Re: Please Help Site-To-Site without ISA
- From: "Bill Grant" <not.available@online>
- Date: Mon, 27 Nov 2006 11:54:42 +1100
Glad to hear you got it working. What exactly do you mean by "use a
specific NIC?"
A VPN connection does not really connect to any NIC. The VPN connection
terminates at the internal interface for a client-server or "dialup" type
connection and at the demand-dial interface for a router to router
connection.
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:Od8WaNWEHHA.4508@xxxxxxxxxxxxxxxxxxxxxxx
It was a Microsoft MVP suggestion. I finally got it working. Needless to
say the Microsoft MVP didn't know what he was talking about. Thanks for
all your help. Is there a way to force a VPN connection to use a specific
NIC, or am I stuck with the NIC that is the VPN server? Have a great
weekend.
"Bill Grant" <not.available@online> wrote in message
news:ON%23jvwQEHHA.4112@xxxxxxxxxxxxxxxxxxxxxxx
Why would you add a second NIC or install NAT? That makes things worse,
not better. Your Linksys is already doing all of that.
Get rid of both of those then read my post again.
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:OUJYDxFEHHA.992@xxxxxxxxxxxxxxxxxxxxxxx
Thank you very much for your response. I still am not able to get it to
work. I even made a couple changes to see if it will work. I added a
second NIC to the server. Then I configured NAT and VPN on the server.
I still am using the Linksys router as it is connected to the public
side of the NAT. Right now I don't care if the remote end can
communicate to my end. I created the demand dial interface on my
server. Here is the following diagram:
192.168.0.x dg 192.168.0.7
|
RRAS 192.168.0.7 Private Interface dg 192.168.0.7
Has a static route added by default by the New Demand Dial wizard
10.10.0.0 mask 255.255.255.0 using the Demand Dial Interface
|
10.100.0.2 Public Interface dg 10.100.0.1
|
10.100.0.1 Linksys Firewall
|
Internet
|
10.10.0.1 Firewall Linksys
|
RRAS 10.10.0.2 dg 10.10.0.1
|
10.10.0.x dg 10.10.0.1
The VPN connects successfully and only the server can ping all IPs on
remote end. The only IP the client can ping is the address that is
assigned to the server by the remote VPN server. Any ideas would be
greatly appreciated. Thank you very much.
"Bill Grant" <not.available@online> wrote in message
news:uAUbet1DHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
For a site to site VPN you need to have RRAS servers at both ends of
the link. Each RRAS server has a demand-dial interface configured and
there is a subnet route for the "other" site associated with each
demand-dial interface. The "calling" router must use the name of the
demand-dial interface on the "answering" router as its username when
connecting. This binds the connection to the dd interface and activates
the subnet route.
When the VPN connects correctly, each RRAS router has a subnet route
to the "other" site through the VPN. If each RRAS router is the default
gateway for its local LAN, the site to site link now works. If the
default gateway is the Linksys, you still have work to do. You need to
get the private traffic to the RRAS router before it tries to cross the
Internet. If you don't, it has not been encrypted and encapsulated. It
still has a private IP and is discarded.
The way to fix that is to add a static route to the Linksys to
bounce the private subnet of the "other" site to the RRAS router. The
RRAS router will then encrypt and encapsulate the traffic before
sending it back to the gateway router. It now has a public IP header
and can be sent across the Internet to the other site.
Site A
192.168.16.x dg 192.168.16.1
|
RRAS
192.168.16.n dg 192.168.16.1
|
192.168.16.1
Linksys (static route 192.168.33.0 255.255.255.0 192.168.16.n)
Public IP
|
Internet
|
Public IP
Linksys (static route 192.168.16.0 255.255.255.0 192.168.33.n)
192.168.33.1
|
RRAS
192.168.33.n dg 192.168.33.1
|
192.168.33.x dg 192.168.33.1
Site B
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:%23Lm1ebrDHHA.4396@xxxxxxxxxxxxxxxxxxxxxxx
Hello, I was wondering if someone could help. I am trying to
configure a demand dial interface using RRAS and not using ISA. I
have a standard Linksys on remote and local networks. The servers
then sit behind the router as a standard client like all other
computers. I then want to initiate a demand dial VPN to remote
network (persistent) and allow the client to be able to use the RRAS
demand dial connection as a router. I do not want the clients to be
behind the server in a NAT environment as I think it just complicates
things. I created the demand dial interface VPN and it connects
perfectly fine. The server locally can ping internally and externally
on both networks. I then add a route add that tells the clients to
use the server NIC when exiting to the remote network. I can ping the
local server's IP assigned by the remote server, but my clients cannot
ping beyond this point. Any help would be greatly appreciated.
Thanks.
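
Added example (not part of the original thread): a small Python model of Site A from Bill Grant's diagram that traces where a client packet for the other site goes, with and without the Linksys static route, and with RRAS as the default gateway. The RRAS address 192.168.16.2 is an assumed stand-in for 192.168.16.n, and the function names are hypothetical.

```python
import ipaddress

# Constructed model of Site A in the diagram above. 192.168.16.2 is an assumed
# stand-in for the RRAS address the post writes as 192.168.16.n.
LINKSYS, RRAS, REMOTE_NET = "192.168.16.1", "192.168.16.2", "192.168.33.0/24"

def build_tables(linksys_static_route, client_gateway=LINKSYS):
    """Per-node routing tables as lists of (prefix, next hop)."""
    linksys = [("0.0.0.0/0", "WAN")]
    if linksys_static_route:
        # The fix from the post: bounce the other site's subnet to the RRAS box.
        linksys.append((REMOTE_NET, RRAS))
    return {
        "client": [("0.0.0.0/0", client_gateway)],
        LINKSYS: linksys,
        # Subnet route bound to the demand-dial interface, plus default gateway.
        RRAS: [(REMOTE_NET, "TUNNEL"), ("0.0.0.0/0", LINKSYS)],
    }

def next_hop(table, dst):
    """Longest-prefix match over one node's table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def trace(tables, dst, max_hops=8):
    """Follow a client packet until it is tunnelled or leaves on the WAN."""
    path, node = ["client"], "client"
    for _ in range(max_hops):
        node = next_hop(tables[node], dst)
        path.append(node)
        if node == "TUNNEL":
            return path, "encrypted and encapsulated"
        if node == "WAN":
            if ipaddress.ip_address(dst).is_private:
                return path, "discarded: private IP, never reached RRAS"
            return path, "forwarded"
    return path, "routing loop"

if __name__ == "__main__":
    for label, tables in [
        ("Linksys is gateway, no static route", build_tables(False)),
        ("Linksys is gateway, static route added", build_tables(True)),
        ("RRAS is the clients' default gateway", build_tables(False, RRAS)),
    ]:
        path, verdict = trace(tables, "192.168.33.10")
        print(f"{label}: {' -> '.join(path)} [{verdict}]")
```

The model covers one direction only; replies from Site B need the mirrored route (192.168.16.0 255.255.255.0 via 192.168.33.n) shown in the diagram.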