Win Srv 2008 R2, VPN site-to-site Routing problem
We’ve recently set up a department offsite, and I’m having trouble getting the two sites to talk to one another. I’m using Windows Server 2008 R2’s Routing and Remote Access role to create a site-to-site link. I can get them to connect and all seems okay, but they won’t actually route anything to the other site. Doing a trace route reveals all traffic ends at the server starting the traffic. The problem seems to lie in routing, whether using static or automatically configured routes.

We have two offices: the Center and Leap. I’m trying to set up a site-to-site router between them so they can share all services such as Active Directory, a Distributed File System (DFS), printing, routing to other servers and computers (to share the email server especially), etc. I’d like the two sites to think of themselves as on the same LAN, just with different subnets that can talk to one another.

At both places, I have a Windows Server 2008 R2 server with 2 NICs. On each machine, one NIC connects directly to the internet, the other directly to the LAN. I can have either server call the other and its partner will answer and connect. I verify the connection is successful cause in RRAS the corresponding demand dialer shows as connected. They receive their respective IPs from each other when connecting as well. The problem is I cannot ping across the VPN site-to-site connection. I know the basics of the VPN are set up correctly though, because if I have either router call as a client (rather than as a router), the VPN works normally. Also I have several staff members who connect to the network daily using VPN and have no problem functioning. I know the one difference between router and client calling is that the router does not automatically set up routes where the client does. I’ve used static routes as well as automatically configured ones (such as with IGMP and RIP) but have had no luck. I suspect it’s some small detail I’m overlooking or just don’t know about or misconfigured.
I’ve never had to use routes before this project. Here are the details of our setup:

Center office: SRV-Victor is the server. IP is 192.168.10.19 with netmask 255.255.255.0 and no gateway. LAN IP range is 192.168.10.0/24. VPN has been set to give out IP addresses to VPN connections as 192.168.10.80 to 192.168.10.99 (as well as 192.168.110.100 to 192.168.110.255 in testing). Static routes were set as 192.168.30.0/24 using the RRAS console, tied to the demand-dial adapter. The demand-dial adapter is called VPN_Leap and has a local account for dial-in called VPN_Leap. When calling, it uses credentials of VPN_Center.

Leap: SRV-Leap is the server. IP is 192.168.30.19 with netmask 255.255.255.0 and no gateway. LAN IP range is 192.168.30.0/24. VPN has been set to give IP addresses of 192.168.30.80 to 192.168.30.99 (and 192.168.130.100 to 192.168.130.255 in testing). Static routes were set up as 192.168.10.0/24 using the RRAS console, tied to the demand-dial adapter. The demand-dial adapter is called VPN_Center and has a local account for dial-in called VPN_Center. When calling, it uses credentials of VPN_Leap.

The internet-connected NIC used ISP-provided information. When setting up RRAS, I told it to enable security on the Internet NIC. This created the default inbound/outbound filters on the connection, which prevented all but VPN traffic. This had to be removed because the servers were acting as the first gateway for the buildings. Also, the Leap site only has the one server, so that one can’t have filters.

We do not have any edge routers or a perimeter network yet. (That’s something I need a bit more training on.) Previously we were just using cheap routers (D-Link and Linksys consumer grade) to do basic firewall and NAT, and they acted as the gateway for the entire sites. I removed the one for the Center for testing, and moved the Leap one to just be a device on the network since it’s providing DHCP for the network at the moment.
I’d like to keep using them as gateways, but I don’t think they’ll function properly with our setup. I made sure Internet Connection Sharing is turned off since the tutorials stated it couldn’t work with RRAS. I tried with the Windows Firewall off and on and saw no change. I made sure the Windows Firewall had the exceptions in place to allow VPN. (Since clients can connect, I’m assuming it’s not that anyway.)

0.0.0.0 is the default route all undefined traffic takes. If the server doesn’t find the destined network segment on its route list, it sends traffic there. Its gateway is the LUS Fiber gateway. Any undefined traffic gets sent to the internet. The 76.* addresses are the ISP's IPs, those on their network as well as the one assigned to the “Internet” NIC. They use gateway 0.0.0.0 because the system figures if it’s not on a defined network segment, it must be an internet address. The 192.168.10.* addresses point to 0.0.0.0 as their gateway cause when using RRAS you have to define the LAN NIC without a gateway according to all the tutorials. In my production environment, this network segment shows the same gateway, and it functions fine, though the gateway is defined in the NIC’s IPv4 properties as 192.168.10.1 (which is our router connected to the ISP). The 192.168.30.0 address points to the 192.168.110.* address, which is the IP assigned to VPN clients and points to the VPN_Leap connection (the demand dial connecting to the LEAP server). And 196.18.110.* points to the 192.168.130.* gateway, which is the IP assigned to VPN clients by the LEAP server. So, the route for LEAP’s LAN points to the IP assigned to the LEAP VPN connection, which points to the IP assigned to the Center VPN connection. Hm. This may be causing an infinite loop. But the second one is assigned by RRAS. I may try connecting them all up again and manually deleting the one assigned by RRAS while connected. I’m not that savvy on networking and routing to spot this outright earlier.
(Tried deleting this route to verify it's not an infinite loop, but it didn't help.) I’ve also tried using RIP (after removing the static routing). I bind it to the VPN demand-dial interfaces. When checking RIP status, it never shows as sending any broadcasts or receiving any. Also the route table never updates. I’ve also assigned the RIP properties with matching passwords on both servers, wondering if this might be a cause.

I hope this gives you all the info you need. I’m pretty sure it’s just a routes problem. I know enough about networks to get them working, but I’m not as knowledgeable on them as I’d like. What about using DirectAccess? Does that require IPv6? We haven’t set up IPv6 at either office yet as I have to train on it first. And I’d rather learn all I can about DirectAccess and IPv6 before we implement them. I’m apparently having a hard enough time with just VPN and IPv4.

Here are the routing tables:

Interface List
27...........................VPN_Leap
26...........................RAS (Dial In) Interface
14...00 10 18 18 37 61 ......Broadcom NetXtreme Gigabit Ethernet
12...00 13 72 0b 63 c2 ......Broadcom NetXtreme Gigabit Ethernet #2
 1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
18...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter

IPv4 Route Table (not connected to other router)
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       76.72.16.1     76.72.18.104     20
       76.72.16.0    255.255.248.0          On-link     76.72.18.104    276
     76.72.18.104  255.255.255.255          On-link     76.72.18.104    276
     76.72.23.255  255.255.255.255          On-link     76.72.18.104    276
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
     192.168.10.0    255.255.255.0          On-link    192.168.10.19    266
    192.168.10.19  255.255.255.255          On-link    192.168.10.19    266
   192.168.10.255  255.255.255.255          On-link    192.168.10.19    266
     192.168.30.0    255.255.255.0          On-link        127.0.0.1    306
   192.168.30.255  255.255.255.255          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     76.72.18.104    276
        224.0.0.0        240.0.0.0          On-link    192.168.10.19    266
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     76.72.18.104    276
  255.255.255.255  255.255.255.255          On-link    192.168.10.19    266
===========================================================================

IPv4 Route Table (connected to other router)
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       76.72.16.1     76.72.18.104     20
       76.72.16.0    255.255.248.0          On-link     76.72.18.104    276
     76.72.18.104  255.255.255.255          On-link     76.72.18.104    276
     76.72.23.255  255.255.255.255          On-link     76.72.18.104    276
      76.72.29.54  255.255.255.255       76.72.16.1     76.72.18.104     21
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
     192.168.10.0    255.255.255.0          On-link    192.168.10.19    266
    192.168.10.19  255.255.255.255          On-link    192.168.10.19    266
   192.168.10.255  255.255.255.255          On-link    192.168.10.19    266
     192.168.30.0    255.255.255.0   192.168.110.81   192.168.130.81    276
   192.168.110.80  255.255.255.255          On-link   192.168.110.80    306
   192.168.130.81  255.255.255.255          On-link   192.168.130.81    276
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     76.72.18.104    276
        224.0.0.0        240.0.0.0          On-link    192.168.10.19    266
        224.0.0.0        240.0.0.0          On-link   192.168.110.80    306
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     76.72.18.104    276
  255.255.255.255  255.255.255.255          On-link    192.168.10.19    266
  255.255.255.255  255.255.255.255          On-link   192.168.110.80    306
  255.255.255.255  255.255.255.255          On-link   192.168.130.81    276
===========================================================================
May 12th, 2011 8:52pm

What you have done looks fine. Have you checked that the router at the other end also gets a route back to your subnet? (Your router has a route to 192.168.30.0 through the VPN link. Check that at the other end, the link to 192.168.10.0 is also active, not still pointing to the loopback address 127.0.0.1.) If that is OK, the routers are set up correctly.

What about your LAN machines? Are they set to use the RRAS server as their default gateway? The routers can only route your site traffic through the VPN link if the traffic actually reaches the RRAS router. If the RRAS routers are not the default gateway of your LAN machines, you need extra routing on the gateway router to get the traffic for the "other" site to the RRAS router. Otherwise the gateway router will try to send the private traffic to the Internet and it will be dropped. It has to go to the RRAS router to be encrypted and encapsulated before it goes to a gateway router. It only works "out of the box" if the RRAS router is the gateway router for the LAN.

Bill
May 13th, 2011 8:38am

Hi Ferret,

Thanks for posting here.

OK, so the RRAS servers on both sites are directly connected to the internet right now and you have properly created a VPN connection between both RRAS servers right now. Am I correct?

192.168.10.0/24---<(192.168.10.19)Center RRAS server>---Internet---<leap RRAS(192.168.30.19)>---192.168.30.0/24

So what about the IP address you assigned for the virtual interface of the VPN connection on both RRAS servers when the site-to-site VPN connection was established? Generally, you should assign the address of the remote virtual interface on the local RRAS server for routing to the remote IP segment. Here is an example for reference:

Center RRAS server:
  LAN interface: 192.168.10.19
  Site-to-site VPN interface: 192.168.1.10 (assumed)
  Route: 192.168.30.0 255.255.255.0 192.168.1.20

Leap RRAS server:
  LAN interface: 192.168.30.19
  Site-to-site VPN interface: 192.168.1.20 (assumed)
  Route: 192.168.10.0 255.255.255.0 192.168.1.10

However, according to your output, an incorrect routing entry for the remote IP segment may cause this issue:

IPv4 Route Table (not connected to other router)
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     192.168.30.0    255.255.255.0          On-link        127.0.0.1    306
===========================================================================

Please also remove the default gateway entry for troubleshooting first.

For more information regarding the site-to-site VPN connection scenario, you may also refer to the article below:
Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test Lab
http://technet.microsoft.com/en-us/library/cc758271(WS.10).aspx

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 13th, 2011 9:19am
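As an added example (my own code, not from Ferret, Bill, Tiger Li or the RRAS product): a Python script that parses the IPv4 section of a `route print` dump and reproduces the forwarding decision the server makes for a packet bound for the other site. It covers both checks raised in the replies above: Tiger's point that the `192.168.30.0 ... On-link 127.0.0.1` entry is a dead end (the packet matches that route and never leaves the box), and Bill's point that a LAN host whose default gateway is the consumer router hands the traffic to the Internet instead of to the RRAS server. The two Center tables are excerpts of the ones quoted in the question; the Leap, client and consumer-router tables, the 203.0.113.0/24 public addresses and the client address 192.168.10.50 are constructed, and `site_model`, `walk` and the verdict names are my own.

```python
"""Simulate IPv4 forwarding from Windows 'route print' output (added example).

Parses 'Active Routes' rows, does the longest-prefix-match lookup the Windows
stack does, and walks a packet hop by hop through a small model of both sites
to reproduce the two checks raised in the replies: the remote-LAN route must
leave via the demand-dial interface (not 'On-link 127.0.0.1'), and LAN hosts
must hand remote-site traffic to the RRAS server, not to a gateway router
that has no route for it. All tables are constructed: the Center ones follow
the thread's output; the rest are invented, with 203.0.113.0/24 (RFC 5737)
standing in for the public side.
"""
import ipaddress
import re

# One 'Active Routes' row: destination, netmask, gateway-or-On-link, interface, metric.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(On-link|\d+(?:\.\d+){3})"
                 r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

CENTER_NOT_CONNECTED = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       76.72.16.1    76.72.18.104     20
     192.168.10.0    255.255.255.0         On-link     192.168.10.19    266
     192.168.30.0    255.255.255.0         On-link         127.0.0.1    306
"""
CENTER_CONNECTED = """
          0.0.0.0          0.0.0.0       76.72.16.1    76.72.18.104     20
     192.168.10.0    255.255.255.0         On-link     192.168.10.19    266
     192.168.30.0    255.255.255.0   192.168.110.81   192.168.130.81    276
   192.168.130.81  255.255.255.255         On-link    192.168.130.81    276
"""
LEAP_CONNECTED = """
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10     20
     192.168.10.0    255.255.255.0   192.168.130.81   192.168.110.81    276
     192.168.30.0    255.255.255.0         On-link     192.168.30.19    266
"""
CONSUMER_ROUTER = """
          0.0.0.0          0.0.0.0      203.0.113.1      203.0.113.2     10
     192.168.10.0    255.255.255.0         On-link      192.168.10.1    266
"""

def client_table(gateway):
    """A LAN workstation (192.168.10.50, constructed) whose default gateway is `gateway`."""
    return (f"0.0.0.0 0.0.0.0 {gateway} 192.168.10.50 10\n"
            "192.168.10.0 255.255.255.0 On-link 192.168.10.50 266\n")

def parse_routes(text):
    """Parsed rows as dicts; header and separator lines are skipped."""
    routes = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        dest, mask, gw, iface, metric = m.groups()
        routes.append({"network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                       "gateway": None if gw == "On-link" else ipaddress.IPv4Address(gw),
                       "interface": ipaddress.IPv4Address(iface), "metric": int(metric)})
    return routes

def lookup(routes, dst):
    """Longest prefix wins; ties go to the lowest metric. None if nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r["network"]]
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]), default=None)

def site_model(client_gateway, center_table):
    """Device name -> (route table, addresses the device owns) for one scenario."""
    return {"client": (client_table(client_gateway), {"192.168.10.50"}),
            "router": (CONSUMER_ROUTER, {"192.168.10.1", "203.0.113.2"}),
            "center": (center_table, {"192.168.10.19", "76.72.18.104", "192.168.130.81"}),
            "leap": (LEAP_CONNECTED, {"192.168.30.19", "203.0.113.10", "192.168.110.81"})}

def walk(devices, start, dst, max_hops=8):
    """Follow a packet for dst from device start; return (verdict, path).

    'delivered': reached a device directly attached to the destination subnet;
    'loopback': matched an On-link 127.0.0.1 route, so it never leaves the box;
    'internet': handed to an upstream outside the model, which drops RFC 1918;
    'no-route' / 'loop': as named.
    """
    owner = {ipaddress.IPv4Address(ip): name for name, (_, ips) in devices.items() for ip in ips}
    dst = ipaddress.IPv4Address(dst)
    here, path = start, [start]
    for _ in range(max_hops):
        r = lookup(parse_routes(devices[here][0]), dst)
        if r is None:
            return "no-route", path
        if r["interface"].is_loopback:
            return "loopback", path
        if r["gateway"] is None:
            return "delivered", path
        if r["gateway"] not in owner:
            return "internet", path
        here = owner[r["gateway"]]
        path.append(here)
    return "loop", path

if __name__ == "__main__":
    for label, gw, table in (("tunnel down, RRAS is gateway", "192.168.10.19", CENTER_NOT_CONNECTED),
                             ("tunnel up, RRAS is gateway", "192.168.10.19", CENTER_CONNECTED),
                             ("tunnel up, consumer router is gateway", "192.168.10.1", CENTER_CONNECTED)):
        print(f"{label}: {walk(site_model(gw, table), 'client', '192.168.30.50')}")
```

Running it prints a verdict and hop path for the three scenarios. To check a real server, paste its full `route print` output in place of the Center tables; the same lookup applies, and an entry for the remote LAN whose interface column reads 127.0.0.1 is the symptom to look for before spending time on RIP. The walk from `leap` toward 192.168.10.50 is the far-end check Bill asks for.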

Hi Ferret,

If there is any update on this issue, please feel free to let us know. We are looking forward to your reply.

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 16th, 2011 12:59pm

Hi Tiger. I'm not totally sure what you mean by the 192.168.1.10 and .20 line. The site-to-site VPN interface, called "VPN_Leap" on the Center server, has its IP addressing set to automatic. It gets IP 192.168.130.x (let's say 81) when it connects. Quoting my tables above:

     192.168.30.0    255.255.255.0   192.168.110.81   192.168.130.81    276

So, traffic meant for 192.168.30.0 should go to interface 192.168.130.81, which is the VPN connection, using gateway 192.168.110.81, which is the IP of the VPN connection the Leap server gets from the Center server. Is that not correct? It's assigned automatically by RRAS. Also, why doesn't RIP work across the connection? I removed all static routes and such, but nothing. Which default gateway should I remove? From the Internet, VPN, or LAN interfaces? LAN and VPN have no default gateways defined, and without a default GW on Internet, nothing works.

I used the guide you referenced to set up my network. I even went through the document and manually changed all the examples to the actual numbers I was using, so I would understand it better. If I can't get this working in a couple of days, we're considering buying some inexpensive routers to handle this for us. But I think my problem is in designing the network (and subnets), so I'm not sure that would work either. In the meantime, I'm thinking of setting up the LEAP server as a VPN client (rather than router), and installing Active Directory and DFS (distributed file system) on it, then letting it all sync via VPN client. The machines on the LEAP network could just point to the LEAP server and ignore the Center stuff. Only thing is they'll have to stick to OWA cause they won't be able to reach the email server.
May 23rd, 2011 8:50pm
