Internet routes through VPN

By trillie.mensi
We are having some trouble with the VPN set up on our gateway running Windows Server 2008. We used the wizard to set up the VPN and NAT along with DNS, DHCP and WINS but are having a couple issues.

1. We do not get NAT internet to VPNed in clients, but machines connected to the gateway via LAN don't have a problem.

2. VPNed in clients also can't address other machines on the network by name, although they are IP addressable.

Is there something we need to reconfigure or a route to add to prevent this? Or could it be a security policy setting? Here's the route list if that sheds any light on things. (198.185.164.30 is the static IP for the internet connection and 10.173.19.* is the internal LAN).

Thanks!


Interface List
13 ...00 15 17 1c 86 cd ...... Intel(R) PRO/1000 PT Dual Port Server Adapter #2

11 ...00 18 8b 84 f5 39 ...... Broadcom NetXtreme Gigabit Ethernet #2
18 ........................... RAS (Dial In) Interface
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
14 ...00 00 00 00 00 00 00 e0 isatap.{828665B5-0150-4A2A-802F-5A2B878D4569}
16 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
24 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17 ...00 00 00 00 00 00 00 e0 isatap.{288359A4-7BAE-48E5-A513-7748A915E789}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 198.185.164.5 198.185.164.30 266
10.0.0.0 255.0.0.0 On-link 10.173.19.2 266
10.173.19.2 255.255.255.255 On-link 10.173.19.2 266
10.173.19.21 255.255.255.255 10.173.19.21 10.173.19.29 16
10.173.19.22 255.255.255.255 10.173.19.22 10.173.19.29 16
10.173.19.24 255.255.255.255 10.173.19.24 10.173.19.29 16
10.173.19.25 255.255.255.255 10.173.19.25 10.173.19.29 16
10.173.19.26 255.255.255.255 10.173.19.26 10.173.19.29 16
10.173.19.27 255.255.255.255 10.173.19.27 10.173.19.29 16
10.173.19.28 255.255.255.255 10.173.19.28 10.173.19.29 16
10.173.19.29 255.255.255.255 On-link 10.173.19.29 271
10.255.255.255 255.255.255.255 On-link 10.173.19.2 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
198.185.164.0 255.255.255.0 On-link 198.185.164.30 266
198.185.164.30 255.255.255.255 On-link 198.185.164.30 266
198.185.164.255 255.255.255.255 On-link 198.185.164.30 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.173.19.2 266
224.0.0.0 240.0.0.0 On-link 198.185.164.30 266
224.0.0.0 240.0.0.0 On-link 10.173.19.29 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.173.19.2 266
255.255.255.255 255.255.255.255 On-link 198.185.164.30 266
255.255.255.255 255.255.255.255 On-link 10.173.19.29 271
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 198.185.164.5 Default
0.0.0.0 0.0.0.0 198.185.164.5 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 1110 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
15 1010 2002::/16 On-link
15 266 2002:c6b9:a41e::c6b9:a41e/128
On-link
13 266 fe80::/64 On-link
11 266 fe80::/64 On-link
11 266 fe80::20b9:179b:159:f7fe/128
On-link
13 266 fe80::adfd:8941:55cb:4e00/128
On-link
1 306 ff00::/8 On-link
13 266 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
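
To read the IPv4 route list above the way the gateway does, this added example (not part of the original post) parses a subset of the posted rows and picks the egress by longest-prefix match with the metric as tie-breaker. The function names are illustrative, and 203.0.113.10 is a constructed stand-in for an Internet host.

```python
import ipaddress

# Subset of the IPv4 "Active Routes" rows posted in the question:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 198.185.164.5 198.185.164.30 266
10.0.0.0 255.0.0.0 On-link 10.173.19.2 266
10.173.19.2 255.255.255.255 On-link 10.173.19.2 266
10.173.19.21 255.255.255.255 10.173.19.21 10.173.19.29 16
10.173.19.29 255.255.255.255 On-link 10.173.19.29 271
198.185.164.0 255.255.255.0 On-link 198.185.164.30 266
198.185.164.30 255.255.255.255 On-link 198.185.164.30 266
"""

def parse_routes(text):
    """Parse whitespace-separated `route print` rows into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or wrapped line
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes

def egress(routes, address):
    """Return (interface, gateway) for `address`, or None if no route matches.

    Selection order: longest matching prefix first, then lowest metric.
    """
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r["network"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))
    return best["interface"], best["gateway"]

ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    # A VPN client, a LAN host, the upstream router, and an Internet host.
    for target in ("10.173.19.21", "10.173.19.50", "198.185.164.5", "203.0.113.10"):
        print(target, "->", egress(ROUTES, target))
```

In this table the VPN client's /32 host route leaves through the 10.173.19.29 interface, while Internet destinations fall through to the default route on 198.185.164.30.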


All Answers

Gateway address

by john In reply to Internet routes through V ...

Not sure how you're going about setting up the routing, but from my experience, the gateway address and interface address on your 0.0.0.0 destination should both be equal to the IP address of the network interface (or virtual interface).... you have a .5 address showing up under gateway which may be correct, but if .30 is the address of your internet gateway it doesn't belong there on the IF address....

Your other issue, with computer names has to do with DNS and WINS I believe, but I don't know much more than that, sorry. I'd start by making sure the IP addresses for the DNS and WINS server(s) are being set correctly.... and actually show up as properly set on the VPN client machine... if your DNS is pointing to your internet gateway that could be the issue.... it probably needs to go through your server...

DNS and WINS seem ok

by trillie.mensi In reply to Gateway address

They point to 10.173.19.2, which is the machine being VPNed in to. However, Default Gateway is 0.0.0.0; does that seem correct?

DNS and WINS server

by john In reply to DNS and WINS seem ok

Depending on what operating system the VPN clients are using, you may need to enable NETBIOS over TCP/IP...

The Default Gateway should be showing up on the VPN client machine as either 198.185.164.30 or 10.173.19.2... 0.0.0.0 is definitely a problem... see if you can set it to either of these manually (just as a test) to find out what works... but it sounds like there is a config error on the VPN server that is not passing the internet gateway address...

Easy to fix

by robo_dev In reply to Internet routes through V ...

Make sure that the VPN server is configured with the IP addresses of the appropriate DNS and WINS servers.

If domain authentication is required, force the clients to use TCP for Kerberos, not UDP. Windows authentication uses Kerberos, and uses UDP as its first choice. UDP is connectionless, and packets get out of order and are dropped.
http://support.microsoft.com/kb/244474

The Internet problem is because the default gateway of the PC needs to be handled differently over a VPN connection...

There's an advanced setting on most VPN clients that says:
"use default gateway on remote network"

Otherwise the PC thinks your site is the Internet, which it most likely is not....

Not on a domain

by trillie.mensi In reply to Easy to fix

We are not on a domain (using workgroups), and we would like to get to the internet through the VPN and *not* through the default gateway on the PCs. Reason for this is there are ports blocked on our corporate firewall which we have been explicitly given permission to use the VPN on servers outside the firewall which can open up these ports.

We had a previous set up running under Windows 2003 which worked perfectly, but 2008 wizard doesn't seem to do it the same way.

VPN to internet to which ISP?

by CG IT In reply to Not on a domain

VPN is in essence a point to point tunnel so.... if you want internet access via VPN, what network is providing the internet access that clients VPN to? If you VPN in and setup a persistent connection between the W2008 server and the other endpoint, then clients must use the W2008 tunnel. So ICS on W2008 runs and clients use that route.

Windows Server 2008 isn't even out yet so you must be using a beta copy. Even then, there's 2 versions of each flavor. Core and Full. I assume you're using the full version.

WINS only works on your subnet not the other network you're connecting to [unless they setup their WINS to register VPN clients].

Also you have IPv6 enabled. It's possible that IPv6 is causing the problem.
