Question


Remote Desktop across two networks in the same range

By kjrees
Hi, a software house would like to connect to our network via a VPN connection and then Remote Desktop onto our server. This seems to work fine from my home internet connection and from other software support houses, but there seems to be an issue with this one. I suspect that it may be because we both have 192.168.10.X domains (same subnets). They can make the VPN connection, but then cannot see anything on our domain. I think this may be because their machines think our machines are local to their domain and cannot find them! I have told them to try a hosts file with our machine and IP, but this does not work. I'm not sure how to resolve the issue. Can anyone help?


All Answers


A little more info

by scott_heath In reply to Remote Desktop across two ...

When you connect to a VPN, the VPN connection receives an IP address on the network it is connected to. Ask them to run IPCONFIG to ensure they are receiving an IP address on your network. Then see if you can ping this IP address. If you can, then have them ping the IP of the machine they are trying to establish a connection with. If this works, then the problem may be DNS related and you can have them use the IP or continue troubleshooting. If you would like some more ideas, please let us know the result of the pings.


Don't think that's an issue

by CG IT In reply to Remote Desktop across two ...

First, how is the tunnel created? Is it via a perimeter router? Is that router also responsible for providing external clients with internal addresses?

On the WAN side, whatever device you use for the VPN connection sees the public address, not the internal address. Once connected via the tunnel, a miniport with an internal address is provided to the external client so that network resources can be accessed. So even if you have the same subnet on your LAN as the remote LAN, the miniport has the local address, not your PC. Your PC doesn't do a DHCP release and renew using VPN.

If the remote user connects and authenticates, then I would say accessing remote network resources is a permissions problem and not a VPN problem.


I don't think it's a permissions issue....

by kjrees In reply to Don't think that's an iss ...

I don't think it's a permissions issue, because I can, from my home internet address, establish a VPN connection over the internet with their dial-in account and use Remote Desktop as them - I have no problems accessing resources. I'm guessing, but will confirm tomorrow, that their user is sitting on their LAN and from their PC creating a new VPN connection to our router's internet IP address (obviously through their own router). When I connect from home via the VPN (WAN PPP/SLIP interface) I get a secondary IP from DHCP at the office, as shown in ipconfig /all under the PPP adapter VPN settings. However, their internal IP address range is the same as the one that our server will give their VPN connection. I think it's a question of routing - how does their machine know it's an external address and not internal? It's like they're looking locally for our machines - they can't seem to find them even with a hosts file. I'm not overly experienced with this so I might be talking nonsense! Any feedback would be great - I wonder if I could put in static values for IP address/DNS in the VPN connection or try an LMHOSTS entry... please let me know if you have any more ideas! Kind regards,

Kevin


non routable Class C

by CG IT In reply to I don't think it's a perm ...

Dial-in over ISDN is not VPN over the internet. The internet isn't involved at all, since you're dialing directly to a modem.

The different private addressing using non-routable Class C isn't an issue, else VPN wouldn't be a viable remote access feature. There are literally millions of small networks out there with the 192.168.1/24 private Class C address range that use VPN all the time.

If you can actually make a connection using PPTP VPN and go through the authentication process, then it's a matter of permission to see network services.

Note: If there are no shared resources, you won't see a thing in My Network Places. If there are shared resources, they may be hidden from users. That's why I bring up the permissions issue. Permissions aren't necessarily NTFS permissions, but share permissions as well. Anyone with any wherewithal would delete the Everyone group from folders and assign permissions based on groups. If a user isn't a member of the group for shared resources, they won't see the resource [W2003 Server].


Howdy

by scott_heath In reply to I don't think it's a perm ...

Are you using a Windows RRAS Server for the dial-up/VPN connection?

You never mentioned whether or not the person with the problem was able to ping the IP in question.

It is possible that the computer isn't sure which network to route down if the routing table entries are identical. I haven't seen this sort of problem before. What I am thinking is that if it is a Windows RRAS Server it wouldn't be that difficult to change the subnet used for the VPN connections and see if it works. Or, if the client is dialing in instead of using the internet to connect, have them disable the other network interface and see what happens.


following on....

by kjrees In reply to Howdy

Thanks for your help guys,

I'm not using ISDN at all and I am definitely using the internet for this connection! That much I'm sure of! We are using a Win2k RRAS Server and the VPN user is just set up as a user with dial-in permissions - the RRAS server then lets anyone in with these dial-in permissions. I realise there are thousands of Class C networks using VPN, but I am sure it is not a network permissions problem. If that was the case I'm sure they could access the shares on the server that have permission for Everyone enabled - I can't even see the server, and they can't ping anything on our network either.

I've done some IP configs from my end (LAN A) and his end (LAN B).

LAN B's router has the same internal address as our RRAS server, which also acts as our WINS and DNS server. His DHCP server also exists on our local domain as a member server. So when his VPN connects, it gives him a primary WINS address which is the same as his router (we are an NT4 domain). Surely this is confusing his machine?!! I'm more inclined to think along the subnet-changing route, etc. I'm sure it's not looking externally, but I don't really know what to change to resolve it. To change the subnet on the VPN... is that something that needs doing here, maybe on the RRAS server, or at LAN B's connection?

thanks,

Kevin


RRAS and different IPs for VPN

by scott_heath In reply to following on....

I'd have to fiddle with it in a VM to give you super exact instructions, but you should be able to set up a new DHCP scope and in the RRAS configuration use that scope for your VPN addresses. You may need to add a route manually on your RRAS server so that it knows to send packets originating on your new subnet through the network interface you are currently using.


RRAS and different IPs for VPN

by kjrees In reply to RRAS and different IPs fo ...

Hi, thanks for the reply

Thanks for that, I'm struggling to understand this a bit, sorry!! LAN_B is trying to RD our server - how does LAN_B's client know to go out through LAN_B's router to get to our (LAN_A) server? I'm not sure where the config change should be - LAN_A (us) or LAN_B (them). This is how I think the connection works:

LANB Client VPN---> LANB Router--internet--LANA Router--->LANA RRAS Server--->LANA Server (Remote Desktop)

I'm sure you'll know better than me, but could I be right in thinking that their router is not forwarding the requests? I asked LAN_B's guy to do some pinging. He can ping hosts on his network but not on ours. On his VPN connection (Details tab) he gets the correct Server IP address from our machine and also is issued a Client IP address which looks fine. I'd appreciate any instructions as I'm not very experienced in this area; however, I do appreciate everyone's responses to the question so far.


an idea

by richardmarkevans In reply to RRAS and different IPs fo ...

Hello,

If you have no luck with this configuration you can always use a Hamachi client at both ends.

Install Hamachi (www.hamachi.cc) and set up a network. Do this at LAN_B as well and join the same network. The machine on LAN_B will show the initial machine in its dashboard with a 5.*.*.* IP address - use this to connect to the machine.

Hamachi will automatically negotiate both firewalls - Remote Desktop will just need to be opened with the Hamachi console's IP address (5.*.*.*) as the computer name.

We use this for quite a few Remote Access Scenarios.

Cheers.


How traffic flows...

by scott_heath In reply to RRAS and different IPs fo ...

The normal flow of traffic in basic form:

Computer's NIC - Router - Network

But for the VPN it is:

Computer's VPN Connection - Router at Destination - Network

The VPN connection counts as a second interface. The computer's route table tells it where to go. Here are some sample routes from my system:

Active Routes:
NetDest      Netmask          Gateway      Interface
0.0.0.0      0.0.0.0          10.1.1.1     10.1.1.18
127.0.0.0    255.0.0.0        127.0.0.1    127.0.0.1
10.1.1.0     255.255.255.0    10.1.1.1     10.1.1.18

OK, so here's what it means. "0.0.0.0" is basically any network not listed in the table. It sends it to GW 10.1.1.1 on interface 10.1.1.18.

You see network 10.1.1.0 is listed and is directed to GW 10.1.1.1 through interface 10.1.1.18. If the client's PC has an IP of 10.1.1.18, they connect to the external IP of your company to establish the VPN connection. Say 204.110.45.19. Once the connection is established, it gives the VPN connection an IP. We'll call it 10.1.1.146. The server to be termed into is 10.1.1.200. When the client computer attempts to decide where to find this device, it checks the route table. Since it sees 10.1.1.0 goes through interface 10.1.1.18, not 10.1.1.146, that is where it sends the request. But if 10.1.1.200 doesn't exist on their network, it will time out when you ping, or connect to the wrong device.

The easiest solution assuming you have a small number of clients on each end and this is a vital operation would be to change the class c private network you use. The next easiest thing would be to set up a network just for the VPN connections.

I would not use Hamachi as it routes your traffic through their servers and, depending on your business, this could violate any number of regulations, since you can't prove who on the Hamachi network has access to your data, encrypted or otherwise. I use Hamachi to play StarCraft (I know, it's 9 years old, but I like it) with friends and it's a great app for that sort of thing. I would not, however, risk any business data traversing their network.

You could attempt to create a custom route for a single IP address using the "route add" command. If you want to try this let me know and I'll see if it can be done.
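The route-table walk-through above, worked through in code as an added example (not part of the original thread or of any product mentioned in it). It models the client's table as a list of (destination, netmask, gateway, interface) entries and does what the IP stack does: longest-prefix match. The addresses (10.1.1.18 client, 10.1.1.146 VPN address, 10.1.1.200 server, 10.1.5.0/24 as an alternative VPN scope) are the post's own or constructed for the demo; the assumption that the VPN adapter installs an on-link route for its assigned subnet, and that an exact-length tie falls to the LAN entry (standing in for Windows' metric tie-break), is mine, not something the thread states.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination, netmask, gateway, interface), as in the quoted route table.
Route = Tuple[str, str, str, str]

# Constructed sample modelled on the post: client 10.1.1.18 on LAN 10.1.1.0/24.
LAN_ROUTES: List[Route] = [
    ("0.0.0.0",   "0.0.0.0",       "10.1.1.1",  "10.1.1.18"),
    ("127.0.0.0", "255.0.0.0",     "127.0.0.1", "127.0.0.1"),
    ("10.1.1.0",  "255.255.255.0", "10.1.1.1",  "10.1.1.18"),
]


def lookup(routes: List[Route], dest: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: of all entries whose network contains dest, the one
    with the longest netmask wins. On an exact tie the earlier entry is kept,
    which here stands in for the LAN route winning on metric (assumption).
    Returns (gateway, interface), or None if nothing matches."""
    addr = ipaddress.IPv4Address(dest)
    best_net: Optional[ipaddress.IPv4Network] = None
    best: Optional[Tuple[str, str]] = None
    for net, mask, gw, iface in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best = network, (gw, iface)
    return best


def with_vpn(routes: List[Route], vpn_net: str, vpn_mask: str, vpn_ip: str) -> List[Route]:
    """Copy of the table plus the on-link route a point-to-point VPN adapter is
    assumed to add for the subnet it was handed (gateway = its own address)."""
    return routes + [(vpn_net, vpn_mask, vpn_ip, vpn_ip)]


def with_host_route(routes: List[Route], host: str, vpn_ip: str) -> List[Route]:
    """The 'route add' workaround mentioned in the post: a /32 for the single
    server, pointed at the VPN adapter. A /32 is always the longest match, so
    it beats the overlapping /24 regardless of metric."""
    return routes + [(host, "255.255.255.255", vpn_ip, vpn_ip)]


def subnets_overlap(lan_cidr: str, vpn_cidr: str) -> bool:
    """Pre-flight check: does the client's LAN collide with the VPN scope?"""
    return ipaddress.IPv4Network(lan_cidr).overlaps(ipaddress.IPv4Network(vpn_cidr))


def explain(routes: List[Route], dest: str) -> str:
    """Human-readable one-liner for the demo below."""
    hit = lookup(routes, dest)
    return f"{dest} -> gateway {hit[0]} via interface {hit[1]}" if hit else f"{dest} -> no route"


if __name__ == "__main__":
    # 1. Same subnet on both ends: the LAN /24 swallows the server's address,
    #    so the packet never enters the tunnel and the ping times out.
    same = with_vpn(LAN_ROUTES, "10.1.1.0", "255.255.255.0", "10.1.1.146")
    print("overlap:", subnets_overlap("10.1.1.0/24", "10.1.1.0/24"))
    print("broken :", explain(same, "10.1.1.200"))

    # 2. Workaround: host route for the one server through the VPN adapter.
    print("hostrt :", explain(with_host_route(same, "10.1.1.200", "10.1.1.146"), "10.1.1.200"))

    # 3. Proper fix: hand out VPN addresses from a scope the client's LAN
    #    cannot collide with, so the on-link VPN route is the only match.
    distinct = with_vpn(LAN_ROUTES, "10.1.5.0", "255.255.255.0", "10.1.5.146")
    print("overlap:", subnets_overlap("10.1.1.0/24", "10.1.5.0/24"))
    print("fixed  :", explain(distinct, "10.1.5.200"))
```

The `subnets_overlap` check is the one to run before handing a scope to RRAS: if the remote site's LAN and the VPN pool share a prefix, the client's own /24 will win every lookup for a server address, exactly as the thread describes. The /32 host route is a per-server patch; moving the VPN pool to a non-overlapping range removes the ambiguity for every address at once.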
