Tuesday, January 22, 2008

VPN Server Deployment

Yesterday I worked on VPN server deployment in our office. We are planning to use our Windows Server 2003 as a VPN server.

But our Windows Server 2003 has only a single NIC.

So I deployed the VPN server for a single NIC. The procedure was as follows:

1. Configured the RRAS server for a single NIC
2. Enabled the router to forward PPTP packets (TCP port 1723; PPTP also needs GRE, IP protocol 47, to pass, and since the tunnel came up that part was evidently fine)
3. Created a VPN client

After the VPN connection was established, the VPN client was not able to ping or otherwise communicate with the RRAS server. So I googled it and found the following useful information.

Cannot reach beyond the RRAS server from VPN clients?

This is a common issue: after making a VPN connection to the Routing and Remote Access (RRAS) server, the VPN client cannot reach the machines on the network behind the VPN server. Here are a few tips to troubleshoot it.

Let's consider this example to understand this well.

VPN Client <---Internet---> RRAS server <----------------> LAN client

Static pool configured on RRAS server: 10.0.0.1 - 10.0.0.10 [VPN clients get a 10.0.0.x address from this pool; RRAS takes the first address, 10.0.0.1, for its own end of the PPP links, which is why it appears as the gateway below]

Public interface of RRAS server to which clients connect: 65.54.46.9

Private interface of RRAS server: 192.168.0.4 (the LAN clients on this network have addresses 192.168.0.x)

We want to reach the LAN client 192.168.0.16 from the VPN client 10.0.0.2. The following are the things we need to ensure for this:

(1) Need to have proper routes on the VPN client to reach the machines behind the RRAS server

For our example, the VPN client needs a route for the LAN network 192.168.0.0/24 (which contains 192.168.0.16) with the VPN server's PPP address (10.0.0.1) as the gateway, as follows:

route add 192.168.0.0 mask 255.255.255.0 10.0.0.1 if

This route makes sure that any packet destined for the LAN clients goes out through the client's PPP adapter to the server's internal interface. The trailing "if" argument takes the interface index of the PPP adapter as listed by "route print"; if it is omitted, Windows picks the interface from the gateway address. Because the PPP adapter only exists while the connection is up, the route has to be re-added after every connect (for example from a script run after rasdial). As the RRAS server has an interface on the same network as the LAN client, it routes the packet on to the LAN client; "tracert 192.168.0.16" on the VPN client should show 10.0.0.1 as the first hop.

On the VPN client side, the client can also keep its own default route for reaching the Internet, by clearing "Use default gateway on remote network" in the connection's TCP/IP settings [otherwise even Internet requests go through the RAS server]. This is a security trade-off: a split-tunneled client is on the Internet and the LAN at the same time, so a compromised client becomes a bridge into the LAN, which is why many organisations deliberately force all traffic through the tunnel.

This concept is called split tunneling and is explained in the following article: http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx

(2) Need to have correct routes for the VPN clients on the LAN clients behind the RRAS server

A packet from the VPN client reaches the LAN client if the route on the VPN client is correct, which (1) above ensures. For a packet from the LAN client to reach the VPN client, however, the LAN client needs a correct route too. For example, when you ping 192.168.0.16 from the VPN client, the route on the VPN client gets the echo request to 192.168.0.16.

For the echo reply from 192.168.0.16 to reach the VPN client, however, your LAN client needs a route for the VPN client pool with the private interface of the RRAS server as the gateway, as follows:

route add 10.0.0.0 mask 255.255.255.0 192.168.0.4 if

This way, the echo reply destined for 10.0.0.2 reaches the RRAS server, which is the next hop according to the above route. Once it reaches the RRAS server, the server knows how to send it to the client because it holds a host route for every client connected to it. A quick check from the LAN client is "tracert 10.0.0.2": without the route the first hop is the LAN's default gateway rather than 192.168.0.4.

Note: on the LAN clients, the reverse route can be added individually on every client; alternatively, if all LAN clients point to a router as their default gateway, that router can carry the reverse route for the 10.0.0.0 network; or the RRAS server itself can be the default router for the LAN clients. The router is also the natural place to filter which LAN hosts the 10.0.0.0 pool is allowed to reach.
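To see why both routes in (1) and (2) are needed, here is a small simulation of the three routing tables that forwards an echo request from the VPN client to the LAN client and the reply back, using longest-prefix match the way an IP stack does. It is an added example, not code from the original post or from Microsoft. It uses the post's addresses (the 10.0.0.x pool, 65.54.46.9, 192.168.0.4 and 192.168.0.16); the LAN's Internet router at 192.168.0.1, the client's home gateway 203.0.113.1, the RRAS server's ISP gateway 65.54.46.1, the upstream 198.51.100.1, the interface names and the full-tunnel client table are assumptions made for the simulation. Without the reverse route the reply follows the LAN client's default route to the Internet router and is lost; with it, the reply reaches the RRAS server, whose per-client host route delivers it over the PPP link.

```python
"""Trace a ping from the VPN client to a LAN client and back across the
routing tables of the RRAS example.  Added example, not from the original
post.  Addresses 10.0.0.x, 65.54.46.9, 192.168.0.4 and 192.168.0.16 are the
post's; 192.168.0.1, 203.0.113.1, 65.54.46.1, 198.51.100.1 and the interface
names are assumptions for the simulation."""
from ipaddress import ip_address, ip_network

# A routing table is a list of (destination network, next hop, interface).
# next hop None means the destination is directly reachable on that interface.
VPN_CLIENT = [
    ("10.0.0.1/32", None, "ppp"),            # the RRAS end of the PPP link
    ("192.168.0.0/24", "10.0.0.1", "ppp"),   # the route from section (1)
    ("0.0.0.0/0", "203.0.113.1", "wifi"),    # split tunnel: client keeps its own default route
]
VPN_CLIENT_FULL_TUNNEL = [                   # "Use default gateway on remote network" left on
    ("10.0.0.1/32", None, "ppp"),
    ("0.0.0.0/0", "10.0.0.1", "ppp"),        # everything, Internet included, goes via RRAS
]
RRAS = [
    ("10.0.0.2/32", None, "ppp"),            # host route RRAS holds for each connected client
    ("192.168.0.0/24", None, "lan"),         # private interface 192.168.0.4
    ("0.0.0.0/0", "65.54.46.1", "wan"),      # assumed ISP gateway on the public side
]
LAN_CLIENT_NO_REVERSE = [
    ("192.168.0.0/24", None, "lan"),
    ("0.0.0.0/0", "192.168.0.1", "lan"),     # default gateway is the LAN's Internet router
]
LAN_CLIENT_WITH_REVERSE = LAN_CLIENT_NO_REVERSE + [
    ("10.0.0.0/24", "192.168.0.4", "lan"),   # the reverse route from section (2)
]
LAN_ROUTER = [
    ("192.168.0.0/24", None, "lan"),
    ("0.0.0.0/0", "198.51.100.1", "wan"),    # assumed upstream; a 10.x reply dies here
]

def build_hosts(lan_client_table, vpn_client_table=VPN_CLIENT):
    """Map each host name to (its addresses, its routing table)."""
    return {
        "vpn-client": ({"10.0.0.2"}, vpn_client_table),
        "rras": ({"65.54.46.9", "192.168.0.4", "10.0.0.1"}, RRAS),
        "lan-client": ({"192.168.0.16"}, lan_client_table),
        "lan-router": ({"192.168.0.1"}, LAN_ROUTER),
    }

def lookup(table, dst):
    """Longest-prefix match: return the (network, next hop, interface) entry that wins."""
    best = None
    for net, gw, iface in table:
        net = ip_network(net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def owner(hosts, addr):
    """Which simulated host holds this address, or None if it is outside the LAN/VPN."""
    for name, (addrs, _) in hosts.items():
        if addr in addrs:
            return name
    return None

def trace(hosts, src, dst, max_hops=8):
    """Forward one packet for dst starting at host src; return (path, outcome)."""
    path, here = [src], src
    for _ in range(max_hops):
        addrs, table = hosts[here]
        if dst in addrs:
            return path, "delivered"
        route = lookup(table, dst)
        if route is None:
            return path, f"no route at {here}"
        _, gw, _ = route
        next_hop = gw if gw is not None else dst      # on-link: hand it to dst directly
        nxt = owner(hosts, next_hop)
        if nxt is None:
            return path, f"lost: {here} forwarded it to {next_hop}, outside the LAN/VPN"
        path.append(nxt)
        here = nxt
    return path, "routing loop"

def ping(hosts, src_host, src_ip, dst_ip):
    """Echo request src -> dst, then the reply back; succeed only if both arrive."""
    req_path, req = trace(hosts, src_host, dst_ip)
    if req != "delivered":
        return req_path, [], False
    rep_path, rep = trace(hosts, req_path[-1], src_ip)
    return req_path, rep_path, rep == "delivered"

if __name__ == "__main__":
    for label, table in (("without reverse route", LAN_CLIENT_NO_REVERSE),
                         ("with reverse route", LAN_CLIENT_WITH_REVERSE)):
        req, rep, ok = ping(build_hosts(table), "vpn-client", "10.0.0.2", "192.168.0.16")
        print(f"{label}: request {' -> '.join(req)}; reply {' -> '.join(rep) or 'none'};"
              f" ping {'OK' if ok else 'FAILS'}")
```

Swapping VPN_CLIENT for VPN_CLIENT_FULL_TUNNEL in build_hosts makes the same ping succeed without the 192.168.0.0/24 route on the client, but then lookup of any Internet address on the client also resolves to 10.0.0.1, which is the split-tunneling trade-off described above.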

1 comment:

alex smith said...

I am a network admin for a small company that provides computer and network support to approx. 200 customers and I have found that it is definitely the case that more and more companies want remotely accessible networks. I have tried a number of different solutions, all with their own pros and cons, and I would be very interested in a tutorial on using OpenBSD as a VPN solution.