIA MS-VPN. The Main
    router on the inside of the DMZ is accepting the Tunnel from the Router at
    the remote site.
    The Routers have 'pass-through' capabilities because they are all the same
    model and VPN is already passing thru the DMZ to the Main router and the
    users are passing thru DMZ and Main routers to the 2003 server.
    If there is a way to have the remote location router VPN directly into RRAS.
    THAT's what I'd like to know how to do.
    That seems to be the way to get this to work.
    If I'm understanding correctly, if the remote router could VPN tunnel
    directly into the 2003 box, then the users could connect as they normally do
    and the remote site could sustain its connection as well.

    Please tell me this makes better sense now?

    George.
    MCSA, MCDBA, MCSEnt4, MCSE2K. MBA-IS

    With this statement???
    {{ (The NAT device IS capable of VPN pass-through, But I don't know how to
    create a connection for the WAN NAT device in RRAS.)

    You don't. That is not what VPN Pass-through does. It simply "relays" the
    Tunnel to the RRAS box and allows the Tunnel to terminate there. The
    connection is between the "caller" and the RRAS Server.}}

    Are you saying that just by enabling the pass thru for VPN on the Main
    router to the RRAS box. that my VPN tunnel will be created from the remote,
    or WAN, location? without any IKE policies needed or user name and
    password? And that my users will still be able to connect via MS-VPN as
    always?
     
    \1SE\, Apr 20, 2005
    #1

  2. It would do it the same as the "users" are doing it. But the NAT/VPN device
    (I refuse to call them routers) may not be capable of running a Site2Site VPN
    with RRAS. RRAS requires two connections (one each direction) for a
    Site2Site VPN to work.

    1. Forget RRAS, run a single Nic in the server.
    2. Get rid of the DMZ and move/run the NAT/VPN device on the network edge.
    3. Then things will work right, because all the NAT/VPN devices are the same
    brand and model and will work fine together. There will no longer be any
    need for the "VPN Passthrough" feature.
     
    Phillip Windell, Apr 21, 2005
    #2

  3. \1SE\

    \1SE\ Guest

    Thank you again Phil.
    This is correct Phil.... EXCEPT. You are forgetting about the users VPN'ing
    in.
    I still need the users to be able to remote into the network. (as well as
    the NAT/VPN device)
     
    \1SE\, Apr 21, 2005
    #3
  4. Same suggestions. Those NAT/VPN Devices should be able to accept Remote
    Access VPN (humans "dialing in") as well as doing Site2Site VPNs, and should
    be able to do both at the same time.

    1. Forget RRAS, run a single Nic in the server.
    2. Get rid of the DMZ and move/run the NAT/VPN device on the network edge.
    3. Then things will work right, because all the NAT/VPN devices are the
    same brand and model and will work fine together. There will no longer be
    any need for the "VPN Passthrough" feature.
     
    Phillip Windell, Apr 22, 2005
    #4
  5. \1SE\

    \1SE\ Guest

    I cannot use the NAT/VPN devices for Remote Access VPN (humans "dialing in")
    This has been my issue from the beginning. I have to use RRAS for the
    Remote Access VPN (humans "dialing in").
    I do NOT want to have my users try and figure out third party software to
    make a connection.
     
    \1SE\, Apr 22, 2005
    #5
  6. \1SE\

    \1SE\ Guest

    Thanks for your help, anyway.
    Here's what I did.
    I took the second nic, the one that was the WAN, and put it on the same
    subnet as the LAN NIC. I disabled all DNS notifications (so this 'xWAN' nic
    wouldn't register in DNS) Then I reconfigured RRAS custom to do LAN routing
    and VPN acceptance. I then pointed my MSVPN users to this 'xWAN' NIC and
    kept my WAN-VPN hardware the way that it was. I connected the NAT/VPN device
    to the LAN.

    Sorry we couldn't get any other suggestions.
     
    \1SE\, Apr 25, 2005
    #6
  7. You are just creating more "convolution" and mess. If it is now on the same
    subnet as the LAN Nic then you don't need it to begin with and can just use
    the LAN nic that is already there and run the server as a single-nic server.
     
    Phillip Windell, Apr 26, 2005
    #7
  8. \1SE\

    \1SE\ Guest

    Will RRAS still allow VPN connection from the outside with only one NIC?
     
    \1SE\, May 2, 2005
    #8
  9. \1SE\

    Todd J Heron Guest

    Yes, but the connection will terminate at the RRAS itself and it would be a
    client/server connection only - you couldn't make a site-to-site VPN out of
    it.
     
    Todd J Heron, May 2, 2005
    #9
  10. \1SE\

    \1SE\ Guest

    That's fine that's all I want the clients to be able to do. Sounds like it?

    Will they be able to VPN in and launch remote desktop to get to their
    desktops?
     
    \1SE\, May 3, 2005
    #10
  11. \1SE\

    \1SE\ Guest

    I think it is working with the ONE NIC now.
    Hardware Site to Site VPN and RRAS VPN for clients.

    The VPN only stays connected for 2 MIN. though. I'm not sure if this is
    related or a separate issue. But every 2 min the MS VPN disconnects,
    without error. It disconnects just like it was requested by the client. I've
    tried multiple clients, 2K, XP, and multiple ISPs just to confirm. It's
    like clockwork: 2 min, disconnect.
    The server is now Windows2003 SP1.


     
    \1SE\, May 9, 2005
    #11
  12. \1SE\

    Todd J Heron Guest

    To manage VPN idle time, go to Remote access policies and create a new
    policy.
     
    Todd J Heron, May 10, 2005
    #12