RE: Connecting to resources over a SBS 2003 VPN

Hi Neil:
Thank you for your reply.:)

According to the routing table you provided, I notice that both your remote
VPN client and your SBS server are using a same subnet network
(192.168.0.0/255.255.0.0). That is the root cause of your issue.
Hi Neil:
Thank you for your reply.:)

According to the routing table you provided, I notice that both your remote
VPN client and your SBS server are using a same subnet network
(192.168.0.0/255.255.0.0). That is the root cause of your issue.

Technically speaking, the system uses route table to route IP traffics. By
default, the local subnet does not need route. The system will use
broadcast to find local clients or send traffic directly to the local
address. In your case, the remote client has the IP address which is in the
range of your local subnet. Once the VPN client tries to access the
resource in the destination network (where the VPN server resides), it will
not find the way out since its route table treat the request as a local
network request. That's why there is no response from the server.

In the routing table, we can find this route item:
192.168.0.0 255.255.0.0 192.168.0.20 192.168.0.20 20

That is to say, all requests to the subnet 192.168.x.x are sent to
192.168.0.20 (the local network adapter of the VPN client). So the traffic
is failed to send to the correct gateway (192.168.0.53).

1. To resolve this issue, we need to use different subnet addressing in the
VPN client and VPN server sites. For example, assign 10.0.0.x to the VPN
client side and 192.168.x.x to the SBS Server side. That is the recommended
configuration to establish a VPN connection.

2. I would also like to provide a workaround to you if it seems difficult
to change the subnet addressing.
To work around this problem, you can try the following method:

In your client, add a static routing after the VPN connection is
established.
- Click Start, Run, type CMD
- Type "route add <remote end IP> MASK 255.255.255.255 <IP address of your
VPN PPP adapter>"
- Type "route print". You will see a routing entry is added. The
destination IP is the route end client's IP. Subnet MASK is
255.255.255.255. The Gateway is your VPN gateway's IP.

Hope this helps, I look forward to hearing from you. If anything is
unclear, please feel to let me know, I am glad to be of assistance.

Have a nice day, Neil!:)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Connecting to resources over a SBS 2003 VPN
| thread-index: AcWNDiqWl9o+P3yjSjKYUAsN7pz4qw==
| X-WBNR-Posting-Host: 82.118.121.88
| From: "=?Utf-8?B?TmVpbCBUQ0M=?=" <NeilTCC@xxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <55B46F8D-0CE3-46C4-984F-8453B3C9C35C@xxxxxxxxxxxxx>
<$SP$Gu3iFHA.2700@xxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Connecting to resources over a SBS 2003 VPN
| Date: Wed, 20 Jul 2005 02:34:03 -0700
| Lines: 236
| Message-ID: <DC709D03-F592-4D26-9AB9-5AFFE351404A@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:137368
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi Edward, thanks for your reply,
|
| Sorry for the delay i had a problem with my Net passport as i could not
view
| this thread.
|
| Yes you are right regarding the tunnel connecting, just to let you know
we
| are using
| In response to your questions:-
|
| 1: SBS 2003 Standard so ISA server is not installed.
| Service PAck 1 is applied
|
| The routing table for the server is:-
|
| Active Routes:
| Network Destination Netmask Gateway
Interface
| Metric
| 0.0.0.0 0.0.0.0 192.168.0.1

| 192.168.0.254 1
| 82.118.121.88 255.255.255.255 192.168.0.1
| 192.168.0.254 1
| 127.0.0.0 255.0.0.0 127.0.0.1
| 127.0.0.1 1
| 169.254.0.0 255.255.0.0 169.254.254.223
| 169.254.254.223 10
| 169.254.254.223 255.255.255.255 127.0.0.1
127.0.0.1
| 10
| 169.254.255.255 255.255.255.255 169.254.254.223
169.254.254.223
| 10
| 192.168.0.0 255.255.255.0 192.168.0.254
| 192.168.0.254 20
| 192.168.0.56 255.255.255.255 127.0.0.1
| 127.0.0.1 50
| 192.168.0.254 255.255.255.255 127.0.0.1
127.0.0.1
| 20
| 192.168.0.255 255.255.255.255 192.168.0.254
| 192.168.0.254 20
| 224.0.0.0 240.0.0.0 169.254.254.223
| 169.254.254.223 10
| 224.0.0.0 240.0.0.0 192.168.0.254
| 192.168.0.254 20
| 255.255.255.255 255.255.255.255 169.254.254.223
169.254.254.223
| 1
| 255.255.255.255 255.255.255.255 192.168.0.254
192.168.0.254
| 1
| Default Gateway: 192.168.0.1
|
===========================================================================
| Persistent Routes:
| None
|
| Client when the VPN is enabled is as follows:-
|
|
===========================================================================
| Active Routes:
| Network Destination Netmask Gateway Interface

| Metric
| 0.0.0.0 0.0.0.0 192.168.0.1
| 192.168.0.20 21
| 0.0.0.0 0.0.0.0 192.168.0.53
| 192.168.0.53 1
| 83.105.49.143 255.255.255.255 192.168.0.1 192.168.0.20

| 20
| 127.0.0.0 255.0.0.0 127.0.0.1
127.0.0.1
| 1
| 192.168.0.0 255.255.0.0 192.168.0.20
192.168.0.20
| 20
| 192.168.0.20 255.255.255.255 127.0.0.1 127.0.0.1

| 20
| 192.168.0.53 255.255.255.255 127.0.0.1 127.0.0.1

| 50
| 192.168.0.255 255.255.255.255 192.168.0.20 192.168.0.20

| 20
| 192.168.0.255 255.255.255.255 192.168.0.53 192.168.0.53

| 50
| 224.0.0.0 240.0.0.0 192.168.0.20
| 192.168.0.20 20
| 224.0.0.0 240.0.0.0 192.168.0.53
| 192.168.0.53 1
| 255.255.255.255 255.255.255.255 192.168.0.20 192.168.0.20

| 1
| 255.255.255.255 255.255.255.255 192.168.0.20 4

| 1
| 255.255.255.255 255.255.255.255 192.168.0.53 192.168.0.53

| 1
| Default Gateway: 192.168.0.53
|
===========================================================================
| Persistent Routes:
| None
|
| 2: Clients have been added to the Domain, they connect to resources fine
| when they are i the LAN, the problem only occurs over the VPN
| 3: I am trying to connect two clients and both are having the same
problem,
| i have also tried to use the VPN on clients not part of this domain,
again
| they authenticate fine but cannopt browse any Network locations, however
it
| seems that a lot more packets are sent and received using the machines
that
| are not part of the domain.
| 4: Can Ping the IP Address but not the server name
| 5: Internal users can connect fine
| 6:Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : SimonJan05
| Primary Dns Suffix . . . . . . . : FUAL.local
| Node Type . . . . . . . . . . . . : Hybrid
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No
| DNS Suffix Search List. . . . . . : FUAL.local
|
| Ethernet adapter Local Area Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Realtek RTL8169/8110 Family
Gigab
| Ethernet NIC
| Physical Address. . . . . . . . . : 00-01-4A-1C-57-5F
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.0.20
| Subnet Mask . . . . . . . . . . . : 255.255.0.0
| Default Gateway . . . . . . . . . : 192.168.0.1
| DHCP Server . . . . . . . . . . . : 192.168.0.1
| DNS Servers . . . . . . . . . . . : 192.168.0.1
| Lease Obtained. . . . . . . . . . : 20 July 2005 10:21:05
| Lease Expires . . . . . . . . . . : 23 July 2005 10:21:05
|
| Ethernet adapter Wireless Network Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG
Netw
| Connection
| Physical Address. . . . . . . . . : 00-0E-35-B6-7C-7B
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 0.0.0.0
| Subnet Mask . . . . . . . . . . . : 0.0.0.0
| Default Gateway . . . . . . . . . :
| DHCP Server . . . . . . . . . . . : 255.255.255.255
|
| PPP adapter FUAL:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| Physical Address. . . . . . . . . : 00-53-45-00-00-00
| Dhcp Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.0.52
| Subnet Mask . . . . . . . . . . . : 255.255.255.255
| Default Gateway . . . . . . . . . : 192.168.0.52
| DNS Servers . . . . . . . . . . . : 192.168.0.254
| Primary WINS Server . . . . . . . : 192.168.16.2
|
| 7: No we cannot connect using \\servername\shared folder
|
| Many thanks for your help on this one i look forward to hearing from you.
|
| Kind Regards
|
| Neil TCC
|
|
|
|
|
|
|
|
| "Edward Tian" wrote:
|
| > Hi Neil:
| > Thank you for posting here.
| > From your description, the remote client can establish the VPN tunnel
| > successfully, but won't be able to access the shared resources from the
| > internal network. If I am off-base, please feel free to let me know.
| > To narrow down the issue, I'd like to check the following information:
| > 1. Do you have your ISA server installed? If so, which version do you
| > install? ISA2000 or ISA2004?
| > Is SBS 2003 SP1 applied? This is a known bug for Windows 2003 SP1+ISA
| > server 2000. In this scenario, the VPN tunnel can be established but no
| > traffic can go through. You can try the resolution in the article below:
| > 897651 VPN clients can no longer access internal resources after you
| > install Windows Server 2003 Service Pack 1 on a computer that is
running
| > ISA Server 2000:
| > http://support.microsoft.com/?id=897651
| > Note: According to the article, we should not only obtain the Hotfix
but
| > also modify the registry.
| > If there is no ISA installed, the problem could be related to the
routing
| > table. Use 'route print' command to collect the routing information
from
| > both the server and the VPN client and then paste the result to me for
| > further analysis.
| > 2. Have you added this remote client to the domain?
| > 3. Can the problem be reproduced on all the remote clients or just one?
| > 4. Can you ping the internal IP address of the server from your remote
| > client? You can try twice by using the IP address and the server name.
| > 5. Can internal users access the other resources which remote user
can't
| > access? Can internal users see all computers (server and all PCs) from
My
| > Network Places?
| > 6. Once the VPN connection is made, run ''ipconfig/all'' result on the
VPN
| > client and paste the result to me at your convenience.
| > 7. Can the remote client access the other shares from using the command
| > \\computername\sharefolder?
| >
| > Hope it helps, please do let me know the result of the steps above, I
look
| > forward to hearing from you.
| > If you have anything unclear, please feel free to let me know, I am
glad to
| > be of the assistance.
| >
| > Have a nice day, Neil!
| >
| > Best Regards
| > Edward Tian(MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| > ======================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| >
|

.

Relevant Pages

  • Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
    ... This set of steps is redundant in many places, and it's also enormously expensive, since you're using no less than three different expensive bits of networking hardware (AP, PIX, VPN Concentrator), in addition to a bunch of x86 server hardware, windows server licenses, and at least one ISA license. ... Your computers necessarily don't have full access to your network infrastructure when they aren't logged on, so GPOs, software updates, etc can't be applied at the times you want them to be applied. ... Turning on, enabling, and implementing every possible security setting and device you think of is not defence in depth, and will probably only have two effects - your users won't use your wireless network, and you'll burn so much cash you won't have any left to spend on *useful* security measures. ...
    (Full-Disclosure)
  • RE: Printing from Win9x clients stops
    ... Open Server Management. ... then right-click the name of the computer running Windows Small Business ... >From the client computer: ... The Select Network Component Type ...
    (microsoft.public.windows.server.sbs)
  • RE: Printing from Win9x clients stops
    ... The printers with 9x drivers on the server appeared automatically in the ... > then right-click the name of the computer running Windows Small Business ... > From the client computer: ... The Select Network Component Type ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN clients unable to connect to other resources.
    ... gateway matches the IP of the remote client, and DNS and WINS point to the ... remote (although it takes close to a minute to connect, ... This is just regular Windows VPN, ... VPN server, remote routing and access running on the SBS 2003 server ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN with SBS 2003 (not R2) and DSL.
    ... Reading property value for VPN returned OK ... Reading VPN Server Name returned OK ... identical network cards. ... it seems doubtful that SBS will work properly with two NICs ...
    (microsoft.public.windows.server.sbs)