2008 R2 RRAS dial-out routing

  • Question

  • Hello,

    I would like to connect two networks via VPN. On a 2008 R2 server, I've configured "dial on demand" over VPN to a 2003 R2 server on the other network. The connection comes up, and from one server I can ping the other one (even the LAN IPs, not just the VPN IPs.)

    On the network containing the 2008 R2 server, the machines have this server as default gateway. On the server, default gateway points to a (local) router, and a route for the remote network IP range points to the VPN adapter.

    Now the clients can access the internet (already routed via the 2008 server, but then going to the local router), but can not ping the other network (supposed to go over VPN.)

    Why is this the case? If I do a tracert from a local client to the remote server, I see the local server as the first hop, then only timeouts. If I do the tracert on the local server, the first hop is the remote server.

    Why does the local server not route the local traffic to the remote server, but does so for traffic originating on the local server itself?


    Regards, AngusMac




    • Edited by AngusMac Wednesday, May 9, 2012 8:48 PM
    Wednesday, May 9, 2012 8:46 PM

Answers

  •   It is not as simple as that. Routing is a two-way process. You must have routes on both sides to make it work. Search for site to site VPN or router to router VPN or LAN to LAN VPN to see what is required. Basically you need a VPN server in both sites and the VPN connection is between the two VPN servers (i.e. it is a router to router connection).

      The normal VPN setup only works for a client-server connection. It cannot handle routing for machines other than the connecting client itself.

     

    Bill

    Thursday, May 10, 2012 1:01 AM
  • In addition to Bill's suggestions, here are my notes and links on this:

    =================

    It's possible to create a site-to-site VPN using just RRAS but you have to be very careful with setting it up. The static routes which route traffic from one site to the other must bind properly to the demand-dial interfaces when the connection is made. You have to set this up manually. Only when this happens will the routing work between sites. Each site must have a static route to the other site through the VPN connection.

    The following link is an excellent write-up from a poster who had trouble setting up a Site to Site L2TP VPN with two Windows 2008 servers with a certificate from his own Certificate Authority. He finally got it working. He took the time to document and screenshot every step for anyone else who has problems setting it up.

    Step by Step - Site to Site or Router to Router VPN Server 2008 on SkyDrive:
    https://skydrive.live.com/P.mvc#!/view.aspx/Site%20to%20Site%20or%20Router%20to%20Router%20VPN%20Server%202008.docx?cid=e81114cae704d772&sc=documents

    Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test Lab
    http://technet.microsoft.com/en-us/library/cc758271(WS.10).aspx

    Windows 2003 L2TP-based router-to-router VPN deployment
    http://technet.microsoft.com/en-us/library/cc778515(WS.10).aspx

    Unable to ping the tunnel address of a Demand Dial Connection on Windows Server 2008 RRAS
    As a best practice recommendation a server hosting RRAS should contain two NICs and be hosted on its own server. This helps keep the networking simple and if the server is compromised it keeps it a step away from sensitive data that may exist on other servers.
    A Quick Review – Setting up a RRAS Demand Dial Connection
    http://blogs.technet.com/b/networking/archive/2008/11/07/unable-to-ping-the-tunnel-address-of-a-demand-dial-connection-on-windows-server-2008-rras.aspx

    How do I... Configure a network to use demand dial routing?
    http://www.techrepublic.com/article/how-do-i-configure-a-network-to-use-demand-dial-routing/6103901

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, May 10, 2012 4:55 AM
  • Hi AngusMac,

    Thanks for posting here.

    > On the server, default gateway points to a (local) router, and a route for the remote network IP range points to the VPN adapter.

    > Now the clients can access the internet (already routed via the 2008 server, but then going to the local router), but can not ping the other network (supposed to go over VPN.)

    (Remote B networks)-----RRAS 2003-----(Internet)-----Router----- 2008 R2-----(Internal A network)-----Clients

    First of all, the RRAS 2003 host should be aware of the routing entries which point to the other internal subnets in the B network. Meanwhile, hosts on other subnets in the B network should also be aware of the routing entries which point to the IP segments of the A network, or simply use RRAS 2003 as their default gateway. We have to set it up this way because clients in the B network also need to know where to send traffic destined for an IP segment in the remote A network, so that it goes through the proper tunnel, just like what we did on the hosts in the A network.

    IPv4 Routing

    http://technet.microsoft.com/en-us/library/bb727001.aspx#EEAA

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Monday, May 14, 2012 2:24 AM
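The point Bill and Tiger Li make (the return path on the B side is what is missing, not the forward path) can be checked with a small routing-table simulation. This is an added example, not code from the thread or from RRAS; all addresses are constructed lab values, and it only models longest-prefix-match route selection on the two servers.

```python
import ipaddress

# Constructed lab addressing (assumptions, not values from the thread).
NET_A = "192.168.1.0/24"          # site A LAN behind the 2008 R2 server
NET_B = "192.168.2.0/24"          # site B LAN behind the 2003 R2 server
TUNNEL = "10.0.0.0/24"            # addresses handed out for the VPN link
A_CLIENT = "192.168.1.50"         # a site A workstation (gateway = A_Server)
A_SERVER_TUN = "10.0.0.2"         # A_Server's own address on the tunnel
B_SERVER_TUN = "10.0.0.1"         # B_Server's address on the tunnel
B_SERVER_LAN = "192.168.2.1"

def next_hop(table, dst):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# A_Server: LAN, tunnel, a static route for site B via the demand-dial
# interface, and a default route towards the local Internet router.
A_SERVER = [(NET_A, "LAN"), (TUNNEL, "VPN"), (NET_B, "VPN"), ("0.0.0.0/0", "LAN")]

# B_Server as described in the question: it knows its own LAN, the tunnel
# link and a default route, but has no route back to site A's LAN.
B_SERVER_NO_RETURN = [(NET_B, "LAN"), (TUNNEL, "VPN"), ("0.0.0.0/0", "WAN")]

# B_Server after adding the return route the replies above call for.
B_SERVER_WITH_RETURN = B_SERVER_NO_RETURN + [(NET_A, "VPN")]

def ping_path(src, dst, b_table):
    """Interfaces used for the echo request leaving A_Server and for
    B_Server's echo reply back to src."""
    return next_hop(A_SERVER, dst), next_hop(b_table, src)

def reachable(src, dst, b_table):
    """A ping only succeeds if both directions use the tunnel."""
    request_iface, reply_iface = ping_path(src, dst, b_table)
    return request_iface == "VPN" and reply_iface == "VPN"

if __name__ == "__main__":
    # A_Server's own ping is sourced from its tunnel address, which B_Server
    # sees as on-link, so it works even without a return route.
    print(reachable(A_SERVER_TUN, B_SERVER_LAN, B_SERVER_NO_RETURN))   # True
    # A_Client's request is forwarded fine, but B_Server sends the reply to
    # 192.168.1.50 out its default route: the "first hop A_Server, then only
    # timeouts" tracert from the question.
    print(reachable(A_CLIENT, B_SERVER_LAN, B_SERVER_NO_RETURN))       # False
    print(reachable(A_CLIENT, B_SERVER_LAN, B_SERVER_WITH_RETURN))     # True
```

The model deliberately ignores the other requirement Bill raises (B_Server must treat the connection as a router-to-router link, not as a single dial-in client); it shows only the route-table half of the problem.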

All replies

  •    The normal VPN setup only works for a client-server connection. It cannot handle routing for machines other than the connecting client itself.

     

    Bill

    Did I understand you correctly: Let's say I have Networks A and B and the machines Server and Client. A_Server connects via RRAS to B_Server. Then even if A_Client is routing everything through A_Server as a default gateway, A_Client will never be able to reach B_Server? There will be absolutely no routing performed by A_Server?


    Regards, AngusMac

    Thursday, May 10, 2012 10:52 AM
  • The difference between my setup and those in all of the guides is that I indeed only have a single connection, not two. That is to say, A_Server dials out to B_Server, but B_Server does not "dial back into" A_Server.

    What still eludes me is the failure mode here: If A_Client routes through A_Server, and A_Server can ping B_Server, why can't A_Client ping B_Server?

    I still don't see how the second connection could play a part here. (In contrast, I fully understand why B_client can't ping A_Server as long as B_Server isn't dialling into A_Server.)


    Regards, AngusMac


    • Edited by AngusMac Thursday, May 10, 2012 11:15 AM
    Thursday, May 10, 2012 11:14 AM
  • With a single dialout, the last article in the list indicates to specify a static route so traffic can flow both ways.

    Some of my notes on single demand dial configs:

    .

    =============
    Issues with Demand-Dial

    Behavior of Unreachable Demand Dial Interfaces in RRAS
    http://support.microsoft.com/kb/193834/en-us
    "When RRAS attempts to connect a Demand-Dial interface, the status field has a value of "Connecting." The static route that is used to activate the Demand-Dial interface is viewable under Static Routes in RRAS.

    If the phone number or VPN server that is dialed is not available, the Demand-Dial interface will be marked "Unreachable" only after it has failed all redial attempts. It will then stay Unreachable for a default period of 10 minutes. The static route disappears from the routing table when the interface status is marked "Unreachable."

    After the wait interval, the status of the Demand-Dial interface will change to "Disconnected," at which point the Demand-Dial interface is available for use.
    If the Demand-Dial interface fails to connect again after this wait interval, it will then be marked "Unreachable" for a period of 20 minutes and, again, the static route will disappear from the routing table. Then, when the wait period is over, the status goes back to "Disconnected."

    This cycle continues in 10 minute intervals until 6 hours has been reached. The default maximum wait time remains at 6 hours until one of the following occurs:

    • A successful connection has been established [through either the wait interval described here or manual dialing].
    -or-
    • The router has been stopped and restarted.
     
    Choosing an On-Demand or Persistent Connection
    http://technet.microsoft.com/en-us/library/cc780660(WS.10).aspx

    How to Use Static Routes with Routing and Remote Access Service (using the RRAS Console)
    http://support.microsoft.com/kb/178993

    =============================

    .

    Any possibility to set it up as a tunnel between two RRAS servers, one on each end? That seems to be the better option for what you're trying to achieve, or go with a non-RRAS solution, such as a pair of Cisco ASA 5505's, one on each side.

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, May 10, 2012 4:10 PM
  • Hi AngusMac,

    If there is any update on this issue, please feel free to let us know.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Tuesday, May 15, 2012 8:29 AM
  • Hi,

    If possible I'd like to join the discussion.
    I've been working 12 years as an MCSA, so I'm not entirely green, but still, I've run into the exact same issue as described by AngusMac.

    My setup is very simple, that is why I can nicely test it and describe the differences.

    1. I'm switching from a dual site-to-site demand-dial RRAS 2003 R2 setup to the same setup on RRAS 2008 R2
    2. Confirmed - I can observe an important change/limitation introduced with RRAS 2008 R2
    3. I'm afraid it works as designed and was limited by business strategy
    4. However ... I still hope that there is some solution for small single-server branch offices?


    Please review and advise:

    Setup:
    1. Site A clients (with default gateway to NAT 3rd party router) --- 
    2. (Site A network, single subnet) --- 
    3. RRAS 2003 single NIC gateway to NAT 3rd party router 
       (plus single D-d interface to site B and single static route entry to site B through D-d) --- 
    4. NAT 3rd party router (with single static route to site B through RRAS) ---

    --- (Internet) --- 

    4. NAT 3rd party router (with single static route to site A through RRAS) ---  
    3. RRAS 2003 single NIC gateway to NAT 3rd party router 
       (plus single D-d interface to site A and single static route entry to site A through D-d) --- 
    2. (Site B network, single subnet) --- 
    1. Site B clients (with default gateway to NAT 3rd party router)

    In above setup all works as designed.

    1. Clients can reach all resources in both sites
    2. RRAS servers can reach all resources in both sites
    3. RRAS servers can communicate with each other (Replicate DFSr or Active Directory information)

    When switching to the same set-up but with RRAS 2008 R2:

    1. Clients can reach all resources in both sites
    2. RRAS servers can no longer reach resources on the other side of the D-d
    3. RRAS servers can no longer communicate with each other, so no option for DFSr or AD on board.

    Simple proof:

    2003 R2:
    Tracert from RRAS A tracing RRAS B responds at once with one hop - direct tunnel connection
    2008 R2:
    Tracert from RRAS A tracing RRAS B can't find the way at all - 30 blind hops

    while tracert from client A or client B to any resources and any RRAS server is working as designed (no complaints)
    (through the NAT 3rd party router, then through RRAS to the other side)
    Crucial difference:
    2003 R2 - RRAS server could play other functions (DFSr, even DC - I know it is not advised)
    2008 R2 - RRAS server can play only RRAS role (DFSr, DC etc. can't communicate with servers on the other side of D-d so those roles need to be handled by second server on site)
    As mentioned before - I hope there is some small switch that I could turn to go back to the functionality we had with 2003 R2. 
    However ... it might be caused by business reasons.
    With 2008 R2 I would now need 2 separate systems to have the same functionality (e.g. RRAS server with DFSr file server on board and replication between 2 sites).

    Please review and advise.

    Regards

    3xM

    Sunday, June 10, 2012 12:32 PM
  • It would have been better to post this as a new thread so everyone can see it, and you own the thread and mark a post as an answer if it answered your question.

    .

    If the info above didn't help, there may be a RRAS filter you enabled as you set it up. Here's more info on this below. If you do create a new thread, please reference this one with a link.

    Routing Issues with VPN:
    http://www.chicagotech.net/routingissuesonvpn.htm

    Can't Ping External Network Adapter After Configuring RRAS as a VPN Server
    http://www.chicagotech.net/vpnasrouter.htm

    Lose connection to RRAS server once a VPN client connects.
    Technet Thread: "Difficult with VPN on Server 2008 Standard R2" 12/21/2011
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2bad6260-328a-4727-bde0-8fcaca572db5/

    How to detect if RRAS server is dropping all other traffic except VPN traffic (such as when a VPN client connects, internal users lose access to the server)
    http://blogs.technet.com/b/rrasblog/archive/2006/07/06/enabling-rras-drops-all-other-traffic-except-vpn-traffic.aspx


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, June 11, 2012 2:57 AM