Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

Discussion in 'Server Networking' started by Lee, Jun 8, 2008.

  1. Lee

    Lee Guest

    Greetings,

    I have a client that wants me to setup a Site-to-site VPN (and DFS, but
    I'll ask that in another group). They won't buy additional hardware
    yet, so I'm stuck doing this with Windows VPNs (Sonic Walls and other
    devices are not options right now).

    They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
    SiteB has a Server 2003 R2 System. I have successfully created a
    Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
    connection, promote the SiteB server to a DC and DNS server.

    Both sites will have the server acting as a router with Dual NICs (I
    know this is not generally advisable but their budget until next year
    won't allow hardware devices to replace this function). Both sites will
    have public, STATIC, IP addresses.
    SiteB can ping ANY system on SiteA's network
    SiteA can ping ONLY the server on SiteB's network, and then only through
    the IP of the Demand-Dial connection.

    THE QUESTION
    How can I get/what do I have to do to setup this system so that SiteA
    can ping successfully all systems on SiteB's network? (Ultimately, I
    don't care if ping works or not, I need to be able to access these
    systems with Remote Assistance once I'm connected via VPN myself).

    I'll be happy to answer any additional requests for information or post
    settings whenever possible.

    Thanks for your responses!

    -Lee
     
    Lee, Jun 8, 2008
    #1

  2. The problem is that the SiteB server is a DC running VPN and DNS. Since this is the
    situation you face, you may have some options. 1) Install DNS on a different
    server in SiteB. 2) Re-configure DNS to register only one DNS on the Windows
    2003 DC. 3) Perhaps install WINS on one of the servers on SiteB. Or this
    search result may help.
    Name resolution on VPN
    Can't ping VPN client by name Connection issues on DC, ISA, DNS and
    WINS server as VPN server DNS and Split Tunneling for VPN? How to assign DNS
    and WINS on ...
    www.chicagotech.net/nameresolutionpnvpn.htm


    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Jun 8, 2008
    #2

  3. Lee

    Lee Guest

    Thanks Robert, but I don't know if I agree that this is a DNS problem -
    or at least only a DNS problem. In testing this, I have been pinging by
    IP. So DNS shouldn't come into play (heavily) yet. It will certainly
    be a concern, but I think I can work out the DNS issues later

    The following is the IPCONFIG from SiteA (I've done a find/replace on
    potentially sensitive information):

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SiteA
    Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

    PPP adapter RAS Server (Dial In) Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.165
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Cable WAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : DGE-560T Gigabit
    Physical Address. . . . . . . . . : 00-19-5B-C0-83-FE
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : public.ip.122
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    Default Gateway . . . . . . . . . : public.ip.121
    DNS Servers . . . . . . . . . . . : 192.168.1.133
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter LAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom
    Physical Address. . . . . . . . . : 00-18-8B-FC-B4-B8
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.133
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.133
    Primary WINS Server . . . . . . . : 192.168.1.133

    I do not have the IPCONFIG off the SiteB server right now (I hope to be
    able to get that sometime between now and Tuesday), but from memory, it
    was like this:
    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SiteB
    Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

    PPP adapter RAS Server (Dial In) Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.162
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Cable WAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom1
    Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A7
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : public.ip.203
    Subnet Mask . . . . . . . . . . . : 255.255.255.248
    Default Gateway . . . . . . . . . : public.ip.201
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter LAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom2
    Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A6
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 172.17.43.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 172.17.43.1
    Primary WINS Server . . . . . . . : 192.168.1.133

    When I ping by name from SiteA to the server "SiteB" I get replies
    from the PPP adapter's IP as follows:

    C:\>ping SiteB

    Pinging SiteB.DOMAIN.LOCAL [192.168.1.162] with 32 bytes of data:

    Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
    Reply from 192.168.1.162: bytes=32 time=17ms TTL=128
    Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
    Reply from 192.168.1.162: bytes=32 time=17ms TTL=128

    But if I ping the 172 IP address instead:

    C:\Program Files\Resource Kit>ping 172.17.43.1

    Pinging 172.17.43.1 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    My routing table on SiteA is as such:
    C:\Program Files\Resource Kit>route print

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x10003 ...00 19 5b c0 83 fe ...... DGE-560T Gigabit
    0x10004 ...00 18 8b fc b4 b8 ...... Broadcom
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 PUBLIC.IPA.121 PUBLIC.IPA.122 20
    UNKNOWN.PUB.IP 255.255.255.255 PUBLIC.IPA.121 PUBLIC.IPA.122 20
    PUBLIC.IPB.203 255.255.255.255 PUBLIC.IPA.121 PUBLIC.IPA.122 20
    PUBLIC.IPA.120 255.255.255.248 PUBLIC.IPA.122 PUBLIC.IPA.122 20
    PUBLIC.IPA.122 255.255.255.255 127.0.0.1 127.0.0.1 20
    X.255.255.255 255.255.255.255 PUBLIC.IPA.122 PUBLIC.IPA.122 20
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    172.17.43.0 255.255.255.0 192.168.1.162 192.168.1.133 1
    192.168.1.0 255.255.255.0 192.168.1.133 192.168.1.133 10
    192.168.1.133 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.1.153 255.255.255.255 192.168.1.165 192.168.1.165 1
    192.168.1.157 255.255.255.255 192.168.1.165 192.168.1.165 1
    192.168.1.162 255.255.255.255 192.168.1.165 192.168.1.165 1
    192.168.1.165 255.255.255.255 127.0.0.1 127.0.0.1 0
    192.168.1.255 255.255.255.255 192.168.1.133 192.168.1.133 0
    224.0.0.0 240.0.0.0 PUBLIC.IPA.122 PUBLIC.IPA.122 0
    224.0.0.0 240.0.0.0 192.168.1.133 192.168.1.133 0
    255.255.255.255 255.255.255.255 PUBLIC.IPA.122 PUBLIC.IPA.122 1
    255.255.255.255 255.255.255.255 192.168.1.133 192.168.1.133 1
    Default Gateway: PUBLIC.IPA.121
    ===========================================================================
    Persistent Routes:
    None

    Both Public IP's start with the same first octet, which is represented
    by X one line above.

    As you can see, I tried adding a route on SITEA using the command:
    ROUTE ADD 172.17.43.0 MASK 255.255.255.0 192.168.1.162
    but that didn't help (the route is still there). I didn't try creating
    a route back from SiteB though... could that be a problem? I wouldn't
    think so because as I said, SiteB can ping all systems in SiteA so it
    apparently has a route back...
     
    Lee, Jun 8, 2008
    #3
  4. Lee

    Bill Grant Guest

    You certainly have plenty of problems ahead, even when you get the site
    to site routing working. Having a multihomed server is not a great problem
    usually but it is on a DC. You will need to make sure that the second NIC
    does not have Netbios over TCP/IP enabled and does not register in DNS. You
    may also have similar problems with the VPN interfaces. If the name of the
    server resolves to an IP other than its local LAN IP you have major
    problems.

    There isn't really enough info here to solve the routing problem. The
    first thing to check is that each router has a route to the "other" subnet
    through the VPN link. This usually requires linking the subnet routes to the
    demand-dial interfaces, and then making sure that these interfaces actually
    bind to the connection. The routes only become active when the interfaces
    are connected.

    If the routing works from one subnet I suspect that you have this bit
    set up correctly. Is the RRAS router the default gateway at both sites? If
    it is not, you will need extra routing to get the private traffic to the
    RRAS router before it goes to the gateway router. If the private traffic
    goes directly to the gateway router it will be dropped. It needs to be
    encrypted and encapsulated first.
     
    Bill Grant, Jun 9, 2008
    #4
  5. Lee

    ThePro Guest

    If I remember correctly, you need to setup 2 VPN connections, one each way.

    You may want to look at
    http://www.microsoft.com/technet/pr...ogies/activedirectory/stepbystep/vpnconn.mspx
    (Step-by-Step Guide to Building a Site-to-Site Virtual Private Network
    Connection) to see if you missed some steps.

    ThePro
     
    ThePro, Jun 9, 2008
    #5
  6. Lee

    leew [MVP] Guest

    Please see comments in-line

    I'm aware of these issues and don't feel these are anything that can be
    overcome. My primary concern is the routing issue.
    Are you suggesting that I have Demand Dial connections from both ends?
    I can try that... but it didn't seem logical at the time.

    We did try to enable RIP; what we did did not resolve the issue...
    I don't mind setting up additional static routes. I just need the
    assistance in knowing what they are.

    If there's not enough info, please, tell me what you need and I'll do my
    best to get it.

    Thanks,
    -Lee
     
    leew [MVP], Jun 9, 2008
    #6
  7. Lee

    Bill Grant Guest

    No, that is not correct. You only use one link, but both routers must
    bind to the connection.

    The VPN connection is simply a point to point connection between the two
    routers. When it is connected and you have the routing set up correctly it
    works as a simple (slow) IP router. Each router has a route to the other
    subnet through the VPN link.

    As the step-by-step explains you have a demand dial interface on each
    router. The static subnet route is linked to the demand-dial interface
    (using the new static route wizard. You select the interface by name from
    the dropdown list). This is stored in the registry until the interface
    connects. The system then adds the route to the routing table using the dd
    interface as the gateway. In effect you are using the name of the dd
    interface as a symbolic name for the connection before it actually exists.

    You do not need to use dial on demand. That is optional. You can connect
    from either end and make it a persistent connection. What is essential is
    the demand-dial interfaces and the routes linked to them. The other
    essential is that when you make the connection, the link is bound to the dd
    interface on the answering router. You do that by using the name of the dd
    interface as the username.

    This is what happens at the answering router. When it gets the request
    it checks to see if the username matches one of its dd interfaces. If it
    does it makes the connection to that interface. (This is how it manages
    multiple site connections). If the username does not match, the connection
    is made to the default internal interface. When this happens you do not get
    the subnet route added. RRAS assumes that it is a simple client-server
    connection, not a router to router. You get just a host route back to the
    calling machine, not a subnet route for the machines behind it. You can
    route to the router but not to the subnet behind it.
     
    Bill Grant, Jun 10, 2008
    #7
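As an added check (not code from the thread or from any of its participants), the following Python parses a Windows "route print" Active Routes table such as the one Lee posted and reports whether the route that carries traffic to the remote subnet leaves via the point-to-point VPN interface, which is the condition Bill Grant describes. The sample table is constructed from SiteA's posted routes, keeping the thread's placeholder public addresses; the remote subnet and PPP interface IP are passed in as parameters.

```python
import ipaddress

# Constructed excerpt of SiteA's 'route print' output from the thread.
# Placeholder public addresses are kept as posted; they are skipped by the parser.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 PUBLIC.IPA.121 PUBLIC.IPA.122 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.17.43.0 255.255.255.0 192.168.1.162 192.168.1.133 1
192.168.1.0 255.255.255.0 192.168.1.133 192.168.1.133 10
192.168.1.162 255.255.255.255 192.168.1.165 192.168.1.165 1
192.168.1.165 255.255.255.255 127.0.0.1 127.0.0.1 0
"""


def parse_routes(text):
    """Parse the five-column Active Routes table into a list of dicts."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        dest, mask, gateway, interface, metric = line.split()
        try:
            net = ipaddress.IPv4Network((dest, mask))
        except ValueError:
            continue  # destination is a placeholder, not a real address
        routes.append({"net": net, "gateway": gateway,
                       "interface": interface, "metric": int(metric)})
    return routes


def check_vpn_subnet_route(text, remote_subnet, ppp_interface_ip):
    """Return (status, route) for the route Windows would pick for remote_subnet.

    status is one of:
      "no_route"         no matching route at all (not even a default route)
      "default_gateway"  only the default route matches, so private traffic
                         would be sent unencapsulated to the Internet gateway
      "wrong_interface"  a subnet route exists but is bound to an interface
                         other than the point-to-point VPN interface
      "ok"               the subnet route leaves via the VPN interface
    """
    remote = ipaddress.IPv4Network(remote_subnet)
    matches = [r for r in parse_routes(text) if remote.subnet_of(r["net"])]
    if not matches:
        return ("no_route", None)
    # Longest prefix wins; lowest metric breaks ties, as the Windows stack does.
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    if best["net"].prefixlen == 0:
        return ("default_gateway", best)
    if best["interface"] != ppp_interface_ip:
        return ("wrong_interface", best)
    return ("ok", best)
```

Run against the posted table, the check reports that the 172.17.43.0/24 route is bound to the LAN adapter (192.168.1.133) rather than the PPP interface (192.168.1.165), which matches the symptom Lee describes.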
