Re: VPN server: routing based on source IP?
- From: "Bill Grant" <not.available@online>
- Date: Sun, 14 Oct 2007 14:41:32 +1000
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message news:u7UQ9vfDIHA.5208@xxxxxxxxxxxxxxxxxxxxxxx
"Ryan" <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:15C19C21-AA08-41B6-B092-964BD0A6FE93@xxxxxxxxxxxxxxxx
gateway on another subnet. What I want to do is make sure that when a user is assigned to a particular subnet, they will use the gateway on that subnet. The reason is because each subnet has a firewall and in order for packets to make it back to the host, they have to go out through the gateway on that subnet.
You misunderstand how VPN works. The VPN Router itself *is* the Default Gateway of the VPN Client and that is not adjustable. You will not get a VPN Client connected to one subnet while another VPN Client connects to a different subnet when they both use the same VPN Server,...it just ain't gonna happen.
You have to have a separate VPN Server for each subnet that you want to "involve". The VPN Client will use a particular subnet based on which VPN Server they use. The VPN Client is never, ever, ever, ever "aware" of any "gateway" other than the VPN Server itself. How the traffic "routes" on the LAN side of the VPN Server depends entirely on how the VPN Server "understands" your LAN's routing scheme.
It is the way it works,...it is not "flexible". Remote Access VPN is based on the old Dial-up technology and Dial-up Technology in some ways has its "own way of doing things".
Assuming the VPN Server is a separate machine sitting on the network edge and it is *not* doubling as the LAN's Firewall or the LAN Router........
Routing problems will be most likely caused by the LAN Routing Scheme, or the lack thereof. If it is a multi-subnet LAN, then there must be a LAN Router. Every Host on the LAN needs to use the LAN Router as the Default Gateway. An exception would be the VPN Server which would use a Static route since its DFG would face the Internet. Then the LAN Router would use the Firewall as the Default Gateway. You can *not* have the VPN Client use the Firewall to "get to the net" because the VPN Server doesn't use the Firewall to get to the Net. Also the VPN Client is already on the Net to begin with or they couldn't have a VPN Connection,...so they have to disconnect the VPN to use the Net by their own means.
If I still misunderstand your setup, then that just goes to show how complex this can become and why it is so important to have the "big picture" properly designed for everything within the overall system concerning what it is expected to do and why it is so extremely important to clearly explain everything when posting a question in cases like this.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Of course you can always put your remote clients in their own subnet and route that subnet through your RRAS server. The RRAS server gives its "internal" interface one IP in that subnet and all the remote users get IP addresses in the same IP subnet. Since all traffic from the remote client goes to the VPN server by default, all you need to set up on the LAN is that all traffic for remote clients gets to the RRAS server. If the RRAS server is the default router for the LAN it automatically works.
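An added illustration of the return-path point made above (not part of the thread): a longest-prefix-match lookup over a constructed LAN routing table shows that replies to a VPN client follow the LAN's default gateway unless the LAN carries a route for the client pool that points at the RRAS server's internal address. All addresses below are assumed, constructed values.

```python
import ipaddress

# Constructed addresses for illustration only (not from the thread).
LAN_ROUTER = "192.168.1.1"        # default gateway for every ordinary LAN host
RRAS_INTERNAL = "192.168.1.5"     # RRAS server's LAN-side ("internal") interface
VPN_CLIENT_POOL = "10.99.0.0/24"  # subnet the RRAS server hands to remote clients


def lookup(route_table, dst):
    """Return the next hop for dst by longest-prefix match, or None if unroutable.

    route_table is a list of (prefix, next_hop) tuples; order does not matter,
    the most specific matching prefix wins, as in a real forwarding table.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def lan_routing_table(with_vpn_route):
    """Routing table of a LAN host or LAN router, with or without Bill's fix.

    Without the route for the client pool, traffic to a remote client follows the
    default route toward the LAN router/firewall and never reaches the RRAS server.
    """
    table = [("0.0.0.0/0", LAN_ROUTER)]
    if with_vpn_route:
        table.append((VPN_CLIENT_POOL, RRAS_INTERNAL))
    return table


def return_path_next_hop(client_ip, with_vpn_route):
    """Next hop a LAN host chooses for a reply destined to a VPN client."""
    return lookup(lan_routing_table(with_vpn_route), client_ip)


if __name__ == "__main__":
    for fixed in (False, True):
        hop = return_path_next_hop("10.99.0.7", fixed)
        print(f"route for VPN pool present={fixed}: reply to 10.99.0.7 -> {hop}")
```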