Re: vpn probl
- From: "JMS" <jms_pt@xxxxxxxxxxx>
- Date: Sat, 2 Jul 2005 00:33:15 +0100
Hello Phillip Windell
Ok, no questions about it, the best place to put the routing tables is in
the router device as you said, but in my configuration I don't need to
update routing tables in clients. If I have 3000 workstations they'll only
have 1 default gateway (only one 0.0.0.0 static route) that is my VPN server,
and then my VPN server has the several static routes redirecting
their needs.
But I agree with you when you say that there's no need to put those static
routes on my VPN server because I already have a router that can do this
job for me, instead of the VPN server.
Anyway my routing topology is a distributed messaging topology.
I'm not quite sure if you saw my reply to Bill Grant about my network
configuration but here it is again (only the part I'm working on now):
Obs: (until now no one could explain to me why I can initiate my VPN
connection only from one site??
Here it goes again my explanation about this problem as I said before:
>> Another thing
>> I just don't understand why I can initiate my remote router VPN
>> connection only from my 1 site???
>> I configured a remote router (assigned to a user account) on the 1
>> and 2 site, so when one is connected the other connects automatically
>> and it works fine. The problem is that I need to initiate connections
>> from both sites when needed.. so if I ping some workstation on 2 site
>> that is on 192.168.2.x the remote router connects with no problems
>> and the router on 2 site automatically connects too. But if I try to
>> connect from 2 site to the 1 it gives me an error telling me that the
>> remote router on site 1 can't accept more connections because it
>> reached the limit??? and I go to see if that router is already connected
>> and it's not?? Thanks again for your time...
)
Site 1 :
Vpn server(Windows2003 With ISA server)
Nic1:
Tcp/Ip: 172.16.0.254
Mask: 255.255.248.0
Dns: 172.16.0.254
Nic 2:
Tcp/Ip: 192.168.200.2
Mask: 255.255.252.0
Gateway: 192.168.200.1
Dns: 172.16.0.254
Server Vpn Static Routes:
0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1(Adsl Router)
192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (With
userAccount assign)
Tcp/Ip range to Workstations on site 1:
From 172.16.2.x (Gateway and dns pointing to 172.16.0.254)
------------------------------------------------------------------------
Site 2
Vpn server (Windows2003 no isa server installed)
Only has one nic
Tcp/Ip: 192.168.2.254
Mask: 255.255.255.0
Gateway: 192.168.2.2
Dns: 192.168.2.254
Server Vpn Static routes:
0.0.0.0 Mask: 0.0.0.0 Gateway:192.168.2.2(Adsl router with Firewall)
10.10.0.0 Mask: 255.255.0.0 Gateway:192.168.2.1 (Cisco router with
dedicated line connected to another site and it's working with no problems)
172.16.x.x Mask:255.255.0.0 Gateway:RemoteRouterSite2(With userAccount
assign)
Tcp/Ip range to Workstations on site 2:
From 192.168.2.x (Gateway and dns pointing to 192.168.2.254)
------------------------------------------------------------------------
Thanks again for your time
Best regards
"Phillip Windell" <@.> wrote in message
news:%23NknrckfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
> "JMS" <jms_pt@xxxxxxxxxxx> wrote in message
> news:%23zIQo$bfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
>> Ok i think that i discovered the problem...
>
> No. I think you are digging a deeper hole to bury yourself in. It would
> have been better for you to just explain your topology better so this
> could be solved instead of making it even more "murky" and piling on more
> "settings" that may be incorrect.
>
>> I've the gateway on workstations in remote site pointing to adsl router
>> and not to vpn server, so when workstations needed to reply to the ping
>> requests they were trying to respond through their gateway that was the
>> adsl router and not the vpn rras server so to solve this problem I add
>> in my vpn server two static routes 0.0.0.0 with gateway pointing to adsl
>> router and a
>
> That is not a Static route that is a Default Route. You cannot use more
> than one 0.0.0.0 Route, and the one is already created by the Default
> Gateway entry in the GUI. Your Static Routes must use a specific Network
> (not 0.0.0.0).
>
> The right way to do this is place a Static route for the opposite Site on
> the ADSL Router that tells it that traffic to that segment must use the
> VPN Device. The ADSL Device also needs the remote segment's IP Range added
> to its Local Address Table. Repeat the process on the opposite Site.
>
> The LAN at each side of the VPN must designate *something* to behave as
> the LAN Router for that particular segment (a real router, a NAT-Firewall,
> the VPN Device, whatever). Whatever you use you must be consistent and not
> run around all over the place clicking here, changing there, adding here,
> and deleting over there.
>
> Choose whatever device is the most dependable, least likely to be
> changed, least likely to ever be removed. Then that device becomes the
> Default Gateway for all the Clients. If that Device is not the DSL Device,
> then *its* Default Gateway becomes the DSL Device.
>
> The NAT-Device (DSL Device) then must "know" that the IP Ranges of both
> segments are *local* and will include them in the Local Address Table (or
> whatever that vendor calls the equivalent). If this Device is going to be
> the Segment's LAN Router, then it needs to have a Static Route that tells
> it that to get to the opposite Site it must use the VPN Device. You do not
> have to alter the Route Table on the Clients,..the Clients are the last
> place to ever create routes. Imagine if you had 3000 Clients,..how would
> you ever expect to maintain all that?
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
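Added example, not part of the original thread: a longest-prefix-match lookup over the two VPN servers' route tables as posted above, showing which next hop each server picks for a request and for its reply. Assumptions: "192.168.2" is read as 192.168.2.0/24 and "172.16.x.x" as 172.16.0.0/16, the on-link entries are derived from each NIC's address and mask, and the host addresses used are constructed samples.

```python
import ipaddress

# Route tables transcribed from the post (destination/mask, next hop).
# Assumptions: "192.168.2" -> 192.168.2.0 and "172.16.x.x" -> 172.16.0.0;
# "on-link" rows are derived from the NIC address and mask on each server.
SITE1 = [
    ("172.16.0.0/255.255.248.0", "NIC1 (on-link)"),
    ("192.168.200.0/255.255.252.0", "NIC2 (on-link)"),
    ("0.0.0.0/0.0.0.0", "192.168.200.1 (ADSL router)"),
    ("192.168.2.0/255.255.255.0", "RemoteRouterSite1 (demand-dial)"),
]
SITE2 = [
    ("192.168.2.0/255.255.255.0", "NIC (on-link)"),
    ("0.0.0.0/0.0.0.0", "192.168.2.2 (ADSL router)"),
    ("10.10.0.0/255.255.0.0", "192.168.2.1 (Cisco router)"),
    ("172.16.0.0/255.255.0.0", "RemoteRouterSite2 (demand-dial)"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_s, hop in table:
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def default_routes(table):
    """Count 0.0.0.0/0 entries; the reply above says there can be only one."""
    return sum(ipaddress.ip_network(n).prefixlen == 0 for n, _ in table)


def round_trip(src, dst):
    """Next hop chosen on the site 1 server for the request (towards dst)
    and on the site 2 server for the reply (back towards src)."""
    return lookup(SITE1, dst), lookup(SITE2, src)


if __name__ == "__main__":
    # Constructed sample hosts: a site 1 workstation pinging a site 2 one.
    print(round_trip("172.16.2.10", "192.168.2.50"))
    # Site 2 routes all of 172.16.0.0/16 into the tunnel, while site 1's
    # LAN mask (255.255.248.0) only covers 172.16.0.0 - 172.16.7.255.
    print(lookup(SITE2, "172.16.9.1"), "|", lookup(SITE1, "172.16.9.1"))
```
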