Supply route to VPN clients

Discussion in 'Server Networking' started by Massimo, May 1, 2004.

  1. Massimo

    Massimo Guest

    My office LAN (192.168.42.0/24) is connected to a remote site
    (192.168.43.0/24) through a VPN connection.
    We also have a VPN server (Windows 2003) in the main LAN to allow our users
    access to our network.
    When I connect to the VPN server from home (Windows XP), I get a valid IP
    address (192.168.42.X) and everything works fine, but I can't access the
    remote site, because my Windows doesn't know how to reach the
    192.168.43.0/24 subnet: it only knows about the 192.168.42.0/24 one.
    If I manually add a route, telling it to reach the remote site through the
    VPN connection to the main LAN (ROUTE ADD 192.168.43.0 MASK 255.255.255.0
    192.168.42.X), everything is ok; but I need to do this manually each time I
    connect to the office. Is there any way to make my RRAS server automatically
    supply this route to its clients when they connect?
    Thanks

    Massimo
     
    Massimo, May 1, 2004
    #1

  2. Massimo

    Massimo Guest

    Any thoughts on this?

    Massimo
     
    Massimo, May 2, 2004
    #2

  3. You may want to do this on VPN server. If I remember correctly, IP
    routing>static routes.

    Robert Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
    http://www.ChicagoTech.net
    This posting is provided "AS IS" with no warranties.
     
    Robert L [MS-MVP], May 3, 2004
    #3
  4. Massimo

    Jimmy Boy Guest

    Ditto Robert,

    all you have to do is do it on the vpn server since the clients are using
    the vpn server as their gateway.
     
    Jimmy Boy, May 3, 2004
    #4
  5. Massimo

    Massimo Guest

    No, those are the static routes for the server itself... and, anyway, a
    route to the remote LAN is already specified there.

    Massimo
     
    Massimo, May 3, 2004
    #5
  6. Massimo

    Massimo Guest

    Unfortunately, that's not the case: a VPN client doesn't use the VPN server
    as its default gateway, since it has to continue reaching the Internet when
    the VPN is up. A VPN client uses the server as gateway only for the LAN
    accessed through the VPN, i.e., in this case, 192.168.42.0/24. I want to
    tell clients they should use the VPN server as gateway for 192.168.43.0/24
    also.

    Massimo
     
    Massimo, May 3, 2004
    #6
  7. Massimo

    Massimo Guest

    I found a workaround: I used the option for specifying the static route on
    the DHCP server used by RRAS to supply addresses to clients; now that route
    is also supplied to all of the LAN clients, but I don't think this is a
    problem.
    Anyway, is there a way to make the RRAS server supply the route to its
    client without setting it on the DHCP server?

    Massimo
     
    Massimo, May 3, 2004
    #7
  8. Massimo

    Mike Guest

    I am having the same issue as you. How do you know what to set as the
    default gateway, if your VPN clients are assigned ip addresses via DHCP?

    --Mike
     
    Mike, May 7, 2004
    #8
  9. Massimo

    Mike Guest

    Let me rephrase that last question.
    How do you know what to set as the
    gateway for the VPN client's static route, if your VPN clients are assigned
    ip addresses via DHCP?

    --Mike
     
    Mike, May 7, 2004
    #9
  10. I believe it is handled automatically when you enable "Use Gateway on Remote
    Network" in the TCP Properties of the Dialup-Connection on the Client.

    It also makes a big difference whether this is a "Remote Access VPN" or a
    "Site-to-Site VPN" (aka Router-to-Router VPN). The two don't behave the
    same. I no longer have any past messages of this thread so I don't know the
    context. I've dealt with too many similar ones to keep track of who was who.
     
    Phillip Windell, May 7, 2004
    #10
  11. Massimo

    Mike Guest

    Also if you are running in Native mode, you can set static routes for the
    VPN clients in AD Users and computers--> User Properties-->Dial-In tab-->
    Static routes.
    This is only available in native mode, not mixed mode. :(

    --Mike
     
    Mike, May 7, 2004
    #11
  12. Massimo

    Massimo Guest

    I use the static internal address of the RRAS server, 192.168.42.1; since
    the VPN client knows how to reach the 192.168.42.0/24 network, it can use
    any address of that network as a router for any other network.

    Massimo
     
    Massimo, May 9, 2004
    #12
  13. Massimo

    Massimo Guest

    The original question was how to supply a static route to VPN clients. I
    have my office LAN (192.168.42.0/24) which is connected via VPN to another
    LAN (192.168.43.0/24). The main LAN has a VPN server for remote users, and I
    want VPN clients to be able to talk to the remote LAN too; so I have to
    supply them a route for 192.168.43.0/24, which they don't know anything
    about. I was hoping to find a way to do this on the VPN server, but I didn't
    find any... I worked around this by assigning it from the DHCP server which
    supplies addresses to the VPN server for remote clients.

    Massimo
     
    Massimo, May 9, 2004
    #13
  14. Massimo

    Massimo Guest

    Uh? Really?
    I didn't know anything about this... I'll give it a look, thanks for the tip.

    Massimo
     
    Massimo, May 9, 2004
    #14
  15. In a LAN-to-LAN VPN you don't do anything with the clients at all. The
    routing is handled by your own LAN's Layer3 Routing scheme. Your clients use
    your LAN's Router as their Default Gateway. Then the LAN Router uses static
    routes within itself to handle sending the proper traffic to the VPN Device.
    Then Your LAN Router's Default Gateway is typically the Firewall leading to
    the Internet.

    If you don't have a LAN Router then the VPN Box would be the Client's
    Default Gateway and then the VPN Box would know what to do with the right
    traffic from there. Then the VPN Box would typically use the Firewall as its
    Default Gateway.

    If the VPN Box also doubles as the LAN's Firewall, then the Clients use it
    as the Default Gateway and that is all.
     
    Phillip Windell, May 10, 2004
    #15
  16. Massimo

    Mike Guest

    Did this work?

     
    Mike, May 10, 2004
    #16
  17. Massimo

    Massimo Guest

    Yes, but I'm talking about *another* VPN :)
    There's the lan-to-lan VPN between the two sites, but there's also the VPN
    access to the main LAN for remote users... I'm talking about these clients,
    who use their Internet connection as their default gateway, and also use the
    VPN server as their gateway to the office LAN. I want to tell them to use it
    also for reaching the second LAN (through the first one).

    Massimo
     
    Massimo, May 10, 2004
    #17
  18. Massimo

    Massimo Guest

    Didn't have time to test it... I'll do some tests as soon as I can.

    Massimo
     
    Massimo, May 10, 2004
    #18
  19. Ok.
    That is "Remote Access VPN". It is not meant to be as flexible as the
    other. But the way to handle the routing is to enable "Use Gateway on
    Remote Network" in the Dial-up connection Settings on the client machine.

    Then the Default Gateway in your system becomes their Default Gateway as
    well (overriding their normal Default Gateway), and they follow your same
    routing scheme as all the other clients.
     
    Phillip Windell, May 10, 2004
    #19
  20. Massimo

    Massimo Guest

    Of course, but then they're going to route any packet through the office
    LAN, and this slows down any other Internet connection and generates a lot
    of unnecessary traffic on the VPN, the office LAN and the main RRAS server.
    So I want them to use the VPN connection only to reach the two LANs, and the
    main Internet connection to reach any other site.

    Massimo
     
    Massimo, May 10, 2004
    #20