Re: Site-to-Site VPN client routing question - clients at branch office not able to access network at HQ
- From: "Hii Sing Chung" <singchung@xxxxxxxxxxx>
- Date: Sun, 14 Oct 2007 15:26:20 +0800
Thanks, Phillip,
1. & 2. These have been considered before. There is only one public IP; however, considering that the possibility of a server breakdown is higher than that of a router breakdown, and that Internet access at Shanghai is more important than access to the Singapore network, I opted for a less risky, compromise solution. Also, there is no IT support on the Shanghai side (the possibility of flying me in again from Singapore is slim), so a 'plug-and-go' type of infrastructure needs to be in place. In future, when the Shanghai office is big enough (financially viable) to support multiple servers, I will use an ISA-type solution.
3. The people who initially set up our networks in Singapore used the invalid RFC subnets for private networks; we also had 198.1.1.0, 195.1.1.0 and 193.1.1.0 before. For a number of years I have proposed changing the addressing, but it was turned down due to 'risks'.
4. I know about the potential problem with the 192.168.1.0 network, and I can change that, but right now my priority is to verify that the routing (of clients at Shanghai to Singapore) can work (or is correct). On the other hand, if I can verify that this setup is not going to work, and the reason, I will not waste any more time here.
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message news:ufSSWxhDIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
You need to:
1. In Shanghai,...stop using the DC for this and disable RRAS on it before you start having problems with Active Directory.
2. Set up RRAS on a 2-NIC machine identical to how you did the one in Singapore. It needs to sit on the network edge facing the Internet, just like you did in Singapore. If you only have one public IP# and are unable to do that,...then use the RRAS machine to completely replace the TP-LINK TL-R402M router.
It is possible to do this with a 2-NIC DC (like SBS does), but I do not recommend exposing your DC directly to the Internet like that.
3. Do you realize that you are not using a valid RFC Private IP Range on the LAN at the HQ?
4. Do you realize that 192.168.1.0 is a heavily overused RFC private IP range and almost every broadband device is using the same one by default? To avoid possible future conflicts with VPN, change the third octet to a higher number, like maybe 50 (192.168.50.0). It is much easier to do that now while the network is small.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
"Hii Sing Chung" <singchung@xxxxxxxxxxx> wrote in message news:0481E662-8754-4E23-AD46-415A48BCDED1@xxxxxxxxxxxxxxxx
I have a small network (5 clients) at Shanghai (192.168.1.0/24) and my HQ is in Singapore (97 clients, 194.1.1.0/24). My task is to connect the 2 networks using Windows RRAS. In HQ I already have a RRAS server (SGRAS01) that I set up using Windows 2000 Server. It has been running well for 5 years, serving VPN clients. SGRAS01 has 2 physical network interfaces, one connecting to the Internet, one sitting on the 194.1.1.0 network. I set up a Windows 2003 server at Shanghai (SHDC01); it is a domain controller of the same domain as my HQ (no child domain). SHDC01 has only 1 network card, and it is behind a TP-LINK TL-R402M router. I also configured a persistent demand-dial interface on SHDC01 to connect to SGRAS01, and a corresponding demand-dial interface on SGRAS01 (currently disabled). The Windows Firewall hasn't been enabled yet on SHDC01.
Right now I wish to accomplish the Shanghai-Singapore 1-way connection first, before going into the 2-way VPN connection (I am prepared to change the router). I set a fixed IP (194.1.1.49) on the Dial-in tab of the user account (ddsgusser) used for the demand-dial interface on SHDC01. The clients on the Shanghai network are configured (using DHCP) to route packets destined for 194.1.1.0 through SHDC01. A route print on any client can verify the routing entry 194.1.1.0 255.255.255.0 192.168.1.2, where 192.168.1.2 is the IP address of SHDC01.
The demand-dial connection from SHDC01 to SGRAS01 is successful, and SHDC01 has no problem connecting to any clients on the 194.1.1.0 network. However, all the clients on the Shanghai network cannot access any clients on the Singapore network; tracert shows the packets are lost after going through SHDC01. The clients on the Shanghai network can access the Singapore network if they use a direct VPN connection to SGRAS01, which they have been doing all this while.
You can see the screen captures here: http://singchung.spaces.live.com/blog/cns!CEF9A5068D415432!404.entry
Any help or suggestions are very much appreciated.
Sing Chung
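The original post verifies the route from the Shanghai clients towards 194.1.1.0/24 with route print, which only covers the forward direction; a tracert that dies after SHDC01 looks the same whether the forward hop drops the packet or the HQ side simply has no route back to 192.168.1.0/24. The following is an added example, not code from the thread: a small longest-prefix-match model of the hops named in the post (sh-client, SHDC01, the TP-LINK router, SGRAS01, an HQ host) that traces a packet in both directions. The routing tables are constructed; in particular, it assumes SGRAS01 is the default gateway of the HQ hosts, which the post does not state.

```python
import ipaddress

# Constructed routing tables for the nodes in the thread. Values are next-hop
# node names; "direct" means the destination is on-link for that node.
# ASSUMPTION: hq-host uses SGRAS01 as its default gateway (not stated in the post).
NET = {
    "sh-client": {"192.168.1.0/24": "direct", "194.1.1.0/24": "SHDC01", "0.0.0.0/0": "tplink"},
    "SHDC01":    {"192.168.1.0/24": "direct", "194.1.1.0/24": "SGRAS01", "0.0.0.0/0": "tplink"},
    "tplink":    {"192.168.1.0/24": "direct", "0.0.0.0/0": "internet"},
    "internet":  {},  # the public Internet has no route into either private LAN
    "SGRAS01":   {"194.1.1.0/24": "direct", "0.0.0.0/0": "internet"},  # no return route yet
    "hq-host":   {"194.1.1.0/24": "direct", "0.0.0.0/0": "SGRAS01"},
}

def lookup(table, dst):
    """Longest-prefix match over {prefix: next_hop}; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src, dst, max_hops=8):
    """Follow next hops from node `src` towards IP `dst`.
    Returns the nodes traversed, ending in "delivered" (a hop has an on-link
    route) or "dropped" (a hop has no usable route, or the hop limit is hit)."""
    path, node = [src], src
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh == "direct":
            return path + ["delivered"]
        if nh is None or nh not in tables:
            return path + ["dropped"]
        path.append(nh)
        node = nh
    return path + ["dropped"]

def with_return_route(tables):
    """Copy of the tables with a static route to the branch LAN on SGRAS01,
    pointing at the demand-dial link to SHDC01 (the hypothetical fix)."""
    fixed = {name: dict(tbl) for name, tbl in tables.items()}
    fixed["SGRAS01"]["192.168.1.0/24"] = "SHDC01"
    return fixed

if __name__ == "__main__":
    print("forward :", trace(NET, "sh-client", "194.1.1.10"))
    print("return  :", trace(NET, "hq-host", "192.168.1.20"))
    print("fixed   :", trace(with_return_route(NET), "hq-host", "192.168.1.20"))
```

If the HQ hosts actually use a different router as their default gateway, that router is the node that needs the 192.168.1.0/24 route instead. Running the same two-direction check on the real tables (route print on SHDC01, SGRAS01 and an HQ host) distinguishes a forwarding problem on SHDC01 from a missing return route.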