PPTP Site-to-Site VPN problem

Discussion in 'Server Networking' started by Sergio Ricci, Oct 4, 2005.

  1. Sergio Ricci

    Sergio Ricci Guest


    I've set up (or tried to) a site-to-site VPN using RRAS in Windows 2003 SP1
    but have a few issues that I hope you may be able to help me resolve:



    I have setup demand dial connections on both servers (windows 2003+SP1) and
    they appear to work OK. Note that there are demand dial connections on both
    servers pointing to the other server. The servers can ping each other. The
    clients can ping the servers on their subnets but cannot ping any host on
    the other subnet.

    All this has led me to think (from other posts I have read) that there may
    be an issue with the user account and demand dial interface name but I
    believe I have got them correct.

    Essentially I would like clients on one subnet to be able to transparently
    access and connect to servers/clients/hosts on the other subnet.

    I'm probably missing something quite obvious but at this moment just can't
    see what it is.

    Some other bits of info that you may need: when I originally configured
    RRAS on both servers I did a custom configuration and selected: NAT, Demand
    Dial, Firewall, LAN Routing (from memory). All clients have internet access.

    If you require any further info, please let me know.

    Thanks in advance for any help/pointers.

    Kind regards,
    Sergio Ricci, Oct 4, 2005

  2. Sergio,
    Does your clients' default gateway point to your RRAS servers?
    Wendel Hamilton, Oct 4, 2005

  3. Sergio Ricci

    Sergio Ricci Guest

    Yes. Default g/w points to the internal NIC of the RRAS server.

    One thing I didn't mention is that both servers are DCs.

    Thanks for replying.
    Sergio Ricci, Oct 4, 2005
  4. Bill Grant

    Bill Grant Guest

    The servers being DCs is not good, but it should not cause that problem.

    The workstations in the two sites should be able to communicate
    directly. The VPN link should work like a (slow) IP router between them.

    Here is a check list.

    1. Is the default gateway on the LAN NIC of each server blank?
    2. Does each router have a route to the "other" subnet linked to a
    demand-dial interface?
    3. Does the calling router use the name of the demand-dial interface on
    the answering router when it calls up?
    4. Does the demand-dial interface on the answering router change to
    "connected" status?

    If these all check out, look at the routing table on both routers. Each
    should have a subnet route to the "other" subnet linked to the VPN
    connection. If the workstations are using the RRAS servers as their default
    gateways, traffic should route across the link (just like two segments using
    a LAN router as their DG).
    Bill Grant, Oct 5, 2005
  5. Sergio,
    Ok I think it is a routing problem.
    Use tracert -d to the remote server and workstations and see where it fails.
    Could you post the results?
    I assume that both servers are multi-homed servers. (2 NICs)
    Wendel Hamilton, Oct 5, 2005
  6. Sergio Ricci

    Sergio Ricci Guest


    Firstly thanks for your time and the check list. I agree that using the
    servers as DCs isn't the ideal solution but because of cost I really didn't
    see an alternative.

    Regarding your checklist, I confirm as follows:

    1) Yes, LAN NICs have no default gateways. Default gateway has values *only*
    for the NICs connected to the DSL Router. This is true for both servers.

    2) Yes. Each router (i.e. DC server on each subnet) has a static route to
    the other subnet linked to a demand dial interface. The static route is
    entered via the RRAS Console and not manually via the CLI. I also note the
    following: that the static routes do *not* have a default gateway set. The
    field is greyed out when adding the entry. Also, the static routes on both
    servers have the option "use this route to initiate demand dial connections".

    3) Yes...the calling router uses, as dialup credentials, the answering
    router's demand dial interface name. This is true for both routers/DCs.

    4) I believe the answer is "yes" but will confirm later this evening when
    servers can be taken off-line for a quick test.

    Clients have as their default gateway the RRAS server/router's LAN NIC IP
    address. Connectivity between clients and servers is confirmed. Connectivity
    between the 2 RRAS servers/routers is also confirmed.

    I have seen another post from Wendel below and I will respond to his post
    also with the routing table which may help.

    Thanks again for your assistance. It's appreciated.
    Sergio Ricci, Oct 5, 2005
  7. Sergio Ricci

    Sergio Ricci Guest


    Pls see the output below. The trace was carried out from a client on the
    subnet whose default g/w points to the LAN NIC of the RRAS
    server on the same subnet. NB: I've abbreviated the output to 4 hops. The
    complete output continues giving "Request timed out".

    Tracing route to over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms
    2 7 ms 7 ms 7 ms
    3 * * * Request timed out.
    4 * * * Request timed out.

    is the IP address obtained by the RRAS server's PPP adapter
    that is on subnet, so it appears to get as far as the RRAS
    router on the other side of the VPN link but gets stuck there. I note also
    that there is *no* default gateway set for the PPP adapter and so could this
    be the cause?

    I confirm that both servers are multi-homed with each having 1x NIC facing
    the LAN with no default gateway set and the other NIC connected to the DSL
    router with a static IP address and default gateway set.

    Funnily enough, I am able to configure a VPN connection on a client on the subnet to connect to the RRAS server on the subnet
    and it works fine.

    Please let me know if you need any further info and thank you also for your
    help so far.

    Sergio Ricci, Oct 5, 2005
  8. Ian

    Ian Guest

    Sergio - A bit off topic to start!! - Are your routers capable of VPN?

    What IP addresses are on the additional cards? Are the cards in the DMZ
    of your routers or are you using port-forwarding, if so, what ports are
    you forwarding.

    Ian, Oct 5, 2005
  9. Sergio Ricci

    Sergio Ricci Guest


    Yes the routers are able to support VPN connections natively (no problems
    with client to server VPNs and indeed VPN connections between the servers
    themselves). The routers are basic no NAT DSL routers. NATing is done by the
    RRAS service on the servers (Windows 2003 with SP1).

    The additional NICs (1 in each server) have static public IP addresses.
    These NICs have the default gateways set to the IP address of the DSL
    routers. Clients behind the servers have their default gateways set to the
    private IP address of the servers.

    I'm pretty sure that the issue I'm experiencing is as a result of the fact
    that the PPP adapters created when the VPN tunnels are established do not
    have (or do not get configured with) a default gateway.

    Thanks for replying.
    Sergio Ricci, Oct 5, 2005
  10. Ian

    Ian Guest

    Have you tried temporarily disabling firewall on RRAS?

    I don't think the PPP adaptors need to have default gateways as the IP
    addresses issued will be in the same virtual network.

    Ian, Oct 6, 2005
  11. How about adding a route on the clients to the other subnet through the
    server on its own subnet?

    Stephen Santos, Oct 6, 2005
  12. Sergio Ricci

    Sergio Ricci Guest


    I will try disabling the firewall to see what happens and let you know.

    My understanding has always been that if you route between 2 or more
    different subnets then there has to be a gateway defined. If routing on a
    single subnet then no gateway needs to be defined. I stand to be corrected
    of course.

    Thanks again for getting back to me.
    Sergio Ricci, Oct 6, 2005
  13. Sergio Ricci

    Sergio Ricci Guest

    Hi Stephen,

    I tried your suggestion using the 'route add mask' and carried out a test from a client on the
    subnet. The result is the same and is what I expected.

    I'm still convinced the issue is to do with the fact that the PPP adapters
    created when the site-to-site VPN link is established aren't configured with
    the default gateway.

    Thanks for your post.
    Sergio Ricci, Oct 6, 2005
  14. Ian

    Ian Guest

    Hi Sergio

    Just another thought! When did you set the routes for the VPN? Did you
    specify the routes when you were configuring the demand dial interface
    or have you added them manually?

    Ian, Oct 6, 2005
  15. Sergio Ricci

    Sergio Ricci Guest

    Hi Ian,

    Initially the routes were set via the wizard when configuring the demand
    dial interface. I have subsequently deleted, re-created, tried to modify etc.
    the static routes since. All have produced the same result.

    Just for clarification, there is currently only 1x static route on each
    server. The static route details are as below:

    Routes on: Server1
    Server1 IP:
    Routes: mask

    Routes on: Server2
    Server2 IP:
    Routes: mask

    Thanks again.
    Sergio Ricci, Oct 6, 2005
  16. Sergio Ricci

    Sergio Ricci Guest

    I swear that was going to be my next step. I've read a few posts that
    mention that their site-to-site VPN's broke as soon as they installed SP1
    (hence why I pointed out several times that the servers had SP1 installed).

    Thanks for the pointer. Next question: don't suppose you know if MS have
    issued a hotfix or work around for this issue? Can't find anything as yet on
    MS TechNet but will keep looking.

    Thanks again.
    Sergio Ricci, Oct 6, 2005
  17. Ian

    Ian Guest

    This could be similar to another issue I've been having.

    SP1 started RRAS playing around with various MTU settings etc. - It may
    not be relevant at all but have a look at the hotfix and related article
    to see what you think.


    Ian, Oct 6, 2005
  18. Bill Grant

    Bill Grant Guest

    I can only repeat the question that Ian asked. Why are you linking the
    routes to IPs? Why are you not linking the routes to the demand-dial
    interfaces? Just use the new static route wizard in the RRAS console, put in
    the network address and netmask, then select the dd interface from the
    dropdown list.

    The system stores the routes in the registry. When the dd interface
    becomes active, the system adds the routes to the routing table. You don't
    need to know what IP address the connection uses.

    If it makes it clearer for you, think of the dd interface name as the
    symbolic name of the connection. You set up the route to use this name
    (because you don't know yet what its IP will be). When the connection is
    made, the system substitutes an IP address for the dd interface name.
    Traffic for the "other" subnet is sent over the point-to-point link to the
    other site.
    Bill Grant, Oct 7, 2005
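    As an added illustration of Bill's checklist (post 4) and of the route-to-interface-name binding he describes in the post above, here is a small model of two RRAS routers written for this thread; it is example code, not anything from the thread or from RRAS itself, and the subnets, demand-dial interface names and PPP peer addresses it uses are assumed values.

```python
import ipaddress

# Constructed sample topology: the thread's real addresses were stripped, so the
# subnets, interface names and PPP peer addresses used here are assumptions.
def build_router(name, lan_ip, lan_gateway, other_subnet, dd_iface):
    """Model one RRAS router: its LAN NIC settings and the persistent static
    route that is bound to a demand-dial interface *name*, not to an IP."""
    return {
        "name": name,
        "lan_ip": ipaddress.ip_address(lan_ip),
        "lan_gateway": lan_gateway,  # must stay blank on the LAN NIC
        "persistent": [(ipaddress.ip_network(other_subnet), dd_iface)],
        "dd_state": {dd_iface: "disconnected"},
        "active": [],  # (network, next hop) entries in the live routing table
    }

def dd_connect(router, dd_iface, ppp_peer_ip):
    """When the demand-dial interface comes up, the PPP peer address is
    substituted for the interface name and the route enters the live table."""
    router["dd_state"][dd_iface] = "connected"
    peer = ipaddress.ip_address(ppp_peer_ip)
    for net, iface in router["persistent"]:
        if iface == dd_iface:
            router["active"].append((net, peer))

def check_router(router, other_subnet, dd_iface):
    """Checklist items 1, 2 and 4 for one router; returns the failures."""
    problems = []
    if router["lan_gateway"]:
        problems.append("LAN NIC default gateway is not blank")
    if (ipaddress.ip_network(other_subnet), dd_iface) not in router["persistent"]:
        problems.append(f"no route to {other_subnet} bound to {dd_iface}")
    if router["dd_state"].get(dd_iface) != "connected":
        problems.append(f"{dd_iface} is not in connected state")
    return problems

def next_hop(router, dst):
    """Longest-prefix lookup in the live table; None means no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, gw) for net, gw in router["active"] if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def client_reaches(client_gw, router, dst):
    """A LAN client gets across only if its default gateway is the RRAS LAN
    NIC and that router holds an active route to the destination."""
    return (ipaddress.ip_address(client_gw) == router["lan_ip"]
            and next_hop(router, dst) is not None)
```

    Until dd_connect runs, check_router reports the interface as not connected and next_hop finds no route, which is exactly the state where a tracert from a client dies at the router.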
  19. Bill Grant

    Bill Grant Guest

    Hi Sergio,
    As Ian said, there is no point in having a default gateway on a PPP
    interface. A point to point connection is just like a pipe. What goes in one
    end comes out the other. There is no routing involved between the ends of
    the connection. The data is encrypted and encapsulated, then sent through
    the link. At the other end the header is stripped and the packet decrypted.
    All the point-to-point link did was move the packet from one site to the

    Firewalls between the tunnel endpoints also have no effect on the
    traffic. The private network packets are encrypted when they go through
    these firewalls. All the firewall sees is the header of the wrapper. It
    can't see the encrypted data.

    Where routing is important is in getting the traffic to and from the
    routers which are the endpoints of the connection. When the connection is
    up, it should work just like a simple IP router. If the router is the
    default gateway for the LAN, everything should just work.

    If you can't connect from a workstation in one site to a workstation in
    the other it is a straightforward routing problem. If each router has a
    route to the other site through the tunnel (check the routing table on both
    routers) and the RRAS router is the default gateway for the LAN in both
    sites, it should work. If it doesn't you have a legitimate problem. I would
    call PSS.

    SP1 for Server2003 tightened up network security (as SP1 for XP did). It
    killed a lot of networks which were wrongly configured and a few which were
    correctly set up. If your problem is one of the latter PSS should have a fix
    for it.
    Bill Grant, Oct 7, 2005
  20. Sergio Ricci

    Sergio Ricci Guest

    I'm afraid I have to completely agree with Vincer on this one. I too have
    downloaded the step-by-step guide from Microsoft on how to set up a VPN
    (test network) using PPTP. I too have followed the manual to the letter only
    substituting the IP addresses (for the ones applicable to us) several times
    and it just will not work.

    Admittedly I haven't tried it without SP1 but will post back the results.

    Thanks to all again.
    Sergio Ricci, Oct 7, 2005
