Windows Server 2008 R2, RRAS, NPS, VPN, LAN routing - not able to go beyond the VPN server from VPN client

    Question

  • I have been trying to set up a VPN on Windows Server 2008 R2 Standard. I did exactly what Shilpesh recommended in his answer (http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0686de84-e278-4820-8576-82351cf128dd)
    That means:
    - install RRAS
    - custom configuration
    - check VPN and LAN routing
    - start service
    - configure IPv4 - static IP pool from 172.0.0.64 to 172.0.0.127
    - we use the PPTP protocol with strongest encryption and CHAPv2
    - set up NPS (I created a rule for network policies - for RAS (VPN-Dial up))

    So, I can make a VPN connection - the situation looks like this:
    External World (internet; public IP address 194.228.x.x)---->VDSLmodem(routing public IPaddress to internal IPaddress 10.0.0.43)---->VPN server(internal IP address 10.0.0.43; VPN static IP pool from 172.0.0.64 to 172.0.0.127)---->Internal Networks(10.0.0.x)

    But when I connect to the VPN from my NB, I'm not able to go beyond the VPN server. I can communicate with the VPN server only (IP address is 10.0.0.43 - I already tried ping, tracert, mstsc) but if I want to use other resources from our intranet, I'm not able to connect to them.

    I can ping the VPN server only - 10.0.0.43. When I try another IP, a timeout occurs.

    From VPN server I got IP address 172.0.0.65 (VPN client's IP address) - when I try trace route to IP address e.g. 10.0.0.200 I see:
    Tracing route to 10.0.0.200 over a maximum of 30 hops
      1    95 ms   108 ms   129 ms  172.0.0.64 (server's "Internal" interface IP)
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.

    BUT!!! When I try ping from the intranet to my NB it works! I mean ping from any computer on the intranet with IP address 10.0.0.x to 172.0.0.65 (my VPN client's IP address) works! So - routing from the intranet to VPN clients works, but routing from VPN clients to the intranet doesn't work.

    edited: I was wrong - I get correct ping only from 10.0.0.43. When I try from other LAN clients I get:

    C:\Windows\system32>ping 172.0.0.65
    Pinging 172.0.0.65 with 32 bytes of data:
    Reply from 194.228.x.x (our public IP address): TTL expired in transit.
    Reply from 194.228.x.x: TTL expired in transit.
    Reply from 194.228.x.x: TTL expired in transit.
    Reply from 194.228.x.x: TTL expired in transit.

    Ping statistics for 172.0.0.65:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

    I'm very frustrated.

    So can you help me find where the problem is and why I'm not able to go beyond the VPN server from the VPN client?

    Thank you very much
    Jiri

    • Edited by Jiri.Sokol Wednesday, July 18, 2012 2:23 PM
    Wednesday, July 18, 2012 12:05 PM

All replies

  • My first guess is that your internal clients do not use the RAS server as default gateway and so the clients do not know how to route to 172.0.0.64 to 172.0.0.127 (your VPN net). If my assumption is correct you need to configure a static route to the VPN network on the device that is the default gateway, with the internal IP of your RAS server as the gateway.

    My second guess is that "use default gateway on remote network" is deactivated. It is on by default if you create a new VPN connection. To verify this go on one of your VPN clients into the VPN connection properties, Networking tab, TCP/IP v4 Properties/Advanced.

    Good luck!

    Lutz

    Thursday, July 19, 2012 5:00 AM
  • Hi Jiri,

    Thanks for posting here.

    Please first show us the routing table and “ipconfig /all” from this RRAS server when it is ready to receive incoming connection requests, and please also let us see these results from one of the VPN clients when the tunnel is established.

    Usually we need to adjust the routing table on the RRAS server if the address space (172.0.0.64 to 172.0.0.127) we assigned to VPN users is different from our internal address space (10.0.0.x):

    Cannot reach beyond the RRAS server from VPN clients?

    http://blogs.technet.com/b/rrasblog/archive/2006/02/09/419100.aspx

    Also, on the VPN client, by default the system will use the address we assigned to the virtual PPP interface on RRAS (172.0.0.64 in your case) as the default gateway, which would cause the internet connection to be broken after the tunnel is created:

    Split Tunneling for Concurrent Access to the Internet and an Intranet

    http://technet.microsoft.com/en-us/library/bb878117.aspx

    Hope that helps

    Thanks

    Tiger Li


    Tiger Li

    TechNet Community Support

    Thursday, July 19, 2012 5:03 AM
  • Hi to all :)

    Thank you for your time. Here are ipconfig /all & route print -4 from the VPN server and the VPN client (when the connection is established):

    VPN server:
    C:\Windows\system32>ipconfig.exe /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : <server-name>
       Primary Dns Suffix  . . . . . . . : <full domain name>
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : <full domain name>
                                           Home

    PPP adapter RAS (Dial In) Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.0.0.64(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : Home
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-00-2A-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::f955:38d:5957:f878%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.0.43(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : 12. července 2012 9:51:04
       Lease Expires . . . . . . . . . . : 20. července 2012 9:51:13
       Default Gateway . . . . . . . . . : fe80::1%10
                                           10.0.0.138
       DHCP Server . . . . . . . . . . . : 10.0.0.138
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-55-8E-CA-00-15-5D-00-2A-00
       DNS Servers . . . . . . . . . . . : 10.0.0.41
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       
    C:\Windows\system32>route print -4
    ===========================================================================
    Interface List
     25...........................RAS (Dial In) Interface
     10...00 15 5d 00 2a 00 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.0.0.138        10.0.0.43      5
            10.0.0.43  255.255.255.255         On-link         10.0.0.43    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.0.0.64  255.255.255.255         On-link        172.0.0.64    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.43    261
            224.0.0.0        240.0.0.0         On-link        172.0.0.64    306
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.43    261
      255.255.255.255  255.255.255.255         On-link        172.0.0.64    306
    ===========================================================================
    Persistent Routes:
      None
      
    ----------------------------------------------------------

    VPN clients (when the tunnel is established): 
    C:\windows\system32>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . : <computer name>
       Primary Dns Suffix. . . . . . . : <full domain name>
       Node Type . . . . . . . . . . . : hybrid
       IP Routing Enabled  . . . . . . : No
       WINS Proxy Enabled  . . . . . . : No
       DNS Suffix Search List  . . . . : <full domain name>

    PPP adapter VPN to work:

       Connection-specific DNS Suffix  . . . . :
       Description . . . . . . . . . . . . . . : VPN to work
       Physical Address. . . . . . . . . . . . :
       DHCP Enabled  . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes
       Adresa IPv4 . . . . . . . . . . . . . . : 172.0.0.67(Preferované)
       Subnet Mask . . . . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . . . . : 0.0.0.0
       DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
       NetBIOS over Tcpip. . . . . . . . . . . : Enabled

    Wifi Adapter Bezdrátové připojení k síti:

       Connection-specific DNS Suffix  . . . . :
       Description . . . . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
       Physical Address. . . . . . . . . . . . : 08-11-96-E9-0C-14
       DHCP Enabled  . . . . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . . . . : Yes
       IPv4 address  . . . . . . . . . . . . . : 192.168.1.220(Preferované)
       Subnet Mask . . . . . . . . . . . . . . : 255.255.255.0
       Lease Obtained  . . . . . . . . . . . . : 19. července 2012 12:35:27
       Lease Expires . . . . . . . . . . . . . : 19. července 2012 13:35:27
       Default Gateway . . . . . . . . . . . . : 192.168.1.1
       Server DHCP . . . . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . . . . :
       Description . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled  . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes
       Link-local IPv6 Address . . . . . . . . : fe80::c4f:352f:53ff:ffbc%14(Preferované)
       Default Gateway . . . . . . . . . . . . :
       IAID DHCPv6 . . . . . . . . . . . . . . : 520093696
       DUID klienta DHCPv6 . . . . . . . . . . : 00-01-00-01-16-86-61-DB-E4-11-5B-F1-BB-E0
       NetBIOS nad TCP/IP. . . . . . . . . . . : disabled

    Tunnel adapter isatap.{F72E9043-5D24-40AC-A63F-21A498A36B86}:

       Media State . . . . . . . . . . . . . . : disconnected
       Connection-specific DNS Suffix  . . . . :
       Description . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled  . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix. . . . . :
       Description . . . . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled  . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes
       IPv6 adresa . . . . . . . . . . . . . . : 2002:ac00:43::ac00:43(Preferované)
       Default Gateway . . . . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
       NetBIOS nad TCP/IP. . . . . . . . . . . : disabled



    C:\windows\system32>route print -4
    ===========================================================================
    Interface List
     19...........................VPN to work
     13...08 11 96 e9 0c 14 ......Intel(R) Centrino(R) Advanced-N 6205
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
     17...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220   4250
              0.0.0.0          0.0.0.0       On-link        172.0.0.67     26
            127.0.0.0        255.0.0.0       On-link         127.0.0.1   4531
            127.0.0.1  255.255.255.255       On-link         127.0.0.1   4531
      127.255.255.255  255.255.255.255       On-link         127.0.0.1   4531
           172.0.0.67  255.255.255.255       On-link        172.0.0.67    281
          192.168.1.0    255.255.255.0       On-link     192.168.1.220   4506
        192.168.1.220  255.255.255.255       On-link     192.168.1.220   4506
        192.168.1.255  255.255.255.255       On-link     192.168.1.220   4506
      194.228.x.x  255.255.255.255      192.168.1.1    192.168.1.220   4251
            224.0.0.0        240.0.0.0       On-link         127.0.0.1   4531
            224.0.0.0        240.0.0.0       On-link     192.168.1.220   4510
            224.0.0.0        240.0.0.0       On-link        172.0.0.67     26
      255.255.255.255  255.255.255.255       On-link         127.0.0.1   4531
      255.255.255.255  255.255.255.255       On-link     192.168.1.220   4506
      255.255.255.255  255.255.255.255       On-link        172.0.0.67    281
    ===========================================================================
    Persistent Routes:
      None




    • Edited by Jiri.Sokol Thursday, July 19, 2012 12:42 PM
    Thursday, July 19, 2012 11:48 AM
  • Hi Jiri,

    What device is behind 10.0.0.138, and is 10.0.0.138 the default gateway for all your LAN clients?

    Thank you,

    Lutz

    Thursday, July 19, 2012 11:08 PM
  • Hi Jiri,

    Thanks for posting here.

    I verified the routing table on RRAS; it appears there is no routing entry on the RRAS server to the internal subnet 10.0.0.0/24, which means that even though the VPN client was routed to the RRAS server through the VPN tunnel (172.0.0.), it will not be routed to the internal subnet 10.0.0.0/24 from RRAS. So please first add the routing entry below on the RRAS server and see how it goes:

    Run this command on the RRAS server: “route add 10.0.0.0 mask 255.255.255.0 10.0.0.43”

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

    Friday, July 20, 2012 3:02 AM
  • Hi guys!

    10.0.0.138 is the internal LAN IP address of our VDSL modem - it's the gateway from our intranet to the internet... => it's an end-device :)

    So, I tried to add the route on the RRAS server - but without any effect:
    C:\Windows\system32>route add 10.0.0.0 mask 255.255.255.0 10.0.0.43
    OK!

    C:\Windows\system32>route print -4
    ===========================================================================
    Interface List
     25...........................RAS (Dial In) Interface
     10...00 15 5d 00 2a 00 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
     11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.0.0.138        10.0.0.43      5
             10.0.0.0    255.255.255.0         On-link         10.0.0.43      6
            10.0.0.43  255.255.255.255         On-link         10.0.0.43    261
           10.0.0.255  255.255.255.255         On-link         10.0.0.43    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.0.0.64  255.255.255.255         On-link        172.0.0.64    286
           172.0.0.69  255.255.255.255       172.0.0.69       172.0.0.64     31
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.43    261
            224.0.0.0        240.0.0.0         On-link        172.0.0.64    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.43    261
      255.255.255.255  255.255.255.255         On-link        172.0.0.64    286
    ===========================================================================
    Persistent Routes:
      None

    results on my VPNclient:

    C:\windows\system32>tracert 10.0.0.44
    Výpis trasy k 10.0.0.44 s nejvýše 30 směrováními
     1   210 ms     *      103 ms  172.0.0.64
     2     *        *        *     Request timed out.
     3     *        *        *     Request timed out.
     4  ^C

    C:\windows\system32>ping 10.0.0.44
    Příkaz PING na 10.0.0.44 - 32 bajtů dat:
    Request timed out.

    Statistika ping pro 10.0.0.44:
    Pakety: Sent = 1, Received = 0, Lost = 1 (100% loss),

    Then I tried to delete route 10.0.0.0 and create it again for the interface of the VPN server (RAS (Dial In) Interface - ID 25) - same bad result :(

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.0.0.138        10.0.0.43      5
             10.0.0.0    255.255.255.0        10.0.0.43       172.0.0.64     31

    Thanks to all

    Jiri

    Friday, July 20, 2012 8:44 AM
  • Hi Jiri,

    Add the static route to your VDSL modem instead of to the RAS server.

    Can you post an ipconfig /all of one of your internal clients as well?

    Thank you,

    Lutz

    Friday, July 20, 2012 1:44 PM
  • Hi Lutz,

    Do you think that there is some difference between my notebook and the server where the VPN server is running? (I have already posted the ipconfig from this server.)

    C:\windows\system32>ipconfig /all
    Konfigurace protokolu IP systému Windows
       Host Name . . . . . . . . . . . . : <computer name>
       Primary Dns Suffix. . . . . . . . : <full domain name>
       Node Type . . . . . . . . . . . . : hybrid
       IP Routing Enabled  . . . . . . . : No
       WINS Proxy Enabled  . . . . . . . : No
       DNS Suffix Search List. . . . . . : <full domain name>
                                           Home

    Ethernet adapter Připojení k místní síti:
       Connection-specific DNS Suffix. . . . . : Home
       Description . . . . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . . . . : E4-11-5B-F1-BB-E0
       DHCP Enabled. . . . . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . . . . : Yes
       Link-local IPv6 Address . . . . . . . . : fe80::2c37:b6f0:f2db:b304%10(Prefered)
       IPv4 Address. . . . . . . . . . . . . . : 10.0.0.34(Prefered)
       Subnet Mask . . . . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . . . . : 20. července 2012 10:35:28
       Lease Expires . . . . . . . . . . . . . : 21. července 2012 13:20:44
       Default Gateway . . . . . . . . . . . . : fe80::1%10
                                                 10.0.0.138
       Server DHCP . . . . . . . . . . . . . . : 10.0.0.138
       IAID DHCPv6 . . . . . . . . . . . . . . : 238832274
       DUID klienta DHCPv6 . . . . . . . . . . : 00-01-00-01-16-86-61-DB-E4-11-5B-F1-BB-E0
       DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
       NetBIOS over Tcpip. . . . . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media state . . . . . . . . . . . . . . : disconnected
       Connection-specific DNS Suffix. . . . . :
       Description . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes

    Tunnel adapter isatap.Home:
       Media state . . . . . . . . . . . . . . : disconnected
       Connection-specific DNS Suffix. . . . . :
       Description . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #6
       Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . . . . : Yes


    C:\windows\system32>route print -4
    ===========================================================================
    Interface List
     10...e4 11 5b f1 bb e0 ......Intel(R) 82579LM Gigabit Network Connection
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.0.0.138        10.0.0.34     10
             10.0.0.0    255.255.255.0       On-link           10.0.0.34    266
            10.0.0.34  255.255.255.255       On-link           10.0.0.34    266
           10.0.0.255  255.255.255.255       On-link           10.0.0.34    266
            127.0.0.0        255.0.0.0       On-link           127.0.0.1    306
            127.0.0.1  255.255.255.255       On-link           127.0.0.1    306
      127.255.255.255  255.255.255.255       On-link           127.0.0.1    306
            224.0.0.0        240.0.0.0       On-link           127.0.0.1    306
            224.0.0.0        240.0.0.0       On-link           10.0.0.34    266
      255.255.255.255  255.255.255.255       On-link           127.0.0.1    306
      255.255.255.255  255.255.255.255       On-link           10.0.0.34    266
    ===========================================================================
    Persistent Routes:
      None


    Many thanks for your time

    Jiri

    Friday, July 20, 2012 2:29 PM
  • Hi Jiri,

    I was asking for an ipconfig from one of your clients in your LAN, not from the RAS server and not from a VPN client.

    I assume that all your LAN clients and the RAS server have the same default gateway: 10.0.0.138. Am I correct?
    In that case, if you ping a VPN machine, the LAN client sends the IP packet to 10.0.0.138. The problem here is that 10.0.0.138 has no information on how to route to the VPN network (172.0.0.64 to 172.0.0.127). Only the RAS server has this information. So you have to do some configuration on the VDSL device and add a static route for 172.0.0.64 to 172.0.0.127 using 10.0.0.43 as next hop/gateway.

    What is the model of your VDSL modem, so I can look up the exact configuration steps?

    Thank you,

    Lutz

    Friday, July 20, 2012 5:12 PM
  • Hi Lutz...

    If I'm connected to our LAN, my NB is a LAN client. When I connect to the internet e.g. by my mobile phone and then make a VPN connection, my NB is a VPN client - correct?

    So, the data above is from my NB when I was connected to our LAN - it was from a LAN client. ;-)

    The answer to your question is "yes", all LAN clients and the RRAS server use the same gateway 10.0.0.138. Making a static route on the VDSL modem seems to be a good idea :)

    Our model of VDSLmodem is Comtrend VR-3026e.

    Best regards,

    Jiri

    Friday, July 20, 2012 8:24 PM
  • I could not find a manual for the VR-3026e but I found one for a similar device.

    - Open Internet Explorer and type in 10.0.0.138 as address

    - type in username and password

    - Click "Advanced Setup" on the left-hand navigation pane

    - Click "Routing"

    - Click "Static routes"

    - Click "Add" to add a new static route

    Destination Network Address: 172.0.0.0

    Subnet Mask: 255.255.255.0

    Enable "Use Gateway IP address" and type in 10.0.0.43

    Deactivate "Use Interface"

    - Click "Save/Apply"


    Hope that helps and yes your description about your laptop is correct.

    Good luck!

    Lutz

    • Marked as answer by Jiri.Sokol Sunday, September 23, 2012 3:05 PM
    Friday, July 20, 2012 9:56 PM
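
The routing decision behind the accepted answer, as an added Python example (not code from the thread): it runs a longest-prefix-match lookup over the LAN client's posted route table and over the modem's table before and after the static route, and checks which prefix covers the pool 172.0.0.64 to 172.0.0.127 and whether that pool is RFC 1918 private space. The modem's table is an assumption (connected 10.0.0.0/24 plus a default route to the WAN), since the thread never shows it.

```python
import ipaddress

# Tables are (destination network, next hop) pairs.
# LAN_CLIENT comes from the "route print -4" output posted for host 10.0.0.34.
LAN_CLIENT = [
    ("0.0.0.0/0", "10.0.0.138"),
    ("10.0.0.0/24", "on-link"),
]
# ASSUMPTION: the modem's table is not shown in the thread; a connected LAN
# route plus a default route to the ISP is the usual minimum.
MODEM_BEFORE = [
    ("0.0.0.0/0", "WAN"),
    ("10.0.0.0/24", "on-link"),
]
# Static route from the accepted answer: 172.0.0.0 / 255.255.255.0 via 10.0.0.43.
STATIC_ROUTE = ("172.0.0.0/24", "10.0.0.43")
MODEM_AFTER = MODEM_BEFORE + [STATIC_ROUTE]

POOL_FIRST = ipaddress.ip_address("172.0.0.64")
POOL_LAST = ipaddress.ip_address("172.0.0.127")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(table, dst):
    """Return the next hop chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_text, hop in table:
        net = ipaddress.ip_network(net_text)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(modem_table, vpn_client="172.0.0.65"):
    """Next hops a LAN host's reply to a VPN client takes: host, then modem."""
    path = [lookup(LAN_CLIENT, vpn_client)]
    if path[0] == "10.0.0.138":          # reply was handed to the modem
        path.append(lookup(modem_table, vpn_client))
    return path


def pool_summary():
    """Smallest set of CIDR blocks that exactly covers the VPN pool."""
    blocks = ipaddress.summarize_address_range(POOL_FIRST, POOL_LAST)
    return [str(b) for b in blocks]


def route_covers_pool(route):
    """True if the given prefix contains every address of the pool."""
    net = ipaddress.ip_network(route)
    return POOL_FIRST in net and POOL_LAST in net


def pool_is_rfc1918():
    """True if the whole pool sits inside one RFC 1918 private block."""
    return any(POOL_FIRST in n and POOL_LAST in n for n in RFC1918)


if __name__ == "__main__":
    print("reply path before static route:", reply_path(MODEM_BEFORE))
    print("reply path after static route: ", reply_path(MODEM_AFTER))
    print("exact prefix for the pool:     ", pool_summary())
    print("172.0.0.0/24 covers the pool:  ", route_covers_pool("172.0.0.0/24"))
    print("pool is RFC 1918 private:      ", pool_is_rfc1918())
```

The pool is exactly 172.0.0.64/26, so the /24 from the answer works but routes more addresses than the pool uses. 172.0.0.0/24 lies outside 172.16.0.0/12, so it is publicly routable space rather than a private range.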
  • Hi Jiri,

    Thanks for the update.

    The reason I asked to add that entry is that there is no entry for that subnet, so even if traffic from the VPN was received by the PPP interface on RRAS, there was no way to redirect it to our internal subnet.

    Yes, there is a little mistake in my last reply: since this server has been assigned an address from subnet 10.0.0.0/24, which is 10.0.0.43, the command should be “route add 10.0.0.0 mask 255.255.255.0 10.0.0.138”.

    Is there any problem reaching any host at 10.0.0.0/24, which also includes the default gateway 10.0.0.138, after this command? (Please first remove the current routing entry for subnet 10.0.0.0/24 with the command “route delete 10.0.0.0 mask 255.255.255.0” before we add it.)

    External World (internet; public IP address 194.228.x.x)---->VDSLmodem(10.0.0.138)---->VPN server(internal IP address 10.0.0.43; VPN static IP pool from 172.0.0.64 to 172.0.0.127)---->Internal Networks(10.0.0.x)

    After these settings, VPN clients should be able to access the internal network through the interface of the RRAS server. Please also keep the entry on the client after we establish the tunnel:

    Network Destination        Netmask          Gateway       Interface  Metric

              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220   4250

              0.0.0.0          0.0.0.0       On-link        172.0.0.67     26

    If we are still unable to get it to work, please try to modify the registry entry IPEnableRouter on RRAS in order to force the system to enable IP forwarding, and reboot after we modify it:

    How to Enable TCP/IP Forwarding in Windows XP

    http://support.microsoft.com/kb/315236

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

    • Proposed as answer by Tiger Li Tuesday, July 24, 2012 2:09 AM
    Monday, July 23, 2012 12:45 PM
  • Hi guys!

    To Lutz:

    Well done - this works - I have ping from VPN clients to internal IP addresses and I have ping from LAN clients to the VPN client... tracert is very slow, but working. That's perfect!

    BUT :( I'm not able to do anything else... I can't go to shared folders on LAN clients, I can't use the intranet web etc.

    When I added the static route I had a problem determining the "prefix length" of the destination (the value after the slash in the destination definition) and the metric. I set:

    Destination: 172.0.0.0/24
    Interface: LAN/br0
    Gateway IP address: 10.0.0.43
    Metric: 200

    Is it correct?

    The primary goal of the VPN connection is working from home just like from work...

    To Tiger Li:

    Sorry, your recommendation doesn't work :(

    I deleted route 10.0.0.0, then I added the route again as you wrote - I had no ping from the VPN client to the LAN client or from the LAN client to the VPN client. Then I changed IPEnableRouter in the registry from value 0 to 1.

    On the VPN client I then saw in the routing table:

    Network Destination        Netmask          Gateway       Interface  Metric

              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.220   4250
              0.0.0.0          0.0.0.0       On-link        172.0.0.68     26
            127.0.0.0        255.0.0.0       On-link         127.0.0.1   4531

    but no ping, and I'm not able to use any service of our intranet :(

    Any next idea?
    Thanks to all!

    Jiri

    Tuesday, July 24, 2012 11:58 AM
  • Hi to all,

    I think that I found where my problem was...

    First - adding the static route on the VDSL modem made ping work from the intranet (servers, clients) to VPN clients...

    The second problem was in our new Symantec Endpoint Protection 12.1 :(

    I had to add the pool of IP addresses of the VPN to all rules of the Symantec FW...

    From this moment I have all the services that I need.

    But when I installed the Symantec Endpoint Protection client on the VPN server - I lost all services outside the VPN server again (I still had ping response to the entire network). I think that may be due to IPv6 of the VPN - can anybody confirm this? I don't know why, but I think that Symantec AV disables all IPv6 traffic.

    Does anybody know how I can solve this? How can I install the Symantec AV client on the VPN server and allow all services which I need for seamless traffic?

    Thanks to all again

    Jiri

    Sunday, September 23, 2012 3:31 PM
  • Sorry, I have to pass on Symantec AV.
    Sunday, September 23, 2012 3:46 PM
  • You just need to allow IP traffic from SEP:

    Sunday, August 04, 2013 10:32 AM