
Need Help... VPN Remote Access on Windows 2003 R2 Server w/ Dual NICS


reynolwi (IS-IT--Management), Sep 7, 2006
OK, I'm posting this here and in the VPN forum because I'm not entirely sure where it falls, but I'm stuck.

I have a file server that is a member server of the enterprise domain. This server is also our VPN remote access server for the enterprise and it has dual NICs. We used to have the VPN requests forwarding through the current internet connection to the secondary NIC on this server so it didn't bog down the main NIC that all the machines use to connect to it. What we want to do is put the 2nd NIC that we have been using for VPN on a separate router and internet connection so that all remote users come through on a separate connection and don't use up all the bandwidth on the main connection.

I set up the new cable modem and router and told it to allow VPN traffic to pass through and even did a port forward for VPN to the server NIC. It's a static IP on the server NIC and I made it a different IP scheme than the main network.

It's a D-Link EBR-2310 Gigabit Ethernet Router. The settings are below...

Router 10.25.20.1
Subnet 255.255.255.0

Server IP 10.25.20.10
Subnet 255.255.255.0
Gateway 10.25.20.1
DNS Server 10.25.20.1

I cannot get VPN to respond when we try to connect. I can connect using the old method going through the main internet connection, but I can't get it to respond using the new setup. Is there something that I might need to change to tell it that it's on a separate connection or something? I did a port scan and VPN is open on the router, and I checked and it at least shows that pass-through is turned on. Suggestions, anybody?

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
Let's call your existing internet connection WAN1 and your new one WAN2 (the one you set up just for the VPN). Let's call the existing NIC (that your network operates on) LAN1 and the new one is LAN2.

If LAN1 is operating on a subnet that is different from LAN2 then that is one issue. When you try to connect to the server using the WAN1 address, all traffic is routed to LAN1 and presumably you have DHCP set up on the same server, or you have configured RRAS itself to do basic DHCP. Now, trying to connect on WAN2 the traffic is being routed to LAN2. Is RRAS handling this properly? What IP addresses are given to users when they connect on this interface?

My suggestion is to reconfigure RRAS from scratch and make sure that:
1) LAN2 is present in RRAS under your network interface and IP routing
2) LAN2 and LAN1 are routing traffic to each other
3) DHCP or DHCP relay is set up correctly.
Otherwise, even if your users connect, they won't have access to network resources. When configuring RRAS select "Custom configuration" and choose both VPN server as well as LAN routing.

Try that out and see how it goes.
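The reply above lists three things to verify on the dual-homed server (LAN2 present in RRAS, routing between the NICs, address assignment). The script below is an added example, not code from the thread or from any poster, that audits those items in PowerShell on the RRAS server. It assumes PowerShell 2.0 or later and an installed RRAS role; the LAN2 address and gateway are the ones posted in the thread, while the LAN1 router address 10.25.18.1 used in the remediation comment is an assumption. It also flags the usual dual-homed pitfall of a default gateway on both NICs, and notes that PPTP needs GRE (IP protocol 47) passed by the router in addition to the TCP 1723 port forward.

```powershell
# Added example (not from the thread): audit a dual-homed Windows RRAS server.
# Assumes PowerShell 2.0+ and the RRAS role installed. LAN2 values come from
# the thread; 10.25.18.1 below is an ASSUMED router address on LAN1.

$Lan2Ip      = '10.25.20.10'   # from the thread
$Lan2Gateway = '10.25.20.1'    # from the thread
$PptpPort    = 1723            # PPTP control channel (TCP); GRE, IP protocol 47, is also required

# 1. IP-enabled adapters with their addresses and default gateways.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($a in $adapters) {
    "{0,-45} IP={1,-16} GW={2}" -f $a.Description, ($a.IPAddress -join ','), ($a.DefaultIPGateway -join ',')
}

# A default gateway on both NICs is the classic dual-homed mistake: Windows
# installs one active default route (lowest metric), so replies to VPN clients
# that arrived via LAN2 can leave through LAN1's gateway and never get back.
$gateways = @($adapters | Where-Object { $_.DefaultIPGateway } | ForEach-Object { $_.DefaultIPGateway })
if ($gateways.Count -gt 1) {
    Write-Warning ("Multiple default gateways configured: " + ($gateways -join ', '))
    Write-Warning "Keep $Lan2Gateway as the only default gateway and route the enterprise subnets via LAN1."
    # Assumed remediation (10.25.18.1 is a hypothetical LAN1 router):
    #   route -p add 10.25.18.0 mask 255.255.255.0 10.25.18.1
    #   route -p add 10.25.19.0 mask 255.255.255.0 10.25.18.1
}

# 2. The active default route and the routes covering the 10.25.x.x subnets.
route print 0.0.0.0
route print 10.25.*

# 3. RRAS service state and the PPTP listener, which must be reachable on the LAN2 address.
Get-Service RemoteAccess | Select-Object Name, Status
$pattern = "TCP\s+(0\.0\.0\.0|$([regex]::Escape($Lan2Ip))):$PptpPort\s+\S+\s+LISTENING"
$pptp = @(netstat -an | Select-String $pattern)
if ($pptp.Count -eq 0) {
    Write-Warning "Nothing listening on TCP $PptpPort on 0.0.0.0 or $Lan2Ip (check RRAS and the port forward)"
} else {
    $pptp
}

# 4. RRAS's own view: LAN2 must be listed as an interface, and the address
#    assignment mode (static pool or DHCP) must match the reply's item 3.
netsh routing ip show interface
netsh ras ip show config
```

Run it in an elevated PowerShell session on the VPN server. If step 1 reports two default gateways, that alone explains a listener that answers on WAN1 but not on WAN2; if the PPTP listener and routes look right, the remaining suspects are the D-Link not passing GRE and the RRAS interface list in step 4.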
 
I would seriously recommend using a hardware firewall appliance with VPN capability, such as a Cisco ASA or even a SonicWall. I certainly wouldn't use a file server in an enterprise environment as a termination point for VPNs.
 
It's a starting point... I have found RRAS to be a little finicky; sometimes it works on the first try, other times it doesn't want to behave. Check your system event log and see where the process is failing. If there is nothing even there, you may have a problem with the D-Link.

I like brinainms' suggestion, especially if you have a lot of users - use a dedicated VPN client solution. Hell, if you are not afraid of Linux, are looking to save money, and have an old PC you can spare, you can run IPCop and use the Zerina OpenVPN add-on to authenticate your users with certificate-based authentication, and the software is free. Might take some time to learn and manage if you are not familiar with it though.
 
We do use hardware firewall/VPN devices, but they are for the tunnels to the remote sites. We currently have 1 remote site that is connected full time through a VPN tunnel. The remote access server is for our access when we deploy our rescue teams out. Each supervisor has a laptop that is used to connect to the VPN server back here at the office so that they can access the network. When they go to log in they tell the computer to dial in to the VPN server so that they can fully log in to the network. This way they can get to their network drives and all that.

That's why we want to move the VPN server to its own separate connection. The second NIC on the VPN server will be for remote access but all network traffic will go through the first NIC. All IPs are issued by one of the AD servers which handles DNS, DHCP, antivirus, and a few other things. The VPN server is just remote access and does not issue IP addresses. Yes, it is also a file server but it is not the main server, more like a backup since I set up replication between the other 2 file servers.

I just can't seem to get the second NIC to pass traffic. I will uninstall RRAS and re-install it and see if that might fix it, but I was just seeing if anybody had any suggestions for something I might check.

The RRAS NIC is on the 10.25.20.x subnet and the enterprise is on 10.25.18.x and 10.25.19.x.

 