Re: VPN Issue
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Wed, 21 Jun 2006 13:02:27 +0100
Ripley wrote:
> Joe,
> Thanks for your reply. I have read some articles about this subnet issue, so I know what you mean. I will get an ipconfig /all from one of the clients shortly.
> But what perplexes me is this: I have an XP Home PC at my house, connected to a router which deploys an IP address to me such as 192.168.1.3. This PC is not a domain member, and has never been connected up directly to the business network. Once my broadband is online, I then connect to my network using the VPN connectoid. This gives me an IP address from my SBS server on the business network, and this IP address happens to be in the same range as my router (192.168.1.105 or something similar). My understanding is that because the router I have carries out NAT translation along the way, then it doesn't matter that my router and the business network I'm connecting to run the same IP range?
As far as routing across the open Internet goes, yes, that is correct.
When you connect to a remote machine, you ask for the external address,
and what NAT converts it to is completely irrelevant to you. Similarly
the remote end sees the request coming from your external address, and
doesn't know what internal address your computer really has.
But when you set up a VPN connection, it effectively makes a link from
a new network adapter in the client directly to one in the server. It
gives the client end an IP address from the SBS DHCP pool. It also
sets up a rule in the client that messages going to the SBS LAN subnet
must go through this adapter. Unfortunately, where the client already
has a connection to this subnet number, there is already a rule in place
about where to send this traffic, and that is out onto the client LAN.
So the SBS will never receive traffic over the VPN, and messages sent
out over the client LAN to the Internet will never go anywhere if they
use a private IP range, which an SBS LAN should use. The VPN itself
will have been made using the external public address of the server;
it is only when routing is set up for information between client and
server through the VPN that the clash of IP addresses occurs.
Domain membership is not an issue here; this is basic IP routing.
The domain adds its own problems...
> Certainly, for myself at home I have no problem mapping drives, accessing the intranet, etc. But ONLY if I add in the domain.local DNS suffix to the VPN connection.
> So for the two mobile guys I have out there - what's different? They are running LAN laptops which are domain members. One is set with a static address of 192.168.2.14, the other with DHCP (which obtains a 192.168.1.x address when on the LAN). Their routers support NAT translation, so even though they may be giving them an IP address in the same range, surely this doesn't matter? Both users are connected to their routers via a USB cable also, and not ethernet.
The physical connection doesn't matter, just whether it uses IP
protocols. In order to work as a network adaptor in conjunction
with any other network adaptors in the machine, it must do so.
Even a USB-only modem involves an IP address, but one which is
distributed by the ISP and is public and unique. A router will
get the public address on its DSL port, and must use a different
subnet on its LAN side, a private one.
> I just can't understand what the difference is. Surely if I had this subnet issue, then everyone would be experiencing it, including myself?
Everyone does. There is at least one case a month on this newsgroup on
the subject. All routers must connect between different subnets or
they won't know where to send things, and a VPN connection involves
a software router at each end. Where a computer has two or more NICs,
as an SBS can have, the subnets must always be different. This is
another place where mistakes are made.
To see more about routing, use the route print command on the client
before and after the VPN is connected. Afterwards, you will see
additional routes listed, which ultimately use as gateway the same
IP address as ipconfig /all shows for the PPP adapter. If the extra
routes overlap with the pre-VPN routes, there will be trouble. Use
the properties of the VPN connection to show both VPN IP addresses.
Both will be from the SBS DHCP pool, and you should be able to ping
both addresses successfully. If you can ping the client end but not
the server end, that tells you that messages for the server end are
not being routed down the VPN, or that when the SBS receives the
ping request that its replies are not being routed back. SBS also
has a routing table which is modified by VPN connections, and its
own LAN subnet entry will also override later additions for the same
subnet.
OK, to nail this down, do the ipconfig /all on the client while the
VPN is up, also on the server. It may be something more subtle than
the IP subnet, but that's still the way to bet at the moment.
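
The before-and-after `route print` comparison described in the message above, as an added example that is not part of the original post: it parses two saved route tables and reports any subnet route added by the VPN that overlaps a pre-VPN route on a different interface. The route tables are constructed from the addresses mentioned in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed `route print` rows (not captured from a real machine): a home LAN
# on 192.168.1.0/24, and the rows that appear once the VPN adapter gets .105.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      20
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      20
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3      20
"""
VPN_ROUTES = """\
          0.0.0.0          0.0.0.0    192.168.1.105   192.168.1.105       1
      192.168.1.0    255.255.255.0    192.168.1.105   192.168.1.105       1
    192.168.1.105  255.255.255.255        127.0.0.1       127.0.0.1      50
"""
AFTER = BEFORE + VPN_ROUTES

def parse_routes(text):
    """Return a set of (network, gateway, interface) from IPv4 route rows."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # headers and separators are skipped
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gateway = str(ipaddress.ip_address(fields[2]))
            iface = str(ipaddress.ip_address(fields[3]))
        except ValueError:            # not an IPv4 route row
            continue
        routes.add((net, gateway, iface))
    return routes

def is_subnet_route(net):
    """Ignore default, host, loopback and multicast entries."""
    return 0 < net.prefixlen < 32 and not (net.is_loopback or net.is_multicast)

def find_clashes(before_text, after_text):
    """List (new_net, new_iface, old_net, old_iface) for overlapping routes."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    clashes = []
    for net, _gw, iface in sorted(after - before):
        if not is_subnet_route(net):
            continue
        for old_net, _old_gw, old_iface in sorted(before):
            if (is_subnet_route(old_net) and old_iface != iface
                    and net.overlaps(old_net)):
                clashes.append((str(net), iface, str(old_net), old_iface))
    return clashes

if __name__ == "__main__":
    for clash in find_clashes(BEFORE, AFTER):
        print("VPN route %s via %s overlaps existing %s on %s" % clash)
```
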