Re: VPN routing from NAT to NAT


From: Bob (spam_at_spam.com)
Date: 05/02/04


Date: Sun, 02 May 2004 21:00:55 GMT

On Sat, 01 May 2004 23:28:14 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>In summary, if you are willing to lose all LAN connectivity while on
>the VPN, you can perhaps coexist on the same subnet.. However, all
>internet accesses, etc., will go over the VPN link, not directly out
>of your computer...

Wrong, at least on my setup.

There are two Win2K machines, one named "vpnserver" at a remote
location behind a Linksys BEFSR41 router with LAN address 192.168.1.10
and the other named "vpnclient" at home behind a Linksys BEFSR41
router with LAN address 192.168.1.10. I am on the home machine.

The VPN server software is set up to allow a range of addresses
192.168.1.100 - 192.168.1.200 and to permit the VPN client to specify
its VPN IP address. The VPN client software is set up to ask for
192.168.1.125. All IP addresses, both LAN and VPN are static.

There is a third machine which is on the home LAN with static IP
address 192.168.1.20. Its name is irrelevant.

The home machine \\vpnclient connects to the remote machine
\\vpnserver successfully. I look in the STATUS|Details page of the VPN
client icon sitting in the tray. It says that the VPN server is
192.168.1.100 and the VPN client is 192.168.1.125 - both as expected.

I access the remote server at \\192.168.1.100 (I would use the NetBIOS
name \\vpnserver but that is not always reliable because, although I do
have a HOSTS table entry, for reasons I do not understand it does not
always work.) I can access the machine by using:

Start|Run|\\192.168.1.100

RightClickDesktop|New|Shortcut|\\192.168.1.100

The shortcut method is preferred because it leaves you with a
permanent window to access the remote machine again later.

OK, so far so good. I am connected to the remote machine over the VPN
and I can access the shares on the remote machine. There is a
directory built specifically for me to use called c:\vpnclient and I
have full permission to use it. I create a text file and put it in
that directory. There are also some other directories I have read-only
permission which I can download files from. Everything works as
expected.

Now I try to access the local area machine on my LAN, the one with IP
address 192.168.1.20. I use the same method of accessing shares
described above and sure enough I have access in a window just like I
would have when I am not connected to the VPN. Clearly I have not lost
all LAN connectivity as you claim.

That's because the address space in the subnet has been split into two
regions and each region is bound to the appropriate adapter. The
system knows where to send packets based on those bindings.

If the IP address is below 192.168.1.100 or above 192.168.1.200, then
the system knows to send the packets to the LAN adapter, as if there
is no VPN.

If the IP address is in the range 100 - 200, then the system knows to
send the packets to the VPN adapter, in which case the system knows
how to send them thru the VPN tunnel.

>Browse to the Router's admin interface... On the main config page,
>you can change the LAN IP Address of the router.. If you want, you
>can change it to 192.168.2.x, or whatever... Let the router reboot,
>and then release and renew the IP address for your computer (ipconfig
>/release and ipconfig /renew). The router will then assign you an
>address on the new LAN network (i.e., 192.168.2.x)... Every router I
>have seen offers this ability, so I don't understand why this is an
>issue.

It's not an issue. It's something I was never aware of because I never
played with it. But thanks for the heads up - it is useful to know.

>I'm not missing that... The metrics determine which route to take..

OK, let's ask this question.

What if I set up the VPN server and the VPN client so that the allowed
range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
client address is 192.168.2.125, but I do not change anything else. I
do not change the router, I do not change the LAN parameters - I just
change the VPN parameters.

What would happen then?

Presumably I would get a conflict because when I connect the
\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
becomes a member of the \\vpnserver's LAN. Therefore it would seem
that it needs the same subnet. Nevertheless I will experiment with
that when I get time.

In the meantime, I can access the machine on my LAN and the machine on
the VPN at the same time without any problems other than the usual
trouble with using NetBIOS names, which is a Win2K problem because
there is no place in the VPN software to enable NetBIOS like there is
in the VPN for XP.

-- 
Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/
"You can all go to hell, and I will go to Texas."
--David Crockett

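The route selection the two posters are arguing over, as an added example that is not from the post or from either participant: a small Python model of how a host picks an adapter for a destination, using longest-prefix match first and the lowest metric to break ties, over a constructed route table for a machine with a 192.168.1.0/24 LAN and a VPN adapter. The table entries, the metrics and the `without_remote_default` helper are assumptions for illustration, not values reported in the thread.

```python
import ipaddress

# Constructed route table (assumption, not from the post) for a host on a
# 192.168.1.0/24 home LAN with a PPTP-style VPN adapter up.
# Entries: (destination prefix, adapter, metric)
ROUTES = [
    ("0.0.0.0/0",        "LAN", 20),  # default route via the home router
    ("0.0.0.0/0",        "VPN", 1),   # default route added for the tunnel
    ("192.168.1.0/24",   "LAN", 20),  # directly connected home LAN
    ("192.168.1.100/32", "VPN", 1),   # host route to the VPN server end
    ("192.168.1.125/32", "VPN", 1),   # host route for the client's VPN address
]


def select_route(dest, routes=ROUTES):
    """Return (prefix, adapter) for dest: the most specific matching prefix
    wins; among equally specific prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, adapter, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)   # longer prefix, then lower metric
        if best is None or key > best[0]:
            best = (key, prefix, adapter)
    return None if best is None else (best[1], best[2])


def without_remote_default(routes=ROUTES):
    """Hypothetical helper: the same table with the VPN default route removed,
    i.e. 'use default gateway on remote network' turned off."""
    return [r for r in routes if not (r[0] == "0.0.0.0/0" and r[1] == "VPN")]


def adapters_for(dests, routes=ROUTES):
    """Map each destination to the adapter the table would send it to."""
    return {d: (select_route(d, routes) or (None, None))[1] for d in dests}


if __name__ == "__main__":
    # With both LANs numbered 192.168.1.0/24, only destinations covered by a
    # more specific route leave via the VPN; the rest of the /24 stays local.
    for d, a in adapters_for(["192.168.1.20", "192.168.1.100",
                              "192.168.1.150", "8.8.8.8"]).items():
        print(f"{d:>15} -> {a}")
    print("Internet with VPN default removed ->",
          select_route("8.8.8.8", without_remote_default())[1])
```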
