Routing for NAT and site-to-site VPN with RRAS

  • Question

  • I'm trying to set up a split-tunnel site-to-site VPN using an RRAS server that is currently doing NAT. Right now, the NAT works: all clients are assigned an IP address in the 192.168.2.0/24 range, and they are able to access the internet through the RRAS server.

    I want to add a split-tunnel VPN so that all packets destined for 192.168.1.0/24 are routed through a VPN connection running on the RRAS server, while continuing to route other packets directly to the internet. I thought I could do this by setting up a static route with the VPN connection as the interface, 192.168.1.0 as the destination, and 255.255.255.0 as the mask, but it doesn't work.

    The RRAS server is able to ping computers on the 192.168.1.0 subnet perfectly well, but none of the other computers on the 192.168.2.0 subnet can.

    Is this the right static route to add?

    I think I could do this with 2 VMs, one doing the NAT and one doing the site-to-site VPN, but I'd rather do it without VMs if possible.

    Wednesday, February 4, 2015 4:54 AM

Answers

  • No, you don't need two RRAS servers at this site. That is a standard config for a RRAS server and has a standard setup. What is at the other site? Does it have a RRAS server?

    Site to site VPN routing depends on the routers at both ends having the ability to route traffic for the "other" site through the VPN tunnel.

    Setting up routing at one end only is pointless. Routing is a two-way process. Both routers must know how to route to the "other" site.


    Bill

    • Proposed as answer by Steven_Lee0510 Thursday, February 5, 2015 6:13 AM
    • Marked as answer by Steven_Lee0510 Thursday, March 5, 2015 6:15 AM
    Thursday, February 5, 2015 1:07 AM

All replies

  • Hi,

    Totally agree with Bill.

    Please make sure that the static route for 192.168.2.0 has been added to the remote site.

    Also, here is a guide for how to set up a site-to-site VPN:

    https://technet.microsoft.com/en-us/library/cc758271(v=ws.10).aspx

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, February 5, 2015 6:13 AM
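To illustrate the point Bill and Steven make (both routers need a route for the other site's LAN over the tunnel), here is a small longest-prefix-match simulation of the two route tables; it is an added example, not code from the thread. The addressing follows the question (192.168.2.0/24 behind the NAT RRAS server at site A, 192.168.1.0/24 at site B); the tunnel endpoint addresses 10.0.0.1 and 10.0.0.2 are an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing from the thread: site A's LAN is 192.168.2.0/24 behind
# the NAT RRAS server, site B's LAN is 192.168.1.0/24. The tunnel subnet and its
# endpoint addresses (10.0.0.1 at site A, 10.0.0.2 at site B) are an assumption;
# each router holds a connected route for the tunnel subnet once the VPN is up.
SITE_A_LAN = ip_network("192.168.2.0/24")
SITE_B_LAN = ip_network("192.168.1.0/24")
TUNNEL = ip_network("10.0.0.0/30")
DEFAULT = ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over a list of (network, interface) entries."""
    addr = ip_address(dst)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def site_a_table():
    """Site A (the NAT RRAS server) with the static route from the question."""
    return [(SITE_A_LAN, "LAN"), (TUNNEL, "VPN"), (SITE_B_LAN, "VPN"),
            (DEFAULT, "Internet (NAT)")]


def site_b_table(has_return_route):
    """Site B router; the return route for 192.168.2.0/24 is the missing piece."""
    table = [(SITE_B_LAN, "LAN"), (TUNNEL, "VPN"), (DEFAULT, "Internet")]
    if has_return_route:
        table.append((SITE_A_LAN, "VPN"))
    return table


def round_trip(src, dst, a_table, b_table):
    """Route the request at site A and the reply at site B; both must use the tunnel."""
    forward = lookup(a_table, dst)
    reply = lookup(b_table, src)
    return {"forward": forward, "reply": reply,
            "ok": forward == "VPN" and reply == "VPN"}


if __name__ == "__main__":
    # A LAN client fails without the return route (the symptom in the question) ...
    print(round_trip("192.168.2.50", "192.168.1.10", site_a_table(), site_b_table(False)))
    # ... while the RRAS server itself succeeds, because site B knows the tunnel subnet.
    print(round_trip("10.0.0.1", "192.168.1.10", site_a_table(), site_b_table(False)))
    # With the static route for 192.168.2.0/24 added at site B, clients work too.
    print(round_trip("192.168.2.50", "192.168.1.10", site_a_table(), site_b_table(True)))
```

The second case shows why the RRAS server can ping the remote subnet while its NAT clients cannot: the reply to the server is routed to the tunnel, but the reply to a 192.168.2.x client falls through to site B's default route.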