Lan to Lan VPN question

Discussion in 'Server Networking' started by Pierrot Robert, Nov 16, 2005.

  1. Here is my setup:

    1- Windows 2003 machine with only one nic ( dialing in another
    Windows 2003 machine with only one nic

    2- When connecting, the VPN interface receives the (static
    pool). The dial-in machine can ping the address. The VPN server
    VPN interface is

    3- From the server accepting the connection, I can't ping the private
    ( address of the dial-in machine. A "tracert" reveals
    that it tries to send the packet to its default gateway (Internet access
    router). It is normal because the VPN server does not "know" about the
    10.1.5.x subnet, which is on the "other" side of the dial-in machine.

    Now my question is: how do I add a route to the 10.1.5.x subnet in the
    server so that it will route the packets to this destination through the VPN
    interface?
    Routing table of the server:
    Active Routes:
    Network Destination Netmask Gateway Interface Metric 20 50 1 1 20 20 20 20 1
    Default Gateway:
    Persistent Routes:

    Routing table of the client:
    Active Routes:
    Network Destination Netmask Gateway Interface Metric 20 20 20 1 50 20 50
    1 1 20 50 1 1
    Default Gateway:
    Persistent Routes:

    Thank you !
    Pierrot Robert, Nov 16, 2005

  2. Pierrot Robert

    Bill Grant Guest

    Why did you decide to use as the subnet for the remote
    connections? If you had let DHCP decide or used a batch of IP addresses from
    192.168.10.x it would work automatically. The server acts as a proxy for the
    remotes. (This is called on-subnet addressing.)

    If the remote users are in a different subnet from the LAN (called off-subnet
    addressing), you will need to enable IP routing on the RRAS server
    and also make sure that the subnet knows how to route
    traffic for to the RRAS router. It doesn't need to know about
    the addresses unless you want other machines behind the server to
    be able to use the link. In that case, you would need to set up a
    site-to-site VPN (i.e. a routed connection between the RRAS servers).

    If you don't have control of the RRAS server at the end,
    there is nothing you can do at the other end. The routing must be set up at
    the end.
    Bill Grant, Nov 17, 2005

  3. Yes, that is what I need. The computers on the subnet need to use
    the VPN link to connect to the subnet.

    So I understand from your answer that I need a site-to-site VPN. What are
    the steps to achieve this? I have control of both servers.
    Pierrot Robert, Nov 17, 2005
  4. Pierrot Robert

    Bill Grant Guest

    There is quite a bit of info in Windows help. If you need more, have a
    look at .

    Basically, you configure a routed connection between the two RRAS
    servers. Each server has a demand-dial interface configured, and the routes
    are set up linked to these demand-dial interfaces. When the link comes up,
    the demand-dial interfaces become active and the system automatically adds
    the routes to the routing table. Each router then has a route to the "other"
    site through the VPN link. The VPN link acts as a simple (and slow) IP router
    between the two LANs.
    Bill Grant, Nov 18, 2005
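
Added example, not part of the original thread: a small longest-prefix route lookup showing why the server sends 10.1.5.x traffic to its default gateway until the demand-dial route becomes active. The 192.168.10.0/24 LAN, the gateway 192.168.10.1 and the interface names are assumptions constructed for illustration; only 10.1.5.x and 192.168.10.x appear in the posts.

```python
import ipaddress

def route(prefix, interface, gateway, metric):
    """Build one routing-table entry."""
    return (ipaddress.ip_network(prefix), interface, gateway, metric)

def lookup(table, dest):
    """Return (interface, gateway) for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None  # no route at all, not even a default
    net, interface, gateway, metric = max(
        matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return interface, gateway

# Constructed table for the answering server while the site link is down.
# Nothing covers 10.1.5.0/24, so only the default route matches it.
SERVER_LINK_DOWN = [
    route("0.0.0.0/0", "LAN", "192.168.10.1", 20),    # Internet access router (assumed)
    route("192.168.10.0/24", "LAN", "on-link", 20),   # local LAN (assumed)
]

# Static route bound to the demand-dial interface (hypothetical interface name).
DEMAND_DIAL_ROUTES = [
    route("10.1.5.0/24", "DemandDial-SiteB", "on-link", 1),
]

def link_up(table):
    """Model the demand-dial interface connecting: its routes join the table."""
    return table + DEMAND_DIAL_ROUTES

if __name__ == "__main__":
    tables = (("link down", SERVER_LINK_DOWN),
              ("link up", link_up(SERVER_LINK_DOWN)))
    for state, table in tables:
        # 203.0.113.7 is a documentation address standing in for an Internet host.
        for dest in ("10.1.5.20", "192.168.10.40", "203.0.113.7"):
            print(f"{state:9} {dest:14} -> {lookup(table, dest)}")
```

With the link up, only the 10.1.5.0/24 destinations move to the VPN interface; Internet-bound traffic still follows the default route.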
  5. I understand this very well, now my problem is how to enable GRE passthrough
    Pierrot Robert, Nov 18, 2005
  6. Pierrot Robert

    Bill Grant Guest

    With most Cisco systems it's as simple as adding an allow gre statement.
    Remember that you need to allow GRE both in and out. The encrypted data in
    both directions has a GRE header.
    Bill Grant, Nov 20, 2005