VPN Gateway

Goo Day to All,

I create a vpn and all configuration are ok, except the gateway

so my ipconfig /all are:

PPP adapter GMMP:

Connection-specific DNS Suffix . : tiago.loc
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-35-51-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.176
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.176
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.11
Primary WINS Server . . . . . . . : 192.168.0.11


What is wrong is that gateway should be 192.168.0.1 and not my own ip
address, how can i change that gateway configuration?

Thanks

 

No it should not! The gateway you see is correct. The gateway address
should be the received IP address. This indicates that the gateway address
of the VPN client is the PPP interface, which is what you want it to be.
Traffic which is not local will go across the PPP link. Whatever your
problem is (and you didn't say what it was), the gateway address is not the
cause.

 

But Why i can't ping other computers in my network? even the dns servers i
can't ping?

what i should do?

Thanks

 

A remote access connection (dialup or VPN) just gives you an IP
connection between the client and the server. If you can ping the server,
your VPN connection is working.

You have given your remote client an IP address in the same IP subnet as
the LAN machines. This is called on-subnet addressing. Networking to
machines on the LAN depends on the VPN server doing proxy ARP on the LAN.
The VPN server acts as a proxy for the remote machine, sending the packets
across the point-to-point link. Some switches do not handle this very well.
If this is your problem you will need to put the remote users in their own
IP subnet and route this subnet through the VPN server (ie off-subnet
addressing).

 

Thanks for your answer bill....

so my question is, how can i put the remote users in their own
IP subnet and route this subnet through the VPN server ??

My network ip is 192.168.0.X and my VPN Server have 2 ip's on for external
and one for internal...

can you help-me? thanks again

 

If you set the RRAS server to use DHCP, the RRAS server leases a batch
of addresses from DHCP to use as its address pool. The clients do not get
their network config directly from DHCP, but from the RRAS server as part of
the PPP setup. Since these addresses come from your DHCP server they are in
the same IP subnet as your LAN machines.

To put the remotes in their own subnet you use the static address pool
instead. Set up a pool of addresses in another IP subnet (say 192.168.21.1
to 192.168.21.20). The inernal interface in RRAS and the client(s) will now
get IP addresses in this subnet.

To route between the remotes and the LAN you need to enable IP routing
on the RRAS server. You might also need extra routing on the LAN if the RRAS
server is not the default gateway of your LAN.

 

So, my RRASS is using DHCP wich is provided by DC of my lan(i configure as a
CHCP Relay Agent) and gives the correct address to my remote clients, and i
configure thit static route:

Interface: 192.168.0.27 (is the public interface)
Destination: 192.168.0.0
Network Mask: 255.255.255.255
Gateway: 192.168.0.1 (is my lan gateway)
Metric: 1

With this configuration i can't ping any of my Lan ip's. But it's seems that
i have the correct ip:

the ip for my remote client:

ip: 192.168.0.164
subnetmask: 255.255.255.255
gateway: 192.168.0.164
dns: 192.168.0.11 (is my lan dhcp)
wins: 192.168.0.11 (is my lan wins)

what i'm doing wrong?

PS: enable ip routing is checked

 

NO, that won't help. As I outlined earlier, you are using on-subnet
addresses. No "real" IP addressing is taking place because all the IP
addresses are in the same IP subnet. IP routing only works between subnets.
Your setup can only work by using the VPN server as a proxy for the remote.
If that doesn't work, you will need to use off-subnet addressing.

 

Ok Bill, so i put a second subnet to the vpn clients

at the moment i put Ras giving another subnet ip's to the remote clients,
and looks like this:

ip: 192.168.21.2 (192.168.21.1 to 192.168.21.20)
subnetmask: 255.255.255.255
gateway: 192.168.21.2
dns: 192.168.0.11 (is my lan dhcp)


i can't ping the lan ip's and i think is because the static routes.
what i have to configure in there?

 

I don't know where you got those numbers from. The subnet mask certainly
shouldn't be 255.255.255.255 and a gateway address is not relevant.

The server itself will get an IP address of 192.168.21.n and the
client will get an IP address of 192.168.21.m from the address pool. This is
the point to point link between the client and server. The client will get
its own received IP address as its gateway. This means that its default
route is to the VPN server via the point to point link.

You do not need any static routes on the client. It sends traffic across
the link to the VPN server by default. You do need to enable IP routing on
the VPN server so that it can route between the two IP subnets. If the VPN
server was the default gateway of your LAN, it would now work. LAN machines
send traffic for 192.168.21. addresses to the default gateway (the VPN
server) and it sends it over the VPN link to the client.

If the VPN server is not the default gateway of your LAN it doesn't
work. The traffic for 192.168.21.x goes to the default gateway which doesn't
know where to send it. The private traffic has to go to the VPN server first
so that it can be encrypted and encapsulated. The easiest way to achieve
that is to add a static route to the gateway router to bounce the private
traffic to the VPN server. (If you can't add this route to the gateway
router you will need to add it to every machine on the LAN which you need
the remote clients to see). eg

192.168.21.0 255.255.255.0 192.168.0.27

The RRAS server then encapsulates the packet with a public IP before it
gets to the gateway router. It can then be sent through the Internet to the
client's public IP.

 

Hi Bill..... it works!!!!!! you are very helpfull...

so the next step.... i just can ping by ip address and not by host name...
what you recommend? i have already put my dns server in route list and i can
ping it, but i can't resolve by name...

what i should do?


many thanks again

 

Just make the VPN Server the Default Gateway of the Hosts,...then the Default
Gateway of the VPN Server will be whatever the previous Gateway device used to
be on the Hosts. This way it keeps the "decision making" away from the Hosts
and you have no static routes to maintain at all. All routing decisions can be
determined in one location and the RRAS box will be acting as a combination of
LAN Router and VPN Server which is what it was designed to do anyway.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

 

To resolve names from the client it needs to have both the correct DNS
server IP and the correct DNS suffix. Test it with nslookup from the guest.
If it works using the FQDN, it will work using just the machine name if the
DNS suffix is correct.