VPN to Windows 7 Workstation with 2 NICs and ICS enabled
I have a workstation running Windows 7 Pro that has two NICs, one with IP address 10.95.64.25/255.255.255.0 (corporate network) and the other with IP address 192.168.99.1/255.255.255.0 (private network). There are several PCs on the private network that need Internet access through the corporate network, so I have enabled Internet Connection Sharing on the workstation. (I hacked the workstation's registry to use the 192.168.99.x subnet instead of the default 192.168.137.x subnet.) I have confirmed that PCs on the private subnet have access to the Internet.

I also need to be able to gain direct access to control devices (i.e., Programmable Logic Controllers, or PLCs) on the private network from the corporate side (i.e., 10.95.64.x subnet). With XP in the past, I've been able to get this to work by creating an incoming VPN connection and setting some static routing. However, I'm not able to get this working with Windows 7. I can connect successfully to the VPN from the corporate side and am given an IP address in the 10.95.64.x subnet with subnet mask 255.255.255.255 and default gateway of 0.0.0.0. I cannot ping any host on the 192.168.99.x subnet.

What I would like to happen is to be assigned an IP address on the 192.168.99.x subnet when connected to the VPN. First, is this possible with Windows 7? If so, what am I doing wrong and how should I do it?
February 5th, 2011 6:10pm

I have been able to get further with the VPN configuration. Here's what I've been able to do...

1. Configure the workstation's incoming VPN connection to assign IP addresses via DHCP. The workstation gets address 10.95.64.113 and address 10.95.64.111 gets assigned to the VPN client.
2. Configure the VPN client to not use the default gateway on remote network so that nothing but VPN traffic is routed to the workstation.
3. Add a route to the routing table of the VPN client that directs any addresses on the 192.168.99.x subnet to the VPN client's VPN IP address 10.95.64.111 (i.e., route add 192.168.99.0 mask 255.255.255.0 10.95.64.111).
4. Ping the workstation at IP 192.168.99.1, a PC on the private network at address 192.168.99.20, and a PLC on the private network at address 192.168.99.140. However, I cannot ping a second PLC on the private network at address 192.168.99.100.
5. Ping the PLC at address 192.168.99.100 from the PC at address 192.168.99.20 so I know that the PLC at address 192.168.99.100 is alive and ping-able from the private network.
6. Ping the VPN client at address 10.95.64.111 from the PC at 192.168.99.20.

Here's a map, if you will, of the network:

    VPN Client (10.95.64.111) -> Workstation RAS Adapter (10.95.64.113)
        |-> Workstation Private Net (192.168.99.1)
        |     |-> PLC 1 (192.168.99.140)
        |     |-> PLC 2 (192.168.99.100)
        |     |-> PC (192.168.99.20)
        |-> Workstation Corporate Net (10.95.64.25)

What I don't understand is why I can ping everything but the PLC at address 192.168.99.100 from the VPN client (10.95.64.111).

Also, does anyone have suggestions on how to make the routing dynamic so that I don't have to add routes manually for the VPN client? I also don't have control of the DHCP server on the corporate network, so the IP addresses assigned to the workstation (i.e., VPN server) and VPN client aren't always guaranteed to be the same from one time to the next. Any suggestions will be greatly appreciated.
February 6th, 2011 4:37pm

Hi,

Thanks for posting in Microsoft TechNet Forum.

Currently, please use the TRACERT command to check the status of the problematical PLC. Open an elevated command prompt and type the following command:

tracert 192.168.99.100

Also, please use the command route print to collect the IP routing table information on the VPN client and the problematic PLC and post the result in the forum.

I am looking forward to your reply.

Alex Zhao
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 8th, 2011 3:34am

Hi,

I'm just writing to see if you have had an opportunity to gather the requested information. If you have any further questions or concerns, please feel free to let us know.

Have a good day!

Alex Zhao
TechNet Subscriber Support in forum.
February 9th, 2011 9:10pm

Check any tutorial for the settings. I think you do not have good settings. Here is a tutorial for that: http://www.bestvpnservice.com/tutorial.php
February 11th, 2011 6:50am


Hi,

As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

Thanks for your understanding and efforts.

Alex Zhao
TechNet Subscriber Support in forum.
February 14th, 2011 11:55am

Thanks for the feedback. Sorry I haven't responded sooner but I've been otherwise occupied.

I solved the issue with not being able to ping the PLC at 192.168.99.100. It was the gateway configuration on the PLC. Once I set its default gateway to the workstation running ICS, it worked fine.

The next challenge is to figure out a way to configure the system so that an additional route table entry doesn't have to be added after making the VPN connection. Again, the workstation is configured to assign IP configurations via DHCP and typically gets address 10.95.64.113 itself and assigns either 10.95.64.111 or 10.95.64.115 to the remote client. All works okay if I add a route to forward 192.168.99.x to 10.95.64.111/115.

Is there a way to configure things so that routing happens as it should without explicitly adding a new route? I know I can specify a range of IP addresses to use for the VPN connection. Is there a way to utilize that so that routing happens automatically, or is there a way to automatically "push" the required route to the client?
February 16th, 2011 2:02pm

You have to let us know how you are connected to the Internet and what your router or ADSL modem IP is. When you are configuring your VPN server you must select an IP range in the same range as your router. Then, when your clients connect to the VPN, their IP will be changed to the same range of IP addresses and they can connect to the Internet.
February 16th, 2011 2:43pm

Amini,

Thanks for your reply. However, I don't think your questions are relevant. I connect to the corporate network from my home office via OpenVPN. That gets me on the corporate network. Once on the corporate network, the workstation I need to connect to is multi-homed with one NIC on the corporate network (10.95.64.x subnet) and another on the PLC network (192.168.99.x). The complication comes in when I want to gain "direct" access (i.e., tunnel) to the PLC network. (If I only wanted to talk to devices on the corporate network, I wouldn't have to VPN to the workstation since I'm already connected via OpenVPN.)

To connect to devices on the PLC network, I configured an incoming VPN connection on the workstation. I configured the workstation to issue IP addresses via DHCP. The workstation is not the DHCP server. The DHCP server is another device on the 10.95.64.x subnet so it issues addresses in that subnet. I don't have control over the DHCP server nor do I even know what it is. I could reconfigure the workstation to issue IP addresses in a different address range/subnet but I'm not sure that I would gain anything by doing that.

(In my opinion, the best solution would be to put a router running OpenVPN server between the corporate and PLC networks but corporate IT won't let me for "security reasons". They will, however, let me use the multi-homed workstation since it's needed for other purposes. It's my opinion that the multi-homed PC is less secure than a properly configured router but IT folks can sometimes be strong willed.)

With my current configuration, the real issue is how to tell the client computer to route IP packets destined for the 192.168.99.x subnet to the multi-home workstation VPN when the IP address assigned to the client is dynamic. I can use ipconfig /all and get the IP address assigned by the workstation for the VPN connection and then add a route manually. However, this is a nuisance.

I would prefer to configure the system, if possible, for the routing to work automatically. I guess I could develop a sexy script that determines the IP address and adds the appropriate route but I'd rather not go there unless I have no other choice.
February 16th, 2011 4:34pm
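
The manual procedure described in the last post (read the address the workstation assigned to the VPN connection, then add a route for 192.168.99.0/24 through it), written out as a PowerShell script. This is an added example, not code posted by anyone in the thread; the connection name `PLC-Workstation` is a hypothetical placeholder for whatever the client's VPN connection is called, and the script must be run from an elevated prompt after the VPN is connected.

```powershell
# Added example: constructed for this thread, not posted by any participant.
param(
    [string]$ConnectionName = 'PLC-Workstation',  # hypothetical VPN connection name
    [string]$Subnet = '192.168.99.0',             # private (PLC) subnet from the thread
    [string]$Mask   = '255.255.255.0'
)

# Return the IPv4 address currently assigned to the named PPP (VPN) connection,
# or $null when that connection is not up.
function Get-VpnClientAddress([string]$Name) {
    $nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $nics) {
        if ($nic.NetworkInterfaceType -ne 'Ppp') { continue }  # skip Ethernet/TAP adapters
        if ($nic.OperationalStatus -ne 'Up')     { continue }
        if ($nic.Name -ne $Name)                 { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            if ($ua.Address.AddressFamily -eq 'InterNetwork') {
                return $ua.Address.ToString()
            }
        }
    }
    return $null
}

$vpnIp = Get-VpnClientAddress $ConnectionName
if (-not $vpnIp) {
    Write-Error "VPN connection '$ConnectionName' is not up; no route added."
    exit 1
}

# Drop any route for the subnet left over from an earlier session, when the
# DHCP-assigned VPN address may have been different.
& route.exe delete $Subnet | Out-Null

# Non-persistent route (no -p): only the PLC subnet goes through the VPN, and
# the entry does not survive a reboot with a stale gateway address.
& route.exe add $Subnet mask $Mask $vpnIp | Out-Null

# Confirm the route table now shows the subnet going via the VPN address.
if (-not (& route.exe print $Subnet | Select-String -SimpleMatch $vpnIp)) {
    Write-Error "Route for $Subnet via $vpnIp was not installed (elevated prompt?)."
    exit 1
}
Write-Output "Routed $Subnet mask $Mask via $vpnIp"
```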
