
VPN - Routing Traffic between 2 different Networks

Status
Not open for further replies.

HaierIT

IS-IT--Management
Nov 4, 2005
70
US
Good afternoon Techs, I need some advice.

We have VPN setup into our NY Main Office which uses 192.168.0.X as the network address.

We have a direct PPP with our China office which uses 192.168.99.X. The China office physically has our CRM server.

We can connect internally without a problem because we created routes.

The new task is now to get remote users who VPN into our NY Main Office to be able to reach the CRM system in China, which is on a different IP scheme, through the VPN. When the remote users connect to the VPN, their laptop does not know that 192.168.99.X is supposed to go through the VPN connection. How can we configure the VPN to accept this traffic so we can allow the remote users to get onto the CRM system in China?

Any thoughts or solutions will be greatly appreciated. Thank you in advance.
 
Try this. You currently use a VPN subnet mask of 255.255.255.0 which means that any address like 192.168.0.X is over the VPN.

Make your VPN subnet mask 255.255.0.0 which means that any address like 192.168.X.X is over the VPN. That will include both 192.168.0.X and 192.168.99.X plus all the other 192.168's.

I tried to remain child-like, all I achieved was childish.
 
Hi Jimbopalmer, excuse me for my mistake. The IP scheme in China is 10.64.0.X. It's a totally different scheme than NY but both on subnet 255.255.255.0.

Any recommendations?
 
Sorry, not me.

I tried to remain child-like, all I achieved was childish.
 
If your VPN router at the NY site has a static route for the 10.64.0.X range (pointing to your China VPN router), and you set a static route on a remote laptop for the 10.64.0.X range (pointing to the VPN router at the NY site), what happens?

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hi Grenage, we use RRAS through Windows 2003 for VPN. I currently have a persistent route on this server pointing to 10.64.0.X.

If I VPN into the network from the remote laptop and then create a static route, I am able to connect successfully to our CRM System.

The issue is that when the remote laptop connects to the VPN it gets addressed a different IP. So the static route is not valid. I tried to make the static route global but it must be specific to the gateway.

Any idea how to make this work? It seems that I have to make sure the remote laptop sends all 10.64.0.x through the VPN. Can I make a static route using something other than an IP address? Like some kind of identifier for the VPN tunnel?

Thanks.
 
Hi HaierIT,

You'll have to forgive me, since I've never used a Microsoft VPN solution.

The fact that it works when you sign in and assign a static route is very hopeful. I am curious as to what happens when you reconnect to the VPN and receive a different IP address. Do you mean an IP address in a different range, or simply a fresh DHCP address in the same range? For the latter, it should still work.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hey Grenage, if I disconnect from the VPN and then reconnect, the VPN server will automatically assign me a different IP but in the same range.

When I create the static route on the remote user laptop, the gateway on the static route is specific to whatever IP the VPN assigns that user. So when I disconnect and reconnect, the new IP will not work. Or is there a way to create a static route that will consume the entire range?

I tried 192.168.0.0 as the gateway but it does not work; it was only working for the specific address assigned by the VPN.
 
Hey again!

Let us assume that the range for your network is 192.168.10.0/24, and that the IP address of the VPN server is 192.168.10.50.

When your client connects to the VPN, it is given an address such as 192.168.10.51. When your client connects on another occasion, its address is 192.168.10.56.

The static route on your remote device is somewhere along the lines of:

route add 10.64.0.0 mask 255.255.255.0 192.168.10.50 -p

Is that correct?

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Well everything is correct, except the static route portion.

Let's keep the same scenario as above.

The remote client gets an IP from the VPN server of 192.168.10.51. I then create a static route on the remote client:
route add 10.64.0.0 mask 255.255.255.0 192.168.0.51

I tried to add the gateway of the actual VPN server. For example:
route add 10.64.0.0 mask 255.255.255.0 192.168.0.50
but then I receive an error.

The error is the following:
The route addition failed. Either the interface index is wrong or the gateway does not lie on the same network as the interface. check the IP address table for the machine.
 
Ah I see, I guess the IP address it receives from the server isn't being used directly as a virtual interface.

Is it possible to use DHCP reservations for the mobile devices, or do you have too many of them for this to be viable? If the mobile users kept the same IP address, you'd have an easy answer.

Failing that, does the Windows VPN client allow you to perform a command or run an application after the connection has been established? This might allow for a script to be run automatically, creating the correct static route.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hi Grenage, well we have too many mobile users to assign dedicated IPs. We thought about that but it is not logical for our situation.

We use Windows VPN Client which does not allow you to run scripts.

I am trying to figure out if there is any way to trick the DNS to think that 10.64.0.x is part of the RRAS domain but having no luck.
 
I suspected that would be the case, otherwise you'd likely be down that road already.

A script on the desktop could be run, so that it takes the current IP address of the virtual adapter and creates a route based on it. If I come up with anything better, or at least more automated, I will post back.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
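
The desktop script suggested in the last reply could look like the following. This is an added example, not code posted by anyone in the thread; it assumes a current Windows client with the NetTCPIP cmdlets (Get-NetIPAddress, Get-NetRoute), an elevated prompt, and a hypothetical connection name "NY Office VPN". The 10.64.0.0 / 255.255.255.0 destination is the China range given in the thread.

```powershell
# Added example (not from the thread). Run elevated after the VPN has connected.
# $VpnName is a hypothetical connection name; change it to match the client.
param(
    [string]$VpnName     = 'NY Office VPN',
    [string]$Destination = '10.64.0.0',
    [string]$Mask        = '255.255.255.0',
    [string]$Prefix      = '10.64.0.0/24'   # same network as above, in prefix form
)

# The built-in Windows VPN client exposes the tunnel as a PPP adapter whose
# alias is the connection name. Its IPv4 address changes on every connect,
# so it is looked up each time instead of being hard-coded in the route.
$tunnel = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 `
              -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $tunnel) {
    Write-Error "VPN connection '$VpnName' is not up; no route added."
    exit 1
}

# Remove any route to the same destination left from an earlier session,
# whose gateway would be the previous tunnel address.
if (Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue) {
    route.exe delete $Destination | Out-Null
}

# Use the address the VPN server just assigned as the gateway, as in the
# manual "route add" that worked in the thread. The route is deliberately
# not persistent, because the gateway is only valid for this session.
route.exe add $Destination mask $Mask $tunnel.IPAddress | Out-Null

# Confirm the route is bound to the tunnel interface before reporting success.
$route = Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue |
             Where-Object { $_.InterfaceIndex -eq $tunnel.InterfaceIndex }
if ($route) {
    Write-Output "Route to $Prefix added via $($tunnel.IPAddress) on '$VpnName'."
} else {
    Write-Error "Route to $Prefix was not created on '$VpnName'."
    exit 1
}
```

Only the 10.64.0.0/24 range is sent into the tunnel, so the rest of the laptop's traffic keeps its normal path.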
 