Discussion in 'Server Networking' started by Yieng Him, Nov 17, 2003.

  1. Yieng Him

    Yieng Him Guest

    When I VPN into WIN2K it doesn't give the internal gateway address.
    However, it does give an internal IP address in place of the gateway address.
    I could access all the resources internally but not outside resources while I
    am in VPN mode.

    What am I doing wrong? How do I set it up so that the client who VPNs in
    will get the internal gateway address?


    Yieng Him, Nov 17, 2003

  2. The gateway is fine. This is because you are effectively using a
    point-to-point link now, and there is only 1 place to send the packet... to
    the other end of the link. Now, in order to reach remote resources, IP
    forwarding must be enabled. If your VPN clients are addressed for a
    separate subnet than the resources, then the proper routes must be in place.

    Quick example:

    Resource                     RRAS     VPN Client
    [ ]--------------------------{ }>>>>>>| |
    192.168.1.X /24                       172.16.X.X /16

    In this case, notice that the client is in a separate subnet than the
    resource. The resource would need a route that says: to get to the 172.16
    network, send the packets to the RRAS server.
    Dusty Harper {MS}, Nov 18, 2003

  3. Yieng Him

    Yieng Him Guest

    I did all that already. But for some reason the VPN client cannot access
    outside resources. The client was able to access all the resources inside but not
    outside. The internal IP, gateway and subnet mask are different from the
    VPN client. I went to the registry and added the following value.

    Value Name: IPEnableRouter
    Value Type: REG_DWORD
    Value Data: 1

    What do I need to add or change to make this work?


    Yieng Him, Nov 18, 2003
  4. YH,

    What Dusty said was correct. But here is a missing for you I believe. The
    VPN client DOES NOT "get" a default route "" from the server, it only
    gets the "segment" the server is attached to, such that if the server is, and DHCP (or Static) sends an IP of to you then
    your route table will reflect: mask GW Which is understood as the
    point 2 point connection

    When you send any packet destined for 192.168.0.X it will go towards the
    VPN. Your on the other hand is going to go towards your DSL or
    whatever was set originally on your system

    To push ALL of your traffic down the VPN regardless, then make sure you
    click the box "use default GW on remote server" under networking of the VPN

    Open Client: Properties / Networking (tab) / select Internet Protocol (ip) /
    Properties / advanced
    Then select that option.

    Next note. If that option is selected then verify using ROUTE PRINT (Go to
    Run/CMD), and check to make sure mask (your GW IP ) Metric 20 (or something greater than) mask (your VPN IP) Metric 10 (Something lower).

    The next tests come from your network (the one you're attaching to):

    The VPN server: can it access the outside world?
    Is the IP block you are assigning routable through your GW? (Look for NAT
    issues etc.)

    Hope this is a start

    Good luck
    Alexander G. Paoli [MVP], Nov 18, 2003
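The route selection described in the reply above, as an added example that is not part of the original thread: it picks the winning route by longest prefix and then lowest metric, with and without "use default GW on remote server". Only the 192.168.0.X segment comes from the post; every other address, the table layout and the function names are constructed for illustration.

```python
import ipaddress

def pick_route(routes, dest):
    """Route used for dest: longest matching prefix first, lowest metric second."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r["net"]).prefixlen, r["metric"]))

def default_via(routes):
    """Interface that wins for traffic with no more specific route (0.0.0.0/0)."""
    defaults = [r for r in routes if r["net"] == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r["metric"])["via"] if defaults else None

# Constructed sample values; only the 192.168.0.X office segment is from the thread.
LAN_GW = "192.168.50.1"      # client's own DSL router
VPN_IP = "192.168.0.120"     # address handed to the client by the VPN server
VPN_SERVER = "203.0.113.10"  # public address of the VPN server

# Option unchecked: only the office segment is routed into the tunnel.
SPLIT = [
    {"net": "0.0.0.0/0",        "gw": LAN_GW, "metric": 20, "via": "lan"},
    {"net": "192.168.50.0/24",  "gw": LAN_GW, "metric": 20, "via": "lan"},
    {"net": "192.168.0.0/24",   "gw": VPN_IP, "metric": 10, "via": "vpn"},
    # Assumed host route that keeps the tunnel's own packets on the LAN side.
    {"net": VPN_SERVER + "/32", "gw": LAN_GW, "metric": 20, "via": "lan"},
]
# Option checked: a second default route with a lower metric points at the VPN.
FORCED = SPLIT + [{"net": "0.0.0.0/0", "gw": VPN_IP, "metric": 10, "via": "vpn"}]

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("forced", FORCED)):
        for dest in ("192.168.0.5", "198.51.100.7", VPN_SERVER):
            print(name, dest, "->", pick_route(table, dest)["via"])
        print(name, "default route via", default_via(table))
```

With the forced table, Internet-bound traffic leaves through the office network, so it only gets out if the VPN server side forwards and NATs the client's address block, which is what the remaining tests in the reply check.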
  5. Yieng Him

    Yieng Him Guest

    Everything you stated is true. After the "use default GW on remote server"
    is checked it still doesn't work.

    My internal network can access the outside world. I use a dot 10 IP including
    the VPN.

    Any more suggestions are greatly appreciated.


    Yieng Him, Nov 18, 2003
  6. YH

    Ok next test.

    With your client set to "use default GW" ... Log on to your network

    Have someone at your office telnet to your router and see if they can ping
    your IP. DOES the server you log onto go to the internet? What is its
    default GW? If it does not have a path out then neither will you. Make sure
    of this.

    What is your IP? Is it part of the 10 network with the proper netmask as
    the other machine?

    I would look at the following places:

    1. The server, and it has a proper pointing to the router and
    nowhere else
    2. The block you get assigned IS NOT part of the "nattable" space in your
    3. The router can't see you, thus you're on a different block

    Alex Paoli
    Alexander G. Paoli [MVP], Nov 18, 2003