Lan to Lan VPN question

Discussion in 'Server Networking' started by Pierrot Robert, Nov 16, 2005.

  1. Here is my setup:

    1- Windows 2003 machine with only one NIC (10.1.5.12/24) dialing in to another
    Windows 2003 machine with only one NIC (192.168.10.4/24).

    2- When connecting, the VPN interface receives 10.1.6.1/24 (static
    pool). The dial-in machine can ping the 192.168.10.4 address. The VPN server's
    VPN interface is 10.1.6.0/24.

    3- From the server accepting the connection, I can't ping the private
    (10.1.5.12) address of the dial-in machine. A "tracert 10.1.5.12" reveals
    that it tries to send the packet to its default gateway (Internet access
    router). It is normal because the VPN server does not "know" about the
    10.1.5.x subnet, which is on the "other" side of the dial-in machine.

    Now my question is: how do I add a route to the 10.1.5.x subnet in the
    server so that it will route the packets to this destination through the VPN
    interface?
    ------
    Routing table of the server:
    ===========================================================================
    Active Routes:
    Network Destination   Netmask           Gateway        Interface      Metric
    0.0.0.0               0.0.0.0           192.168.10.2   192.168.10.4   20
    10.1.6.0              255.255.255.255   127.0.0.1      127.0.0.1      50
    10.1.6.1              255.255.255.255   10.1.6.0       10.1.6.0       1
    127.0.0.0             255.0.0.0         127.0.0.1      127.0.0.1      1
    192.168.10.0          255.255.255.0     192.168.10.4   192.168.10.4   20
    192.168.10.4          255.255.255.255   127.0.0.1      127.0.0.1      20
    192.168.10.255        255.255.255.255   192.168.10.4   192.168.10.4   20
    224.0.0.0             240.0.0.0         192.168.10.4   192.168.10.4   20
    255.255.255.255       255.255.255.255   192.168.10.4   192.168.10.4   1
    Default Gateway: 192.168.10.2
    ===========================================================================
    Persistent Routes:
    None

    Routing table of the client:
    ===========================================================================
    Active Routes:
    Network Destination   Netmask           Gateway        Interface      Metric
    0.0.0.0               0.0.0.0           10.1.5.11      10.1.5.12      20
    10.1.5.0              255.255.255.0     10.1.5.12      10.1.5.12      20
    10.1.5.12             255.255.255.255   127.0.0.1      127.0.0.1      20
    10.1.6.0              255.255.255.255   10.1.6.1       10.1.6.1       1
    10.1.6.1              255.255.255.255   127.0.0.1      127.0.0.1      50
    10.255.255.255        255.255.255.255   10.1.5.12      10.1.5.12      20
    10.255.255.255        255.255.255.255   10.1.6.1       10.1.6.1       50
    127.0.0.0             255.0.0.0         127.0.0.1      127.0.0.1      1
    192.168.10.0          255.255.255.0     10.1.6.0       10.1.6.1       1
    224.0.0.0             240.0.0.0         10.1.5.12      10.1.5.12      20
    224.0.0.0             240.0.0.0         10.1.6.1       10.1.6.1       50
    255.255.255.255       255.255.255.255   10.1.5.12      10.1.5.12      1
    255.255.255.255       255.255.255.255   10.1.6.1       10.1.6.1       1
    Default Gateway: 10.1.5.11
    ===========================================================================
    Persistent Routes:
    None

    Thank you !
     
    Pierrot Robert, Nov 16, 2005
    #1
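    The two routing tables posted above are enough to reproduce the symptom in code. The following is an added example, not part of the original thread: it transcribes both tables as tuples, does the same longest-prefix-match lookup the IP stack does, and then models a static route for 10.1.5.0/24 on the server whose next hop is the client's VPN address (10.1.6.1) through the server's VPN adapter (10.1.6.0). The exact fix it models, `route add 10.1.5.0 mask 255.255.255.0 10.1.6.1` on the server, is an assumption about what the poster needs, not something the thread confirms.

```python
"""Longest-prefix-match lookup over the two Windows routing tables posted in
the question (transcribed as (destination, netmask, gateway, interface,
metric) tuples).  Added example, not from the thread.  The route it adds to
the server table is an assumption: it models 'route add 10.1.5.0 mask
255.255.255.0 10.1.6.1' with the server's VPN adapter as the interface."""
import ipaddress

# Server side (192.168.10.4), as posted.
SERVER_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.10.2", "192.168.10.4", 20),
    ("10.1.6.0",        "255.255.255.255", "127.0.0.1",    "127.0.0.1",    50),
    ("10.1.6.1",        "255.255.255.255", "10.1.6.0",     "10.1.6.0",     1),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",    "127.0.0.1",    1),
    ("192.168.10.0",    "255.255.255.0",   "192.168.10.4", "192.168.10.4", 20),
    ("192.168.10.4",    "255.255.255.255", "127.0.0.1",    "127.0.0.1",    20),
    ("192.168.10.255",  "255.255.255.255", "192.168.10.4", "192.168.10.4", 20),
    ("224.0.0.0",       "240.0.0.0",       "192.168.10.4", "192.168.10.4", 20),
    ("255.255.255.255", "255.255.255.255", "192.168.10.4", "192.168.10.4", 1),
]

# Client side (10.1.5.12 on the LAN, 10.1.6.1 on the VPN adapter), as posted.
CLIENT_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "10.1.5.11", "10.1.5.12", 20),
    ("10.1.5.0",        "255.255.255.0",   "10.1.5.12", "10.1.5.12", 20),
    ("10.1.5.12",       "255.255.255.255", "127.0.0.1", "127.0.0.1", 20),
    ("10.1.6.0",        "255.255.255.255", "10.1.6.1",  "10.1.6.1",  1),
    ("10.1.6.1",        "255.255.255.255", "127.0.0.1", "127.0.0.1", 50),
    ("10.255.255.255",  "255.255.255.255", "10.1.5.12", "10.1.5.12", 20),
    ("10.255.255.255",  "255.255.255.255", "10.1.6.1",  "10.1.6.1",  50),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1", "127.0.0.1", 1),
    ("192.168.10.0",    "255.255.255.0",   "10.1.6.0",  "10.1.6.1",  1),
    ("224.0.0.0",       "240.0.0.0",       "10.1.5.12", "10.1.5.12", 20),
    ("224.0.0.0",       "240.0.0.0",       "10.1.6.1",  "10.1.6.1",  50),
    ("255.255.255.255", "255.255.255.255", "10.1.5.12", "10.1.5.12", 1),
    ("255.255.255.255", "255.255.255.255", "10.1.6.1",  "10.1.6.1",  1),
]


def lookup(table, dst):
    """Select the route for dst the way the IP stack does: the longest matching
    prefix wins, ties go to the lowest metric.  Returns (gateway, interface),
    or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in table:
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        if addr in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gw, iface)
    return None if best is None else (best[1], best[2])


def with_lan_route(table, lan="10.1.5.0", mask="255.255.255.0",
                   nexthop="10.1.6.1", iface="10.1.6.0", metric=1):
    """Model 'route add <lan> mask <mask> <nexthop>' on the server (assumed
    fix): next hop is the client's VPN address, reached via the VPN adapter."""
    return table + [(lan, mask, nexthop, iface, metric)]


def uses_vpn(table, dst, vpn_iface):
    """True when traffic for dst would leave through the given VPN adapter."""
    hit = lookup(table, dst)
    return hit is not None and hit[1] == vpn_iface


if __name__ == "__main__":
    print("server -> 10.1.5.12, as posted  :", lookup(SERVER_ROUTES, "10.1.5.12"))
    print("server -> 10.1.5.12, with route :", lookup(with_lan_route(SERVER_ROUTES), "10.1.5.12"))
    print("client -> 192.168.10.4          :", lookup(CLIENT_ROUTES, "192.168.10.4"))
```

    As posted, the only server route matching 10.1.5.12 is the default, so the packet goes to 192.168.10.2 (the Internet router), which is exactly what the tracert shows. With the added /24 route the lookup lands on the VPN adapter instead. Note also that the client's table shows the 10.1.5.0/24 LAN's default gateway is 10.1.5.11, not the VPN machine 10.1.5.12, so the server-side route alone only gets packets as far as the dial-in machine; other hosts on that LAN need a route for 192.168.10.0/24 of their own, which is the site-to-site question the rest of the thread turns to.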

  2. Bill Grant (Guest)

    Why did you decide to use 10.1.6.0/24 as the subnet for the remote
    connections? If you had let DHCP decide or used a batch of IP addresses from
    192.168.10.x it would work automatically. The server acts as a proxy for the
    remotes. (This is called on-subnet addressing.)

    If the remote users are in a different subnet from the LAN (called off-subnet
    addressing), you will need to enable IP routing on the RRAS server
    and also make sure that the 192.168.10.0/24 subnet knows how to route
    traffic for 10.1.6.0/24 to the RRAS router. It doesn't need to know about
    the 10.1.5.0 addresses unless you want other machines behind the server to
    be able to use the link. In that case, you would need to set up a site-to-site
    VPN (i.e. a routed connection between the RRAS servers).

    If you don't have control of the RRAS server at the 192.168.10.0/24 end,
    there is nothing you can do at the other end. The routing must be set up at
    the 192.168.10.0 end.
     
    Bill Grant, Nov 17, 2005
    #2

  3. Yes, that is what I need. The computers on the 10.1.5.0 subnet need to use
    the VPN link to connect to the 192.168.10.0 subnet.

    So I understand from your answer that I need a site-to-site VPN. What are
    the steps to achieve this? I have control of both servers.
     
    Pierrot Robert, Nov 17, 2005
    #3
  4. Bill Grant (Guest)

    There is quite a bit of info in Windows Help. If you need more, have a
    look at www.microsoft.com/vpn.

    Basically, you configure a routed connection between the two RRAS
    servers. Each server has a demand-dial interface configured, and the routes
    are set up linked to these demand-dial interfaces. When the link comes up,
    the demand-dial interfaces become active and the system automatically adds
    the routes to the routing table. Each router then has a route to the "other"
    site through the VPN link. The VPN link acts as a simple (and slow) IP router
    between the two LANs.
     
    Bill Grant, Nov 18, 2005
    #4
  5. I understand this very well; now my problem is how to enable GRE passthrough.
     
    Pierrot Robert, Nov 18, 2005
    #5
  6. Bill Grant (Guest)

    With most Cisco systems it's as simple as adding an allow GRE statement.
    Remember that you need to allow GRE both in and out. The encrypted data in
    both directions has a GRE header.
     
    Bill Grant, Nov 20, 2005
    #6
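    The point in the last reply, that a PPTP session is two flows and a port-based rule only catches one of them, is easy to see by pushing both packet kinds through a filter. The following is an added example, not from the thread: it builds a TCP/1723 control segment and a GRE (IP protocol 47) data packet in each direction, then evaluates them against a Cisco-style first-match ACL with an implicit deny, once with only the TCP rule and once with GRE permitted as well. The addresses, rule tuple format and packet bytes are constructed for illustration and stand for no particular router.

```python
"""Why an ACL that permits only TCP/1723 breaks a PPTP VPN: the control channel
is TCP, but the tunnelled data is GRE (IP protocol 47), which carries no port.
Added example, not from the thread; addresses, the ACL rule format and the
sample packets are constructed for illustration."""
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723
PPTP_GRE_PROTOTYPE = 0x880B   # GRE protocol type for PPP payload (PPTP, RFC 2637)
CLIENT, SERVER = "203.0.113.10", "198.51.100.20"   # constructed public addresses


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header without options; the checksum is left zero (sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_segment(sport, dport, flags=0x02):
    """Bare 20-byte TCP header, SYN by default; seq/ack/window are placeholders."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def gre_pptp(call_id, ppp_payload, seq=1):
    """Enhanced GRE header used by PPTP: K and S bits set, version 1,
    key = (payload length, call ID), then a sequence number."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTOTYPE,
                       len(ppp_payload), call_id, seq) + ppp_payload


def parse(pkt):
    """Return (src, dst, proto, tcp_dport_or_None, gre_prototype_or_None)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    dport = gre_type = None
    if proto == IPPROTO_TCP:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    elif proto == IPPROTO_GRE:
        gre_type = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport, gre_type


def classify(pkt):
    """Label a packet as PPTP control, PPTP data, or something else."""
    _, _, proto, dport, gre_type = parse(pkt)
    if proto == IPPROTO_TCP and dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto == IPPROTO_GRE and gre_type == PPTP_GRE_PROTOTYPE:
        return "pptp-data"
    return "other"


def permitted(acl, pkt):
    """ACL entries are (action, ip_protocol or "ip", dest_port or None).
    First matching entry wins; no match means deny, as on a Cisco ACL."""
    _, _, proto, dport, _ = parse(pkt)
    for action, rproto, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False


TCP_ONLY = [("permit", IPPROTO_TCP, PPTP_CONTROL_PORT)]
TCP_AND_GRE = TCP_ONLY + [("permit", IPPROTO_GRE, None)]


def tunnel_passes(acl_out, acl_in):
    """Run one PPTP session through both directions of a filter: the outbound
    control SYN and data packet, and the inbound data packet carrying the
    server's replies.  (The inbound TCP reply is omitted; GRE is the point.)"""
    ppp = b"\xff\x03\x00\x21"   # constructed PPP header fragment
    control_out = ipv4_packet(CLIENT, SERVER, IPPROTO_TCP, tcp_segment(40001, PPTP_CONTROL_PORT))
    data_out = ipv4_packet(CLIENT, SERVER, IPPROTO_GRE, gre_pptp(7, ppp))
    data_in = ipv4_packet(SERVER, CLIENT, IPPROTO_GRE, gre_pptp(7, ppp))
    return {
        "control_out": permitted(acl_out, control_out),
        "data_out": permitted(acl_out, data_out),
        "data_in": permitted(acl_in, data_in),
    }


if __name__ == "__main__":
    print("TCP/1723 only, both ways :", tunnel_passes(TCP_ONLY, TCP_ONLY))
    print("GRE added outbound only  :", tunnel_passes(TCP_AND_GRE, TCP_ONLY))
    print("GRE added both ways      :", tunnel_passes(TCP_AND_GRE, TCP_AND_GRE))
```

    With the TCP-only rule the control connection is accepted and the tunnel appears to come up, but every data packet is dropped, which is the classic "connected but nothing passes" symptom. Permitting GRE in one direction only fixes half of it; the reply packets from the server have their own GRE header and need their own permit on the inbound side.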
