VPN - Incorrect DHCP address

Status
Not open for further replies.

peterve

IS-IT--Management
Mar 19, 2000
NL
I've set up a VPN PPTP server in my network.
The public IP address is dynamic, the internal IP address is fixed.
I'm running NAT on the server.

I can connect to the VPN server, I'm getting an IP address from a DHCP server
But when I look at the gateway address on the VPN client side, I've noticed that it points to the VPN client IP address instead of the RRAS server in my network.

This means that DHCP is not assigning this address to the VPN client.
Does anybody know how I can solve this problem?

Peter Van Eeckhoutte
peter.ve@pandora.be

 
peter,

a little more info would be helpful. when you say the public address is dynamic, does this mean one of the endpoints of your tunnel is an IP via a public ISP? what is the topology of the VPN solution you're trying to implement? home to office? office to office? who's doing the NATing?

-christian
 
Ok, here are more details :

The VPN endpoint is the public IP address of my server.
The IP address is dynamic, but I've set up a dynamic DNS service so I always know what IP address my server has.
Anyway, I can connect to the external interface just fine.

The internal interface is 192.168.0.5 (255.255.255.0)
I have another server running on my network : 192.168.0.1 (255.255.255.0), and that machine is running DHCP

I've set up NAT on the RRAS server, so my clients can go on the internet by using 192.168.0.5 as default gateway.

When I connect with my Win2K professional computer, which is dialed into the internet, I'm validated, registered, ...
I get an IP address from the only scope in my DHCP server : e.g. 192.168.0.15

I can ping 192.168.0.15, I can ping 192.168.0.5, 192.168.0.1 or any other PC in my LAN network.

After creating the VPN tunnel, when I do an ipconfig /all on my client computer, I've noticed that the default gateway on my VPN client is the same IP address as the client itself. However, I want the default gateway to be something else (e.g. 192.168.0.4, which is another router to the internet, or even 192.168.0.5, which should allow me to go back to the internet using my RRAS server...)

My DHCP server has some scope options which work fine on my LAN clients (including the default gateway address)
When a VPN client receives an IP address, the router option is not passed on... I think this is normal, but I would like to solve this...

My servers are running in native mode.

Peter Van Eeckhoutte
peter.ve@pandora.be

 
peter,

i think i understand your situation. if you do a route print on your client you will see that you have a 0.0.0.0 route to the GW of your dialup ISP. this has to be the case since that's the route used to make initial non-encrypted communication to the external interface of your VPN host and, after you've negotiated, subsequent encrypted connectivity w/secure internal host (192.168.0.X). what happens is a net route is added to your table that uses whatever address is given to you (192.168.0.15) on the logical VPN interface, and not a default route update, which is still that of your ISP's GW. any hosts outside of your secure network (ie. the Internet) have to use the ISP's GW via your physical interface, not the GW on your secure network. hope this helps.

-christian
 
Isn't there also something about VPN that after you get a tunnel in to a different network, you have to relog onto the new network/domain that you are tunnelling into. And the VPN connection will stay connected when you are re-logging on. I heard this and will be trying it soon but have not yet?
 
Hi all,

After I connected to my VPN, when I do a route print on my client (the one that's connected to the VPN server) :
The 0.0.0.0 default route is pointing to the local VPN client IP address..
I can ping to all the clients behind the VPN server, but I also want to go on the internet through my RRAS server (which is the same as the VPN server)
Therefore, I want the VPN client's default gateway to point to the internal interface of the RRAS instead of to the IP address of the VPN client...

Is there a way (using another server, ...) to solve this ?
I think this must be a common problem...

To encourage all people to solve this problem, I will make a promise : When this problem is fixed, I will post a full step-by-step procedure how to set up a client-to-server VPN, and a server-to-server (gateway-to-gateway, to link remote sites over the internet) VPN ... :)

Thanks guys !
Peter Van Eeckhoutte
peter.ve@pandora.be
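
Added example, not part of any post in this thread: a Python sketch that parses route print output and applies longest-prefix, lowest-metric selection to show whether a connected client sends Internet traffic into the tunnel (the 0.0.0.0 route on the VPN address that Peter describes) or out through the ISP gateway (the case christian describes). The routing table below, including the 10.64.x.x ISP side and the 203.0.113.10 server address, is constructed sample data.

```python
import ipaddress

# Constructed `route print` excerpt for a client holding 192.168.0.15 on the
# PPTP interface; the 10.64.x.x ISP side and 203.0.113.10 server are made up.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.0.15    192.168.0.15       1
          0.0.0.0          0.0.0.0        10.64.0.1      10.64.7.23       2
        10.64.0.0      255.255.0.0       10.64.7.23      10.64.7.23       2
      192.168.0.0    255.255.255.0     192.168.0.15    192.168.0.15       1
     203.0.113.10  255.255.255.255        10.64.0.1      10.64.7.23       1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers and blank lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            iface = ipaddress.ip_address(parts[3])
            # Newer Windows prints "On-link" for directly attached networks.
            gw = iface if parts[2] == "On-link" else ipaddress.ip_address(parts[2])
            routes.append((net, gw, iface, int(parts[4])))
        except ValueError:
            continue  # not a route row
    return routes

def select_route(routes, dest):
    """Pick the route the stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3])) if matches else None

def tunnel_mode(routes, vpn_ip, probe="198.51.100.1"):
    """Classify where Internet-bound traffic (probe is a documentation address) goes."""
    best = select_route(routes, probe)
    if best is None:
        return "no route"
    return "full tunnel" if best[2] == ipaddress.ip_address(vpn_ip) else "split tunnel"

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    print(tunnel_mode(routes, "192.168.0.15"))
    print(select_route(routes, "203.0.113.10"))
```

On a point-to-point PPP link the gateway column of the tunnel's default route is the client's own tunnel address, so the value seen in ipconfig identifies the interface used, not a router on the remote LAN.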

 
I'm having the same exact issue. If you find an answer please post it here, I will do the same.

Good luck..

zexxal@yahoo.com

 
I switched over to Nortel VPN instead... Windows 2000 VPN is no good for complex solutions...

good luck anyways
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
 
Heh, you guys gave up too early. :) I had this problem and solved it with a little detective work. Turned out it was a config error.

Windows 2000 VPN is rock solid.

Two things to check: make sure that, under the server properties in Routing and Remote Access administrator, the computer is NOT set to be a router, and IP routing is enabled.

After that, I offer my services to take a look at your config. :)

Jeff Warmuth
MCSE, CNE
ICQ 129152989
 
Hey pete!

I was not initially running NAT, but after trying out what they suggested I was surprised to find out everything worked flawlessly.

Here is the information. Not that you would need it now, but for anyone else who might run into this issue.

Microsoft Article # Q310888



If you have one Routing and Remote Access Service (RRAS) server that acts as both a RAS server for dial-in or VPN clients and as a NAT server for LAN clients, the LAN clients can access the Internet, but RAS clients have no Internet connectivity.


The reason for this is because the RRAS server treats the incoming RAS connections as an external connection and attempts to route these packets to the Internet.

This does not work if the incoming RAS connections are using a private IP address range. These addresses are not routable on the Internet.

You can use either of the following two methods to work around this behavior:


Use separate servers. Use one RRAS server for Incoming RAS connections and a different RRAS server for NAT connectivity to the Internet.

RRAS uses the interface named "Internal" as an endpoint for the incoming RAS connections. Using the RRAS MMC, you cannot add the "Internal" interface to NAT. From a command prompt, use the netsh routing ip nat add interface internal private command to add the interface (named "Internal" in this example) to NAT as a private interface. After you run this command, you should be able to see that the interface that is named "Internal" has been added to NAT as a private interface. This would allow the incoming RAS connections to be treated as private interfaces, and the RRAS server would NAT those connections.


I hope this helps someone out.

Zexxal
 
I called Microsoft and was willing to pay $245 to get VPN running on Windows 2000 Server. I was using a Linksys router and was told it is not possible to use NAT for VPN. They refunded my money.

I am all confused now after reading what you guys have posted. Is it possible to do VPN on NAT? Don't you have to have a public static IP address to do VPN?

I am going to have to do more research and read those articles you guys have posted.

Trimelater
 
Trimelater,

I'll be putting together a Setup guide on this procedure, so I can distribute it out to my remote locations.

I'm a little swamped right now with work, so it might take a couple days, but let me know if you would be interested in a copy of it. I'll have to make some adjustments with the network information, but I should be able to help you out.

Good luck..

Zexxal
 
I have a vpn configured through a NAT server right now. It's so easy I'm blown away that MS couldn't help you out.

Simply set up the VPN portion on the server. Then go into your Linksys Router setup. In the 'advanced' group you'll find a 'forwarding' tab. Map ports 47, 500, and 1723 to your VPN server using TCP. That's it.

Jeff Warmuth
MCSE, CNE
ICQ 129152989
 