RRAS two way (pptp) vpn possible?

Discussion in 'Server Networking' started by markm75, Aug 21, 2008.

  1. markm75

    markm75 Guest

    Here is our situation.. we have an RRAS local domain server in house.. we use
    it to connect via VPN from the outside via PPTP tunnels.. this works fine
    from the outside in, but not vice versa.

    We have a dedicated hosting server which sits outside of the local company
    in its own domain.. I can create a VPN connection from it to our side with no
    trouble, but what I want is to be able to connect from our side to that
    machine, so I can do backups via DPM 2007.. so I at least need to be able to
    see it from one of our domain machines (not the same machine as the RRAS
    server).

    We have no access to a firewall at this time on the hosting machine, but can
    remote in (2003 enterprise server).

    Our firewall is a sonicwall firewall. (Pro 2040)

    I'm not sure what the best route to take here would be.. so far all I can
    figure is installing RRAS server on the remote dedicated machine and allowing
    for PPTP incoming onto that box (not as desirable).

    It also isn't desirable to configure the hardware VPN on our Sonicwall as it
    would probably require a software install on the dedicated server (unlike
    PPTP)..

    Any thoughts on how to achieve this? (I'd prefer IPsec, but from what I can
    see there would be no way to do this without some sort of 3rd party install)

    Thanks in advance.
     
    markm75, Aug 21, 2008
    #1

  2. Do a simple test. Can you ping the outside hosting server from the inside?
    If yes, can you telnet port 1723?

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Aug 22, 2008
    #2

  3. markm75

    markm75 Guest

    I tried this ping earlier actually.. tried pinging it via its IP address,
    which showed up on our local side RRAS server.. I could ping it... couldn't
    browse to it though for some reason.

    I didn't try the telnet.. I'm not sure why an inside to the outside dedicated
    telnet would work, when it's only connecting to our inside RRAS server (IE:
    no RRAS installed as of yet on the dedicated, was hoping to avoid that)...
     
    markm75, Aug 22, 2008
    #3
  4. Bill Grant

    Bill Grant Guest

    You should be able to do that over the existing connection. If you have
    a VPN connection from the remote server to a VPN server on your LAN, you
    have an IP connection between the remote server and any machine on your LAN
    (when the connection is up).

    When your VPN clients connect by VPN, can they see all machines on the
    LAN? If not, what is it for? When the remote server connects, can't it see
    all the machines on the LAN?

    If you cannot connect from a LAN machine to a remote machine (which is
    connected by VPN) it is probably because of name resolution or
    authentication problems. It should not be a routing problem or a firewall
    problem.
     
    Bill Grant, Aug 22, 2008
    #4
  5. markm75

    markm75 Guest

    Well.. I can ping the remote server by IP address but from ONLY the RRAS
    local LAN server (and can't get to any shared mappings etc, via IP address)..

    Attempts to ping this IP from any other LAN machine don't get any replies
    back, for some reason.
     
    markm75, Aug 22, 2008
    #5
  6. Bill Grant

    Bill Grant Guest

    Does this server use the VPN server as its default gateway? If not, you
    will need a static route on it to get traffic for the "other" private subnet
    to the VPN router. Otherwise it will try across the Internet unencrypted and
    unencapsulated.

    Can your dial-in VPN clients see this server?
     
    Bill Grant, Aug 23, 2008
    #6
  7. markm75

    markm75 Guest


    By your question of if the server uses the default gateway, you mean the
    remote server correct? I had unchecked that option.. the reason being, at
    least on regular desktops I found that if we had that checked, those remote
    machines' internet connections' max download would become the upload max of our
    LAN's gateway router.. by unchecking it, they would have full speed of their
    own internet connection..

    In setting up a static route.. I could set a static route on our Sonicwall
    LAN gateway (?).. or does it have to be the RRAS server for PPTP two-way to
    work.. but I have to set the same static route on the other end correct (the
    remote server)? We don't have access to a firewall there, so does this imply
    I'd need to install RRAS on that remote box (nervous about doing this, as
    once in the past I did this and hosed a server, but at least then I had
    physical access :) )

    I'm guessing I'd have to enter the static route on the LAN side (Sonicwall
    or RRAS) of the remote LAN.. ie: 192.168.1.0 and on the remote server's
    setting.. the LAN gateway 192.168.100.0 etc?
     
    markm75, Aug 23, 2008
    #7
  8. Bill Grant

    Bill Grant Guest

    When you set up a VPN, it ensures that the traffic gets safely from
    point A to point B (the VPN endpoints). No matter how the VPN is set up,
    you simply have a point-to-point connection between the two machines, as if
    they were cabled together.

    When your VPN connection is up, you can connect from your RRAS server
    to the VPN client (the hosting server) because they are the VPN endpoints.
    To make a connection from another machine on the LAN you need to get the
    traffic across the LAN to the VPN server. By default it will go straight to
    your default gateway (which is the Sonicwall I presume). If it does that the
    connection will fail. Because you are using the hosting server's private IP,
    the Sonicwall will discard the packet.

    If you get the privately addressed packet to the VPN server instead of the
    Sonicwall it will be encrypted and encapsulated (so that it goes through the
    tunnel). Now when the packet reaches the Sonicwall it has the hosting
    server's public IP in the header and is delivered through the Internet.

    To summarise, you can connect from the RRAS server to the target
    machine. To connect from another machine on the LAN you need to get the
    packet to the RRAS server first. On the machine which you want to connect to
    the hosting server, add a static route (either a host route for the
    particular IP or a subnet route) to send the traffic addressed to the
    hosting server's private IP to the local RRAS server. It will then go
    through the VPN tunnel.
     
    Bill Grant, Aug 24, 2008
    #8
  9. markm75

    markm75 Guest

    Ok, I think I understand slightly better.. though I think my own terminology
    for describing my setup has confused me..

    We'll call the RRAS server, in this case, ServerRRAS.
    The remote dedicated offsite machine is called DedicatedServer...

    Another machine on the private local LAN we will call DPM07.

    My goal of this whole setup is to be able to set up a DPM client on the
    DedicatedServer so that I can back up data from there via the PPTP VPN (or
    eventually IPsec, ie: should I really be using PPTP, that's a whole other
    story, due to the fact the password is sent clear text)...

    So if I'm following how this needs to be set up, I would have to set up a
    static route on ServerRRAS's static route section... (or would this be better
    suited on the Sonicwall gateway pointing to the RRAS server .. I think I have
    something amiss here)..

    I would think a static gateway from RRASserver to the private IP on the
    DedicatedServer subnet (192.168.1.0) would be the answer?

    But I think from what you mentioned, this wouldn't let other machines on the
    private LAN, ie: DPM07, see DedicatedServer.. or would it? Or is this an
    extra static route that must be set from RRAS to Sonicwall to have it visible
    on any machine in the private LAN (without installing RRAS on DPM07)..

    Sorry, if I'm still a little confused, but I think the idea is getting
    closer here..

    Thanks for the input.. much appreciated.

    (I've only done static gateways one time in the last 5 years and that was
    set (I think) on my physical gateway to allow a virtual private network to
    work both ways..)
     
    markm75, Aug 24, 2008
    #9
  10. Bill Grant

    Bill Grant Guest

    No, the RRAS server already has a route to the Dedicated server, because
    you can ping it! This is set up automatically when you establish the VPN
    connection.

    What you need is a static route on the DPM server so that it will send
    traffic for the Dedicated server to the RRAS server (so that it can go
    through the VPN tunnel).

    Assume that the dedicated server has a private IP of 192.168.1.11 and the
    RRAS server has a private IP of 192.168.100.11. On the DPM server you would
    need to add a static route to send traffic for 192.168.1.11 to
    192.168.100.11, eg

        route add -p 192.168.1.11 255.255.255.255 192.168.100.11

    (If you do a route print on the RRAS server while your VPN is connected,
    you will see that the RRAS server has a host route to 192.168.1.11 through
    the tunnel).

    Now when the DPM server tries to contact the dedicated server, the packet
    goes to the RRAS server which forwards it through the VPN tunnel to the
    dedicated server.

    The reply comes back through the tunnel (because the dedicated server
    knows where the 192.168.100.0 subnet is) and the RRAS server delivers the
    packet directly because it has an interface in the same subnet as the DPM
    server.

    This does not give you an encrypted connection from one server to the
    other. The traffic is only encrypted between the VPN endpoints.

    IPSec can be tricky to set up unless you are familiar with
    certificates.
     
    Bill Grant, Aug 24, 2008
    #10
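To make the routing argument in Bill's post concrete, here is an added example (not from the thread) that models the DPM server's routing table and the longest-prefix lookup the IP stack performs, before and after the `route add -p` line above; it also covers the subnet-route variant from post #8. The Sonicwall gateway address 192.168.100.1 is an assumption; the other addresses are the ones Bill used.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, next hop). "on-link" marks a directly
# attached subnet, the way "route print" shows it on Windows.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table for the DPM server before any static route is added.
# 192.168.100.1 is an ASSUMED address for the Sonicwall default gateway; the
# thread only names the RRAS server (192.168.100.11) and the dedicated server.
DPM_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "192.168.100.1"),   # default route -> Sonicwall
    (ipaddress.IPv4Network("192.168.100.0/24"), "on-link"),  # the local LAN
]


def parse_route_add(cmd: str) -> Route:
    """Turn a Windows 'route add [-p] DEST [mask] MASK GATEWAY' line into a
    route entry. '-p' only makes the route persistent across reboots; it does
    not change how the lookup works."""
    parts = [p for p in cmd.split() if p.lower() not in ("-p", "mask")]
    if len(parts) < 5 or [p.lower() for p in parts[:2]] != ["route", "add"]:
        raise ValueError("unsupported command: " + cmd)
    dest, mask, gateway = parts[2], parts[3], parts[4]
    return (ipaddress.IPv4Network((dest, mask), strict=False), gateway)


def with_route(table: List[Route], cmd: str) -> List[Route]:
    """Return a copy of the table with the route described by 'cmd' added."""
    return table + [parse_route_add(cmd)]


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the IP stack does it: the most specific matching
    route wins, so a /32 host route beats the /0 default route."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


if __name__ == "__main__":
    host_route = "route add -p 192.168.1.11 255.255.255.255 192.168.100.11"
    # Without the route the packet goes to the Sonicwall, which discards it.
    print("before:", next_hop(DPM_ROUTES, "192.168.1.11"))
    # With the route it goes to the RRAS server and from there into the tunnel.
    print("after: ", next_hop(with_route(DPM_ROUTES, host_route), "192.168.1.11"))
```

As Bill notes, the route only changes which LAN neighbour the DPM server hands the packet to; the DPM-to-RRAS hop itself is ordinary unencrypted LAN traffic.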
  11. markm75

    markm75 Guest

    That makes good sense.. I went to attempt this, but ran into an issue..

    It seems... on this dedicated server, that there isn't a private IP address
    at all..

    It is apparently bound to external IPs (about 3 or 4 of them).. IP addresses
    like 64.239.x.x etc..

    So, on the DPM server, what route should I be adding? (pick an external
    address in this case instead?)

    Sort of side question.. if I wanted this to work on all machines in the
    domain not just the DPM server, would I need to find a way to do the static
    route in the Sonicwall gateway (instead) (fairly easy to find in their
    interface)?

    Cheers
     
    markm75, Aug 24, 2008
    #11
  12. Bill Grant

    Bill Grant Guest

    See inline.

    Well, it has a private IP as soon as it connects to your LAN by VPN!

    No, that won't work.

    Why would you want a static route to the Sonicwall? That is where the
    traffic goes by default. You only need a static route if you want it to go
    somewhere other than the default gateway.

    If the dedicated server is on a public network, your best bet is to use
    IPSec. VPN is designed to link remote clients to a LAN (ie the client is
    "virtually" on the LAN) or to link two private LANs together (site-to-site
    VPN). Your existing dialup-type clients are an example of the first type.
    What I was suggesting is a variation of this method. Although it is designed
    to link a client to a LAN, you can use it backwards to access the client
    from the LAN.

    You do not really have two private sites to link, so that method isn't
    an option.

    To set up a secure link between two servers, IPSec is the tool to use.
     
    Bill Grant, Aug 25, 2008
    #12
  13. markm75

    markm75 Guest

    I was mentioning the Sonicwall, as I was thinking there has to be a way to
    make the remote dedicated server visible to all servers on our local LAN, not
    just the DPM server..

    Wouldn't another option be to simply add a private IP address to the NIC on
    the dedicated server then set the static route, at least from the DPM server
    to it? (though I'm worried this could hose our production server without any
    direct control over it).

    On the side of IPsec.. is it possible to do IPsec with built in Windows
    networking.. and certificates.. ie: at least on the private local LAN, I do
    have an enterprise certificate authority already set up.. I'm not really clear on
    how this would work though.. I've never really been able to find a good guide
    to the basic MS IPsec with certs..
     
    markm75, Aug 26, 2008
    #13
  14. markm75

    markm75 Guest

    I may give the option of just adding the private LAN address to the existing
    ones a shot.. I guess it can't harm anything...
     
    markm75, Aug 28, 2008
    #14