Re: vpn probl
- From: "JMS" <jms_pt@xxxxxxxxxxxxx>
- Date: Fri, 1 Jul 2005 08:55:28 +0100
Hello Bill
If i have only 1 connection from the 2nd site for example the vpn it only
connects if someone from the 2nd site try to reach at someone at site 1
but and if someone at site 1 try to reach at someone at site 2?? it can't
because if i only have one connection - Site 2 ---> to ----> Site 1, isn't
right?
I need to both ends can initiate connections (this isn't a persistent
connection to save bandwidth).
About the other sites that i need to join, they all need to see eachother,
i'll connect all to the main office and then i think that they will be able
to see eachother.after configuring dns, wins, stabilishing trusts, static
routes, etc....
But if i put the staitc routes on routers on my adsl router as you suggested
i don't know how this will work... i've never tryed similar configuration...
Remember the vpn connection is made by rras servers not from routers.....
Obs(I still don't understande why my vpn remote routers can only initiate
connection from at site one, i'm sorry to insist but i would like to
understand what is causing this...)
Thanks
Best regards
"Bill Grant" <not.available@online> escreveu na mensagem
news:uZDC9tdfFHA.3460@xxxxxxxxxxxxxxxxxxxxxxx
> 1. No, you don't need RIP. Static routing can handle a straight-forward
> setup like this.
>
> 2. You should not really need to have these connect from both ends. The
> one connection handles the routing in both directions. It is probably
> better to standardise on having the branches connect to the main office.
> That way they all validate against the same database.
>
> 3. Have you considered how you are going to handle the routing when you
> have more than one branch? Do you want the branches to be able to see each
> other, or just branch to HO? You can set it up either way.
>
> 4. If the VPN router is not the default router, I prefer to use the
> following method. Set the clients to use the default router as their
> default gateway, and add a static route to the default router to redirect
> private traffic to the VPN router. The clients will "learn" to use this
> gateway automatically (through redirect messages from the router). You
> don't need RIP to do it.
>
> JMS wrote:
>> Ok i think that i discovered the problem...
>>
>> i've the gateway on workstations in remote site pointing to adsl
>> router and not to vpn server, so when workstations needed to reply to
>> the ping requests they were trying to respond though their gateway
>> that was the adsl router and not the vpn rras server so to solve this
>> problem I a add in my vpn server two static routes 0.0.0.0 with
>> gateway pointing to adsl router and a static route 172.16.x..x
>> pointing to vpn remote router in rras, and now the gateway in my
>> remote workstations is now my vpn server so My vpn server is now
>> handeling the static routes so, when remote workstations need to ping
>> 172.16.x.x they go though Vpn remote router, and when they need to go
>> to internet they go to adsl router. I think this is the right way to
>> proceed?? Is it???. do i need to enable RIP on my vpn server? i need
>> to join more two remote sites to this two....
>> Site 1 :
>> Vpn server(Windows2003 With ISA server)
>>
>> Nic1: Tcp/Ip: 172.16.0.254
>> Mask: 255.255.248.0
>> Dns: 172.16.0.254
>>
>> Nic 2:
>> Tcp/Ip: 192.168.200.2
>> Mask: 255.255.252.0
>> Gateway: 192.168.200.1
>> Dns: 172.16.0.254
>>
>> Vpn Static Routes:
>> Static routes: 0.0.0.0 Mask 0.0.0.0 Gateway:
>> 192.168.200.1
>> 192.168.2 Mask 255.255.255.0 Gateway:
>> RemoteRouterSite1 (With userAccount assign)
>>
>> Router On site 1
>> Tcp/Ip: 192.168.200.1
>>
>> Workstations on site 1:
>> From 172.16.2.x (Gateway and dns pointing to 172.16.0.254)
>>
>> ------------------------------------------------------------------------
>> Site 2
>> Vpn server (Windows2003 no isa server installed)
>> Only one nic Tcp/Ip: 192.168.2.254
>> Mask: 255.255.255.0
>> Gateway: 192.168.2.2
>> Dns: 192.168.2.254
>> Vpn Static routes:
>> Static routes: 0.0.0.0 Mask: 0.0.0.0 Gateway:
>> 192.168.2.2
>> 10.10.0.0 Mask: 10.10.0.0 Gateway:
>> 192.168.2.1 (Cisco router with dedicated line connected to another
>> site it's working with no problems)
>> 172.16.x.x Mask:255.255.0.0 Gateway:
>> RemoteRouterSite2(With userAccount assign)
>>
>> Router1 with Firewall On site 2 (dedicated line)
>> Tcp/Ip: 192.168.2.1
>>
>> Router2 (with Firewall On site 2)
>> Tcp/Ip: 192.168.2.2
>>
>> Workstations on site 2:
>> From 192.168.2.x (Gateway and dns pointing to 192.168.2.254)
>> ------------------------------------------------------------------------
>>
>>
>> Onother thing
>> I just don't understand why i only can initiate my remote router vpn
>> connection only from my 1 site???
>> i configured a remote router (assigned to a user account) on the 1
>> and 2 site, so when one is connected the other connects automaticaly
>> and it works fine the problem is that i need to initiate connections
>> from both sites when needed.. so if i ping some workstation on 2 site
>> that is on 192.168.2.x the remote router connects with no problems
>> and the router on 2 site automaticaly connects too. But if i try to
>> connect from 2 site to the 1 gives me error telling me that the
>> remote router on site 1 can't accept more connections because it
>> reach the limit??? and i go to see if that router is already connect
>> and its not?? Thanks again for your time...
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> "Phillip Windell" <@.> wrote in message
>> news:eJj3uWbfFHA.3656@xxxxxxxxxxxxxxxxxxxxxxx
>>> "JMS" <jms_pt@xxxxxxxxxxx> wrote in message
>>> news:%23Hc1GBbfFHA.3280@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello everyone
>>>> I've Site to site Vpn configuration and both rras servers can ping
>>>> eachother and they also can ping both sites workstations, the
>>>> problem is that the workstations on each site can't ping the server
>>>> on the remote site or the workstations on remote site. I've setup a
>>>> static route in both sites for each Remote router vpn connection,
>>>
>>> I don't think you need any other "route". The routing is working if
>>> those RRAS boxes can ping workstations on the opposite side. Ping
>>> requires two way
>>> functionality (the reply has to know how to get back to the sender),
>>> so that
>>> implies a valid path is established.
>>>
>>> But at this point I don't know what to tell you. Your setup is still
>>> just a
>>> little bit too "fuzzy" for me. What is the topology like at each
>>> Site? Single subnet or multple? If multiple, is a LAN Router being
>>> used or are you
>>> trying to "double" a Firewall or Proxy as some kind of LAN Router? Is
>>> the RRAS VPN Server also acting as the LAN's "Firewall" by using
>>> the NAT ability
>>> of RRAS?
>>>
>>> --
>>> Phillip Windell [MCP, MVP, CCNA]
>>> www.wandtv.com
>>> -----------------------------------------------------
>>> Understanding the ISA 2004 Access Rule Processing
>>> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>>>
>>> Microsoft Internet Security & Acceleration Server: Guidance
>>> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
>>> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>>>
>>> Microsoft Internet Security & Acceleration Server: Partners
>>> http://www.microsoft.com/isaserver/partners/default.asp
>>> -----------------------------------------------------
>
>
.
- References:
- Re: vpn probl
- From: JMS
- Re: vpn probl
- From: Bill Grant
- Re: vpn probl
- Prev by Date: Re: Duplicating Workstation on Network
- Next by Date: Shared Printers 2003 vs 98
- Previous by thread: Re: vpn probl
- Next by thread: Re: vpn probl
- Index(es):
Relevant Pages
|
