RRAS two way (pptp) vpn possible?

Here is our situation.. we have a RRAS local domain server in house.. we use
it to connect via vpn from the outside via pptp tunnels.. this works fine
from the outside in, but not vice versa.

We have a dedicated hosting server which sits outside of the local company
in its own domain.. I can create a vpn connection from it to our side with no
trouble, but what i want is to be able to connect from our side to that
machine, so i can do backups via DPM 2007.. so i at least need to be able to
see it from one of our domain machines (not the same machine as the RRAS
server).

We have no access to a firewall at this time on the hosting machine, but can
remote in (2003 enterprise server).

Our firewall is a sonicwall firewall. (Pro 2040)

I'm not sure what the best route to take here would be.. so far all i can
figure is installing RRAS server on the remote dedicated machine and allowing
for pptp incoming onto that box (not as desirable).

It also isnt desirable to configure the hardware vpn on our sonicwall as it
would probably require a software install on the dedicated server (unlike
PPTP)..

Any thoughts on how to achieve this? (I'd prefer ipsec, but from what i can
see there would be no way to do this without some sort of 3rd party install)

Thanks in advance.

 

Do a simple test. Can you ping the outside hosting server from the inside?
If yes, can you telnet port 1723?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

 

I tried this ping earlier actually.. tried pinging it via its ip address,
which showed up on our local side RRAS server.. i could ping it... couldnt
browse to it though for some reason.

I didnt try the telnet.. i'm not sure why an inside to the outside dedicated
telnet would work, when its only connecting to our inside RRAS server (IE:
no RRAS installed as of yet on the dedicated, was hoping to avoid that)...

 

You should be able to do that over the existing connection. If you have
a VPN connection from the remote server to a VPN server on your LAN, you
have an IP connection between the remote server and any machine on your LAN
(when the connection is up).

When your VPN clients connect by VPN, can they see all machines on the
LAN? If not, what is it for? When the remote server connects, cannot it see
all the machines on the LAN?

If you cannot connect from a LAN machine to a remote machine (which is
connected by VPN) it is probably because of name resolution or
authentication problems. It should not be a routing problem or a firewall
problem.

 

Well.. i can ping the remote server by ip address but from ONLY the RRAS
local LAN server (and cant get to any shared mappings etc, via ip address)..

Attempts to ping this ip from any other LAN machine dont result in ping
backs, for some reason.

 

Does this server use the VPN server as its default gateway? If not, you
will need a static route on it to get traffic for the "other" private subnet
to the VPN router. Otherwise it will try across the Internet unencrypted and
unencapsulated.

Can your dial-in VPN clients see this server?

 

By your question of if the server uses the default gateway, you mean the
remote server correct? I had unchecked that option.. the reason being, at
least on regular desktops i found that if we had that checked, those remote
machines internet connections max download would become the upload max of our
LAN's gateway router.. by unchecking it, they would have full speed of their
own internet connection..

In setting up a static route.. i could set a static route on our sonicwall
lan gateway (?).. or does it have to be the RRAS server for pptp 2 way to
work.. but i have to set the same static route on the other end correct (the
remote server)? We dont have access to a firewall there, so does this imply
i'd need to install RRAS on that remote box (nervous about doing this, as
once in the past i did this and hosed a server, but at least then i had
physical access )

I'm guessing i'd have to enter the static route on the lan side (sonicwall
or rras) of the remote lan.. ie: 192.168.1.0 and on the remote server's
setting.. the lan gateway 192.168.100.0 etc?

 

When you set up a VPN, it ensures that the traffic gets safely from
point A to point B (the VPN endpoints). No matter how the VPN is set up,
you simply have a point-to-point connection between the two machines, as if
they were cabled together.

When your VPN connection is up, you can connect from your RRAS server
to the VPN client (the hosting server) because they are the VPN endpoints.
To make a connection from another machine on the LAN you need to get the
traffic across the LAN to the VPN server. By default it will go straight to
your default gateway (which is the Sonicwall I presume). If it does that the
connection will fail. Because you are using the hosting server's private IP,
the Sonicwall will discard the packet.

If you get the privately addressed packet to the VPN server instead of the
Sonicwall it will be encrypted and encapsulated (so that it goes through the
tunnel). Now when the packet reaches the Sonicwall it has the hosting
server's public IP in the header and is delivered through the Internet.

To summarise, you can connect from the RRAS server to the target
machine. To connect from another machine on the LAN you need to get the
packet to the RRAS server first. On the machine which you want to connect to
the hosting server, add a static route (either a host route for the
particular IP or a subnet route) to send the traffic addressed to the
hosting server's private IP to the local RRAS server. It will then go
through the VPN tunnel.

 

Ok, i think i understand slightly better.. though i think my own terminology
for describing my setup has confused me..

we'll call the RRAS server, in this case, ServerRRAS
the remote dedicated offsite machine is called, DedicatedServer...

another machine on the private local lan we will call DPM07

My goal of this whole setup is to be able to setup a dpm client on the
DedicatedServer so that i can back up data from their via the pptp vpn (or
eventually ipsec, ie: should i really be using pptp, thats a whole other
story, due to the fact the password is sent clear text)...

So if i'm following how this needs to be setup, i would have to setup a
static route on ServerRRAS's static route section... (or would this be better
suited on the sonicwall gateway pointing to the RRAS server .. i think i have
something amiss here)..

I would think a static gateway from RRASserver to the private ip on the
DedicatedServer subnet (192.168.1.0) would be the answer?

But i think from what you mentioned, this wouldnt let other machines on the
private lan, ie: DPM07, see DedicatedServer.. or would it? Or is this an
extra static route that must be set from RRAS to Sonicwall to have it visible
on any machine in the private lan (without installing RRAS on dpm07)..

Sorry, if i'm still a little confused, but i think the idea is getting
closer here..

Thanks for the input.. much appreciated.

(I've only done static gateways one time in the last 5 years and that was
set (i think) on my physical gateway to allow a virtual private network to
work both ways..

 

No, the RRAS server already has a route to the Dedicated server, because
you can ping it! This is set up automatically when you establish the VPN
connection.

What you need is a static route on the DPM server so that it will send
traffic for the Dedicated server to the RRAS server (so that it can go
through the VPN tunnel).

Assume that the dedicated server has a private IP of 192.168.1.11 and the
RRAS server has a private IP of 192.168.100.11 . On the DPM server you would
need to add a static route to send traffic for 192.168.1.11 to
192.168.100.11 eg

route add -p 192.168.1.11 255.255.255.255 192.168.100.11

(If you do a route print on the RRAS server while your VPN is connected,
you will see that the RRAS server has a host route to 192.168.1.11 through
the tunnel).

Now when the DPM server tries to contact the dedicated server, the packet
goes to the RRAS server which forwards it through the VPN tunnel to the
dedicated server.

The reply comes back through the tunnel (because the dedicated server
knows where the 192.168.100.0 subnet is) and the RRAS server delivers the
packet directly because it has an interface in the same subnet as the DPM
server.

This does not give you an encrypted connection from one server to the
other. The traffic is only encrypted between the VPN endpoints.

IPSec can be tricky to set up unless you are familiar with
certificates.

 

That makes good sense.. i went to attempt this, but ran into an issue..

It seems... on this dedicated server, that there isnt a private ip address
at all..

It is apparently bound to external ips (about 3 or 4 of them).. ip addresses
like 64.239.x.x etc..

So, on the dpm server, what route should i be adding? (pick an external
address in this case instead?)

Sortof side question.. if i wanted this to work on all machines in the
domain not just the dpm server, would i need to find a way to do the static
route in the sonicwall gateway (instead) (fairly easy to find in their
interface)?

Cheers

 

See inline.

Well, it has a private IP as soon as it connects to your LAN by VPN!

No, that won't work.

Why would you want a static route to the Sonicwall? That is where the
traffic goes by default. You only need a static route if you want it to go
somewhere other than the default gateway.

If the dedicated server is on a public network, your best bet is to use
IPSec. VPN is designed to link remote clients to a LAN (ie the client is
"virtually" on the LAN) or to link two private LANs together (site-to-site
VPN). Your existing dialup-type clients are an example of the first type.
What I was suggesting is a variation of this method. Although it is designed
to link a client to a LAN, you can use it backwards to access the client
from the LAN.

You do not really have two private sites to link, so that method isn't
an option.

To set up a secure link between two servers, IPSec is the tool to use.

 

I was mentioning the sonicwall, as i was thinking there has to be a way to
make the remote dedicated server visible to all servers on our local lan, not
just the dpm server..

Wouldnt another option be to simply add a private ip address to the nic on
the dedicated server then set the static route, at least from the DPM server
to it? (though i'm worried this could hose our production server without any
direct control over it).

On the side of ipsec.. is it possible to do ipsec with built in windows
networking.. and certificates.. ie: at least on the private local lan, i do
have an enterprise central authority already set up.. i'm not real clear on
how this would work though.. i've never really been able to find a good guide
to the basic MS ipsec with certs..

 

I may give the option of just adding the private lan address to the existing
ones a shot.. i guess it cant harm anything...