Issues with ping across an L2TP VPN to a domain

    Question

  • I have the following basic setup.

    1 Server 2008 Domain Controller 10.243.21.140, 255.255.255.0 gateway 10.243.21.1
    1 Server 2008 VPN Server 10.245.79.36, 255.255.254.0 gateway 10.245.78.1
    1 Server 2008 App Server 10.242.193.159, 255.255.255.0 gateway 10.242.193.1

    All three are on the same domain and can ping each other successfully on the 10.x.x.x addresses

    They are all on different subnets because they are in the cloud, so I have no control over getting them on the same subnet. I set up an L2TP VPN, NAT with pre-shared key for now. I assign a static pool 10.0.0.0-10.0.0.128.

    I establish an L2TP connection from XP/Vista/7 clients with no issue; I get assigned 10.0.0.2, I can ping 10.0.0.1 and the VPN server can ping me. I know I am connected successfully (this took me a long time to get right, btw).

    I cannot, however, ping any of my servers from my external box by their internal IP addresses, i.e. 10.242.x.x, etc. tracert goes through 10.0.0.1 as the gateway but then times out or says destination host unreachable. Obviously, if I can't even ping, how am I going to use the resources?

    I am assuming there is a routing issue but I can't figure out what I am missing. Or maybe my VPN connection is missing something.

    Anybody out there with some ideas?

    In case you were wondering, here is route print from the VPN server:

    ===========================================================================
    Interface List
     12 ...02 00 4c 4f 4f 50 ...... Microsoft Loopback Adapter
     11 ...12 31 3d 01 4c d6 ...... RedHat PV NIC Driver
     15 ........................... RAS (Dial In) Interface
      1 ........................... Software Loopback Interface 1
     14 ...00 00 00 00 00 00 00 e0  isatap.{9E9784DE-F79F-48BF-AF55-20DABCC88F0F}
     10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
     13 ...00 00 00 00 00 00 00 e0  isatap.{B344F07A-42D6-4F00-9EEC-3FC6C79E34AC}
     20 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      10.245.78.1     10.245.79.36    266
             10.0.0.1  255.255.255.255         On-link          10.0.0.1    296
             10.0.0.2  255.255.255.255         10.0.0.2         10.0.0.1     41
       10.242.193.159  255.255.255.255      10.245.76.2     10.245.79.36     11
          10.245.78.0    255.255.254.0         On-link      10.245.79.36    266
        10.245.79.255  255.255.255.255         On-link      10.245.79.36    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          169.254.0.0      255.255.0.0         On-link     169.254.7.129    286
        169.254.7.129  255.255.255.255         On-link     169.254.7.129    286
      169.254.255.255  255.255.255.255         On-link     169.254.7.129    286
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     169.254.7.129    286
            224.0.0.0        240.0.0.0         On-link      10.245.79.36    266
            224.0.0.0        240.0.0.0         On-link          10.0.0.1    296
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     169.254.7.129    286
      255.255.255.255  255.255.255.255         On-link      10.245.79.36    266
      255.255.255.255  255.255.255.255         On-link          10.0.0.1    296
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      10.245.78.1  Default
    ===========================================================================


    Here is ipconfig from the VPN server:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : EC2-PROD-VPN-02
       Primary Dns Suffix  . . . . . . . : <deleted this>
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ec2.internal
                                           us-east-1.ec2-utilities.amazonaws.com
                                        
    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Loopback Adapter
       Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::e410:56b2:c32f:781%12(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.7.129(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RedHat PV NIC Driver
       Physical Address. . . . . . . . . : 12-31-3D-01-4C-D6
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d0cf:1d7c:8e7e:8a71%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.245.79.36(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.245.78.1
       DNS Servers . . . . . . . . . . . : <IP of DC/DNS>
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{9E9784DE-F79F-48BF-AF55-20DABCC88F0F}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{B344F07A-42D6-4F00-9EEC-3FC6C79E34AC}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Here is ipconfig from the client:


    Windows IP Configuration

            Host Name . . . . . . . . . . . . : pr670
            Primary Dns Suffix  . . . . . . . : <deleted this>
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : <deleted this>

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Intel(R) PRO/1000 MTW Network Connection
            Physical Address. . . . . . . . . : 00-0F-1F-88-30-C3
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.112
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1
            DHCP Server . . . . . . . . . . . : 192.168.1.150
            DNS Servers . . . . . . . . . . . : 192.168.1.1
                                                192.168.1.150
            Lease Obtained. . . . . . . . . . : Sunday, February 14, 2010 4:10:06 PM

            Lease Expires . . . . . . . . . . : Monday, April 05, 2010 4:10:06 PM

    PPP adapter Mangia:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
            Physical Address. . . . . . . . . : 00-53-45-00-00-00
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 10.0.0.2
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . :
            DNS Servers . . . . . . . . . . . : <IP of DC/DNS>
    Monday, February 15, 2010 4:06 AM

Answers

  • Thielm,

    Let me start by saying do not trust ping to test connectivity. With ping you only know something if it connects; if it fails you know nothing. This is because it uses ICMP, which is considered "best effort", and many routers will drop it even if they meet a minimum threshold, so when you think that the connection failed because the server was offline or unreachable, really the network infrastructure just dropped it en route. I would use Telnet to test connections to real ports. Here is the syntax to use: Telnet <IP> <TCP port>.

    On to the issue. I have seen this a thousand times before. Whether it is Cisco, Microsoft, Juniper, or any other router or VPN termination point, the thing we most often forget is to tell the device what to do with the packet once it receives it. If, when using a router (which any VPN termination device is), you can ping the external interface but not any internal resource, then you have a missing route. This article explains it fully: http://cbfive.com/blog/post/Follow-the-Bouncing-Packet-Routing.aspx.

    With Microsoft servers, when we set up Remote Access this route is not automatically added. This is because your router may have 32 interfaces and you may only want the VPN traffic to be able to go to one of those 32. So what we need to do is add a route for the routing server (you cannot add this at the command line using the Route Add statement). Here is how we do that:

    -Start Server Manager.

    -In the navigation pane, expand Roles, expand Network Policy and Access Services, and then expand Routing and Remote Access.

    -Expand IPv4.

    -In the navigation pane, under IPv4, click General.

    -In the details pane for General under IPv4, right-click each interface and select Properties.

    -On each tab confirm that the interface is configured as required for its routing role on the server.

    -Under IPv4 right-click on Static Routes then select New Static Route...

    -From here you will be able to add the missing route information:

        Interface - what interface is the data received on (i.e. the external interface)

        Destination

        Network Mask

        Gateway

        Metric

    Hope this helps. Let us know if you have any further questions.
    If you need extra help, you can reach us at: InitialAssist@cbfive.com See my blogs at http://www.cbfive.com/blog / Jared
    Thursday, February 18, 2010 8:05 AM
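    As an added example (Python written for this page, not code from the question, the answer, or Microsoft), the script below parses the `route print` and `ipconfig /all` text posted in the question, applies the longest-prefix match the Windows stack uses to pick a route, and reports the two things the answer says to verify on a VPN termination point: whether the server will forward at all, and which next hop a packet for an internal server would take. The `ROUTE_PRINT` and `IPCONFIG` strings are constructed excerpts of the tables above; `diagnose()` and the other function names are this example's own.

```python
"""Diagnose how a Windows RRAS/VPN server would forward a client packet.

Added example: parses `route print` / `ipconfig /all` text and explains the
route selection. Not code from the original thread.
"""
import ipaddress
import re

# Constructed excerpt of the "Active Routes" section posted in the question.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.245.78.1     10.245.79.36    266
         10.0.0.1  255.255.255.255         On-link          10.0.0.1    296
         10.0.0.2  255.255.255.255         10.0.0.2         10.0.0.1     41
   10.242.193.159  255.255.255.255      10.245.76.2     10.245.79.36     11
      10.245.78.0    255.255.254.0         On-link      10.245.79.36    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
"""

# Constructed excerpt of the VPN server's "ipconfig /all" header from the question.
IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EC2-PROD-VPN-02
   IP Routing Enabled. . . . . . . . : No
"""

# One row of the Active Routes table: dest, mask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the Active Routes rows as dicts; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            # strict=False accepts host bits set, e.g. 10.0.0.2/255.255.255.255
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,      # "On-link" means the destination is directly attached
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def ip_routing_enabled(ipconfig_text):
    """True only when the 'IP Routing Enabled' line reads Yes.

    Without this the server answers packets addressed to itself (so pinging
    10.0.0.1 works) but will not forward between the RAS and LAN interfaces.
    """
    m = re.search(r"IP Routing Enabled[ .]*:\s*(\w+)", ipconfig_text)
    return bool(m) and m.group(1).lower() == "yes"


def best_route(routes, dest):
    """Longest-prefix match; the lower metric wins among equal-length prefixes."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def diagnose(route_text, ipconfig_text, target):
    """Return human-readable findings for a VPN-client packet addressed to `target`."""
    routes = parse_route_print(route_text)
    findings = []
    if not ip_routing_enabled(ipconfig_text):
        findings.append("IP routing is disabled: the server will not forward packets "
                        "from the RAS interface to the LAN interface.")
    route = best_route(routes, target)
    if route is None:
        findings.append(f"no route matches {target}")
    else:
        hop = "on-link" if route["gateway"] == "On-link" else f"via {route['gateway']}"
        findings.append(f"{target} matches {route['network']} {hop}, "
                        f"out interface {route['interface']} (metric {route['metric']})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(ROUTE_PRINT, IPCONFIG, "10.242.193.159"):
        print(finding)
```

    Run against the posted tables, the script shows that the App Server's address does have a specific host route on the VPN server, while any other 10.242.193.x address falls to the default gateway; it also flags that forwarding is off, which is worth confirming before adding static routes in the Routing and Remote Access console. The parser stops at the `route print` format, so the return path on the internal servers (a route for the 10.0.0.x pool pointing back at the VPN server) still has to be checked on those hosts.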