Site-to-Site VPN in Windows Server
Hi everyone, I have two Windows Servers set up: 2003 at the office, which we'll call Office VPN server, and 2008 R2 (RC) at Site2, which we'll call Site2 VPN server. I have a D-Link Gaming Router (DGL-4100, don't ask why we have these, I didn't buy them) set up at each site. The router supports RIP btw. I set up Routing and Remote Access on both of them. I set up a Demand Dial adapter for routing connections on both of them and their corresponding user names. They connect to each other and the corresponding Demand Dial adapter/interface on each machine updates its connection status correctly. I have RIP installed on both servers.

I've looked over this website for the past few weeks: http://technet.microsoft.com/en-us/network/bb545442.aspx esp. the parts about Site-to-Site testing and deployment.

Both D-Link routers are configured exactly the same (same firmware even). The router even has a firewall exception option for PPTP (and IPSec) which is set to allow. I've even moved each VPN server into the DMZ.

The problem is I can't get anything to route from Office to Site2. Site2 will route to Office. Site2 is sending and receiving RIP announcements fine. Office VPN is sending RIP announcements, but not receiving them. Office VPN has exceptions in its firewall; I've even disabled it entirely. There's no IP filtering enabled on it. Something is blocking the reception of RIP announcements from Site2, but I can't find what it is. Keep in mind, Site2 is working fine. The Site-to-Site VPN seems to be set up and functioning properly. It's just the Office VPN machine that is blocking/not receiving the RIP updates.

If anyone has any ideas, I would really appreciate it. If anyone needs further information, I'm willing to supply it.
August 14th, 2009 5:49am

Hi,

Thanks for posting here. If the network is not complex and will not change, he may also consider referring to the following KB to configure static routes in RRAS: 178993 How to Use Static Routes with Routing and Remote Access Service http://support.microsoft.com/default.aspx?scid=kb;EN-US;178993

This posting is provided "AS IS" with no warranties, and confers no rights.
August 24th, 2009 4:30am

Site to site routing works fine if the VPN routers are the default routers for both sites. If your machines are using some other device, such as the D-Link, as their default router (or default gateway, which means the same thing), site to site routing will fail. You will need extra routing to get the traffic to the VPN router. Otherwise the private traffic will try to cross the Internet unencrypted and unencapsulated. This traffic will be dropped by the Internet router.

A simple diagram of your network would help. eg

Site 1
192.168.21.x      dg 192.168.21.254
      |
192.168.21.254    dg blank    RRAS
public IP
      |
Internet
      |
public IP
...
...
...
Site 2

Bill
August 24th, 2009 4:58am

Sorry I took so long to reply, Bill, but I changed my setup. I now have Windows Server 2008 R2 set up at both sites. I installed routing and remote access. The site-to-site VPN connects just fine. IP addresses assigned. Installed RIP for automatic routing update. That seems to be working. However, I can't route anything between the two sites at all.

Setting this up really shouldn't be this hard. :(

Office has a D-Link router as 192.168.10.1. Domain controller is 192.168.10.11. VPN server is 192.168.10.17.

Remote has D-Link router as 192.168.20.1. VPN server is 192.168.10.11 (no domain controller, but if added will be on this one.)

Both sites have the D-Link router as the gateway cause it's actually what is the gateway to the internet. Had it set like this on the other builds, and it worked mostly.

When I check RIP, there's been no Responses Sent or Responses Received from either machine. They're both set to Auto-static. And I do a manual "Update Routes" even, and no change.

In Network Management, it shows the VPN connections as Public. I even changed that to Private (work place). Still no go.

In the Office machine, I have the local network and the VPN showing up. On the Remote machine, I have local, VPN, and RAS (dial-in) interface. I'm not sure I should have the RAS one on Remote since it's not designed for remote dial-in.

** Ignore this. Seems the dialing computer gets assigned the right IP, and the answering one gets a random one assigned. **

On the Office domain, I set the dial-in account to be assigned a static IP. This works. On the Remote machine (I'm just using local as no domain setup here yet), I set the dial-in account to use a static IP, but it's not getting assigned one. Instead it grabs one from the static pool assigned to the connection. Office is set to give out static IPs in the range 192.168.10.91 to .99. Remote is set to give 192.168.20.91 to .99. Office has the dial-in account for the Remote server to get IP address 192.168.10.90. Remote is set to give the IP address of 192.168.20.90 to Office. Remote gets its proper IP of 90, but Office gets one of the random IPs from 91-99. ** **

Here's the routing table from Office:

===========================================================================
Interface List
20...........................Remote
18...........................RAS (Dial In) Interface
11...00 24 e8 1a 08 9d ......Intel(R) 82567LM-3 Gigabit Network Connection
 1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.17     10
    98.185.149.62  255.255.255.255     192.168.10.1    192.168.10.17     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link     192.168.10.17    266
    192.168.10.17  255.255.255.255         On-link     192.168.10.17    266
    192.168.10.91  255.255.255.255         On-link     192.168.10.91    306
   192.168.10.255  255.255.255.255         On-link     192.168.10.17    266
    192.168.20.90  255.255.255.255         On-link     192.168.20.90    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.10.17    266
        224.0.0.0        240.0.0.0         On-link     192.168.10.91    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.10.17    266
  255.255.255.255  255.255.255.255         On-link     192.168.10.91    306
  255.255.255.255  255.255.255.255         On-link     192.168.20.90    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                  Gateway
  1    306 ::1/128                              On-link
 11    266 fe80::/64                            On-link
 11    266 fe80::31fa:9b78:e9a4:a5dd/128        On-link
  1    306 ff00::/8                             On-link
 11    266 ff00::/8                             On-link
 18    306 ff00::/8                             On-link
===========================================================================
Persistent Routes:
  None

Here's the routing table from Remote:

===========================================================================
Interface List
19...........................RAS (Dial In) Interface
11...00 24 e8 1a 08 76 ......Intel(R) 82567LM-3 Gigabit Network Connection
20...........................Office
 1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.20.1    192.168.20.11    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.10.99  255.255.255.255         On-link     192.168.10.99    266
     192.168.20.0    255.255.255.0         On-link     192.168.20.11    266
    192.168.20.11  255.255.255.255         On-link     192.168.20.11    266
    192.168.20.91  255.255.255.255         On-link     192.168.20.91    306
   192.168.20.255  255.255.255.255         On-link     192.168.20.11    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.20.11    266
        224.0.0.0        240.0.0.0         On-link     192.168.20.91    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.20.11    266
  255.255.255.255  255.255.255.255         On-link     192.168.20.91    306
  255.255.255.255  255.255.255.255         On-link     192.168.10.99    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.20.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                          Gateway
 13     58 ::/0                                         On-link
  1    306 ::1/128                                      On-link
 13     58 2001::/32                                    On-link
 13    306 2001:0:4137:9e50:3481:1971:3f57:ebf4/128     On-link
 11    266 fe80::/64                                    On-link
 13    306 fe80::/64                                    On-link
 13    306 fe80::3481:1971:3f57:ebf4/128                On-link
 11    266 fe80::ad48:484:c0b3:efba/128                 On-link
  1    306 ff00::/8                                     On-link
 13    306 ff00::/8                                     On-link
 11    266 ff00::/8                                     On-link
 19    306 ff00::/8                                     On-link
===========================================================================

I've even set static routes of 192.168.10.0 / 255.255.255.0 on Remote and 192.168.20.0 / 255.255.255.0 on Office. Doing a tracert, when I try to connect to one of the IPs on the other network segment, the system is trying to route by going out over the internet instead of the VPN connection.

If there's any more information I can give you, please let me know.
September 14th, 2009 2:22am

Bump. Anyone have any help they can give me? My two VPN servers do not have two NICs in them, only one. They are not the default gateway because I have the routers set up to be. If I manually configure their IP settings not to detail a default gateway, then they can't reach anything on the internet, and therefore can't dial into the other servers. :/ I'm really at a loss with this.
October 1st, 2009 12:59am

If your VPN routers are not the default gateway for the sites, nothing will cross the link except traffic between the routers. To get this to route between sites, you will need to set up static routes on the default gateways, not on the VPN servers. As you said, in your current setup traffic for the other site will go to the default gateway. This knows nothing about your VPN link, so it tries to send the traffic through its default route (which is out to the Internet). On each gateway router, add a static route to send traffic for the other site to the local VPN router. The traffic will then be encrypted and encapsulated before the VPN server sends it on to the gateway.

For example, on the router with IP address 192.168.10.1, add a static route

192.168.20.0 255.255.255.0 192.168.10.17

This will bounce traffic for 192.168.20 to the VPN router instead of trying to send it to the Internet. Add a corresponding static route to the other site.

Bill
October 5th, 2009 7:18am

Let me add a few additional words:

You need (at least) two NICs installed on your RAS servers. Then you have two scenarios:

1. Dismount your D-Link routers from your LANs. Connect the second NIC (on RAS servers) directly "to the Internet". And add NAT in RAS. Make these servers Default Gateway for your LANs ...
2. If there are some special reasons and it is not possible to dismount these D-Link routers from your LANs, connect them only to the second NIC and ... see 1.

About RIP - I think you do not need RIP for "site-to-site VPN" ... if I am wrong, please correct me.
October 6th, 2009 4:30pm

(Note: 10 server was called Office in previous posts. 20 server was called Remote.)

Tried that, Bill. It sent the VPN traffic to the D-Link router/gateway like it's been doing. The Router sent the traffic back to the VPN server. The VPN server got it, then sent it back to the D-Link. Round and round. Still seems like the problem is at the VPN servers. :( It doesn't know to send traffic over the VPN connection. And even if I set up static routes on it, it winds up telling me destination host is unreachable.

If I add a static route in the server, set the interface to the VPN connection, set the IP range as 192.168.10.0 (or 20.0, opposite from local segment), set subnet as 255.255.255.0, gateway is blank cause it's grayed out, it automatically sets the gateway to the local subnet IP address the remote VPN router was assigned. The local VPN router can't route to that at all though. For instance:

192.168.10.11 router gets assigned 192.168.20.90 as VPN IP.
192.168.20.11 router gets assigned 192.168.10.95 as VPN IP.

So if I set a static route on 20 to use the VPN connection, it creates:
192.168.10.0 255.255.255.0 192.168.20.90
But the 90 is unreachable.

If I set a static route on 10 to use the VPN connection, it creates:
192.168.20.0 255.255.255.0 192.168.10.95
But the 95 is unreachable.

If I set a static route on 20 to use LAN, I can specify gateway:
192.168.10.0 255.255.255.0 192.168.10.95
but then it just tries to send it out to the internet instead of over 95 VPN IP.

On 20 server:

Destination      Network mask     Gateway        Interface              Metric  Protocol
0.0.0.0          0.0.0.0          192.168.20.1   Local Area Connection  266     Network management
127.0.0.0        255.0.0.0        127.0.0.1      Loopback               51      Local
127.0.0.1        255.255.255.255  127.0.0.1      Loopback               306     Local
192.168.20.0     255.255.255.0    0.0.0.0        Local Area Connection  266     Network management
192.168.20.11    255.255.255.255  0.0.0.0        Local Area Connection  266     Network management
192.168.20.90    255.255.255.255  192.168.10.95  VPN_Center             11      Network management
192.168.20.255   255.255.255.255  0.0.0.0        Local Area Connection  266     Network management
224.0.0.0        240.0.0.0        0.0.0.0        Local Area Connection  266     Network management
255.255.255.255  255.255.255.255  0.0.0.0        Local Area Connection  266     Network management

On 10 server:

Destination      Network mask     Gateway        Interface    Metric  Protocol
0.0.0.0          0.0.0.0          192.168.10.1   Onboard NIC  10      Network management
98.185.149.62    255.255.255.255  192.168.10.1   Onboard NIC  11      Network management
127.0.0.0        255.0.0.0        127.0.0.1      Loopback     51      Local
127.0.0.1        255.255.255.255  127.0.0.1      Loopback     306     Local
192.168.10.0     255.255.255.0    0.0.0.0        Onboard NIC  266     Network management
192.168.10.19    255.255.255.255  0.0.0.0        Onboard NIC  266     Network management
192.168.10.95    255.255.255.255  192.168.20.90  VPN_Site2    11      Network management
192.168.10.255   255.255.255.255  0.0.0.0        Onboard NIC  266     Network management
224.0.0.0        240.0.0.0        0.0.0.0        Internal     306     Network management
255.255.255.255  255.255.255.255  0.0.0.0        Onboard NIC  266     Network management

I cannot figure out why it won't route properly. Granted I'm new to routing, but it seems to me if it got an IP address from another server, it should be able to connect to that server.
October 9th, 2009 12:56am

Thanks for the help, DimiterS. Unfortunately I do not have computers with 2 nics. I'm stuck with 2 computers with just 1 nic each. No option to upgrade. I know it's possible to do this, it's just a matter of coordinating the routing tables.
October 9th, 2009 1:41am

Looks like you just have not configured the site-to-site link properly. You should not have to add any extra routing after it connects. What are you using as a guide for the site to site config? It is quite different from a normal client-server VPN connection. Have you configured static routes to the "other" site's subnet on each router and linked them to the demand-dial interfaces? These are stored in the registry and are added to the routing table automatically when the connection is made. There is no sign of them in your routing table.

Bill
October 9th, 2009 7:06am
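To make the forwarding decisions argued over in this thread concrete, here is an added Python model (not code from the thread or from RRAS) that applies longest-prefix matching to Office-side routing tables built from the addresses posted above, and traces a packet for the Remote subnet through the three configurations discussed: no extra routes, Bill's static route on the D-Link only, and that route plus a static route on the VPN server bound to the demand-dial interface. The host names, the "LAN"/"WAN" interface labels, the client, the destination 192.168.20.5 and the use of 192.168.10.17 for the VPN server (as in Bill's example route) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                  # destination network, e.g. "192.168.20.0/24"
    next_hop: Optional[str]      # None = on-link (directly connected or demand-dial)
    interface: str

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix)

def lookup(table: list, dst: str):
    """Longest-prefix match, as both Windows and the D-Link do:
    the most specific matching prefix wins, so a /24 beats 0.0.0.0/0."""
    matches = [r for r in table if r.matches(dst)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

# Which host answers for each next-hop address on the Office LAN (assumed topology).
OWNER = {"192.168.10.1": "dlink-10", "192.168.10.17": "vpn-10"}

def office_hosts(gateway_static: bool, demand_dial_route: bool) -> dict:
    """Routing tables for an Office client, the D-Link (192.168.10.1) and the VPN server
    (192.168.10.17, as in Bill's example route). 'LAN' = the single NIC, 'WAN' = the
    D-Link's Internet uplink, 'VPN_Site2' = the demand-dial interface from the 10 server table."""
    client = [Route("192.168.10.0/24", None, "LAN"),
              Route("0.0.0.0/0", "192.168.10.1", "LAN")]
    dlink = [Route("192.168.10.0/24", None, "LAN"),
             Route("0.0.0.0/0", None, "WAN")]
    vpn = [Route("192.168.10.0/24", None, "LAN"),
           Route("0.0.0.0/0", "192.168.10.1", "LAN"),
           Route("192.168.10.95/32", "192.168.20.90", "VPN_Site2")]  # only tunnel route RRAS added
    if gateway_static:      # Bill's suggestion: on the D-Link, 192.168.20.0/24 -> local VPN server
        dlink.append(Route("192.168.20.0/24", "192.168.10.17", "LAN"))
    if demand_dial_route:   # RRAS static route bound to the demand-dial interface (no gateway address)
        vpn.append(Route("192.168.20.0/24", None, "VPN_Site2"))
    return {"client": client, "dlink-10": dlink, "vpn-10": vpn}

def trace(hosts: dict, start: str, dst: str, max_hops: int = 6):
    """Forward a packet hop by hop. Returns (outcome, hosts visited), where outcome is
    'tunnel' (handed to the demand-dial link), 'internet' (left via the D-Link WAN),
    'delivered' (on-link on the LAN), 'unreachable' (no route / unknown next hop) or
    'loop' (still bouncing between hosts after max_hops)."""
    path, host = [], start
    for _ in range(max_hops):
        path.append(host)
        route = lookup(hosts[host], dst)
        if route is None:
            return "unreachable", path
        if route.interface == "VPN_Site2":
            return "tunnel", path
        if route.interface == "WAN":
            return "internet", path
        if route.next_hop is None:
            return "delivered", path
        host = OWNER.get(route.next_hop)
        if host is None:
            return "unreachable", path
    return "loop", path

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, trace(office_hosts(*flags), "client", "192.168.20.5"))
```

With no extra routes the packet leaves via the D-Link's default route; with the static route only on the D-Link it ping-pongs between D-Link and VPN server exactly as reported above, because the VPN server's own best match for 192.168.20.0/24 is still its default route back to the D-Link.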

Hi Bill,

Yup, I know about how site-to-site is different from client-server VPN. Configured a demand-dial connection on Office to connect to Remote. Set it up to auth with a username and pass that resides on Remote. Set up Remote with a demand-dial connection to Office, and also told it to use a username and pass residing on Office. Each one also uses the proper username to match the name of the demand-dial connection on the other server. When I tell Office to connect, it does, and if I look at Remote's console, it shows the connection as connected automatically. Same if I dial from Remote. If I tell it to disconnect from either, it automatically shows as disconnected on the other server as well. Since they interact with each other like that, I assume I do have them set up properly.

I used several documents to research what I was doing to make sure I did it correctly, specifically some test lab step-by-step documents from Microsoft. http://www.microsoft.com/downloads/details.aspx?FamilyID=58a8b58a-5655-4cc1-9d6a-91119b54ae0a&DisplayLang=en is the link directly to it. Unfortunately it does presume you have a 2-NIC setup, so I had to adjust a few things.

I did try with static routes like the ones I detailed above (using the VPN demand-dial connection and letting it automatically set the gateway, and using the LAN connection and manually pointing it to the IP assigned by the other router on the other subnet). If I use the VPN connection, it winds up with host unreachable; it doesn't know how to route it. If I use the LAN connection, even pointing to the VPN IP as the gateway, it still sends it to the internet instead.

Using RRAS, how exactly would you create a static route between the two? Maybe I'm doing it wrong.

Do you think deleting the demand-dial connections and user accounts on both servers and starting from scratch may yield better results?

Again, I really appreciate the help you're offering me here. I've even talked with some other pro-techs in my area about the situation, and they're all stumped as well. You're the only person who's even come close to doing more than shrugging his shoulders in bewilderment. :)

Edit: Further info that may help. In the user accounts, on the dial-in tab, I set each account to use a static IP instead of being assigned one by the VPN pool. (I originally had it set to the default dynamic assigned, but still had the same problem.) The calling router will be assigned its static IP; however, the answering router will be assigned a dynamic IP from the VPN pool. It's this way if I dial with the Office server or the Remote server.
October 9th, 2009 8:05am

Regarding setting up the static routes, I use the new static routes wizard and select the demand dial interface from the dropdown list. If you connect using the name of the dd interface as the username, it should connect properly. Does the status of the interface change to "Connected"? I can't think of any reason to use a static IP for the connection. Have you given IP addresses to the demand-dial interfaces? They cannot get an IP from the address pool.

Bill
October 9th, 2009 9:38am

Status does change to "Connected".

I was giving them statics (via the Dial-Up tab of the User Properties) when the default dynamic IP didn't work and was trying to get static to work.

I have a couple of IP address pools. There's the DHCP system on both networks obviously. (On both sides, I use .100-.254 for DHCP systems.) I have RRAS using .91-.99. So when you say, "They cannot get an IP from the address pool", which do you mean exactly? They should get IPs from the .91-.99 pool, no?

I just reset everything so they don't have statics assigned at all and get fully dynamic. Routing protocols installed are RIP and IGMP on both sides. Tried it with both no static routes, and a static route using the wizard (setting to use the demand-dial interface).

With no statics set, it tries to send to the internet.
With a static via the demand-dial set, it tries to send to the demand-dial, but it times out.

I'm truly at a loss. :(
October 9th, 2009 3:46pm

Maybe static routes on client PCs will help?! Let's leave their default gateway as is, but add a static route on these PCs for VPN traffic. And in this static route, point out that the gateway for VPN traffic is the local RAS server.

EDIT
On the client PCs, you can use (Command Prompt) ...>route add ... to add static routes.
October 9th, 2009 4:01pm

If the demand dial interface on the answering router does not change to connected, you will not get the subnet route added to the routing table. Are you sure that you are using the name of this interface as the username when you connect? This is how the system knows which demand dial interface to connect to. (Remember that there could be many sites connecting to a server needing different subnet routes. This is the mechanism used to connect to the correct interface.) When you make a VPN connection, the connection receives an IP address as part of the PPP dialog. This is not the same thing as the IP address of the demand dial interface.

Bill
October 11th, 2009 4:05am

They show connected on each demand-dial interface when one calls the other. They both show disconnected if I tell one to manually disconnect. I.e., they sync up properly.
October 11th, 2009 12:49pm
