Strange Routing and remote access Issue with PPTP vpn

    I'll start by explaining the setup. It's pretty standard.
    1) Domain controller running Win 2003 Server Standard Ed.
    2) My network: 10.200.7.0 255.255.255.0
    3) Domain controller IP on the net card: 10.200.7.203
    4) Static IP pool configured for handout to VPN clients: 10.200.7.224 to .239 (255.255.255.240 mask)
    5) The Routing and Remote Access virtual interface takes IP 10.200.7.224

    First let me say that normal VPN clients connect fine. I can make a single workstation connection to the server above, get an IP out of the static pool and do work on the 10.200.7.0 network as if I'm directly attached to the LAN.

    I have a remote network (192.168.2.0) that I'm trying to connect to our 10.200.7.0 network via a PPTP tunnel to the server above. The router for the 192.168.2.0 network connects its PPTP tunnel perfectly to the Windows 2003 server above. It gets IP 10.200.7.230. I can ping 10.200.7.224 from the router.

    1) I add a route for 10.200.7.0 and send it out the virtual PPP1 interface on the router.

    2) I have the Windows 2003 server automatically add a route 192.168.2.0 255.255.255.0 back to the 192.168.2.0 network (the route is assigned to the username the 192.168.2.0 router uses to log into the PPTP tunnel, so the Windows 2003 server adds the route automatically when the tunnel comes up).

    3) Computers on the 192.168.2.0 network have their default route set to the only router on the network, which has the PPTP tunnel to 10.200.7.0.

    Problem: LAN stations on the 192.168.2.0 network cannot ping the 10.200.7.224 address of the Routing and Remote Access server, nor can they ping anything behind it. LAN stations on the 10.200.7.0 network cannot ping anything on the 192.168.2.0 network, including 192.168.2.1, which is the IP of the LAN side of the remote router.

    The crazy part: the routes are working. I set up a packet sniffer on the PPTP tunnel, one on the LAN interface of the 192.168.2.0 router, one on the RRAS interface of the Windows 2003 box AND one on the LAN interface of the Windows 2003 box. With the sniffers running I pinged from the Windows 2003 server to 192.168.2.1. The ping went out AND THE REPLY CAME BACK correctly with a source IP of 192.168.2.1 and a destination IP of 10.200.7.224, BUT I WAS GETTING NO REPLY in the ping window! I tried pinging from a workstation on the 10.200.7.0 LAN: SAME THING. The packets go down the PPTP tunnel, the 192.168.2.1 router sends a reply back up the tunnel, the packet comes in on the RRAS interface (10.200.7.224) with the correct source IP of 192.168.2.1 and destination IP of the LAN client (10.200.7.252), BUT IT NEVER GOES OUT the LAN interface of the Windows 2003 server (10.200.7.203). The packet gets lost in a black hole in the server! The sniffer I have running on the LAN interface of the Windows 2003 server shows NO ICMP packets going out, just the ICMP echo requests coming into it from 10.200.7.252.

    Let me say this: I can connect the 192.168.2.0 router to other networks using the method above just fine. I can even connect it to another Linux router via PPTP and route between the networks just fine. This problem just boggles my mind. It has to be some kind of ARP issue? Any help would be much appreciated.

  • #2
    Re: Strange Routing and remote access Issue with PPTP vpn

    Originally posted by josh-RR
    Ill start by explaining the setup. Its pretty standard.
    1) Domain controller running Win 2003 Server standard ed.
    2) My network 10.200.7.0 255.255.255.0
    3) Domain controller IP on net card: 10.200.7.203
    4) IP static pool configured for handout to vpn clients: 10.200.7.224 to .239 (255.255.255.240 mask)
    5) IP of Routing remote access virtual interface takes IP 10.200.7.224
    I may not be understanding, but don't points 4 and 5 conflict? 10.200.7.224 is the network address (255.255.255.240 mask) and can't be used as a host address? This is why it isn't pingable, but you say this is a pingable address on your LAN? Maybe my sums are wrong?

    I believe a diagram would be handy also if you can.
    I don't know anything about (you or your) computers.
    Research/test for yourself when listening to free advice.


    • #3
      Re: Strange Routing and remote access Issue with PPTP vpn

      That's a totally valid concern, but in this case that is the normal behavior for Windows 2003 Routing and Remote Access when you use a static IP block to hand out to your dial-up and VPN clients. The RRAS adapter always takes the first IP for itself regardless and never actually uses that netmask. When a client dials in, it grabs the next IP out of the list (10.200.7.225), uses a mask of 255.255.255.255 and routes it to the PPP interface, and so on, so that netmask is actually never used. It routes the individual IPs on an IP-by-IP basis.

      So if I look at the routing table for RRAS it looks like this:
      10.200.7.224 255.255.255.255 GW 127.0.0.1 IF Internal (the loopback address is normal since it's a virtual device)
      then a client route looks like this:
      10.200.7.225 255.255.255.255 GW 10.200.7.224 IF ....
      and it auto-adds the 192.168.2.0 route like this:
      192.168.2.0 255.255.255.0 GW 10.200.7.225 IF...

      Attached is a diagram

      Thanks!
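As an added example (not code from either poster, and not Windows' own implementation), the following Python model reproduces the routing table described in the opening post and in post #3 and runs longest-prefix lookups against it. It shows the point post #3 makes, that the /28 pool mask never appears in the table because RRAS installs a /32 host route per client, so 10.200.7.224 is reachable as a host even though it is the pool's "network address". It also shows where the table sends the reply the opening post watched disappear: a packet for 10.200.7.252 arriving on the Internal interface matches the connected 10.200.7.0/24 route and should be forwarded out the LAN interface. The thread does not resolve why the server drops it, and this model does not either; it only checks what the routes say. Interface names, the remote router's pool address (10.200.7.230, from the opening post rather than the .225 illustration in post #3) and the "on-link" gateway marker are assumptions.

```python
"""Longest-prefix lookup over an RRAS-style routing table.

Constructed from the thread's description; interface names and the
"on-link" gateway marker are assumptions, not Windows output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str          # next hop, "on-link" for a connected network
    iface: str            # egress interface (names assumed)


# Addresses the RRAS server itself owns (opening post): the LAN NIC and the
# Internal (virtual) interface that took the first pool address.
LOCAL_ADDRESSES = {"10.200.7.203", "10.200.7.224"}

# Constructed table. Note there is no 10.200.7.224/28 entry at all: the pool
# mask is never installed, only per-client /32 host routes (post #3).
ROUTES = [
    Route(ipaddress.ip_network("10.200.7.0/24"), "on-link", "LAN"),
    Route(ipaddress.ip_network("10.200.7.224/32"), "127.0.0.1", "Internal"),
    Route(ipaddress.ip_network("10.200.7.230/32"), "10.200.7.224", "PPP-remote-router"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "10.200.7.230", "PPP-remote-router"),
]


def lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    # Longest prefix wins: a /32 host route beats the connected /24.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forwarding_decision(dst: str, routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Decide what the server does with a packet for dst.

    ("local", None)      dst is one of the server's own addresses
    ("forward", iface)   a route exists; packet leaves via iface
    ("drop", None)       no route at all
    """
    if dst in LOCAL_ADDRESSES:
        return ("local", None)
    route = lookup(dst, routes)
    if route is None:
        return ("drop", None)
    return ("forward", route.iface)


def pool_mask_is_unused(pool: str, routes=ROUTES) -> bool:
    """True when no route carries the pool prefix itself (post #3's claim)."""
    net = ipaddress.ip_network(pool)
    return all(r.prefix != net for r in routes)


if __name__ == "__main__":
    for dst in ("10.200.7.224", "10.200.7.230", "192.168.2.1", "10.200.7.252", "172.16.0.1"):
        print(dst, "->", forwarding_decision(dst))
    print("pool /28 appears in table:", not pool_mask_is_unused("10.200.7.224/28"))
```

Running it prints the decision for each address of interest: the server's own .224 is delivered locally, the remote router's .230 and everything in 192.168.2.0/24 go out the PPP interface, and the LAN client .252 (the destination of the reply the sniffer saw vanish) is sent out the LAN interface.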