VPN Gateway

Discussion in 'Server Networking' started by Tiago, May 18, 2007.

  1. Tiago

    Tiago Guest

    Goo Day to All,

    I create a vpn and all configuration are ok, except the gateway

    so my ipconfig /all are:

    PPP adapter GMMP:

    Connection-specific DNS Suffix . : tiago.loc
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-35-51-00-00-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Primary WINS Server . . . . . . . :

    What is wrong is that gateway should be and not my own ip
    address, how can i change that gateway configuration?

    Tiago, May 18, 2007
    1. Advertisements

  2. Tiago

    Bill Grant Guest

    No it should not! The gateway you see is correct. The gateway address
    should be the received IP address. This indicates that the gateway address
    of the VPN client is the PPP interface, which is what you want it to be.
    Traffic which is not local will go across the PPP link. Whatever your
    problem is (and you didn't say what it was), the gateway address is not the
    Bill Grant, May 18, 2007
    1. Advertisements

  3. Tiago

    Tiago Guest

    But Why i can't ping other computers in my network? even the dns servers i
    can't ping?

    what i should do?

    Tiago, May 18, 2007
  4. Tiago

    Bill Grant Guest

    A remote access connection (dialup or VPN) just gives you an IP
    connection between the client and the server. If you can ping the server,
    your VPN connection is working.

    You have given your remote client an IP address in the same IP subnet as
    the LAN machines. This is called on-subnet addressing. Networking to
    machines on the LAN depends on the VPN server doing proxy ARP on the LAN.
    The VPN server acts as a proxy for the remote machine, sending the packets
    across the point-to-point link. Some switches do not handle this very well.
    If this is your problem you will need to put the remote users in their own
    IP subnet and route this subnet through the VPN server (ie off-subnet
    Bill Grant, May 19, 2007
  5. Tiago

    Tiago Guest

    Thanks for your answer bill....

    so my question is, how can i put the remote users in their own
    IP subnet and route this subnet through the VPN server ??

    My network ip is 192.168.0.X and my VPN Server have 2 ip's on for external
    and one for internal...

    can you help-me? thanks again
    Tiago, May 22, 2007
  6. Tiago

    Bill Grant Guest

    If you set the RRAS server to use DHCP, the RRAS server leases a batch
    of addresses from DHCP to use as its address pool. The clients do not get
    their network config directly from DHCP, but from the RRAS server as part of
    the PPP setup. Since these addresses come from your DHCP server they are in
    the same IP subnet as your LAN machines.

    To put the remotes in their own subnet you use the static address pool
    instead. Set up a pool of addresses in another IP subnet (say
    to The inernal interface in RRAS and the client(s) will now
    get IP addresses in this subnet.

    To route between the remotes and the LAN you need to enable IP routing
    on the RRAS server. You might also need extra routing on the LAN if the RRAS
    server is not the default gateway of your LAN.
    Bill Grant, May 23, 2007
  7. Tiago

    Tiago Guest

    So, my RRASS is using DHCP wich is provided by DC of my lan(i configure as a
    CHCP Relay Agent) and gives the correct address to my remote clients, and i
    configure thit static route:

    Interface: (is the public interface)
    Network Mask:
    Gateway: (is my lan gateway)
    Metric: 1

    With this configuration i can't ping any of my Lan ip's. But it's seems that
    i have the correct ip:

    the ip for my remote client:

    dns: (is my lan dhcp)
    wins: (is my lan wins)

    what i'm doing wrong?

    PS: enable ip routing is checked
    Tiago, May 23, 2007
  8. Tiago

    Bill Grant Guest

    NO, that won't help. As I outlined earlier, you are using on-subnet
    addresses. No "real" IP addressing is taking place because all the IP
    addresses are in the same IP subnet. IP routing only works between subnets.
    Your setup can only work by using the VPN server as a proxy for the remote.
    If that doesn't work, you will need to use off-subnet addressing.
    Bill Grant, May 24, 2007
  9. Tiago

    Tiago Guest

    Ok Bill, so i put a second subnet to the vpn clients

    at the moment i put Ras giving another subnet ip's to the remote clients,
    and looks like this:

    ip: ( to
    dns: (is my lan dhcp)

    i can't ping the lan ip's and i think is because the static routes.
    what i have to configure in there?
    Tiago, May 24, 2007
  10. Tiago

    Bill Grant Guest

    I don't know where you got those numbers from. The subnet mask certainly
    shouldn't be and a gateway address is not relevant.

    The server itself will get an IP address of 192.168.21.n and the
    client will get an IP address of 192.168.21.m from the address pool. This is
    the point to point link between the client and server. The client will get
    its own received IP address as its gateway. This means that its default
    route is to the VPN server via the point to point link.

    You do not need any static routes on the client. It sends traffic across
    the link to the VPN server by default. You do need to enable IP routing on
    the VPN server so that it can route between the two IP subnets. If the VPN
    server was the default gateway of your LAN, it would now work. LAN machines
    send traffic for 192.168.21. addresses to the default gateway (the VPN
    server) and it sends it over the VPN link to the client.

    If the VPN server is not the default gateway of your LAN it doesn't
    work. The traffic for 192.168.21.x goes to the default gateway which doesn't
    know where to send it. The private traffic has to go to the VPN server first
    so that it can be encrypted and encapsulated. The easiest way to achieve
    that is to add a static route to the gateway router to bounce the private
    traffic to the VPN server. (If you can't add this route to the gateway
    router you will need to add it to every machine on the LAN which you need
    the remote clients to see). eg

    The RRAS server then encapsulates the packet with a public IP before it
    gets to the gateway router. It can then be sent through the Internet to the
    client's public IP.
    Bill Grant, May 25, 2007
  11. Tiago

    Tiago Guest

    Hi Bill..... it works!!!!!! you are very helpfull...

    so the next step.... i just can ping by ip address and not by host name...
    what you recommend? i have already put my dns server in route list and i can
    ping it, but i can't resolve by name...

    what i should do?

    many thanks again
    Tiago, May 25, 2007
  12. Just make the VPN Server the Default Gateway of the Hosts,...then the Default
    Gateway of the VPN Server will be whatever the previous Gateway device used to
    be on the Hosts. This way it keeps the "decision making" away from the Hosts
    and you have no static routes to maintain at all. All routing decisions can be
    determined in one location and the RRAS box will be acting as a combination of
    LAN Router and VPN Server which is what it was designed to do anyway.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    Phillip Windell, May 25, 2007
  13. Tiago

    Bill Grant Guest

    To resolve names from the client it needs to have both the correct DNS
    server IP and the correct DNS suffix. Test it with nslookup from the guest.
    If it works using the FQDN, it will work using just the machine name if the
    DNS suffix is correct.
    Bill Grant, May 26, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.