Re: vpn probl



Yeah, but it is a little late to start changing the IP config at all sites; in
fact, their initial configuration wasn't made by me.
For now I must deal with that, and later I'll start changing some
configurations; for now I must get people working.
Thanks anyway...

"Bill Grant" <not.available@online> wrote in message
news:eGGMBKrfFHA.1372@xxxxxxxxxxxxxxxxxxxxxxx
> I suspect one reason you are having trouble getting this working is the
> fact that you have ISA server at one end and not at the other. Setting up
> a site to site link in ISA creates a file to configure the "answering"
> router. The RRAS setup does not have this feature. You will probably need
> to configure the RRAS end manually, including creating an account for the
> connection (if you want to be able to connect from the ISA end). It will
> get a bit messy.
>
> Having some sites using 192.168. addresses and some using 172.16.
> isn't going to make things easy if you want to route between them. The
> usual way to set up the routing is a hub and spoke model. The central site
> is the hub (as all other sites have a VPN link {or spoke} to the hub). All
> traffic from one site to another goes down a spoke, then up another spoke
> if necessary.
>
> From a routing point of view, this is easiest if the sites all use IP
> addresses which are easily bundled. So if all sites use 172.16.x.0/24
> addresses, the routing is simple. At the non-central sites you just send
> all 172.16 traffic down the spoke (using 172.16.0.0/16). Only the central
> site needs routes to these other sites.
>
> JMS wrote:
>> Hello Phillip Windell
>>
>> Ok, no questions about it, the best place to put the routing tables
>> is in the router device as you said, but in my configuration I don't
>> need to update routing tables on clients. If I have 3000 workstations,
>> they'll only have 1 default gateway (only one 0.0.0.0 static route),
>> which is my VPN server, and my VPN server then has the several
>> static routes redirecting to their needs.
>>
>> But I agree with you when you say that there's no need to put those
>> static routes on my VPN server, because I already have a router that
>> can do this job for me instead of the VPN server.
>>
>> Anyway, my routing topology is a distributed messaging topology.
>>
>> I'm not quite sure if you saw my reply to Bill Grant about my network
>> configuration, but here it is again (only the part I'm working on now):
>>
>> Obs: (until now no one could explain to me why I can initiate my VPN
>> connection only from one site??
>>
>> Here again is my explanation of this problem, as I said before:
>>
>>>> Another thing:
>>>> I just don't understand why I can initiate my remote router VPN
>>>> connection only from site 1???
>>>> I configured a remote router (assigned to a user account) on sites 1
>>>> and 2, so when one is connected the other connects automatically
>>>> and it works fine. The problem is that I need to initiate connections
>>>> from both sites when needed. So if I ping some workstation on site 2
>>>> that is on 192.168.2.x, the remote router connects with no
>>>> problems and the router on site 2 automatically connects too. But if
>>>> I try to connect from site 2 to site 1, it gives me an error telling
>>>> me that the remote router on site 1 can't accept more connections
>>>> because it reached the limit??? And I go to see if that router is
>>>> already connected and it's not?? Thanks again for your time...
>>
>> )
>>
>> Site 1 :
>> Vpn server(Windows2003 With ISA server)
>> Nic1:
>>
>> Tcp/Ip: 172.16.0.254
>> Mask: 255.255.248.0
>> Dns: 172.16.0.254
>>
>> Nic 2:
>>
>> Tcp/Ip: 192.168.200.2
>> Mask: 255.255.252.0
>> Gateway: 192.168.200.1
>> Dns: 172.16.0.254
>>
>> Server Vpn Static Routes:
>> 0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1 (Adsl Router)
>> 192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (With userAccount assign)
>>
>> Tcp/Ip range to Workstations on site 1:
>> From 172.16.2.x (Gateway and dns pointing to 172.16.0.254)
>> ------------------------------------------------------------------------
>> Site 2
>> Vpn server (Windows2003 no isa server installed)
>> Only has one nic
>>
>> Tcp/Ip: 192.168.2.254
>> Mask: 255.255.255.0
>> Gateway: 192.168.2.2
>> Dns: 192.168.2.254
>> Server Vpn Static routes:
>> 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.2.2 (Adsl router with Firewall)
>> 10.10.0.0 Mask: 255.255.0.0 Gateway: 192.168.2.1 (Cisco router with
>>   dedicated line connected to another site and it's working with no problems)
>> 172.16.x.x Mask: 255.255.0.0 Gateway: RemoteRouterSite2 (With userAccount assign)
>>
>> Tcp/Ip range to Workstations on site 2:
>> From 192.168.2.x (Gateway and dns pointing to 192.168.2.254)
>> ------------------------------------------------------------------------
>>
>>
>>
>> Thanks again for your time
>> Best regards
>>
>>
>>
>> "Phillip Windell" <@.> wrote in message
>> news:%23NknrckfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
>>> "JMS" <jms_pt@xxxxxxxxxxx> wrote in message
>>> news:%23zIQo$bfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Ok i think that i discovered the problem...
>>>
>>> No. I think you are digging a deeper hole to bury yourself in. It
>>> would have been better for you to just explain your topology better
>>> so this could be solved instead of making it even more "murky" and
>>> piling on more "settings" that may be incorrect.
>>>
>>>> I've the gateway on workstations in the remote site pointing to the
>>>> ADSL router and not to the VPN server, so when workstations needed to
>>>> reply to the ping requests they were trying to respond through their
>>>> gateway, which was the ADSL router and not the VPN RRAS server. So to
>>>> solve this problem I add in my VPN server two static routes:
>>>> 0.0.0.0 with gateway pointing to adsl router and a
>>>
>>> That is not a Static route that is a Default Route. You cannot use
>>> more than one 0.0.0.0 Route, and the one is already created by the
>>> Default Gateway entry in the GUI. Your Static Routes must use a
>>> specific Network (not 0.0.0.0).
>>>
>>> The right way to do this is to place a Static route for the opposite
>>> Site on the ADSL Router that tells it that traffic to that segment
>>> must use the VPN Device. The ADSL Device also needs the remote
>>> segment's IP Range added to its Local Address Table. Repeat the
>>> process on the opposite Site.
>>>
>>> The LAN at each side of the VPN must designate *something* to behave
>>> as the LAN Router for that particular segment (a real router, a
>>> NAT-Firewall, the VPN Device, whatever). Whatever you use, you must
>>> be consistent and not run around all over the place clicking here,
>>> changing there, adding here, and deleting over there.
>>>
>>> Choose whatever device is the most dependable, least likely to be
>>> changed, least likely to ever be removed. Then that device becomes the
>>> Default Gateway for all the Clients. If that Device is not the DSL
>>> Device, then *its* Default Gateway becomes the DSL Device.
>>>
>>> The NAT-Device (DSL Device) then must "know" that the IP Ranges of
>>> both segments are *local* and will include them in the Local Address
>>> Table (or whatever that vendor calls the equivalent). If this Device
>>> is going to be the Segment's LAN Router, then it needs to have a Static
>>> Route that tells it that to get to the opposite Site it must use the
>>> VPN Device. You do not have to alter the Route Table on the Clients.
>>> The Clients are the last place to ever create routes. Imagine if you
>>> had 3000 Clients: how would you ever expect to maintain all that?
>>>
>>> --
>>> Phillip Windell [MCP, MVP, CCNA]
>>> www.wandtv.com
>>> -----------------------------------------------------
>>> Understanding the ISA 2004 Access Rule Processing
>>> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>>>
>>> Microsoft Internet Security & Acceleration Server: Guidance
>>> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
>>> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>>>
>>> Microsoft Internet Security & Acceleration Server: Partners
>>> http://www.microsoft.com/isaserver/partners/default.asp
>>> -----------------------------------------------------
>
>
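
The route tables quoted in this thread can be checked with a longest-prefix-match lookup; the following is an added example, not code from any poster. It assumes "192.168.2" and "172.16.x.x" in the listing mean 192.168.2.0 and 172.16.0.0, and the function names and test host addresses are hypothetical.

```python
import ipaddress

def route(dest, mask, gateway):
    """One routing-table entry: (network, next hop)."""
    return (ipaddress.ip_network(f"{dest}/{mask}"), gateway)

# Static and connected routes as listed for each VPN server in the thread.
SITE1 = [
    route("0.0.0.0", "0.0.0.0", "192.168.200.1"),            # ADSL router
    route("192.168.2.0", "255.255.255.0", "RemoteRouterSite1"),
    route("172.16.0.0", "255.255.248.0", "on-link"),         # NIC 1
    route("192.168.200.0", "255.255.252.0", "on-link"),      # NIC 2
]
SITE2 = [
    route("0.0.0.0", "0.0.0.0", "192.168.2.2"),              # ADSL router
    route("10.10.0.0", "255.255.0.0", "192.168.2.1"),        # Cisco router
    route("172.16.0.0", "255.255.0.0", "RemoteRouterSite2"),
    route("192.168.2.0", "255.255.255.0", "on-link"),        # single NIC
]
# LAN ranges derived from the NIC addresses and masks in the listing.
SITE_LANS = {"site1": "172.16.0.0/21", "site2": "192.168.2.0/24"}

def next_hop(table, address):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(address)
    matches = [(net, gw) for net, gw in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path_uses_vpn_both_ways(a_table, a_host, a_vpn, b_table, b_host, b_vpn):
    """True when traffic in both directions leaves via the VPN interfaces."""
    return (next_hop(a_table, b_host) == a_vpn
            and next_hop(b_table, a_host) == b_vpn)

def outside_aggregate(site_lans, aggregate):
    """Site LANs that one summary route (e.g. 172.16.0.0/16) would not cover."""
    agg = ipaddress.ip_network(aggregate)
    return [name for name, lan in site_lans.items()
            if not ipaddress.ip_network(lan).subnet_of(agg)]

if __name__ == "__main__":
    print(next_hop(SITE2, "172.16.2.10"))                    # host at site 1
    print(next_hop(SITE1, "192.168.2.50"))                   # host at site 2
    print(outside_aggregate(SITE_LANS, "172.16.0.0/16"))
```

The lookup only models the two VPN servers; workstations whose default gateway is the ADSL router, as described earlier in the thread, bypass these tables unless that router carries its own route to the remote segment.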

