Unable to ping internal LAN after VPN

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Unable to ping internal LAN after VPN

    OS: Windows Server 2008 R2 SP1
    Role: RRAS
    NIC: 1
    Domain: No (Standalone)


    Hello

    I have searched around the net for other users who have had similar issues as I am experiencing now, but I was unable to gather the actual resolutions to the problems and apply them to mine. So here I go.

    I can successfully establish VPN connections but once the connection is established I am unable to ping anything in the internal LAN, that includes the gateway and the VPN server both by DNS or by IP.

    I have noticed that once a VPN connection is established in ipconfig there is no gateway retrieved, but there is a correct IP address set on the same subnet as the router and other clients.

    On the client which is connecting to the VPN server I have set the "Use default gateway on remote network" option and still no luck.

    The VPN server lies behind a home router (ASUS WL600g) with all of the VPN ports (1723, 500, 1701) and presumably the other protocols such as GRE pointing to it.

    The firewall is disabled on the VPN server and I am able to ping the gateway and other clients on the network from it.

    As there is only one NIC do I have to configure NAT on the VPN server?

    Do I have (or is it recommended) to have the VPN IP range on a different subnet?

    Do I have to manually route the traffic between the two IP subnets on the router?


    Regards

  • #2
    Re: Unable to ping internal LAN after VPN

    Make sure your RRAS server is actually providing a gateway as part of the DHCP scope it gives to the VPN client.

    I think this is option 003 or similar.. ?
    Please do show your appreciation to those who assist you by leaving Rep Point



    • #3
      Re: Unable to ping internal LAN after VPN

      Apologies for my n00bness, I have been unable to find the DHCP Scope settings on the RRAS server.

      The RRAS server is not part of any domain and gets its IP address along with any DHCP information from the router.

      Hopefully the below information might help:

      I decided to install another NIC in the server.

      The topology looks something like this:

      Code:
      VPN Client ------> ROUTER ------> WIN-2K8-DEV EXT ------> WIN-2K8-DEV INT ------> LAN Client
      10.0.0.x           192.168.1.1    192.168.15.1            192.168.1.91            192.168.1.20

      ipconfig /all & route print gives the following:

      SERVER
      Code:
      C:\Users\Administrator>ipconfig /all
      
      Windows IP Configuration
      
        Host Name . . . . . . . . . . . . : WIN-2K8-DEV
        Primary Dns Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
      
      PPP adapter RAS (Dial In) Interface:
      
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : RAS (Dial In) Interface
        Physical Address. . . . . . . . . :
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
        IPv4 Address. . . . . . . . . . . : 192.168.15.10(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Ethernet adapter External:
      
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #
      2
        Physical Address. . . . . . . . . : 00-0C-29-9B-62-5F
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
        IPv4 Address. . . . . . . . . . . : 192.168.15.1(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Ethernet adapter Internal:
      
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-9B-62-55
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
        IPv4 Address. . . . . . . . . . . : 192.168.1.91(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Tunnel adapter isatap.{0D57B9C8-0CFC-4D1A-B522-AF38F4655BDC}:
      
        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
      
      Tunnel adapter Local Area Connection* 9:
      
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
        IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:3009:256c:3f57:fea4(Pref
      erred)
        Link-local IPv6 Address . . . . . : fe80::3009:256c:3f57:fea4%13(Preferred)
        Default Gateway . . . . . . . . . : ::
        NetBIOS over Tcpip. . . . . . . . : Disabled
      
      Tunnel adapter isatap.{E9A87389-062B-4D38-BCA5-C2E8807752C5}:
      
        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
      
      Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
      
        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
      
      C:\Users\Administrator>
      
      
      C:\Users\Administrator>route print
      ===========================================================================
      Interface List
       24...........................RAS (Dial In) Interface
       21...00 0c 29 9b 62 5f ......Intel(R) PRO/1000 MT Network Connection #2
       11...00 0c 29 9b 62 55 ......Intel(R) PRO/1000 MT Network Connection
       1...........................Software Loopback Interface 1
       12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
       13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
       14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
       15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
      ===========================================================================
      
      IPv4 Route Table
      ===========================================================================
      Active Routes:
      Network Destination    Netmask     Gateway    Interface Metric
           0.0.0.0     0.0.0.0   192.168.1.1   192.168.1.91  266
          127.0.0.0    255.0.0.0     On-link     127.0.0.1  306
          127.0.0.1 255.255.255.255     On-link     127.0.0.1  306
       127.255.255.255 255.255.255.255     On-link     127.0.0.1  306
         192.168.1.0  255.255.255.0     On-link   192.168.1.91  266
         192.168.1.91 255.255.255.255     On-link   192.168.1.91  266
        192.168.1.255 255.255.255.255     On-link   192.168.1.91  266
         192.168.15.0  255.255.255.0     On-link   192.168.15.1  266
         192.168.15.1 255.255.255.255     On-link   192.168.15.1  266
        192.168.15.10 255.255.255.255     On-link   192.168.15.10  306
        192.168.15.255 255.255.255.255     On-link   192.168.15.1  266
          224.0.0.0    240.0.0.0     On-link     127.0.0.1  306
          224.0.0.0    240.0.0.0     On-link   192.168.1.91  266
          224.0.0.0    240.0.0.0     On-link   192.168.15.1  266
          224.0.0.0    240.0.0.0     On-link   192.168.15.10  306
       255.255.255.255 255.255.255.255     On-link     127.0.0.1  306
       255.255.255.255 255.255.255.255     On-link   192.168.1.91  266
       255.255.255.255 255.255.255.255     On-link   192.168.15.1  266
       255.255.255.255 255.255.255.255     On-link   192.168.15.10  306
      ===========================================================================
      Persistent Routes:
       Network Address     Netmask Gateway Address Metric
           0.0.0.0     0.0.0.0   192.168.1.1 Default
      ===========================================================================
      
      IPv6 Route Table
      ===========================================================================
      Active Routes:
       If Metric Network Destination   Gateway
       13   58 ::/0           On-link
       1  306 ::1/128         On-link
       13   58 2001::/32        On-link
       13  306 2001:0:5ef5:79fd:3009:256c:3f57:fea4/128
                        On-link
       13  306 fe80::/64        On-link
       13  306 fe80::3009:256c:3f57:fea4/128
                        On-link
       1  306 ff00::/8         On-link
       13  306 ff00::/8         On-link
      ===========================================================================
      Persistent Routes:
       None
      
      C:\Users\Administrator>



      • #4
        Re: Unable to ping internal LAN after VPN

        And the client information as I was unable to post it all in one go:

        CLIENT

        Code:
        C:\Users\user>ipconfig /all
        
        Windows IP Configuration
        
          Host Name . . . . . . . . . . . . : client1
          Primary Dns Suffix . . . . . . . : demo.local
          Node Type . . . . . . . . . . . . : Hybrid
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
          DNS Suffix Search List. . . . . . : demo.local
        
        PPP adapter NKT:
        
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : NKT
          Physical Address. . . . . . . . . :
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          IPv4 Address. . . . . . . . . . . : 192.168.15.15(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.255
          Default Gateway . . . . . . . . . : 0.0.0.0
          DNS Servers . . . . . . . . . . . : 192.168.1.1
          NetBIOS over Tcpip. . . . . . . . : Enabled
        
        Wireless LAN adapter Wireless Network Connection:
        
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
          Physical Address. . . . . . . . . : 00-21-5D-42-24-20
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          IPv4 Address. . . . . . . . . . . : 10.0.0.73(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 10.0.0.3
          DNS Servers . . . . . . . . . . . : 10.0.0.1
          NetBIOS over Tcpip. . . . . . . . : Enabled
        
        Ethernet adapter VirtualBox Host-Only Network:
        
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
          Physical Address. . . . . . . . . : 08-00-27-00-E4-65
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          Autoconfiguration IPv4 Address. . : 169.254.205.49(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.0.0
          Default Gateway . . . . . . . . . :
          NetBIOS over Tcpip. . . . . . . . : Enabled
        
        Tunnel adapter isatap.{F548E8FF-2F23-4A96-A428-337A49F9A1B8}:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft ISATAP Adapter
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        Tunnel adapter Teredo Tunneling Pseudo-Interface:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        Tunnel adapter 6TO4 Adapter:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft 6to4 Adapter
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        Tunnel adapter isatap.{BF0894E8-F3DB-4ADF-B84A-EC898D0FC144}:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        Tunnel adapter isatap.{C5557665-EA55-4CAB-9CEB-BB3528358696}:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        Tunnel adapter isatap.10.0.0.1:
        
          Media State . . . . . . . . . . . : Media disconnected
          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
        
        C:\Users\user>
        
        C:\Users\user>route print
        ===========================================================================
        Interface List
         15...00 21 5d 42 24 20 ......Intel(R) WiFi Link 5100 AGN
         28...08 00 27 00 e4 65 ......VirtualBox Host-Only Ethernet Adapter
         1...........................Software Loopback Interface 1
         30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
         11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
         21...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
         22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
         20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
        ===========================================================================
        
        IPv4 Route Table
        ===========================================================================
        Active Routes:
        Network Destination    Netmask     Gateway    Interface Metric
             0.0.0.0     0.0.0.0     10.0.0.3    10.0.0.73   26
             10.0.0.0  255.255.255.0     On-link     10.0.0.73  281
            10.0.0.73 255.255.255.255     On-link     10.0.0.73  281
            10.0.0.255 255.255.255.255     On-link     10.0.0.73  281
            127.0.0.0    255.0.0.0     On-link     127.0.0.1  306
            127.0.0.1 255.255.255.255     On-link     127.0.0.1  306
         127.255.255.255 255.255.255.255     On-link     127.0.0.1  306
           169.254.0.0   255.255.0.0     On-link  169.254.205.49  276
          169.254.205.49 255.255.255.255     On-link  169.254.205.49  276
         169.254.255.255 255.255.255.255     On-link  169.254.205.49  276
            224.0.0.0    240.0.0.0     On-link     127.0.0.1  306
            224.0.0.0    240.0.0.0     On-link  169.254.205.49  276
            224.0.0.0    240.0.0.0     On-link     10.0.0.73  281
         255.255.255.255 255.255.255.255     On-link     127.0.0.1  306
         255.255.255.255 255.255.255.255     On-link  169.254.205.49  276
         255.255.255.255 255.255.255.255     On-link     10.0.0.73  281
        ===========================================================================
        Persistent Routes:
         Network Address     Netmask Gateway Address Metric
             0.0.0.0     0.0.0.0     10.0.0.3    1
        ===========================================================================
        
        IPv6 Route Table
        ===========================================================================
        Active Routes:
         If Metric Network Destination   Gateway
         1  306 ::1/128         On-link
         1  306 ff00::/8         On-link
        ===========================================================================
        Persistent Routes:
         None
        
        C:\Users\user>

        I am pretty sure it's something to do with the routing. But I am unsure where to do the routing? At the router level? On the VPN Client, on the Server? Or on all three?

        Thanks in advance

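Added example (not part of any post in this thread): a longest-prefix-match lookup over IPv4 rows copied from the `route print` output in posts #3 and #4, showing which interface each machine would choose for a given destination. The function names and the trimmed row selection are this example's own; loopback, multicast and broadcast rows are left out.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Rows copied from the IPv4 "Active Routes" tables posted in the thread
# (loopback, multicast and broadcast rows omitted for brevity).
CLIENT_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.3       10.0.0.73     26
         10.0.0.0    255.255.255.0          On-link       10.0.0.73    281
        10.0.0.73  255.255.255.255          On-link       10.0.0.73    281
      169.254.0.0      255.255.0.0          On-link  169.254.205.49    276
===========================================================================
"""

SERVER_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.91    266
      192.168.1.0    255.255.255.0          On-link    192.168.1.91    266
     192.168.1.91  255.255.255.255          On-link    192.168.1.91    266
     192.168.15.0    255.255.255.0          On-link    192.168.15.1    266
     192.168.15.1  255.255.255.255          On-link    192.168.15.1    266
    192.168.15.10  255.255.255.255          On-link   192.168.15.10    306
===========================================================================
"""


def parse_routes(text):
    """Parse 'route print' IPv4 rows; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header (6 tokens), separator (1 token), blank line
        dest, mask, gateway, interface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append(Route(network, gateway, interface, metric))
    return routes


def lookup(routes, destination):
    """Return the route Windows would select: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


if __name__ == "__main__":
    client = parse_routes(CLIENT_ROUTE_PRINT)
    server = parse_routes(SERVER_ROUTE_PRINT)
    checks = [
        ("client", client, "192.168.1.20"),   # LAN client from the topology
        ("client", client, "192.168.15.1"),   # server's External adapter
        ("server", server, "192.168.15.15"),  # address the client got on its PPP adapter
        ("server", server, "192.168.1.20"),
    ]
    for name, table, dst in checks:
        r = lookup(table, dst)
        print(f"{name}: {dst:15} -> {r.network} via {r.gateway} on {r.interface}")
```

On the posted tables, the client sends 192.168.1.20 to 10.0.0.3 on the Wi-Fi adapter, and the server resolves 192.168.15.15 on-link through the External adapter (192.168.15.1) rather than the RAS interface.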


        • #5
          Re: Unable to ping internal LAN after VPN

          There are two options when configuring RRAS in W2k8 regarding the way that addresses are assigned to clients that successfully connect to the network.

          The first option is for the VPN server to assign the addresses itself. The second option is for the VPN server to contact a DHCP server and grab a set of addresses.

          As tehcamel says, unless the gateway has been configured on your DHCP server on your network (Option 003), and the correct DNS server info is entered too (Option 006), the client won't get this information.

          Hope this helps.
          Attached Files
          A recent poll suggests that 6 out of 7 dwarfs are not happy



          • #6
            Re: Unable to ping internal LAN after VPN

            OK. So even though I have the router dishing out IP addresses and other network information via DHCP I still need a DHCP server role on the network on one of the servers?

            I'm sorry guys for the rookie questions, just trying to get my head around this.



            • #7
              Re: Unable to ping internal LAN after VPN

              In general MS DHCP is a far, far better option than router DHCP, where you have no control over the configuration.
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **



              • #8
                Re: Unable to ping internal LAN after VPN

                If you are using Win2008 Active Directory it is best practice to use the servers to host DNS, DHCP and WINS. When configured this way, these services properly integrate with Active Directory. Active Directory absolutely requires a fully functional DNS server to operate properly. If you have DHCP on a home router handing out IP addresses, it will not properly integrate with AD.

                Your VPN clients are authenticating on the domain, not with the router, which according to you, is located outside the domain. Unless you can set their IP parameters (DNS, WINS, Gateway), after they have connected they won't be able to navigate the network. This is usually done via DHCP that can be configured with the options tehcamel described and which I attached in my last post.


                • #9
                  Re: Unable to ping internal LAN after VPN

                  Should I still be able to configure successfully and well a server with DHCP, DNS and VPN roles but without being part of a domain?

                  Or would you guys separate the DHCP and DNS roles on one server and VPN on the other and have them both part of a domain?

                  The VPN, DHCP, DNS etc I would like to keep as part of my labs - but in this instance still be able to access other clients on the local LAN which are not part of a domain.

                  Does it make sense? Or am I going the long way around to trying things out?


                  Regards



                  • #10
                    Re: Unable to ping internal LAN after VPN

                    If you are reluctant to configure DNS/DHCP on the target LAN so that the VPN client can land there, I would look into setting up a static route on RRAS that points to the separate LAN:

                    http://technet.microsoft.com/en-us/l.../dd469825.aspx


                    • #11
                      Re: Unable to ping internal LAN after VPN

                      You can also set the DHCP server IP address (your home router) via the properties of the internal relay in RRAS.

                      However, if the router cannot be configured to specify the options described, you will still have clients with no gateway or dns info.