Microsoft VPN issues

rnewman
I am a seasoned IT professional, but never, until now, set up Microsoft's VPN using the Routing and Remote Access program. While it was relatively simple to set up, a number of issues arose that I'd like to ask for some help on:

1. Once connected to the corporate network via VPN, ALL IP traffic travels through the VPN by default. That's OK, but my local workstation still queries the local DNS server (the one configured in my NIC properties), NOT any of the DNS servers on the corporate network. How do I force DNS resolution over the tunnel, while keeping the configuration simple enough for my users to set up?

2. As soon as I turn on the RRAS service on the server, a block of IP addresses gets taken from the local DHCP server's address pool, even if NO client has connected yet. Is there a way to make the RAS server only take one address at a time from the local DHCP server? Or can I make it NAT and use a different subnet, so that I don't use up the IP pool so quickly?

The network is a Windows 2003 AD domain, with two DCs at the corporate office site. The corporate office subnet is 192.168.1.0, class C mask. The VPN is set up on one of the DCs, which has a single NIC in it and a public IP mapped to it, with the appropriate ports forwarded.

Anybody know about this DNS thing?

Thanks

Bob Newman
    Howard.Hooper

    Hi Bob,

    To answer question 2 in your post, you can modify the registry key 'InitialAddressPoolSize', found here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP
    The default value is 10, but it can be set to any size.

    Unfortunately, I too have not seen the error you are having with DNS and VPN clients, unless your server is picking up DNS addresses through DHCP; however, the following links should hopefully give you some more information:
    http://support.microsoft.com/kb/232703
    http://support.microsoft.com/kb/142303/EN-US/
    http://support.microsoft.com/default.aspx?scid=kb;en-us;243374

    Hope this helps

    Howard

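As an added example (mine, not part of Howard's post or Bob's thread), here is the registry change above done from an elevated PowerShell prompt on the RRAS server, so it can be repeated without hunting through regedit. It assumes only what Howard states: the value name and path, and that RRAS reads the value when the Remote Access service starts. The new batch size of 2 is an arbitrary choice.

```powershell
# Added example, not from the original thread. Reads and lowers the
# InitialAddressPoolSize value Howard refers to, which controls how many DHCP
# leases RRAS reserves from the pool per batch. Run elevated on the RRAS server.
# Assumption: the change is picked up only when the Remote Access service
# restarts, which drops any connected VPN sessions, so schedule it accordingly.
$path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP'
$name    = 'InitialAddressPoolSize'
$newSize = 2    # leases reserved per batch; the thread states the default is 10

$item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    # Value absent: RRAS is running on its built-in default, so create it as a DWORD
    Write-Host "$name is not set; RRAS is using its built-in default"
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $newSize | Out-Null
} else {
    Write-Host "$name is currently $($item.$name)"
    Set-ItemProperty -Path $path -Name $name -Value $newSize -Type DWord
}

# Apply: RRAS re-reads its parameters on service start
Restart-Service -Name RemoteAccess -Force
Write-Host "$name is now $((Get-ItemProperty -Path $path -Name $name).$name)"
```

This only changes how many addresses RRAS pre-reserves from DHCP; every connected client still holds one lease, so if you regularly have ten users connected at once the DHCP scope still needs to have room for them.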
    rnewman

    H:

    I'll give this a try today, and see what happens. I very much appreciate your response.

    I'll look at the articles too, in the hopes of getting some additional insight.

    Check out your reply however, as the registry key name you posted was cut off by the window pane ....

    rnewman

    H:

    I couldn't find the value (not a key) you spoke of, but when I searched Google I found just what I needed.

    Your post was cut off, so I didn't know the value was in the "IP" subkey of the "Parameters" key, but again the articles pointed me in the right direction.

    I have another question though...

    What I have been trying to do is set up remote access for corporate clients to the 192.168.1.0 network. My concern was with the use of IPs from the local DHCP server, and that's why I asked the question.

    So here's my new question:

    If I set up a static IP pool on the RAS server, and used a different subnet, like 192.168.10.0, would the clients that connect to the VPN server still be able to access the corporate network servers on the 192.168.1.0 subnet, without making any more changes?

    Bob

    Churdoo

    With your corp network being 192.168.1.0/24, and with so many home-based routers factory-defaulting to the same network, I sense trouble. Since a lot of your home users won't know to change their SOHO router off its factory default network, you'll likely have users on a 192.168.1.0/24 trying to VPN into your 192.168.1.0/24 network, which of course won't work, even if you're assigning their VPN client a 192.168.10.0/24 IP. This has nothing to do with your DHCP or DNS questions.

    Can you renumber your corp network to something that 80+% of home users will not be on? Otherwise you'll potentially be getting support calls from home users and will have to walk them all through reconfiguring their home routers to different subnets for them to VPN in.

    But to answer your question about assigning 192.168.10.0 IPs to VPN clients and accessing the 192.168.1.0 network: it won't be that simple; you would then have to set up persistent routes in the server between the two subnets. If you don't want to take from your DHCP pool, do you have static IP space outside of your DHCP pool, but within your production 24-bit network, that you can allocate to the VPN clients?

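The two addressing problems Churdoo raises (a home LAN that collides with the corporate subnet, and a separate VPN pool that the corporate side has no route back to) are easy to check before a user ever dials in. The following is an added example, not code from anyone in the thread; it uses the thread's own networks (192.168.1.0/24 and a proposed 192.168.10.0/24 pool) and assumes the RRAS server's LAN address is 192.168.1.5, the sample list of home LANs is constructed, and the script runs on a modern admin workstation. It generalizes the /24 case to arbitrary CIDR blocks. One caveat worth stating: when the pool is a separate subnet, the return route to it via the RRAS server must exist wherever corporate hosts send their off-subnet traffic, i.e. on the default gateway or as a persistent route on each host, not only on the RRAS server itself.

```powershell
# Added example, not from the original thread. Checks whether a remote user's
# home LAN collides with the corporate network or the VPN pool (the failure
# Churdoo describes), then prints the persistent return route the corporate
# side needs when the VPN pool is a separate subnet.
# Networks are the thread's own; the RRAS LAN address 192.168.1.5 and the list
# of home LANs are assumptions / constructed samples.

function ConvertTo-IpInt ([string]$Ip) {
    # IPv4 dotted quad -> integer, kept in int64 so the high bit never goes negative
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IpInt ([int64]$Int) {
    '{0}.{1}.{2}.{3}' -f (($Int -shr 24) -band 255), (($Int -shr 16) -band 255),
                         (($Int -shr 8) -band 255),  ($Int -band 255)
}

function Get-CidrRange ([string]$Cidr) {
    # First and last address of a CIDR block as integers (works for any prefix, not just /24)
    $addr, $prefix = $Cidr.Split('/')
    $size  = [int64][Math]::Pow(2, 32 - [int]$prefix)
    $first = [int64]([Math]::Floor((ConvertTo-IpInt $addr) / $size) * $size)
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap ([string]$A, [string]$B) {
    # Two ranges overlap when each one starts before the other ends
    $ra = Get-CidrRange $A; $rb = Get-CidrRange $B
    ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

$corpNet = '192.168.1.0/24'    # corporate LAN from the thread
$vpnPool = '192.168.10.0/24'   # proposed static pool for VPN clients
$rrasLan = '192.168.1.5'       # assumed LAN address of the RRAS server

# Constructed sample of home LANs remote users might be sitting behind
$homeLans = '192.168.1.0/24', '192.168.0.0/24', '10.0.0.0/24', '192.168.10.0/24'
foreach ($lan in $homeLans) {
    $clash = @()
    if (Test-CidrOverlap $lan $corpNet) { $clash += "corporate net $corpNet" }
    if (Test-CidrOverlap $lan $vpnPool) { $clash += "VPN pool $vpnPool" }
    if ($clash) { "$lan : CONFLICT with $($clash -join ' and ')" } else { "$lan : ok" }
}

# Return path: the corporate gateway (or each host) must know that the VPN
# pool lives behind the RRAS server. Print the persistent route to add there.
$r    = Get-CidrRange $vpnPool
$mask = ConvertFrom-IpInt (4294967295 - ($r.Last - $r.First))
"route -p add $(ConvertFrom-IpInt $r.First) mask $mask $rrasLan"
```

The sample list shows both failure modes: a home LAN on 192.168.1.0/24 shadows the corporate servers, and a home LAN on 192.168.10.0/24 shadows the VPN pool itself, which is why the pool should also be chosen from a range home routers rarely use.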
    Churdoo

    Re: the problem of DNS resolver for VPN clients, when configuring the VPN client on a given remote workstation, I go into the VPN connection properties / Networking / TCP/IP / Properties and set the DNS server and search domain. It's a one-time setup which you can put in the instruction sheets for the clients, and it's only in effect when the client VPN is connected. I have found no way to pass this info automatically from the server to VPN clients.

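The per-connection DNS setting Churdoo describes can also be scripted for the instruction sheet instead of clicked through in the GUI. This is an added example, not from the thread, and it targets a modern Windows client (the VPN client cmdlets did not exist on the XP-era clients of the original discussion). Everything named below is an assumption: the connection is called "Corp VPN", the public VPN address is vpn.example.com, the two DCs at 192.168.1.10 and 192.168.1.11 serve DNS for an AD domain corp.example, and a host dc1.corp.example exists to test against. Until the corporate resolvers are pinned to the connection, lookups for internal names go to the resolver on the user's NIC even though the traffic itself is routed through the tunnel, which is exactly the symptom Bob reports.

```powershell
# Added example, not from the original thread. Scripts the connection-specific
# DNS setup Churdoo describes (GUI: connection properties / Networking / TCP/IP)
# on a modern Windows client. All names and addresses below are assumptions.
$conn   = 'Corp VPN'
$server = 'vpn.example.com'
$dns    = '192.168.1.10', '192.168.1.11'   # the two DCs, assumed to run DNS
$suffix = 'corp.example'                   # assumed AD DNS domain

# Create the connection once. Leaving -SplitTunneling off matches the thread:
# the default route, and so all traffic, goes through the tunnel when connected.
if (-not (Get-VpnConnection -Name $conn -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $conn -ServerAddress $server -TunnelType Automatic `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -DnsSuffix $suffix -RememberCredential -Force
}

# The RAS interface only exists while the connection is up, so connect first.
# rasdial uses the saved credentials; pass "user password" as extra arguments
# the first time if none are saved yet.
rasdial $conn | Out-Null

# Pin the corporate resolvers to the VPN interface only; the NIC keeps its own
# DNS servers for when the tunnel is down. Re-run this step after reconnecting
# if your client build does not retain it for RAS interfaces.
Set-DnsClientServerAddress -InterfaceAlias $conn -ServerAddresses $dns

# Verify: the connection lists the corporate DNS servers, and an internal
# name resolves through one of them rather than through the ISP resolver.
Get-DnsClientServerAddress -InterfaceAlias $conn -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name "dc1.$suffix" -Server $dns[0] -Type A
```

The verification step matters more than the setup: run `Resolve-DnsName` without `-Server` as well and confirm the answer comes back from 192.168.1.10 or .11, otherwise internal lookups are still leaving the user's home network in the clear.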
    rnewman

    Sounds simple, but sometimes those things are staring you right in the face and you don't see them.

    I'll let you know how things work out.
