RAS VPN client routing problem
Guest






Posted: Thu Nov 10, 2005 5:50 pm    Post subject: RAS VPN client routing problem

I have a Windows 2003 RAS server configured for VPN. The server has one
NIC with address 172.16.85.164 mask 255.255.128.0. RAS is configured to
get client IP addresses from a DHCP server. The DHCP server issues
addresses in the range 172.16.100.1-172.16.100.254 with a mask of
255.255.255.128. This has all been working fine for months.

Recently I moved an application server into a subnet and now VPN
clients cannot reach it. The app server has IP address 172.16.201.170
mask 255.255.255.0.

When a Win XP VPN client first connects to the RAS server, the 'route
print' command shows an entry like this

Net Dest Netmask Gateway Interface Metric
172.16.0.0 255.255.0.0 172.16.100.13 172.16.100.13 1

where 172.16.100.13 is the IP address of the PPP adapter. Connections
to the app server at 172.16.201.170 are correctly routed out through
the PPP adapter to the RAS server, sent through the RAS server's
default gateway to the app server.

After a few seconds, the routing entry changes its Netmask to look like
this

Net Dest Netmask Gateway Interface Metric
172.16.0.0 255.255.128.0 172.16.100.13 172.16.100.13 1

Now packets from the VPN client to the app server are excluded from
this route, get sent to the XP machine's default router which is
outside the internal network and so fail to reach the app server.

I have found two solutions but both are less than satisfactory.

Solution 1. Check the "Use default gateway on remote network" box in
the client VPN properties. This works, but now *all* traffic, including
AIM messages, HTTP requests, etc. is routed through the RAS server
when it doesn't need to be. This slows everything down.

Solution 2. Manually add a routing entry to the Win XP client like this
route add 172.16.201.0 mask 255.255.255.0 172.16.100.13 metric 1
which forces packets to the app server to use the PPP interface. This
works, but is very inconvenient for the user and not simple to script
since the PPP adapter address is different each time.

What I want is for all and only traffic destined for 172.16.0.0 mask
255.255.0.0 to use the PPP adapter but don't know how to achieve that.
I thought of having the RAS server use its own static address pool of
client addresses (rather than using DHCP) but don't see how to set the
network mask for that pool.

Ideas?

Thanks for your help.
--
Davis
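
The netmask change described in the post above, worked through as an added example (not part of the original thread): it parses the two 'route print' rows quoted in the post and performs a longest-prefix route lookup to show which destinations still leave through the PPP adapter. The client's local default route (192.168.1.1 via 192.168.1.50, metric 20) and the outside host 203.0.113.10 are constructed values, since the post does not give them.

```python
import ipaddress

# Route entries copied from the 'route print' lines quoted in the post.
ROUTE_AT_CONNECT = "172.16.0.0 255.255.0.0 172.16.100.13 172.16.100.13 1"
ROUTE_AFTER_CHANGE = "172.16.0.0 255.255.128.0 172.16.100.13 172.16.100.13 1"
# Constructed stand-in for the XP client's default route via its local router
# (the 192.168.1.x addresses and metric are assumptions, not from the post).
DEFAULT_ROUTE = "0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 20"


def parse_route(line):
    """Parse one 'route print' row: destination, netmask, gateway, interface, metric."""
    dest, mask, gateway, iface, metric = line.split()
    return {
        "network": ipaddress.ip_network(f"{dest}/{mask}"),
        "gateway": gateway,
        "interface": iface,
        "metric": int(metric),
    }


def select_route(table, destination):
    """Pick a route the way an IP stack does: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def uses_tunnel(vpn_route_line, destination, ppp_address="172.16.100.13"):
    """True when traffic to destination leaves through the PPP adapter."""
    table = [parse_route(vpn_route_line), parse_route(DEFAULT_ROUTE)]
    return select_route(table, destination)["interface"] == ppp_address


if __name__ == "__main__":
    cases = (("at connect", ROUTE_AT_CONNECT), ("after change", ROUTE_AFTER_CHANGE))
    for label, line in cases:
        # RAS server, app server, and a constructed outside host.
        for dest in ("172.16.85.164", "172.16.201.170", "203.0.113.10"):
            path = "PPP tunnel" if uses_tunnel(line, dest) else "local default gateway"
            print(f"{label:13} {dest:15} -> {path}")
```

With mask 255.255.128.0 the tunnel route covers only 172.16.0.0 through 172.16.127.255, so the app server at 172.16.201.170 falls through to the client's own default route while the RAS server's subnet stays reachable.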
Neteng
Guest





Posted: Thu Nov 10, 2005 5:50 pm    Post subject: Re: RAS VPN client routing problem

The best thing to do is fix your subnetting and IP addressing scheme.

Guest






Posted: Fri Nov 11, 2005 9:50 pm    Post subject: Re: RAS VPN client routing problem

Neteng,

I can't change the subnetting; I have hundreds of computers set up
using this scheme.

Is there any way to force the RAS server to obtain IP addresses from a
particular scope, maybe on a second NIC?

Davis.


Bill Grant
Guest





Posted: Sat Nov 12, 2005 1:50 am    Post subject: Re: RAS VPN client routing problem

I am not sure how to fix it, but I think I know why this happens.

When the remote user connects, it sets up the correct route. It sets up
a subnet route based on the received IP. So you have a route to 172.16.0.0
255.255.0.0. This route is set up by the client itself (see KB254231). At
this stage the client can't see the DHCP server and it gets its IP address
from the RRAS server as part of the PPP transaction. (The RRAS server leases
IPs from DHCP for this purpose).

After the connection is up, the remote client can get further info from
DHCP by sending a dhcpdiscover message. This is probably when it gets the
more restrictive route. The other possibility is that it comes from a
routing protocol like RIP.
