Site-to-Site VPN client routing question - clients at branch office not able to access network at HQ



I have a small network (5 clients) in Shanghai (192.168.1.0/24) and my HQ is
in Singapore (97 clients, 194.1.1.0/24). My task is to connect the 2
networks using Windows RRAS. At HQ I already have an RRAS server (SGRAS01)
that I set up using Windows 2000 Server. It has been running well for 5
years, serving VPN clients. SGRAS01 has 2 physical network interfaces, one
connecting to the Internet, one sitting on the 194.1.1.0 network. I set up a
Windows 2003 server in Shanghai (SHDC01); it is a domain controller of the
same domain as my HQ (no child domain). SHDC01 has only 1 network card, and it
is behind a TP-LINK TL-R402M router. I also configured a persistent demand-dial
interface on SHDC01 to connect to SGRAS01, and a corresponding demand-dial
interface on SGRAS01 (currently disabled). The Windows Firewall hasn't
been enabled yet on SHDC01. Right now I wish to accomplish the
Shanghai-to-Singapore 1-way connection first, before going into the 2-way VPN
connection (I am prepared to change the router). I set a fixed IP
(194.1.1.49) on the Dial-in tab of the user account (ddsgusser) used for the
demand-dial interface on SHDC01. The clients on the Shanghai network are
configured (using DHCP) to route packets destined for 194.1.1.0 through
SHDC01. A route print on any client verifies the routing entry 194.1.1.0
255.255.255.0 192.168.1.2, where 192.168.1.2 is the IP address of SHDC01.
The demand-dial connection from SHDC01 to SGRAS01 is successful, and SHDC01
has no problem connecting to any clients on the 194.1.1.0 network. However,
all the clients on the Shanghai network cannot access any clients on the
Singapore network; tracert shows the packets are lost after going through
SHDC01. The clients on the Shanghai network can access the Singapore network if
they use a direct VPN connection to SGRAS01, which they have been doing all
this while.

You can see the screen captures here: http://singchung.spaces.live.com/blog/cns!CEF9A5068D415432!404.entry

Any help or suggestions are very much appreciated.

Sing Chung
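Editor's added example (not part of the original post, and not the poster's configuration): a small Python model of both sites' routing tables that follows one packet and its reply hop by hop. Addresses that appear in the post are used as given (192.168.1.0/24, SHDC01 at 192.168.1.2, the TP-LINK at 192.168.1.1, 194.1.1.0/24, the dial-in address 194.1.1.49). SGRAS01's LAN address (194.1.1.1), its PPP-side address (194.1.1.50), the HQ default gateway (194.1.1.254) and the two client addresses are assumptions made for the example. With the tables as the post describes them, the model delivers a Shanghai client's packet to the HQ host, but neither the HQ host nor SGRAS01 has a route for 192.168.1.0/24, so the reply is dropped, and so is any ICMP time-exceeded SGRAS01 would send back, which is consistent with tracert showing nothing past SHDC01. SHDC01 itself works in the model because RRAS answers ARP on the HQ LAN for its dial-in address, which lies inside 194.1.1.0/24. A second run adds a static route for 192.168.1.0/24 over the demand-dial interface on SGRAS01 and a route on the HQ host pointing at SGRAS01, and the reply completes; a third shows the other thing to rule out, SHDC01 not forwarding at all.

```python
"""Hop-by-hop model of the Shanghai <-> Singapore routing in the post (added example).

Addresses from the post: 192.168.1.0/24, 192.168.1.2 (SHDC01), 194.1.1.0/24 and
194.1.1.49 (SHDC01's dial-in address). Assumed for the example only: SGRAS01 at
194.1.1.1 (LAN) and 194.1.1.50 (PPP side), HQ gateway 194.1.1.254, client addresses.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

P2P_LINKS = {"vpn"}  # point-to-point links: whatever is sent out goes to the peer

@dataclass(frozen=True)
class Route:
    prefix: str                # destination, e.g. "194.1.1.0/24"
    iface: str                 # outgoing interface on this node
    via: Optional[str] = None  # next-hop address; None means directly on-link

@dataclass
class Node:
    name: str
    ifaces: dict               # iface name -> (address, link name)
    routes: list
    forwarding: bool = True    # forwards packets not addressed to itself?
    proxy_arp: dict = field(default_factory=dict)  # iface -> addresses it answers ARP for

    def owns(self, ip):
        return any(addr == ip for addr, _ in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match over this node's routing table; None if no route."""
        dst, best, best_len = ipaddress.ip_address(dst), None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

class Network:
    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.on_link = {}  # (address, link) -> node that answers for that address
        self.peers = {}    # link -> nodes attached to it
        for n in self.nodes:
            for iface, (addr, link) in n.ifaces.items():
                self.on_link[(addr, link)] = n
                self.peers.setdefault(link, []).append(n)
            for iface, addrs in n.proxy_arp.items():
                for addr in addrs:
                    self.on_link[(addr, n.ifaces[iface][1])] = n

    def trace(self, src, dst, max_hops=16):
        """Follow one packet from src to dst; return (names of nodes visited, outcome)."""
        node = next(n for n in self.nodes if n.owns(src))
        path = [node.name]
        for _ in range(max_hops):
            if node.owns(dst):
                return path, "delivered"
            if len(path) > 1 and not node.forwarding:
                return path, f"dropped at {node.name}: IP forwarding disabled"
            route = node.lookup(dst)
            if route is None:
                return path, f"dropped at {node.name}: no route to {dst}"
            link, hop = node.ifaces[route.iface][1], route.via or dst
            if link in P2P_LINKS:
                nxt = next(p for p in self.peers[link] if p is not node)
            else:
                nxt = self.on_link.get((hop, link))
            if nxt is None:
                return path, f"dropped at {node.name}: {hop} not reachable on {route.iface}"
            node = nxt
            path.append(node.name)
        return path, "dropped: hop limit exceeded"

def build(hq_return_routes, shdc01_forwards=True):
    """Both sites as described; hq_return_routes adds the routes back to 192.168.1.0/24."""
    sh_client = Node("SH-client", {"lan": ("192.168.1.10", "sh-lan")}, [
        Route("192.168.1.0/24", "lan"),
        Route("194.1.1.0/24", "lan", via="192.168.1.2")])  # the DHCP-pushed route in the post
    shdc01 = Node("SHDC01", {"lan": ("192.168.1.2", "sh-lan"), "ppp": ("194.1.1.49", "vpn")}, [
        Route("192.168.1.0/24", "lan"),
        Route("194.1.1.0/24", "ppp")], forwarding=shdc01_forwards)  # HQ subnet over demand-dial
    sgras_routes = [Route("194.1.1.0/24", "lan"), Route("194.1.1.49/32", "ppp")]
    sg_client_routes = [Route("194.1.1.0/24", "lan"), Route("0.0.0.0/0", "lan", via="194.1.1.254")]
    if hq_return_routes:
        sgras_routes.append(Route("192.168.1.0/24", "ppp", via="194.1.1.49"))
        sg_client_routes.append(Route("192.168.1.0/24", "lan", via="194.1.1.1"))
    sgras01 = Node("SGRAS01", {"lan": ("194.1.1.1", "sg-lan"), "ppp": ("194.1.1.50", "vpn")},
                   sgras_routes, proxy_arp={"lan": ["194.1.1.49"]})  # RAS answers ARP for dial-in clients
    sg_client = Node("SG-client", {"lan": ("194.1.1.20", "sg-lan")}, sg_client_routes)
    # HQ Internet router given no route for 192.168.1.0/24; a real one would hand the packet
    # to its ISP, where a private destination is discarded, so the outcome is the same.
    sg_gateway = Node("SG-gateway", {"lan": ("194.1.1.254", "sg-lan")}, [Route("194.1.1.0/24", "lan")])
    return Network([sh_client, shdc01, sgras01, sg_client, sg_gateway])

if __name__ == "__main__":
    scenarios = [("as described in the post", build(False)), ("with return routes at HQ", build(True)),
                 ("SHDC01 not forwarding", build(True, shdc01_forwards=False))]
    flows = [("192.168.1.10", "194.1.1.20"), ("194.1.1.20", "192.168.1.10"),
             ("194.1.1.1", "192.168.1.10"), ("194.1.1.20", "194.1.1.49")]
    for label, net in scenarios:
        print(f"--- {label}")
        for src, dst in flows:
            path, outcome = net.trace(src, dst)
            print(f"{src:>13} -> {dst:<13} {' > '.join(path):<46} {outcome}")
```

The model ignores NAT, firewalls and the Internet leg entirely; it only shows which routing table a packet dies in. On the real boxes the equivalent check is `route print` on SGRAS01 and on one HQ host, looking for a 192.168.1.0 entry, and the RRAS IP routing setting on SHDC01.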
