Can connect to VPN, cannot access remote resources

  • Question

  • After 3 days of searching for similar cases, I've come to believe I've exhausted myself and possible solutions.

    I'm setting up a PPTP VPN on a 2012 server. I've forwarded ports 1723, 50, 500, and 47 to the VPN server (192.168.0.5).

    Work subnet is 192.168.0.*

    Home subnet is 192.168.1.*

    When I connect with my home PC (home IP: 192.168.1.20), I am assigned 192.168.0.59 from the Work DHCP pool.

    I can ping 192.168.0.5 and the VPN internal interface (192.168.0.60), as well as access shares, RDP, etc. via those IPs, but I cannot ping or access any other resource on the Work network.

    I've granted access in NPS and all of the VPN settings appear to be correct. Below is my routing table at Home...

    ===========================================================================
    Interface List
    31...........................IQ
    18...00 23 15 92 c1 a4 ......Intel(R) Centrino(R) Advanced-N 6250 AGN
    12...64 d4 da 18 e0 b2 ......Intel(R) Centrino(R) WiMAX 6250
    11...88 ae 1d fd ed 1f ......Realtek PCIe FE Family Controller
    1...........................Software Loopback Interface 1
    19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    34...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.20 30
    72.94.51.18 255.255.255.255 192.168.1.1 192.168.1.20 31
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.0.0 255.255.255.0 192.168.0.60 192.168.0.58 26
    192.168.0.58 255.255.255.255 On-link 192.168.0.58 281
    192.168.1.0 255.255.255.0 On-link 192.168.1.20 286
    192.168.1.20 255.255.255.255 On-link 192.168.1.20 286
    192.168.1.255 255.255.255.255 On-link 192.168.1.20 286
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 192.168.1.20 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 192.168.1.20 286
    255.255.255.255 255.255.255.255 On-link 192.168.0.58 281
    ===========================================================================
    Persistent Routes:
    None


    • Edited by Charlie8901 Wednesday, September 26, 2012 2:42 PM Fixed IP
    Wednesday, September 26, 2012 2:38 PM

Answers

  • Thanks Ace. However, I gave up on having it on the virtual server and gave it its own physical machine.

    It pretty much worked 'out of the box'.

    I'm not sure if it was 2012 or that VPN doesn't like virtual environments, but it was one of the two. (I'm more inclined to believe virtual was the problem.)

    I really appreciate you taking the time to lend a hand.

    • Marked as answer by Charlie8901 Monday, October 1, 2012 1:34 PM
    Monday, October 1, 2012 1:34 PM

All replies

  • When you went through the wizard to configure RRAS and VPN, did you allow for LAN Routing, and uncheck the filters checkbox?

    1. Verify if you've enabled RRAS as an IPV4 Router--LAN and demand-dial routing.

    Enable RRAS as a LAN and WAN Router
    http://technet.microsoft.com/en-us/library/dd458974.aspx

    2. Try to connect Intranet resource with IP address instead of server name.

    You cannot access network resources and domain name resolution is not successful when you establish a VPN connection to the corporate network from a Windows Vista-based computer
    http://support.microsoft.com/kb/929853

    3. You need add static route if your VPN client and Intranet resource is not in same subnet.

    VPN clients are unable to access resources beyond the VPN server
    http://technet.microsoft.com/en-us/library/cc772616(WS.10).aspx#BKMK_5

    "I've forwarded ports 1723, 50, 500, and 47 to the VPN server (192.168.0.5)."

    Btw - If you enabled (assuming TCP) TCP 47 for PPTP VPNs, that's actually not a port number. It's actually a "Protocol ID" number.

    What was TCP 50 opened for?

    I assume that's UDP 500? That's usually for the SA portion of an IPSec security association to be established, such as for L2TP VPNs. That's not needed for PPTP.

    Here's the breakdown:

    PPTP VPN port translation requirements:
    TCP 1723
    Protocol ID 47 (also known as GRE, which is how a Cisco ASA or other firewalls refer to it; Linksys refers to it as "PPTP Passthrough")

    L2TP VPN port translation requirements:
    TCP 1701
    UDP 500
    Protocol ID 50   (also known as AH or Authentication Headers for IPSec - Linksys refers to this as "L2TP Passthrough")
    Protocol ID 51   (also known as ESP - Encapsulated Secure Payload - Linksys refers to this as "L2TP Passthrough")


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, September 27, 2012 6:28 AM
  • "1. Verify if you've enabled RRAS as an IPV4 Router--LAN and demand-dial routing."

    It's configured that way.

    "2. Try to connect Intranet resource with IP address instead of server name."

    I've been using IP addresses to remove DNS as a potential point of failure. If I am able to access resources by IP but not by hostname, I'll look at DNS.

    "3. You need add static route if your VPN client and Intranet resource is not in same subnet."

    They are on the same subnet. VPN is pulling 10 addresses from the DHCP pool. DHCP is located on the VPN server (and is working fine to my knowledge). The DHCP Relay Agent is pointing to 0.5.

    "Ports..."

    I read it somewhere and tried it. So I don't need 500 since I'm not using L2TP?


    • Edited by Charlie8901 Thursday, September 27, 2012 1:34 PM
    Thursday, September 27, 2012 1:33 PM
  • "Ports..."

    I read it somewhere and tried it. So I don't need 500 since I'm not using L2TP?


    Correct. Same with TCP 50, but that's not used with L2TP anyway, because it uses the Protocol ID number (note: a Protocol ID is NOT a port number).

    What I'm concerned with is you configured Port 47 (you didn't specify TCP or UDP), but as I pointed out, it's important to understand that PPTP needs "Protocol ID 47" and NOT Port 47. A Port is NOT the same as a Protocol ID.

    A "Protocol ID" signifies a specific application language the service is using. With Protocol ID 47 that PPTP uses, the application language is actually called GRE (Granular Encapsulated Routing).

    I hope you understand the difference and are able to properly configure that in your firewall. If not sure, here's a good explanation:

    What is the difference between a port and a protocol?
    http://stackoverflow.com/questions/586882/what-is-the-difference-between-a-port-and-a-protocol

    I believe we need to determine if you properly configured the port translation in your firewall (how-to depends on the name brand of your firewall) before we can move on with troubleshooting.




    Thursday, September 27, 2012 5:24 PM
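The port-versus-protocol distinction Ace draws in the two replies above (TCP 1723 is a port; GRE, Generic Routing Encapsulation, is IP protocol number 47 and has no ports at all) can be checked mechanically. The script below is an added example for this thread, not code from any participant: it constructs a PPTP control segment and a PPTP GRE data packet, parses the IPv4 headers back, and evaluates two simplified allow-rule sets against them. The first rule set repeats the mistake discussed above ("TCP port 47"); the second uses the protocol number. All addresses, rule names and packet contents are constructed for illustration; the firewall model is a minimal first-match list, not any vendor's engine.

```python
"""Added example (not from the thread): why a firewall rule for "TCP port 47"
never matches PPTP data traffic, which is IP protocol 47 (GRE), not a port.

Builds minimal IPv4 packets (constructed sample data), parses the headers back,
and evaluates simplified first-match allow rules against them."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # PPTP data channel (GRE): an IP protocol number, never a port


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]   # None when the protocol carries no ports (e.g. GRE)
    dport: Optional[int]


@dataclass
class Rule:
    name: str
    proto: int
    dport: Optional[int] = None   # None: match the whole protocol, any "port"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


def build_ipv4(proto: int, payload: bytes, src: str, dst: str) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp_segment(sport: int, dport: int) -> bytes:
    """Bare TCP SYN header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_pptp_gre(call_id: int) -> bytes:
    """Enhanced GRE header as used by PPTP (RFC 2637): K flag set, version 1,
    protocol type 0x880B (PPP), then the key field (payload length, call ID)."""
    return struct.pack("!HHHH", 0x2001, 0x880B, 0, call_id)


def parse_packet(raw: bytes) -> Packet:
    """Recover protocol, addresses and (for TCP/UDP only) the port pair."""
    (vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    l4 = raw[ihl:]
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport)


def first_match(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Name of the first rule that allows the packet, or None (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


# Rule sets. The first is the misreading discussed in the thread: GRE as "port 47".
WRONG_PPTP_RULES = [Rule("pptp-control", IPPROTO_TCP, 1723),
                    Rule("pptp-gre-as-port", IPPROTO_TCP, 47)]
CORRECT_PPTP_RULES = [Rule("pptp-control", IPPROTO_TCP, 1723),
                      Rule("pptp-gre", IPPROTO_GRE)]

# Constructed sample traffic: the thread's home client talking to the VPN server.
CLIENT, SERVER = "192.168.1.20", "192.168.0.5"
CONTROL_PKT = build_ipv4(IPPROTO_TCP, build_tcp_segment(51000, 1723), CLIENT, SERVER)
DATA_PKT = build_ipv4(IPPROTO_GRE, build_pptp_gre(call_id=1), CLIENT, SERVER)


def check_ruleset(rules: List[Rule]) -> dict:
    """Which rule (if any) admits each of the two PPTP channels."""
    return {"control": first_match(parse_packet(CONTROL_PKT), rules),
            "data": first_match(parse_packet(DATA_PKT), rules)}


if __name__ == "__main__":
    print("port-47 ruleset:    ", check_ruleset(WRONG_PPTP_RULES))
    print("protocol-47 ruleset:", check_ruleset(CORRECT_PPTP_RULES))
```

With the "port 47" rule set the control channel is admitted but the GRE data channel is dropped, which is exactly the symptom of a tunnel that authenticates and then carries no traffic; with the protocol-number rule both channels pass. On a real firewall the GRE rule is entered as a protocol (on Windows Firewall, for instance, as protocol number 47), not under TCP or UDP.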
  • The post I read said 'port', which is why I had that port forwarded, but I understand what you mean.

    I've double checked with the firewall admin and it's configured to forward PPTP traffic on TCP 1723 using TCP and GRE. It's a Verizon Fios router.

    It's kind of late in the game to mention this, and I'm not sure why I didn't before, but this server is a Xen VM. Does that make a difference?



    • Edited by Charlie8901 Thursday, September 27, 2012 7:26 PM
    Thursday, September 27, 2012 6:17 PM
  • Seems a few people that have recently posted are having the same issue. I have it setup at a few customers with no problems. I believe it may be a simple misconfig when running the wizard. Try to go through the setup again (follow the video below), or see if the other links help:

    How To Install and Configure RRAS NAT & VPN (YouTube Video): 2008/2008 R2
      How to install routing and remote access server and test the installation with a VPN connection.
      http://www.youtube.com/watch?v=wpt2z3LA0dQ

    How to Enable NAT on Windows Server 2008 R2
     http://www.youtube.com/watch?v=nQhFbEPlRsU&feature=related

    Lose connection to RRAS server once a VPN client connects.
    Technet Thread: "Difficult with VPN on Server 2008 Standard R2" 12/21/2011
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2bad6260-328a-4727-bde0-8fcaca572db5/

    How to detect if RRAS server is dropping all other traffic except VPN traffic (such as when a VPN client connects, internal users lose access to the server)
     http://blogs.technet.com/b/rrasblog/archive/2006/07/06/enabling-rras-drops-all-other-traffic-except-vpn-traffic.aspx

    Lost Internet on computer after VPN is established
     http://forums.techarena.in/small-business-server/889332.htm

    Routing Issues with VPN:
     http://www.chicagotech.net/routingissuesonvpn.htm

    Can't Ping External Network Adapter After Configuring RRAS as a VPN Server
     Quoted: "... When you use the Routing and Remote Access Server Setup Wizard to configure RRAS as a VPN server, Input and Output filters are automatically configured on the external network adapter to process only VPN traffic ..."
    "... for the security reason, the RRAS modify the routing table and enable incoming VPN connections only so that no other forward packets over the interface except PPTP or L2TP traffic."
     http://www.chicagotech.net/vpnasrouter.htm

    One solution posted from a previous thread:

    Technet thread: "Internet Access through VPN server - need help please"  6/28/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8db49948-1962-408b-9996-4a9584b3500d/

    Quoted solution from above link:
    1. Open Server Manager
    2. Network Policy and Access Services
    3. Routing and Remote Access
    4. IPv4
    5. NAT
    6. Right mouse, New Interface
    7. Choose a NIC (in my case the options were 'Local Area Connection 3' and 'Internal', so I went with the first one)
    8. Uncheck the box "Enable security on the selected interface by setting up Basic Firewall," otherwise if a VPN user connects, no one in the network will be able to access the VPN server for files, resources, etc, and especially detrimental if it is a DC, which is part of the reason we recommend RRAS not be on a DC and be on a separate server.
    9. On the NAT tab, selected "Public Interface connected to the internet"
    10. Ticked "Enable NAT on this interface"
    11. Click OK
    12. All done - now test your VPN connection from the client



    • Proposed as answer by Spider3 Tuesday, November 6, 2012 7:57 AM
    Thursday, September 27, 2012 10:41 PM
  • How To Install and Configure RRAS NAT & VPN (YouTube Video): 2008/2008 R2
      How to install routing and remote access server and test the installation with a VPN connection.
      http://www.youtube.com/watch?v=wpt2z3LA0dQ

    How to Enable NAT on Windows Server 2008 R2
     http://www.youtube.com/watch?v=nQhFbEPlRsU&feature=related

    I don't have NAT set up because I don't have a public IP I can assign to an external interface. I went through the motions anyway, and the problem persists: I can connect to VPN, and access resources on the VPN server (ping all of its IPs, access shares, etc.), but I cannot access resources on the remote network.

    Lose connection to RRAS server once a VPN client connects.
    Technet Thread: "Difficult with VPN on Server 2008 Standard R2" 12/21/2011
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2bad6260-328a-4727-bde0-8fcaca572db5/

    That's not the problem I'm having, but it did lead me to another post which said, "Verify that either the protocol is enabled for routing or that dial-in clients are allowed to access the entire network for LAN protocols being used by the VPN clients."

    The question is, HOW do I verify that "dial-in clients are allowed to access the entire network for LAN protocols being used by the VPN clients"? The post I read didn't specify, and I am unable to find anything within RRAS configuration for this (aside from NAT configuration, which I'm not using at this point).

    Lost Internet on computer after VPN is established 
     http://forums.techarena.in/small-business-server/889332.htm

    I'm not having this problem.

    Routing Issues with VPN:
     http://www.chicagotech.net/routingissuesonvpn.htm 

    Symptom: after establishing VPN, you can ping and access the VPN server, but not other servers and the network resources.

    Cause: 1. incorrect NAT/Firewall settings.
    2. ISA/Proxy blocking.
    3. Disable IP routing/forwarding.

    That's not terribly helpful. I'm not using NAT, and the firewall is allowing traffic through. I'm not running ISA, nor do I have any proxies set up. "Disable IP routing/forwarding"? Do they mean IP routing/forwarding being disabled is a cause? This isn't the case.

    Can't Ping External Network Adapter After Configuring RRAS as a VPN Server
     Quoted: "... When you use the Routing and Remote Access Server Setup Wizard to configure RRAS as a VPN server, Input and Output filters are automatically configured on the external network adapter to process only VPN traffic ..."
    "... for the security reason, the RRAS modify the routing table and enable incoming VPN connections only so that no other forward packets over the interface except PPTP or L2TP traffic."
     http://www.chicagotech.net/vpnasrouter.htm

    I don't have an external interface. Right now, the server has 1 interface.

    Your last suggestion doesn't really apply, as I'm not using NAT for internet access.

    If I can get access to the internal network (past the VPN server), I will worry about clients having internet access. I was reading a pretty good article about split tunneling earlier that would help, but I'm not at that point yet.

    Friday, September 28, 2012 2:47 PM
  • I created screenshots from a working 2008 R2 VPN server with a single NIC. I haven't put together a blog on it yet, which I will shortly, but here are the screenshots. Maybe they will help out:

    http://sdrv.ms/PwMSvS

    Friday, September 28, 2012 8:07 PM
  • One solution posted from a previous thread:

    Technet thread: "Internet Access through VPN server - need help please"  6/28/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/8db49948-1962-408b-9996-4a9584b3500d/

    Quoted solution from above link:
    1. Open Server Manager
    2. Network Policy and Access Services
    3. Routing and Remote Access
    4. IPv4
    5. NAT
    6. Right mouse, New Interface
    7. Choose a NIC (in my case the options were 'Local Area Connection 3' and 'Internal', so I went with the first one)
    8. Uncheck the box "Enable security on the selected interface by setting up Basic Firewall," otherwise if a VPN user connects, no one in the network will be able to access the VPN server for files, resources, etc, and especially detrimental if it is a DC, which is part of the reason we recommend RRAS not be on a DC and be on a separate server.
    9. On the NAT tab, selected "Public Interface connected to the internet"
    10. Ticked "Enable NAT on this interface"
    11. Click OK
    12. All done - now test your VPN connection from the client


    I spent the whole day yesterday investigating this problem. I have the same configuration applied to different customers (Single Nic RRAS Vpn, ipv4 Routing enabled), but there is one site where I can connect the vpn successfully but unable to access the network, just rras server itself.

    Thanks to this "workaround" (not applied to other customers with exactly the same configuration) now it's working perfectly and I got access to all resources on the network. Thanks!

    Tuesday, November 6, 2012 8:03 AM
  • I'm happy to hear it helped you, Spider! :-)

    And sorry it didn't help Charlie.



    Tuesday, November 6, 2012 3:09 PM
  • I ran into the same issue on an SBS11 OS. The PPTP VPN establishes a session, but only resources on the SBS were accessible. I could ping the other resources in the environment, but nothing above layer 3 was accessible. Alternate VPNs (SonicWALL GVPN and SSL-VPN) to the same location worked fine; all resources were accessible.

    In my case, another tech from our shop installed the "Full Server Protection" Symantec SEP package on the SBS which included Symantec's firewall. I changed the installation to "Basic", restarted the server and verified the PPTP VPN could now access all resources in the environment -- including shared folders on a member server.

    Saturday, February 9, 2013 6:34 PM
  • AV software is known to block necessary traffic. Glad to hear you figured it out. I hope it helps others.

    Saturday, February 9, 2013 7:01 PM
  • Hi All,

    Building on this conversation, I am trying to set up a site to site vpn between two windows 2008 R2 Servers. (remote and Central Sites)

    Remote Site 192.168.1.*

    Central Site 192.168.69.*

    I am able to get a Demand Dial VPN from the Remote to Central working where I can ping all resources on the central 192.168.69.8 subnet, but I cannot get to the Central 192.168.69.8 resources from any other computer on the 192.168.1.8 Subnet

    I believe this proves that the actual VPN Tunnel works and that my issue is routing related

    I have added a static route 192.168.69.0 255.255.255.0 metric 1 to the server on the 192.168.1.* remote subnet end (no Gateway)
    and
    I have added a static route 192.168.1.0 255.255.255.0 metric 1 to the server on the 192.168.69.* central subnet end (No Gateway)

    However, when I enable a demand dial interface on the Central Server (which connects with the incoming VPN from Remote somehow; I do not understand this, but have done it as per examples googled) I have no connectivity at all to anything at all

    I have removed all firewalls between the servers, including the SonicWall on the remote site

    Remote network is as follows

    Router 192.168.1.10 (only one interface on Lan, Gateway is to Internet)
    Gateway 192.168.1.1
    Subnet 192.168.1.0
    Mask 255.255.255.0

    Central Server

    Router 192.168.69.42 (Lan) 172.xxx.xxx.xxx (WAN) (Two Interfaces)
    Lan Gateway 192.168.69.3 (Set to force Windows to recognize the Lan as Private, we have no internet access from the Lan)
    Lan Subnet 192.168.69.0
    Mask 255.255.255.0

    The central router also has another VPN from a second Windows server demand dial connection, this is on IP 192.168.69.11. From this server, I can see the whole 192.168.69.* subnet, but cannot access resources on this server from the Central router or any other computer on the central subnet. (ie: It appears to be a "One Way" Connection)

    All VPNs are PPTP

    I have been at this for over one week now, and am at a dead end, any help will be greatly appreciated

    Thanks

    Mark

    Routing Table from the Remote router is

    C:\Users\Administrator>route print
    ===========================================================================
    Interface List
     30...........................web2.markware.net
     29...........................RAS (Dial In) Interface
     15...00 1c c0 0e 0b f4 ......Intel(R) PRO/100 VM Network Connection
     13...00 1b 11 66 0c 28 ......Realtek RTL8139/810x Family Fast Ethernet NIC #2
     11...00 1b 11 66 0e 52 ......Realtek RTL8139/810x Family Fast Ethernet NIC
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10    276
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       173.231.15.222  255.255.255.255      192.168.1.1     192.168.1.10     21
          192.168.1.0    255.255.255.0         On-link      192.168.1.10    276
         192.168.1.10  255.255.255.255         On-link      192.168.1.10    276
         192.168.1.15  255.255.255.255         On-link      192.168.1.15    306
        192.168.1.255  255.255.255.255         On-link      192.168.1.10    276
         192.168.69.0    255.255.255.0     192.168.1.11    192.168.69.10     21
        192.168.69.10  255.255.255.255         On-link     192.168.69.10    276
        192.168.224.0    255.255.224.0      192.168.1.1     192.168.1.10     22
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.1.10    276
            224.0.0.0        240.0.0.0         On-link      192.168.1.15    306
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.10    276
      255.255.255.255  255.255.255.255         On-link      192.168.1.15    306
      255.255.255.255  255.255.255.255         On-link     192.168.69.10    276
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.1.1  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     14     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     14     58 2001::/32                On-link
     14    306 2001:0:9d38:953c:282c:7ff1:86c9:8f41/128
                                        On-link
     14    306 fe80::/64                On-link
     14    306 fe80::282c:7ff1:86c9:8f41/128
                                        On-link
      1    306 ff00::/8                 On-link
     14    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    Routing Table from the Central router is

    C:\Users\Administrator.web2>route print
    ===========================================================================
    Interface List
     29 ........................... Doomsville
     17 ...00 15 5d 0f 8c 57 ...... Microsoft Virtual Machine Bus Network Adapter #7
     16 ...00 15 5d 0f 8c 54 ...... Microsoft Virtual Machine Bus Network Adapter #6
     28 ........................... RAS (Dial In) Interface
      1 ........................... Software Loopback Interface 1
     18 ...00 00 00 00 00 00 00 e0  isatap.{3E877E89-1A10-4050-B95F-96CF29D34554}
     20 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
     10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
     19 ...00 00 00 00 00 00 00 e0  isatap.local
     21 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
     22 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #4
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     173.231.15.1   173.231.15.222     15
              0.0.0.0          0.0.0.0     192.168.69.3    192.168.69.21    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         173.231.15.0    255.255.255.0         On-link    173.231.15.222    261
       173.231.15.222  255.255.255.255         On-link    173.231.15.222    261
       173.231.15.255  255.255.255.255         On-link    173.231.15.222    261
          192.168.1.0    255.255.255.0    192.168.69.10     192.168.1.11     11
         192.168.1.11  255.255.255.255         On-link      192.168.1.11    266
         192.168.69.0    255.255.255.0         On-link     192.168.69.21    261
        192.168.69.21  255.255.255.255         On-link     192.168.69.21    261
       192.168.69.240  255.255.255.255         On-link    192.168.69.240    306
       192.168.69.255  255.255.255.255         On-link     192.168.69.21    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.69.21    261
            224.0.0.0        240.0.0.0         On-link    173.231.15.222    261
            224.0.0.0        240.0.0.0         On-link    192.168.69.240    306
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.69.21    261
      255.255.255.255  255.255.255.255         On-link    173.231.15.222    261
      255.255.255.255  255.255.255.255         On-link    192.168.69.240    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.11    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0   173.231.27.193  Default
              0.0.0.0          0.0.0.0     173.231.15.1      10
              0.0.0.0          0.0.0.0   173.231.27.193  Default
              0.0.0.0          0.0.0.0     192.168.69.1     100
              0.0.0.0          0.0.0.0     67.222.151.1  Default
              0.0.0.0          0.0.0.0     173.231.15.1      10
              0.0.0.0          0.0.0.0     192.168.69.3  Default
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     20   1105 ::/0                     2002:c058:6301::c058:6301
      1    306 ::1/128                  On-link
     10     18 2001::/32                On-link
     10    266 2001:0:9d38:6ab8:803:2d1b:5218:f021/128
                                        On-link
     20   1005 2002::/16                On-link
     20    261 2002:ade7:fde::ade7:fde/128
                                        On-link
     10    266 fe80::/64                On-link
     10    266 fe80::803:2d1b:5218:f021/128
                                        On-link
      1    306 ff00::/8                 On-link
     10    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None


    Wednesday, February 27, 2013 6:42 AM
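Both Charlie's original single-client case and Mark's site-to-site case above come down to the same question: for a packet bound for the far subnet, which next hop does a given host's routing table select? The script below is an added example for this thread, not any participant's code or a Microsoft tool: it parses the "Active Routes" rows of Windows `route print` output and performs the lookup Windows performs (longest matching prefix, then lowest metric). The first table is an excerpt of Mark's Remote-site RRAS server table exactly as posted; the second is a constructed table for an ordinary workstation on that LAN (its address 192.168.1.50 is an assumption) that has nothing but a default gateway. It illustrates the point behind Ace's follow-up question about static routes: such a workstation hands 192.168.69.x traffic to 192.168.1.1, its internet router, unless it (or that router) carries a route pointing at the RRAS server 192.168.1.10. The route added at the end is the hypothetical fix, not something the thread confirms.

```python
"""Added example (not from the thread): longest-prefix lookup over the IPv4
"Active Routes" section of Windows `route print` output, used to ask
"which next hop does this host use for a far-subnet address?"."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # "On-link" or the next-hop IPv4 address
    interface: str      # address of the local interface the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep the 5-column rows (dest, mask, gateway, interface, metric); header,
    separator, interface-list and persistent-route rows are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)
        except ValueError:
            continue   # not a route row
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Windows route selection: longest prefix wins, ties broken by lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Address the frame is actually addressed to: the destination itself for
    an On-link route, otherwise the route's gateway."""
    route = lookup(routes, dst)
    if route is None:
        return None
    return dst if route.gateway == "On-link" else route.gateway


def add_static_route(routes: List[Route], network: str, gateway: str,
                     interface: str, metric: int = 1) -> None:
    """Model `route add <net> mask <mask> <gateway> metric <n>` on a host."""
    routes.append(Route(ipaddress.IPv4Network(network), gateway, interface, metric))


# Excerpt of the Remote-site RRAS server table as posted in the thread.
REMOTE_RRAS_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    276
     192.168.1.10  255.255.255.255         On-link      192.168.1.10    276
     192.168.69.0    255.255.255.0     192.168.1.11    192.168.69.10     21
    192.168.69.10  255.255.255.255         On-link     192.168.69.10    276
    192.168.224.0    255.255.224.0      192.168.1.1     192.168.1.10     22
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
"""

# Constructed: a plain workstation on the Remote LAN with only a default gateway
# (the address 192.168.1.50 is an assumption, not taken from the thread).
LAN_WORKSTATION_ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
     192.168.1.50  255.255.255.255         On-link      192.168.1.50    281
"""


def where_does_central_traffic_go(central_host: str = "192.168.69.8") -> dict:
    """Next hop for a Central-site address from the RRAS server, from the plain
    workstation, and from the workstation after a (hypothetical) static route
    towards the RRAS server 192.168.1.10 is added."""
    rras = parse_route_print(REMOTE_RRAS_ROUTE_PRINT)
    ws = parse_route_print(LAN_WORKSTATION_ROUTE_PRINT)
    before = next_hop(ws, central_host)
    add_static_route(ws, "192.168.69.0/24", "192.168.1.10", "192.168.1.50")
    after = next_hop(ws, central_host)
    return {"rras_server": next_hop(rras, central_host),
            "workstation": before,
            "workstation_with_route": after}


if __name__ == "__main__":
    for host, hop in where_does_central_traffic_go().items():
        print(f"{host:24s} -> {hop}")
```

Run against your own `route print` output by pasting it into the string constants; the parser ignores the interface list and the IPv6 section. When the workstation's next hop for the far subnet comes out as the internet router rather than the RRAS server, the tunnel itself is not the problem, and the fix belongs in the LAN's routing (a static route on each host, or on the router that those hosts use as their default gateway).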
  • Did you create a static route on the 172 or whatever router connected to the ISP, for the 192.168.1.0 subnet?


    Wednesday, February 27, 2013 1:48 PM
  • Hi Ace, I created static routes on both routers, on the Demand Dial Connections, on the Remote site, 192.168.69.0 255.255.255.0 (no Gateway) and on the Central Site 192.168.1.0 255.255.255.0 (no Gateway).

    I did not create a static route on the physical adaptors. Should I? If so, I'm not sure what to use for the gateway.

    Cheers

    Mark


    Wednesday, February 27, 2013 11:08 PM
  • Ace's advice regarding MS's RRAS service is spot on, but I'd like to offer a suggestion. I hate to jump in the middle of this conversation Ace, but I have a very, very simple solution. If you have a SonicWALL firewall device at one location, just make sure you have one at the other site(s). Then you take advantage of their built-in site-to-site VPN service. I've been using their S2S VPN services for about nine years, and they've worked flawlessly at hundreds of locations. Configure it once, verify connectivity and you never have to worry about it again.
    If you're not comfortable configuring the SonicWALL S2S VPN connection, you can always take advantage of SW's free tech support if the devices have a current support agreement. Just give them a call, and they'll walk you through the config.
    While I live, eat and breathe Microsoft every day, I have a strong Cisco networking background. So I have an obvious bias that routers should handle services like this. Lots of SMBs can't afford Cisco's solutions, so I've been using SW's for services like this for a very, very long time.


    • Edited by JD000 Thursday, February 28, 2013 6:40 AM typo
    Thursday, February 28, 2013 6:19 AM
  • Hi JD

    If I could, I would use Sonic walls both sides. (we have several VPNS running using Sonic Walls) Unfortunately, our central site is in a Data Center (This is a new rollout using off shore capability for us) and the data center will not put external devices in for us, otherwise I would not be doing what I am doing. The Sonic Wall VPN's are excellent and just work forever once running.

    FYI, I first actually tried to get an old Sonicwall TZ170 to connect to win 2008 R2 router using IPSec on the Firewall Policies, got the tunnel running, but could not get to the network or servers, so gave up and reverted to a Server to Server RRAS solution, but hit a roadblock on this as well.

    Sonic Walls rock .. :) Win Server 2008 Rolls ... :)

    Cheers

    Mark



    Thursday, February 28, 2013 7:32 AM
  • Sorry about the necroing of your post but I came across it while troubleshooting my own VPN issues.

    When you're using a VPN connection to create a remote desktop connection to your work PC
    the RRAS (Routing and Remote Access Server) will assign you a unique port number.
    That port number is between 49152 - 65535.

    So in order for the remote desktop connection to work, you need to add that port range
    along with port 3389, in your firewall allow list

    Ex.

    Local port: 49152-65535 (assigned by RRAS)
    Remote port: 3389 (remote desktop port)
    Protocol: TCP
    Direction: Both
    Rule: Allow

    Here is how it works, and the port numbers:

    Home PC----3389---VPN ---3389---Company Router/Firewall---3389---RRAS---49152-65535---Work PC

    Tuesday, February 20, 2018 2:51 PM