Re: vpn probl



I suspect one reason you are having trouble getting this working is the
fact that you have ISA server at one end and not at the other. Setting up a
site to site link in ISA creates a file to configure the "answering" router.
The RRAS setup does not have this feature. You will probably need to
configure the RRAS end manually, including creating an account for the
connection (if you want to be able to connect from the ISA end). It will get
a bit messy.

Having some sites using 192.168. addresses and some using 172.16.
isn't going to make things easy if you want to route between them. The usual
way to set up the routing is a hub and spoke model. The central site is the
hub (as all other sites have a VPN link {or spoke} to the hub). All traffic
from one site to another goes down a spoke, then up another spoke if
necessary.

From a routing point of view, this is easiest if the sites all use IP
addresses which are easily bundled. So if all sites use 172.16.x.0/24
addresses, the routing is simple. At the non-central sites you just send all
172.16 traffic down the spoke (using 172.16.0.0/16). Only the central site
needs routes to these other sites.

JMS wrote:
> Hello Phillip Windell
>
> Ok, no questions about it, the best place to put the routing tables
> is in the router device as you said, but in my configuration I don't
> need to update routing tables in clients. If I have 3000 workstations,
> they'll only have 1 default gateway (only one 0.0.0.0 static route),
> that is my VPN server, and then my VPN server has the several
> static routes redirecting their traffic as needed.
>
> But I agree with you when you say that there's no need to put those
> static routes on my VPN server, because I already have a router that
> can do this job for me instead of the VPN server.
>
> Anyway, my routing topology is a distributed messaging topology.
>
> I'm not quite sure if you saw my reply to Bill Grant about my network
> configuration, but here it is again (only the part I'm working on now):
>
>
>
> Obs: (until now no one could explain to me why I can initiate my VPN
> connection only from one site??
>
> Here it goes again, my explanation about this problem as I said before:
>
>>> Another thing.
>>> I just don't understand why I can only initiate my remote router VPN
>>> connection from my site 1???
>>> I configured a remote router (assigned to a user account) on site 1
>>> and site 2, so when one is connected the other connects automatically
>>> and it works fine. The problem is that I need to initiate connections
>>> from both sites when needed. So if I ping some workstation on site 2
>>> that is on 192.168.2.x, the remote router connects with no
>>> problems and the router on site 2 automatically connects too. But if I
>>> try to connect from site 2 to site 1, it gives me an error telling me
>>> that the remote router on site 1 can't accept more connections because
>>> it reached the limit??? And I go to see if that router is already
>>> connected, and it's not?? Thanks again for your time...
>
> )
>
> Site 1:
> VPN server (Windows 2003 with ISA Server)
> Nic 1:
> Tcp/Ip: 172.16.0.254
> Mask: 255.255.248.0
> Dns: 172.16.0.254
>
> Nic 2:
> Tcp/Ip: 192.168.200.2
> Mask: 255.255.252.0
> Gateway: 192.168.200.1
> Dns: 172.16.0.254
>
> Server VPN static routes:
> 0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1 (ADSL router)
> 192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (with
> user account assigned)
>
> Tcp/Ip range for workstations on site 1:
> From 172.16.2.x (gateway and DNS pointing to 172.16.0.254)
> ------------------------------------------------------------------------
> Site 2:
> VPN server (Windows 2003, no ISA Server installed)
> Only has one NIC
>
> Tcp/Ip: 192.168.2.254
> Mask: 255.255.255.0
> Gateway: 192.168.2.2
> Dns: 192.168.2.254
>
> Server VPN static routes:
> 0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.2.2 (ADSL router with firewall)
> 10.10.0.0 Mask 255.255.0.0 Gateway: 192.168.2.1 (Cisco router with a
> dedicated line connected to another site; it's working with no problems)
> 172.16.x.x Mask 255.255.0.0 Gateway: RemoteRouterSite2 (with
> user account assigned)
>
> Tcp/Ip range for workstations on site 2:
> From 192.168.2.x (gateway and DNS pointing to 192.168.2.254)
> ------------------------------------------------------------------------
>
>
>
> Thanks again for your time
> Best regards
>
>
>
> "Phillip Windell" <@.> wrote in message
> news:%23NknrckfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
>> "JMS" <jms_pt@xxxxxxxxxxx> wrote in message
>> news:%23zIQo$bfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
>>> Ok i think that i discovered the problem...
>>
>> No. I think you are digging a deeper hole to bury yourself in. It
>> would have been better for you to just explain your topology better so
>> this could be solved, instead of making it even more "murky" and piling
>> on more "settings" that may be incorrect.
>>
>>> I have the gateway on workstations in the remote site pointing to the
>>> ADSL router and not to the VPN server, so when workstations needed to
>>> reply to the ping requests they were trying to respond through their
>>> gateway, which was the ADSL router and not the VPN RRAS server. So to
>>> solve this problem I added two static routes in my VPN server:
>>> 0.0.0.0 with gateway pointing to the ADSL router and a
>>
>> That is not a Static Route, that is a Default Route. You cannot use
>> more than one 0.0.0.0 Route, and the one is already created by the
>> Default Gateway entry in the GUI. Your Static Routes must use a
>> specific Network (not 0.0.0.0).
>>
>> The right way to do this is to place a Static Route for the opposite
>> Site on the ADSL Router that tells it that traffic to that segment
>> must use the VPN Device. The ADSL Device also needs the remote
>> segment's IP Range added to its Local Address Table. Repeat the
>> process on the opposite Site.
>>
>> The LAN at each side of the VPN must designate *something* to behave
>> as the LAN Router for that particular segment (a real router, a
>> NAT-Firewall, the VPN Device, whatever). Whatever you use, you must
>> be consistent and not run around all over the place clicking here,
>> changing there, adding here, and deleting over there.
>>
>> Choose whatever device is the most dependable, least likely to be
>> changed, least likely to ever be removed. Then that device becomes the
>> Default Gateway for all the Clients. If that Device is not the DSL
>> Device, then *its* Default Gateway becomes the DSL Device.
>>
>> The NAT-Device (DSL Device) then must "know" that the IP Ranges of
>> both segments are *local* and will include them in the Local Address
>> Table (or whatever that vendor calls the equivalent). If this Device
>> is going to be the Segment's LAN Router, then it needs to have a Static
>> Route that tells it that to get to the opposite Site it must use the
>> VPN Device. You do not have to alter the Route Table on the
>> Clients,..the Clients are the last place to ever create routes.
>> Imagine if you had 3000 Clients,..how would you ever expect to
>> maintain all that?
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>> -----------------------------------------------------
>> Understanding the ISA 2004 Access Rule Processing
>> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>>
>> Microsoft Internet Security & Acceleration Server: Guidance
>> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
>> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>>
>> Microsoft Internet Security & Acceleration Server: Partners
>> http://www.microsoft.com/isaserver/partners/default.asp
>> -----------------------------------------------------
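The hub-and-spoke route summarisation argued for at the top of this reply, as an added example that is not part of the original thread: a small longest-prefix-match simulation in Python of the route tables at site 1 (the hub, using the addresses JMS posted), site 2 (a spoke), and an assumed third spoke on 172.16.9.0/24 added here only to show spoke-to-spoke traffic. It checks that a spoke's single 172.16.0.0/16 summary reaches both the hub and the other 172.16 spoke with no per-site route, that site 3 still needs an explicit 192.168.2.0/24 entry because site 2 sits outside the summary (the mixed 192.168/172.16 problem), and that every table carries exactly one 0.0.0.0/0 entry, which is Phillip Windell's point about default versus static routes. Site names used as next hops, the "local:" marker and the third site's addressing are assumptions of the simulation, not anything from the posts.

```python
"""Longest-prefix-match simulation of the hub-and-spoke VPN routing
discussed in the thread (added example; not from the original posts)."""
from ipaddress import ip_address, ip_network

# Route tables per site as (destination prefix, next hop). A next hop that is
# another site name models the demand-dial (remote router) interface to that
# site; "local:..." models a directly connected NIC. Site 1 and site 2 entries
# follow the addressing JMS posted; site 3 is an assumed extra spoke.
SITES = {
    "site1": [  # hub: Windows 2003 + ISA, two NICs
        ("172.16.0.0/21", "local:nic1"),      # 172.16.0.254 / 255.255.248.0
        ("192.168.200.0/22", "local:nic2"),   # 192.168.200.2 / 255.255.252.0
        ("0.0.0.0/0", "192.168.200.1"),       # the one default route: ADSL router
        ("192.168.2.0/24", "site2"),          # RemoteRouterSite1 demand-dial
        ("172.16.9.0/24", "site3"),           # assumed: demand-dial to spoke 3
    ],
    "site2": [  # spoke: Windows 2003, one NIC
        ("192.168.2.0/24", "local:nic1"),     # 192.168.2.254 / 255.255.255.0
        ("0.0.0.0/0", "192.168.2.2"),         # the one default route: ADSL router
        ("10.10.0.0/16", "192.168.2.1"),      # Cisco router on the dedicated line
        ("172.16.0.0/16", "site1"),           # one summary route up the spoke
    ],
    "site3": [  # assumed spoke on 172.16.9.0/24 (not in the original thread)
        ("172.16.9.0/24", "local:nic1"),
        ("172.16.0.0/16", "site1"),           # summary covers hub and any 172.16 spoke
        ("192.168.2.0/24", "site1"),          # extra route: site 2 is not in the summary
        ("0.0.0.0/0", "site1"),               # assumed: Internet via the hub
    ],
}


def lookup(site, dst):
    """Next hop for dst at site by longest-prefix match: the most specific
    route wins, exactly as the Windows route table decides."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in SITES[site]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(site, dst, max_hops=8):
    """Follow the packet site by site. Returns (sites visited, final hop); the
    final hop is a local NIC or an IP next hop outside the VPN mesh."""
    path = [site]
    for _ in range(max_hops):
        hop = lookup(site, dst)
        if hop is None or hop not in SITES:
            return path, hop
        site = hop
        path.append(site)
    raise RuntimeError("routing loop for %s starting at %s" % (dst, path[0]))


def default_route_count(site):
    """A table holds a single 0.0.0.0/0 entry; a second one is a
    misconfiguration, not a static route."""
    return sum(1 for prefix, _ in SITES[site] if prefix == "0.0.0.0/0")


if __name__ == "__main__":
    for src, dst in [("site2", "172.16.2.10"), ("site2", "172.16.9.7"),
                     ("site3", "192.168.2.50"), ("site2", "10.10.5.1"),
                     ("site2", "8.8.8.8")]:
        path, hop = trace(src, dst)
        print("%s -> %s: %s, then %s" % (src, dst, " > ".join(path), hop))
    for name in SITES:
        print("%s default routes: %d" % (name, default_route_count(name)))
```

In RRAS the "site name" next hops correspond to static routes bound to the demand-dial interface (the posts' "Gateway: RemoteRouterSite2"); the simulation only shows which entries each table needs, not how the interface is dialled.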




