Other VPN problems 1

Status
Not open for further replies.

Tels

IS-IT--Management
Jul 10, 2001
290
GB
Hi there. I've got a Win2k server, and the RRAS (Routing & Remote Access) is up and running.
Nonetheless, other computers have tried to tunnel in and can't. I have made a VPN connection in the other direction, to a Win2k Pro PC, and it worked like a treat, but if you go in the other direction - error messages like 'No answer' and something like 'The VPN client is trying to connect to ports reserved for routing' (or something to that effect, I was told this on the phone)

Anyway, I would like to know *exactly* what settings to tweak in RRAS (Win2k Server) in order to get this running.

I've seen the explanation already offered by melospawn (thanx) and it makes sense, however I can't get to the options you noted through 'Configure your server' because the RRAS service is already started.... when I go through Config. Y. Server it just throws me into RRAS without offering setup options, normal considering it's already set up - supposedly.

Lastly, I would disable the RRAS server but previous experience shows this shuts down the network connections - downtime is a no-no unless necessary. I hope someone can help as I have no other experience with this....

Just for ref:

Win2k Server with 2 NIC's, (1 ISDN, 1 Ethernet)
Network IPrange 192.168.0.x
Internet IP dynamically allocated. (soon to be permanent, registered)

PLEASE HELP!!!!

Cheers in advance,

Tels
 
Hi there,

I think you may need to add a new rule so you permit packets from a vpn connection (usually ports 1723 and 47) to get into your intranet.

Let's see, have you done this?

Go to Control Panel--> Config Server--> Network--> Remote Access (I'm translating from a Spanish W2000, so excuse me if something ain't right).

Now change the remote access directives (I think that's the name in English; it's the 5th option). Add a new one. Name it VPN access, and add the next ones: NAS-Port_Type=Virtual(VPN) and Tunnel-Type=Point-to-Point Protocol(PPTP).

You must do this in order to let those packets into your intranet (or private network).

If you did, tell me and I will try to find another answer.

By the way, what OS does your client have? I guess W95/98 and if so you must be using PPTP instead of L2TP. Right?

Good luck.

Carmelo Lopez
 
IT WORKED!!!

Cheers Carmelo.... It looks like I didn't have enough WAN miniports open - or maybe didn't have the right ones open?

Either way, Thanks..
 
MORE PROBLEMS....

Well I got it to work for a while, then when I tried to dial in again, I got an error message telling me I needed a certificate? I played with the certification service but got nowhere. Then, like magic, it went away!! dialled in fine.

However, the computer dialling in can't see any resources. I can ping the server, by IP address and name, but I can't ping anything else on the LAN.

How can I get this to work?

Thanks again for the last tip, it's a (big) step forward.. but there's more to do to make this a RELIABLE!! connection.... any hints??
 
PS Every computer we use has Win2000...
but the auth. method used is PPTP, addresses are assigned from a static pool, from 192.168.0.200-300

the LAN addresses range 192.168.0.1-100

Cheers

Tels
 
Hi there again.

Can you tell me your mask?

Anyway, you must try to assign a static route, one like 192.168.0.0 mask your_net_mask gateway gateway_ip

I assume that you have a gateway on your LAN, which can be a router, a firewall or a server.

After getting the new static route (you must put that under RRAS, and after that, open a Command window and execute MMC, that will put the route on the server).

I guess that's all

Good luck and sorry for the delay

Carmelo
 
The mask is 255.255.255.0

normal class C addr I think
 
Yeah... there is... on the IPX properties tab within the server properties option, and it is already selected.

The issue is now, that the server cannot see the VPN dial in computer (although pings work fine) and vice versa. Is there any way to specify the Win2k server as a DNS server, only for the duration of the VPN connection? Would that help at all? I can see options for 'tunnels' in the routing properties in RRAS... if these aren't related to my problem, what do they do? Ultimately, I want the VPN connection to be transparent, IE the remote computer has a normal network ID and acts and looks as if it were just connected straight to the hub (my network has a 'star' topology with a hub at the center and the server as one of the nodes)

The server has 192.168.0.1 on the physical network connection and something like 192.168.0.200 for the VPN connection, so if the remote computer has 192.168.0.201 for the VPN on its side, does this mean that it should use 192.168.0.200 as a gateway or 192.168.0.1, or something else entirely?

How does the server help this computer to appear to the other computers? How does the server help the other computers appear to the remote computer?

Anyway, thanks to everyone so far for all the advice. - You've all helped me solve loads of problems and I'm looking forward to reading your next replies.

Cheers all,

Tels
 
Hi there

The Server is the one who gives the routes to the clients. Your VPN client must not have a gateway. You must add a static route to your VPN server (under RRAS, see my last message) like 192.168.0.0 255.255.255.0 192.168.0.1 (gateway).

Doing this your client will get this route and be able to ping all the resources on your lan (PC's, printers, etc)

If you wanna use a domain, you must change your client workgroup name to the name of the domain the vpn server is in.

Hope this helps

good luck

Carmelo
 
Well, it tells me that I need to use a subnet of 255.255.255.255 as the IP 'cannot be more specific' than the network mask.

There's also an option for NIC selection (2 choices, LAN adapter or Internal, probably referring to the ISDN adapter) and I have tried on both.

When the options refer to 'Destination' IP, is this referring to the destination for data off the network, or the destination for data from the remote computer? Does this relationship work both ways?

Thanx Carmelo

Tels
 
Nope. Already tried that and no cigar. The only mask that is allowed is 255.255.255.255, I've tried 255..255.192 and 255..255.0 etc

When the server speaks of 'gateways' is it talking about the network's gateway to the remote, or the remote's gateway to the network?

Cheers
 
Ok, let's get on the problem, shall we?

The static route you add to the RRAS is a route the VPN server will add to the routing table of the client.

So if your network is 192.168.0.0 (see that the problem here is that for a route, this is a class C, and must have mask 255.255.255.0, but if you have xx.xx.0.0 that means for IP networking that you are using subnetting (0.0 means network, not client)). That's why I asked you your network mask. You can try 255.0.0.0 to see if it works.

The destination is an address of your network (the one the client should see), the mask, and then the gateway (use the LAN interface IP), and the metric will be 1. If you use a router or other server as gateway the metric will increase (2 or more). The interface must be the internal one, because that is the one interface that your VPN uses.

You can try one thing, anyway: connect the client to the vpn server. Once you got the tunnel going, add this route to the client:
open an MS-DOS window, type: route add 192.168.0.0 mask 255.255.255.0 192.168.0.200
if not, try changing the mask and if it works but you cannot see the Intranet, try changing 192.168.0.200 for the server LAN NIC IP address (I think it is 192.168.0.1)

Good luck

Carmelo
 
Hi, I hope you can help me! I set up a W2K server for VPN and remote access. In my LAN, the computers are on the subnet 137.204.58.0. If I use Ip addresses from this range for remote client, everything works fine, I can ping all the computers in the LAN. But I want to use addresses from the subnet 192.168.12.0. With these addresses I can ping only the server. I think I have to add a static route, I tried some but didn't work.
My settings are
VPN server LAN interface 137.204.58.89
VPN server internal interface 192.168.12.100
Can you tell me exactly which route I need?
thanks

 
Hi Chuc,

as far as I know, you need to use a router so it can "connect" the 2 networks. You have 2 different networks, guess you have some router to connect the two networks.
Is that right? If not, and you have 2 NICs on the VPN server (one for one network and another for the other network), I guess you can try to install a route manager (or something like that) on the W2000. But I don't know yet how to do that.

Still, I will find it out. Anyway, do you have a central point where the 2 networks are connected (usually a router)?

Good luck Carpe Diem.
Carmelo Lopez-Portilla
CCNA
e-mail:clopez@infoport.digitainer.com
 
Hi, Carmelo. I'm trying to use for remote client the IP address pool 192.168.12.100/200. I think my RRAS server can act as a router and route IP traffic between the two subnets. Is this right? If this is wrong, what can I do?
Thanx
 
Hi Chuc,
Yes, your RRAS Server can act as a router, but I don't know how; maybe someone here can help me on this one.

Reading your note I guess your VPN Server can see both of the networks, right? If so, you could try to put this static route:

192.168.12.0 mask 255.255.255.0 192.168.12.100, and if that doesn't work, try
192.168.12.0 mask 255.255.255.0 137.204.58.89 (but 99% sure this one won't run).

I'm assuming your mask is 255.255.255.0 , if not, change it up for your real mask.

good luck
Carpe Diem.
Carmelo Lopez-Portilla
CCNA
e-mail:clopez@infoport.digitainer.com
 
I have tried those static routes but they didn't work. I can't believe that I had to use the same subnet for my LAN and the remote users if I want IP connectivity between all clients. I hope someone can tell me how to resolve my problem.
Thank you
 
You can configure the server as a router by editing the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create IPEnableRouter (type REG_DWORD) with a value of 1
---------------------------------------------------------------------
I have not failed, I've just found 10,000 ways that don't work
---------------------------------------------------------------------
Peter Van Eeckhoutte
peter.ve@pandora.be
*:->* Did this post help? Click below to let me know !
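
An added example, not part of any post in this thread: a Python check that takes the addressing figures quoted above and reports whether the VPN pool needs the server to forward packets, plus the return route LAN hosts (or their default gateway) need so replies reach the pool. The function names are hypothetical, the `route add` syntax is the one used earlier in the thread, and the /24 mask for the 137.204.58.x LAN is the assumption made in the replies.

```python
import ipaddress

def covering_network(first, last):
    """Smallest single network that contains both ends of the pool."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net

def plan_vpn_routes(lan_cidr, server_lan_ip, pool_first, pool_last, lan_gateway=None):
    """Return (server_must_forward, route_commands_for_lan_hosts)."""
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(server_lan_ip)
    if server not in lan:
        raise ValueError("server LAN address is outside the LAN subnet")
    # ip_address() raises ValueError for an octet above 255, e.g. "192.168.0.300".
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    if last < first:
        raise ValueError("pool end is below pool start")
    if first in lan and last in lan:
        # On-subnet pool: LAN hosts treat VPN clients as local, no extra routes.
        return False, []
    pool_net = covering_network(first, last)
    if pool_net.overlaps(lan):
        raise ValueError("pool's covering network overlaps the LAN; pick a separate range")
    # Off-subnet pool: the server has to forward between its interfaces
    # (the IPEnableRouter value from the thread), and replies need a path back.
    if lan_gateway is not None and ipaddress.ip_address(lan_gateway) == server:
        return True, []  # LAN hosts already send unknown destinations to the server
    cmd = f"route add {pool_net.network_address} mask {pool_net.netmask} {server}"
    return True, [cmd]

if __name__ == "__main__":
    # Constructed inputs built from the figures quoted in the thread.
    print(plan_vpn_routes("137.204.58.0/24", "137.204.58.89",
                          "192.168.12.100", "192.168.12.200"))
    print(plan_vpn_routes("192.168.0.0/24", "192.168.0.1",
                          "192.168.0.200", "192.168.0.250"))
```

IPEnableRouter is a machine-wide setting, so once it is 1 the server forwards between every interface, including the Internet-facing one; packet filters on that interface should be reviewed at the same time.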
 