Re: VPN routing from NAT to NAT
From: Jeffrey Randow (MVP) (jeffreyr-support_at_remotenetworktechnology.com)
Date: 05/07/04
Date: Thu, 06 May 2004 20:44:45 -0500
You have two routes to the 192.168.1.0 network using different
gateways... This is not standard internet design... The only reason I
think you are connecting to the 192.168.1.125 gateway is that it is
listed last (but this is just a thought).
If it works for you, then leave it the way it is.. However, if one
wants to properly set up a TCP/IP network, then it should be segmented
and subnetted properly...
For more reference, see:
http://www.draytek.co.uk/support/vpn_check.html
http://www.chicagotech.net/routing.htm
http://www.unixathome.org/adsl/archives/2001_11/0061.html
http://groups.google.com/groups?q=vpn+subnet+same+as+local+LAN&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=CQpS7.4513%24ED6.745080%40typhoon.neo.rr.com&rnum=4
http://groups.google.com/groups?q=vpn+subnet+same+as+local+LAN&start=10&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=useEwEp1BHA.2800%40tkmsftngp07&rnum=14
All I am saying is that this is not best practice for other users to
follow unless they are willing to deal with the ramifications and the
potential problems that could pop up.. Many have posted here for the
last three years (or since the end of the XP beta when these
newsgroups went live) who have had problems that were fixed the moment
they changed their local IP network to something different than the
office network.
In an ideal world, we would not have this discussion - this is a
limitation that NAT firewall devices and routers have foisted upon us.
NAT causes many of the issues that we have to strive to work around in
these discussions.
VPN connections are finicky depending on your exact network
configurations (i.e., NetBIOS over TCP enabled, presence of WINS
Servers, presence of DNS servers, whether you use PPTP or L2TP,
default gateways on remote networks, etc.). One solution doesn't fit
all cases. I have office users I support running different patch
levels of Windows XP who each get different VPN experiences when
connecting to my office network.
Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com
Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....
Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
On Mon, 03 May 2004 06:20:13 GMT, spam@spam.com (Bob) wrote:
>On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Post your routing table...
>
>+++++
>Interface List
>0x1... MS TCP Loopback interface
>0x2...00 50 04 d9 4f 6a...3Com EtherLink PCI
>0x4000004...00 53 45 00 00 00...WAN (PPP/SLIP) Interface
>Active Routes:
>0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
>x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
>127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
>192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
>192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
>192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
>192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
>192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
>192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
>224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
>224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
>255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
>Default Gateway: 192.168.1.1
>Persistent Routes: None
>+++++
>
>I had to remove the spaces so it would not wrap.
>
>>If you are accessing machines using the
>>VPN gateway, which is what you are saying is happening, you will not
>>be able to access local machines (on the same subnet) without at least
>>a timeout...
>
>There is no timeout. I can access the VPN machine and the LAN machine
>right away. I go to Start Run, which already has the two addresses
>from previous use. I click on one and a window opens immediately. I
>click on the other and a window opens immediately. No timeout, at
>least none apparent to me. Admittedly, there is a small hesitation
>when I access the VPN machine, but I attribute that to the fact that
>it is a remote machine and not on my 100BaseTX LAN.
>
>>The point is that this is a convoluted solution and the best option is
>>to not operate on the same subnet if at all possible.
>
>I am really trying to discover why you are saying that, but I am
>unable because every time you make a claim, it isn't that way - at
>least not as I see it. You claim I can't access the LAN machine, yet I
>am able to. You claim there will be a timeout, yet there isn't any.
>
>>Trying your scenario on a Virtual PC setup does not work in my case
>>when I have the Use the default gateway option set - I have
>>connectivity to the VPN environment, but not to my local LAN... With
>>the default gateway disabled, I have access to the LAN, but no VPN
>>access.
>
>I have no earthly idea what you just said.
>
>You did not answer my earlier question:
>
>What if I set up the VPN server and the VPN client so that the allowed
>range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
>client address is 192.168.2.125, but I do not change anything else. I
>do not change the router, I do not change the LAN parameters - I just
>change the VPN parameters.
>
>What would happen then?
>
>Presumably I would get a conflict because when I connect the
>\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
>becomes a member of the \\vpnserver's LAN. Therefore it would seem
>that it needs the same subnet. Nevertheless I will experiment with
>that when I get time.
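The duplicate 192.168.1.0 routes discussed in this message can be checked mechanically. The Python below is an added example, not part of the original posts: it parses the Active Routes rows as posted (assuming the usual `route print` column order) and reports destinations that have equal-metric routes on more than one interface. The function names are illustrative, and the code does not model how Windows breaks such a tie.

```python
import ipaddress
from collections import defaultdict

# "Active Routes" rows as posted in the thread, including the redacted row.
# Assumed column order: destination, netmask, gateway, interface, metric.
ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
"""

def parse_routes(text):
    """Return (network, interface, metric) tuples; skip rows that do not parse."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, _gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # the redacted x.x.x.x row lands here
    return routes

def ambiguous_destinations(routes):
    """Destinations with equal-metric routes on more than one interface."""
    groups = defaultdict(set)
    for net, iface, metric in routes:
        groups[(net, metric)].add(str(iface))
    return {str(net): sorted(ifs) for (net, _m), ifs in groups.items() if len(ifs) > 1}

def best_routes(routes, dest):
    """Interfaces of the longest-prefix, lowest-metric matches; two or more is a tie."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return []
    key = max((r[0].prefixlen, -r[2]) for r in matches)
    return sorted(str(r[1]) for r in matches if (r[0].prefixlen, -r[2]) == key)
```

Calling `best_routes(parse_routes(ROUTES), "192.168.1.50")` (a constructed host address) returns both 192.168.1.10 and 192.168.1.125, which is the two-routes-to-one-network condition the reply describes.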