Re: IP routing on VPN

From: Phillip Windell (_at_.)
Date: 02/11/04


Date: Wed, 11 Feb 2004 13:04:51 -0600


"David N" <david.naigles@lansa.com> wrote in message
news:eac801c3f0cc$63bea920$a401280a@phx.gbl...
> I have a RRAS Server set up as a VPN with two NICs. One is
> connected to a CISCO router and from there to the
> internet. It has a public IP address. The second is
> inside my LAN and has a private IP address. Neither of
> them has a default gateway. I am using DHCP to get RAS
> Client IP addresses from the LAN DHCP server. I set up a
> static route with 0.0.0.0 as destination, 0.0.0.0 as mask,
> and the router's IP address as the gateway. I also set up

Remove that route. Just use the Internet Router (frame relay router?) as
the Default Gateway of the public NIC. The private NIC should never have a
Default Gateway.

If your private LAN is a single subnet there are no routes to create, and if
there are subnets on the private side but the RRAS box serves as the
central router then there still are no routes to create. All the clients on
the private network may or may not require a Default Gateway,...it just
depends on the situation. If they did need one it would most likely be the
RRAS machine, but that isn't an absolute.

If there are subnets on the private side then a static route to each segment
must be added to the RRAS/VPN Server (not including the Public side). The
routes would point to whatever router takes it to the destination. The
rest can get really complicated. All clients would use the router that is in
their immediate subnet, then the router directly facing the RRAS/VPN box
would probably use the RRAS/VPN box as its Default Gateway, but again that
isn't absolute....it just depends.

VPN Clients, when getting the DHCP assignment, must use a Default Gateway
that agrees with what other clients using an IP# of the same subnet use. VPN
is really irrelevant, the client behaves just as any other client on the same
subnet behaves (VPN or no VPN) and is subject to the same settings and
rules.

Note that all public IP#s are meaningless to any of this VPN stuff. The
public IP#s do nothing more than serve as "phone numbers" for the VPN to
"dialup" to create the Tunnel. The public IP#s have no role in routing just
as the phone number serves no "routing purpose" for a typical modem based
dialup user.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
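
The routing rules in the reply above (one default gateway, on the public NIC only; a static route for each private subnet that is not directly attached) can be checked mechanically. The following is an added example, not part of the original post: the function name `audit_routes`, the NIC names and all addresses are constructed for illustration.

```python
import ipaddress

def audit_routes(nics, routes, private_subnets):
    """Return findings where a multihomed VPN server's routes break the advice.

    nics: {name: {"role": "public" | "private", "addr": "ip/prefix"}}
    routes: [(destination_cidr, gateway_ip, nic_name), ...]
    private_subnets: every CIDR that exists on the private side
    """
    findings = []
    ifaces = {n: ipaddress.ip_interface(c["addr"]) for n, c in nics.items()}
    parsed = [(ipaddress.ip_network(d), ipaddress.ip_address(g), n)
              for d, g, n in routes]

    # Exactly one default route, and it must leave through the public NIC.
    defaults = [r for r in parsed if r[0].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected exactly 1 default route, found {len(defaults)}")
    for _, gw, nic in defaults:
        if nics[nic]["role"] != "public":
            findings.append(f"default gateway {gw} is set on private NIC {nic}")
        elif gw not in ifaces[nic].network:
            findings.append(f"default gateway {gw} is not on-link for {nic}")

    # Each private subnet that is not directly attached needs a static route
    # through a router reachable on the private NIC.
    attached = {ifaces[n].network for n, c in nics.items() if c["role"] == "private"}
    for net in map(ipaddress.ip_network, private_subnets):
        if net in attached:
            continue
        matches = [r for r in parsed if r[0] == net]
        if not matches:
            findings.append(f"no static route for private subnet {net}")
        for _, gw, nic in matches:
            if nics[nic]["role"] != "private" or gw not in ifaces[nic].network:
                findings.append(f"route to {net} via {gw} is not via a private-side router")
    return findings

# Constructed sample data (documentation/RFC 1918 addresses, hypothetical names).
NICS = {"wan": {"role": "public", "addr": "203.0.113.10/29"},
        "lan": {"role": "private", "addr": "10.1.0.1/16"}}
PRIVATE = ["10.1.0.0/16", "10.2.0.0/16"]
GOOD = [("0.0.0.0/0", "203.0.113.9", "wan"), ("10.2.0.0/16", "10.1.0.254", "lan")]
BAD = [("0.0.0.0/0", "203.0.113.9", "wan"), ("0.0.0.0/0", "10.1.0.254", "lan")]

if __name__ == "__main__":
    for label, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_routes(NICS, table, PRIVATE) or "matches the advice")
```
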

