Remote Desktop across two networks in the same range

kjrees
Hi, a software house would like to connect to our network via a VPN connection and then Remote Desktop onto our server. This seems to work fine from my home internet connection and from other software support houses, but there seems to be an issue with this one. I suspect that it may be because we both have 192.168.10.x domains (same subnets). They can make the VPN connection, but then cannot see anything on our domain. I think this may be because their machines think our machines are local to their domain and cannot find them! I have told them to try a hosts file with our machine and IP, but this does not work. I'm not sure how to resolve the issue. Can anyone help?
    0 Votes
    scott_heath

    When you connect to a VPN, the VPN connection receives an IP address on the network it is connected to. Ask them to run IPCONFIG to ensure they are receiving an IP address on your network. Then see if you can ping this IP address. If you can, then have them ping the IP of the machine they are trying to establish a connection with. If this works, then the problem may be DNS related and you can have them use the IP or continue troubleshooting. If you would like some more ideas, please let us know the result of the pings.

    0 Votes
    CG IT

    First, how is the tunnel created? Is it via a perimeter router? Is that router also responsible for providing external clients with internal addresses?

    On the WAN side, whatever device you use for the VPN connection sees the public address, not the internal address. Once connected via the tunnel, a miniport with an internal address is provided to the external client so that network resources can be accessed. So even if you have the same subnet on your LAN as the remote LAN, the miniport has the local address, not your PC. Your PC doesn't do a DHCP release and renew using VPN.

    If the remote user connects and authenticates, then I would say accessing remote network resources is a permissions problem and not a VPN problem.

    0 Votes
    kjrees

    I don't think it's a permissions issue, because I can, from my home internet address, establish a VPN connection over the internet with their dial-in account and use Remote Desktop as them; I have no problems accessing resources. I'm guessing, but will confirm tomorrow, that their user is sitting on their LAN and from their PC creating a new VPN connection to our router's internet IP address (obviously through their own router). When I connect from home, the VPN (WAN PPP/SLIP interface) gets a secondary IP from DHCP at the office, as shown in ipconfig /all under the PPP adapter VPN settings. However, their internal IP address range is the same as the one that our server will give their VPN connection. I think it's a question of routing: how does their machine know it's an external address and not internal? It's like they're looking locally for our machines; they can't seem to find them even with a hosts file. I'm not overly experienced with this, so I might be talking nonsense! Any feedback would be great. I wonder if I could put in static values for IP address/DNS in the VPN connection or try an LMHOSTS entry. Please let me know if you have any more ideas! Kind regards,

    Kevin

    0 Votes
    CG IT

    Dial-in over ISDN is not VPN over the internet. The internet isn't involved at all, since you're dialing directly to a modem.

    The different private addressing using non-routable Class C isn't an issue, else VPN wouldn't be a viable remote access feature. There are literally millions of small networks out there with the 192.168.1/24 private Class C address ranges that use VPN all the time.

    If you can actually make a connection using PPTP VPN and go through the authentication process, then it's a matter of permission to see network services.

    Note: If there are no shared resources, you won't see a thing in My Network Places. If there are shared resources, they may be hidden from users. That's why I bring up the permissions issue. Permissions aren't necessarily NTFS permissions, but share permissions as well. Anyone with any wherewithal would delete the Everyone group from folders and assign permissions based on groups. If a user isn't a member of the group for shared resources, they won't see the resource [W2003 Server].

    0 Votes
    scott_heath

    Are you using a Windows RRAS Server for the dial-up/VPN connection?

    You never mentioned whether or not the person with the problem was able to ping the IP in question.

    It is possible that the computer isn't sure which network to route down, if the routing table entries are identical. I haven't seen this sort of problem before. What I am thinking is that if it is a Windows RRAS Server, it wouldn't be that difficult to change the subnet used for the VPN connections and see if it works. Or, if the client is dialing in instead of using the internet to connect, have them disable the other network interface and see what happens.

    0 Votes
    kjrees

    Thanks for your help, guys.

    I'm not using ISDN at all, and I am definitely using the internet for this connection! That much I'm sure of! We are using a Win2k RRAS Server, and the VPN user is just set up as a user with dial-in permissions; the RRAS server then lets anyone in with these dial-in permissions. I realise there are thousands of Class C networks using VPN, but I am sure it is not a network permissions problem. If that was the case, I'm sure they could access the shares on the server that have permission for Everyone enabled. I can't even see the server; they can't ping anything on our network either.

    I've done some ipconfigs from my end (LAN A) and his end (LAN B).

    LAN B's router has the same internal address as our RRAS server, which also acts as our WINS and DNS server. His DHCP server also exists on our local domain as a member server. So when his VPN connects, it gives him a primary WINS address which is the same as his router (we are an NT4 domain). Surely this is confusing his machine?! I'm more inclined to think along the subnet-changing route, etc. I'm sure it's not looking externally, but I don't really know what to change to resolve it. To change the subnet on the VPN: is that something that needs doing here, maybe on the RRAS server, or at LAN B's connection?

    thanks,

    Kevin

    0 Votes
    scott_heath

    I'd have to fiddle with it in a VM to give you super exact instructions, but you should be able to set up a new DHCP scope and, in the RRAS configuration, use that scope for your VPN addresses. You may need to add a route manually on your RRAS server so that it knows to send packets originating on your new subnet through the network interface you are currently using.

    0 Votes
    kjrees

    Hi, thanks for the reply.

    Thanks for that. I'm struggling to understand this a bit, sorry!! LAN_B is trying to RD our server; how does LAN_B's client know to go out through LAN_B's router to get to our (LAN_A) server? I'm not sure where the config change should be: LAN_A (us) or LAN_B (them). This is how I think the connection works:

    LANB Client VPN---> LANB Router--internet--LANA Router--->LANA RRAS Server--->LANA Server (Remote Desktop)

    I'm sure you'll know better than me, but could I be right in thinking that their router is not forwarding the requests? I asked LAN_B's guy to do some pinging. He can ping hosts on his network but not on ours. On his VPN connection (Details tab) he gets the correct server IP address from our machine and is also issued a client IP address which looks fine. I'd appreciate any instructions, as I'm not very experienced in this area; however, I do appreciate everyone's responses to the question so far.

    0 Votes
    richardmarkevans

    Hello,

    If you have no luck with this configuration, you can always use a Hamachi client at both ends.

    Install Hamachi (www.hamachi.cc) and set up a network. Do this at LAN_B as well and join the same network. The machine on LAN_B will show the initial machine in its dashboard with a 5.*.*.* IP address; use this to connect to the machine.

    Hamachi will automatically negotiate both firewalls; Remote Desktop will just need to be opened with the computer name as the IP address from the Hamachi console (5.*.*.*).

    We use this for quite a few remote access scenarios.

    Cheers.

    0 Votes
    scott_heath

    The normal flow of traffic in basic form:

    Computer's NIC - Router - Network

    But for the VPN it is:

    Computer's VPN Connection - Router at Destination - Network

    The VPN connection counts as a second interface. The computer's route table tells it where to go. Here are some sample routes from my system:

    Active Routes:
    NetDest      Netmask          Gateway     Interface
    0.0.0.0      0.0.0.0          10.1.1.1    10.1.1.18
    127.0.0.0    255.0.0.0        127.0.0.1   127.0.0.1
    10.1.1.0     255.255.255.0    10.1.1.1    10.1.1.18

    OK, so here's what it means. "0.0.0.0" is basically any network not listed in the table. It sends it to GW 10.1.1.1 on interface 10.1.1.18.

    You see network 10.1.1.0 is listed and is directed to GW 10.1.1.1 through interface 10.1.1.18. If the client's PC has an IP of 10.1.1.18, they connect to the external IP of your company to establish the VPN connection. Say 204.110.45.19. Once the connection is established, it gives the VPN connection an IP. We'll call it 10.1.1.146. The server to be termed into is 10.1.1.200. When the client computer attempts to decide where to find this device, it checks the route table. Since it sees 10.1.1.0 goes through interface 10.1.1.18, not 10.1.1.146, that is where it sends the request. But if 10.1.1.200 doesn't exist on their network, it will time out when you ping, or connect to the wrong device.

    The easiest solution, assuming you have a small number of clients on each end and this is a vital operation, would be to change the Class C private network you use. The next easiest thing would be to set up a network just for the VPN connections.

    I would not use Hamachi, as it routes your traffic through their servers, and depending on your business this could violate any number of regulations, since you can't prove who on the Hamachi network has access to your data, encrypted or otherwise. I use Hamachi to play StarCraft (I know, it's 9 years old, but I like it) with friends, and it's a great app for that sort of thing. I would not, however, risk any business data traversing their network.

    You could attempt to create a custom route for a single IP address using the "route add" command. If you want to try this let me know and I'll see if it can be done.
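
The route-table decision described in the post above, as an added worked example (not code from the original thread): a small Python model of how a Windows client picks an egress interface, longest prefix first and then lowest metric. It reuses the figures scott_heath gives (client 10.1.1.18, gateway 10.1.1.1, VPN server 204.110.45.19, tunnel address 10.1.1.146, target server 10.1.1.200); the extra rows a PPTP client adds while the tunnel is up, and all metrics, are assumptions for illustration. It then shows what the suggested single-IP `route add` would change.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_routes(table: str) -> List[Route]:
    """Parse 'route print'-style lines: <dest> <mask> <gateway> <interface> [metric].

    Lines that do not start with an address/mask pair (headers, separators)
    are skipped, so an 'Active Routes' block can be pasted in as-is.
    """
    routes: List[Route] = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue  # header or separator line
        metric = int(parts[4]) if len(parts) > 4 else 1
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Pick the route the client would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def add_host_route(routes: List[Route], dest: str, via: str) -> List[Route]:
    """Model 'route add <dest> mask 255.255.255.255 <via>' run on the client."""
    host = ipaddress.IPv4Network(dest + "/32")
    return routes + [Route(host, via, via, 1)]


# Constructed table for the LAN B client while the tunnel is up.  The first
# three rows follow the post's sample; the host route to the VPN server, the
# tunnel default route and the tunnel's own address are what a PPTP client
# typically installs.  Metrics are assumed.
LANB_CLIENT_TABLE = """
Active Routes:
NetDest        Netmask          Gateway     Interface   Metric
0.0.0.0        0.0.0.0          10.1.1.1    10.1.1.18   20
127.0.0.0      255.0.0.0        127.0.0.1   127.0.0.1   1
10.1.1.0       255.255.255.0    10.1.1.18   10.1.1.18   20
204.110.45.19  255.255.255.255  10.1.1.1    10.1.1.18   20
0.0.0.0        0.0.0.0          10.1.1.146  10.1.1.146  1
10.1.1.146     255.255.255.255  127.0.0.1   127.0.0.1   1
"""


def egress_interface(table: str, dest: str,
                     host_route_via: Optional[str] = None) -> str:
    """Return the interface address a packet to `dest` leaves on, optionally
    after a /32 host route for `dest` has been added via `host_route_via`."""
    routes = parse_routes(table)
    if host_route_via:
        routes = add_host_route(routes, dest, host_route_via)
    chosen = lookup(routes, dest)
    return chosen.interface if chosen else "unreachable"


if __name__ == "__main__":
    # 10.1.1.200 matches the /24 on-link route, so it never enters the tunnel;
    # the VPN server itself is pinned to the physical NIC; unknown networks
    # take the lower-metric tunnel default route.
    for target in ("10.1.1.200", "204.110.45.19", "8.8.8.8"):
        print(f"{target:>14} -> {egress_interface(LANB_CLIENT_TABLE, target)}")
    # A /32 host route is longer than the /24, so it wins regardless of metric.
    print("10.1.1.200 with /32 host route ->",
          egress_interface(LANB_CLIENT_TABLE, "10.1.1.200",
                           host_route_via="10.1.1.146"))
```

Two caveats on the host-route workaround: it has to be repeated for every LAN A address the client needs, and re-added whenever the tunnel comes up, and while it is in place any LAN B host that happens to share that address becomes unreachable from the client. It also does nothing for name resolution or NetBIOS browsing, so the Remote Desktop session has to be opened by IP. Renumbering one side so the two ranges no longer overlap removes the ambiguity entirely.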

    0 Votes
    CG IT

    You keep mentioning dial-in, and dial-in is to a modem over the phone lines. It's not a VPN in over the Internet.

    Open up the RRAS console. Look at your DHCP relay agent and configure it. Look at the miniports and the addresses assigned to them from DHCP [or the static pool you create for it].

    Inbound traffic over the internet requires a public, routable address, which then connects to RRAS for authentication. Once authenticated, RRAS provides a local LAN address to the public connection. It doesn't matter if both LANs have the same addressing. If that were the case, then the 192.168.1.1-253 Class C non-routable addressing couldn't be used for VPN except by just one LAN worldwide. That's just not the case.

    0 Votes
    CG IT

    Once you make a connection to the other network, you have to log in on the remote computer. Unless you use something like GoToMyPC or some other 3rd-party GUI, you're not going to have a GUI to use unless your network supports something like Remote Web Workplace.

    0 Votes
    yurki3

    "Demand-dial interfaces do not necessarily describe dial-up connections. VPN interfaces in Routing And Remote Access are always considered a type of demand-dial interface, even when they initiate and respond to communication over a T1 line."

    --

    Page 10-49, MCSA/MCSE exam 70-291, Windows Server 2003 Network Infrastructure.
    Self-Paced Training Kit, Second Edition. Microsoft Press.

    0 Votes
    yurki3

    At the moment I am reading the "Windows Server 2003 Network Infrastructure" book, and I just read that the last phase when creating VPN access from one domain to another over the internet is to have static routes deployed on each VPN server.

    The purpose is to direct traffic that goes to another VPN endpoint to the correct "demand-dial interface". These routes are also used for return traffic.

    Maybe that is what you need?

    An alternative to static routes is to use a routing protocol, like RIP.
    1. Take it into use at every VPN server.
    2. Add the VPN demand-dial interface to RIP and configure the other VPN servers as RIP neighbors.

    Microsoft also says that when using a routing protocol, ensure that the other routers support that protocol. It is also necessary to configure the network routers to accept updates from the VPN servers.
