Dual NIC's and VPN

Status
Not open for further replies.

irbk

MIS
Oct 20, 2004
578
US
Hello,
I've got an old Windows 2000 server that's currently running VPN for my company. This hardware is so old, it's been around longer than I have, and I've been here 9 years. Needless to say, it's starting to act flakey. So I'm working on setting up a 2nd VPN server that will eventually replace the old one. I've taken some newer hardware, installed Server 2003 SP2 and all the latest critical updates. I've got Dual NIC's installed on the server as well but I'm not sure how they should be configured. Currently, NIC 1 has an internal IP of X.X.1.19 with a gateway of X.X.1.2. NIC 2 has an external IP of X.X.X.169 with a gateway of X.X.X.161. When I configure the NIC's, Windows pops up a message that I shouldn't have 2 different gateways.

First Question: Should I be leaving the gateway blank on one of the NIC cards?

After I've got the NIC's configured, I go through and configure the RRAS setup wizard selecting "Remote Access (dial-up or VPN)" and then selecting just the VPN checkbox. When prompted for "the network interface that connects this server to the internet" I select my NIC with the external IP address. I then specify that I want a range of IP addresses from X.X.2.50 to X.X.2.74. Lastly, I use Routing and Remote Access to authenticate requests. Once this is all set up, I run a few pings to sites on my WAN and make sure I can connect to the internet from the server. All looks good.

Second Question: Even though all looks good on the server and with no firewall between the server and the internet (except for the packet filtering that's automatically set up by the RRAS wizard) remote clients can't connect. They get an Error 800. What am I missing? All the tutorials I've seen on this make it seem so simple but I'm totally missing something.

Thanks in advance!
 
Well, it looks like my issue has everything to do with how the NIC's are configured and I'm not sure what the proper way to configure them is. Having both NIC's with a default gateway configured and then running an "ipconfig /all" shows that Windows has automatically disabled the default gateway on the external NIC. This is why clients can't connect to the VPN server. If I manually remove the default gateway from the local NIC, the external NIC takes over and *poof* remote clients can connect. However, this causes another issue. Most of my users that connect to VPN need to connect to servers that are not on the same subnet as the VPN server, but servers that are on my WAN. With the default gateway for the local NIC removed, neither the server itself nor VPN clients can connect to anything on another subnet. I think it's got everything to do with how those NIC's are configured but I can't find any proper documentation on what the proper way to configure them is. Any advice would be greatly appreciated!
 
This is a simple routing decision issue on the Windows server. As you have found you can't have two default gateways because the server doesn't know which one to use. What you need to do is make the external gateway the default and add static routes to your internal networks. If, like many companies, you have used RFC1918 addressing internally this is easy as you can use summary routes instead of adding lots and lots of static routes:
Code:
route add 10.0.0.0 mask 255.0.0.0 10.1.1.2 -p
route add 192.168.0.0 mask 255.255.0.0 10.1.1.2 -p
This will change the routing table on the server to allow your internal networks to still be reachable whilst having the external gateway as the default. The '-p' makes the entries permanent so they will remain following a NIC reset or a power reset.

HTH

Andy
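
The routing decision described in the reply above, modelled as an added example that is not part of the original posts: a longest-prefix-match lookup showing why two default gateways compete and how the two summary routes steer internal traffic. The function names are illustrative, and 203.0.113.161 is a constructed stand-in for the masked external gateway X.X.X.161.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    metric: int = 1


def route(dest, gateway, metric=1):
    return Route(ipaddress.ip_network(dest), gateway, metric)


def next_hop(table, destination):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
    return best.gateway


def competing_defaults(table):
    """Gateways of every 0.0.0.0/0 route; more than one is the dual-gateway case."""
    return sorted(r.gateway for r in table if r.network.prefixlen == 0)


# Constructed addresses: the thread masks its real ones.
EXTERNAL_GW = "203.0.113.161"   # stand-in for X.X.X.161
INTERNAL_GW = "10.1.1.2"        # internal gateway used in the reply's route commands

# Both NICs carry a default gateway: two equal 0.0.0.0/0 routes compete.
BROKEN = [route("0.0.0.0/0", EXTERNAL_GW), route("0.0.0.0/0", INTERNAL_GW)]

# One default (external) plus the two summary routes from the reply.
FIXED = [
    route("0.0.0.0/0", EXTERNAL_GW),
    route("10.0.0.0/8", INTERNAL_GW),
    route("192.168.0.0/16", INTERNAL_GW),
]

if __name__ == "__main__":
    print("default gateways (both NICs configured):", competing_defaults(BROKEN))
    # 172.16.1.1 is not covered by either summary route, so it follows the default.
    for dst in ("10.20.30.40", "192.168.5.9", "172.16.1.1", "198.51.100.7"):
        print(dst, "->", next_hop(FIXED, dst))
```

Any internal range not covered by a static route, such as 172.16.0.0/12 in this model, leaves through the external default gateway.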
 
Ok, I've found that I could set up the static routes right in RRAS. If I set 192.168.0.0 255.255.0.0 172.16.1.1, what happens to the VPN client that has a local network that's 192.168.X.X? Will they lose connection to their local network while on VPN?
 
More in this saga. On Friday, I removed the default gateway for the local NIC, and it allows VPN clients to connect, and once I created static routes for all my remote locations through Routing and Remote Access, all was good. Today, something has gone wrong. While users can still connect to VPN, once connected to VPN, they can no longer access the internet. Also, the server can't browse the internet anymore either.
What went wrong between Friday and today and how do I fix it?
 