Re: Please Help Site-To-Site without ISA
- From: <randychow2000@xxxxxxxxxxx>
- Date: Tue, 28 Nov 2006 09:59:10 -0700
Thanks for all the information. It answers all my questions. I sort of
wanted to keep it clean, and have different VPNs using different NICs.
But I guess I can't as it is going to use different gateways. Thank you
very much and have a great week.
"Bill Grant" <not.available@online> wrote in message
news:eZ6D5ypEHHA.4024@xxxxxxxxxxxxxxxxxxxxxxx
What other networks do you need to connect to? Do you want to reach them
by VPN?
You can configure more than one site to site VPN connection on the
server. You set up a new demand-dial interface and configure a new site to
site connection using a different subnet route. The traffic still all goes
out through the default gateway. But the encapsulated packets now have the
public IP of the VPN server at the second site on the front.
"Bill Grant" <not.available@online> wrote in message
news:%23UJjiznEHHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
No. The VPN traffic must go out through the default gateway. While it
is crossing the Internet, the VPN traffic is encrypted and encapsulated
inside a packet with a registered public IP. There is no point in having
multiple NICs in the server if they all connect to the Linksys. The
system will only use one of them. You can only have one default gateway,
even if the NICs were connected to different routers.
<randychow2000@xxxxxxxxxxx> wrote in message
news:%23yQOB6kEHHA.3224@xxxxxxxxxxxxxxxxxxxxxxx
Thank you again for replying. What I would like to do is have multiple
NICs on the VPN demand-dial server. Then have each NIC dedicated to
different networks. Right now when I dial out with the VPN server, it
always goes out the NIC that the server is using to surf the internet.
The server right now has 3 NICs, each NIC with a static IP connected to
the Linksys firewall. Is it possible with my current setup? Thanks.
"Bill Grant" <not.available@online> wrote in message
news:e9B$C$bEHHA.3660@xxxxxxxxxxxxxxxxxxxxxxx
Glad to hear you got it working. What exactly do you mean by "use a
specific NIC?"
A VPN connection does not really connect to any NIC. The VPN
connection terminates at the internal interface for a client-server or
"dialup" type connection and at the demand-dial interface for a router
to router connection.
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:Od8WaNWEHHA.4508@xxxxxxxxxxxxxxxxxxxxxxx
It was a Microsoft MVP suggestion. I finally got it working.
Needless to say the Microsoft MVP didn't know what he was talking
about. Thanks for all your help. Is there a way to force a VPN
connection to use a specific NIC, or am I stuck with the NIC that is
the VPN server? Have a great weekend.
"Bill Grant" <not.available@online> wrote in message
news:ON%23jvwQEHHA.4112@xxxxxxxxxxxxxxxxxxxxxxx
Why would you add a second NIC or install NAT? That makes things
worse, not better. Your Linksys is already doing all of that.
Get rid of both of those then read my post again.
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:OUJYDxFEHHA.992@xxxxxxxxxxxxxxxxxxxxxxx
Thank you very much for your response. I still am not able to get
it to work. I even made a couple changes to see if it will work. I
added a second NIC to the server. Then I configured NAT and VPN on
the server. I still am using the Linksys router as it is connected
to the public side of the NAT. Right now I don't care if the remote
end can communicate to my end. I created the demand dial interface
on my server. Here is the following diagram;
192.168.0.x dg 192.168.0.7
|
RRAS 192.168.0.7 Private Interface dg 192.168.0.7
Has a static route added by default by the New Demand Dial wizard
10.10.0.0 mask 255.255.255.0 using the Demand Dial Interface
|
10.100.0.2 Public Interface dg 10.100.0.1
|
10.100.0.1 Linksys Firewall
|
Internet
|
10.10.0.1 Firewall Linksys
|
RRAS 10.10.0.2 dg 10.10.0.1
|
10.10.0.x dg 10.10.0.1
The VPN connects successfully and only the server can ping all IP's
on remote end. The only IP the client can ping is the address that
is assigned to the server by the remote VPN server. Any ideas would
be greatly appreciated. Thank you very much.
"Bill Grant" <not.available@online> wrote in message
news:uAUbet1DHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
For a site to site VPN you need to have RRAS servers at both ends
of the link. Each RRAS server has a demand-dial interface
configured and there is a subnet route for the "other" site
associated with each demand-dial interface. The "calling" router
must use the name of the demand-dial interface on the "answering"
router as its username when connecting. This binds the connection
to the dd interface and activates the subnet route.
When the VPN connects correctly, each RRAS router has a subnet
route to the "other" site through the VPN. If each RRAS router is
the default gateway for its local LAN, the site to site link now
works. If the default gateway is the Linksys, you still have work
to do. You need to get the private traffic to the RRAS router
before it tries to cross the Internet. If you don't it has not been
encrypted and encapsulated. It still has a private IP and is
discarded.
The way to fix that is to add a static route to the Linksys to
bounce the private subnet of the "other" site to the RRAS router.
The RRAS router will then encrypt and encapsulate the traffic
before sending it back to the gateway router. It now has a public
IP header and can be sent across the Internet to the other site.
Site A
192.168.16.x dg 192.168.16.1
|
RRAS
192.168.16.n dg 192.168.16.1
|
192.168.16.1
Linksys (static route 192.168.33.0 255.255.255.0 192.168.16.n)
Public IP
|
Internet
|
Public IP
Linksys (static route 192.168.16.0 255.255.255.0 192.168.33.n)
192.168.33.1
|
RRAS
192.168.33.n dg 192.168.33.1
|
192.168.33.x dg 192.168.33.1
Site B
"msnews.microsoft.com" <randychow2000@xxxxxxxxxxx> wrote in message
news:%23Lm1ebrDHHA.4396@xxxxxxxxxxxxxxxxxxxxxxx
Hello, I was wondering if someone could help. I am trying to
configure a demand dial interface using RRAS and not using ISA. I
have a standard linksys on remote and local networks. The servers
then sit behind the router as a standard client like all other
computers. I then want to initiate a demand dial VPN to remote
network (persistent) and allow the client to be able to use the
RRAS demand dial connection as a router. I do not want the
clients to be behind the server in a NAT environment as I think it
just complicates things. I created the demand dial interface VPN
and connects perfectly fine. The server locally can ping
internally and externally on both networks. I then add a route
that tells the clients to use the server NIC when exiting to
the remote network. I can ping the local server's IP assigned by
the remote server, but my clients cannot ping beyond this point.
Any help would be greatly appreciated. Thanks.
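A worked model of the routing decision Bill Grant describes above: traffic for the "other" site's private subnet has to reach the RRAS router, which encrypts and encapsulates it behind a public IP, before it reaches the Internet gateway, and the static route on the Linksys is what makes that happen. This is an added example, not code from the thread or from RRAS itself. The topology follows his Site A / Site B diagram; the RRAS address 192.168.16.5 (his "192.168.16.n"), the Site B public address 198.51.100.20 (a documentation-range address) and the node names are assumptions, and the Internet is modelled as a hop that drops any packet whose destination is still a private address.

```python
from ipaddress import ip_address, ip_network

# Constructed topology after the Site A / Site B diagram in the thread (example only).
# "192.168.16.n" is assumed to be 192.168.16.5; the Site B public IP is an
# assumption taken from the 198.51.100.0/24 documentation range.
PUBLIC_B = ip_address("198.51.100.20")   # public side of the Site B Linksys


class Router:
    """Longest-prefix-match forwarding table; next hops are node names or actions."""

    def __init__(self, routes):
        self.routes = [(ip_network(net), hop) for net, hop in routes]

    def lookup(self, dst):
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def site_a_nodes(linksys_has_static_route, vpn_up):
    """Build Site A: a LAN client, the RRAS router (192.168.16.5) and the Linksys gateway."""
    client = Router([("192.168.16.0/24", "lan"), ("0.0.0.0/0", "linksys")])
    # The demand-dial wizard's subnet route for Site B is only usable while the
    # demand-dial interface is connected; otherwise RRAS just has its default gateway.
    rras = Router(([("192.168.33.0/24", "tunnel")] if vpn_up else [])
                  + [("192.168.16.0/24", "lan"), ("0.0.0.0/0", "linksys")])
    # The Linksys is the LAN default gateway. The fix from the thread is the
    # static route that bounces 192.168.33.0/24 to the RRAS box.
    linksys = Router(([("192.168.33.0/24", "rras")] if linksys_has_static_route else [])
                     + [("192.168.16.0/24", "lan"), ("0.0.0.0/0", "internet")])
    return {"client": client, "rras": rras, "linksys": linksys}


def deliver(dst, linksys_has_static_route, vpn_up=True, max_hops=8):
    """Walk a packet from a Site A client toward dst; return (list of hops, outcome)."""
    nodes = site_a_nodes(linksys_has_static_route, vpn_up)
    inner_dst = ip_address(dst)
    outer_dst = None            # set once the RRAS router has encapsulated the packet
    node, hops = "client", ["client"]
    for _ in range(max_hops):
        hop = nodes[node].lookup(outer_dst or inner_dst)
        if hop == "lan":
            return hops, "delivered-local"
        if hop == "tunnel":
            # RRAS encrypts and encapsulates: the outer header now carries the
            # public IP of the Site B VPN server, and that outer packet is
            # routed like any other, i.e. back out through the default gateway.
            outer_dst = PUBLIC_B
            hop = nodes[node].lookup(outer_dst)
        if hop == "internet":
            if outer_dst is None and inner_dst.is_private:
                return hops, "discarded: private destination left the site unencapsulated"
            return hops, f"delivered: encapsulated to {outer_dst}"
        if hop is None:
            return hops, "no route"
        hops.append(hop)
        node = hop
    return hops, "routing loop: Linksys and RRAS bounce the packet (tunnel down)"


if __name__ == "__main__":
    for static_route, up in [(False, True), (True, True), (True, False)]:
        path, outcome = deliver("192.168.33.7", static_route, vpn_up=up)
        print(" -> ".join(path), "|", outcome)
```

The first case is the original poster's symptom: without the Linksys route the packet goes client, Linksys, Internet and is dropped with its private destination intact. The second is the fix: client, Linksys, RRAS (encapsulate), Linksys, Internet. The third case is a caveat the thread does not spell out: once the Linksys bounces the subnet to RRAS, a down demand-dial link turns into a loop between the two boxes until TTL expires, so a persistent connection (as the poster asked for) matters.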