Re: VPN from Draytek Vigor 2900 - remote client can't ping local LAN by David
David
Mon Jul 12 13:33:36 CDT 2004
Hi Reggie,
After a LOT of to-ing and fro-ing, I think we're almost there. Situation
currently is this:
We CAN initiate a VPN from the Server to the Vigor OK
We still CANNOT get a stable, repeatable VPN from the Vigor to the Server
When we have the VPN from the Server to the Vigor up-and-running, we CAN
ping anything on the Vigor internal range from the Server and from a laptop
on the Vigor internal range to anything on the SBS internal LAN. We
*thought* that would be it. Wrong!
We cannot ping from any of the SBS LAN clients to the Vigor [internal or
external IP ranges] and it appears that only certain types of traffic are
being properly communicated back and forth between SBS and Vigor. For
example, from a laptop connected to the Vigor internal side I can ping the
IP-enabled phone system on the SBS LAN side but I cannot draw down a config
as I'd expect to be able to.
I cannot help thinking that if we could get the Vigor initiating the VPN
connection this would be resolved as it would be assigned an IP address on
the internal LAN range at the SBS side, whereas the external VPN outgoing
from the SBS box is being given an IP address on the Vigor internal LAN.
Could be wildly wrong on that front though!
Have checked in RRAS and there is nothing being filtered on the connection
and we've even [purely as a test - didn't work so put it back how it was]
used a test IP packet filter in ISA to allow everything in/out in order to
ascertain if ISA was perhaps blocking something. Dunno if it's to do with NAT
on the SBS box or something like that [because I assume the Vigor will see
the connection as being initiated from the external side of the SBS rather
than the internal side]
Any thoughts?
In the meantime, I'll try once more to get the Vigor initiating the VPN
connection and see if that simplifies things any.
Thanks again for the help,
David
"Reggie Dones" <rfdones@argotech.net_nospam> wrote in message
news:#vCi2siZEHA.2944@TK2MSFTNGP11.phx.gbl...
> Okay I'm assuming you are running ISA Server at SBS2k site.
>
> Open ISA Management Console
> Navigate to >Server And Arrays>Server Name>Network Config
> Right Click on Network Config and choose "set up local ISA VPN Server"
> A VPN Wizard will pop up. Follow the instructions it will ask you for the
> following:
> 1. Create an account (automatically places the account on AD)
> 2. Choose Protocol. PPTP or IPSEC.
> 3. Initiate connection from both sites?
> 4. IP range of the remote site.
> 5. It will ask you for NIC information.
>
> After you go through the wizard it will create the necessary filters and
> LAT settings in ISA and it will create routing connections in RRAS of the
> SBS2k. All you have to do is replace the account at your VIGOR router with
> the one you just created at the SBS server and use the correct IP Address
> that you assigned for the router in SBS.
>
> You may be able to find an article in www.isaserver.org.
>
> Reggie
>
> "David Elders" <david.elders@akdsystems.co.uk> wrote in message
> news:O2fB9pgZEHA.644@tk2msftngp13.phx.gbl...
> > Hi again Reggie,
> >
> > Did a bit more testing. Results below.
> >
> > Create VPN connection from Vigor to SBS2K using settings for VPN inwards
> > that work fine direct from any laptop - VPN connection is brought up no
> > problem but any PC connected to the Vigor cannot ping anything on the SBS
> > LAN.
> >
> > Create VPN connection from Vigor to remote Vigor [at different site, purely
> > for testing] WITHOUT creating any IP routes back to the initiating end - VPN
> > connection is again brought up but these same PCs can ping anything on the
> > remote LAN.
> >
> > To me, this suggests that the routing issue is not at the Vigor end but that
> > 'something' on the SBS set-up is blocking the return packets from getting
> > back to the PC at the remote end. Your notes about there being a difference
> > between standard VPN/RAS connection and P2P make sense in that I think we
> > need to 'tell' the SBS box how to route the packets back to the remote LAN
> > range - I just don't know how to do this!
> >
> > Regards,
> >
> >
> >
> > David
> >
> >
> >
> >
> > "Reggie Dones" <rfdones@argotech.net_nospam> wrote in message
> > news:#XK8icgZEHA.1480@TK2MSFTNGP10.phx.gbl...
> > > It sounds like you are set up as a RAS. You may be able to check if you can
> > > ping resources at the SBS from the router itself - then it's working the way
> > > it's supposed to.
> > >
> > > A very simplified process: If you're using the ISA server, then you can use
> > > the wizard from the routing page to create the connection and account, if
> > > not, you can create the connection from RRAS. It will also ask you what IP
> > > Address to use for the routing. You then would have to change the
> > > credentials of the satellite office router to match what you have created on
> > > SBS.
> > >
> > >
> > > Hope that helps,
> > > Reggie
> > >
> > > "David Elders" <david.elders@akdsystems.co.uk> wrote in message
> > > news:epb12RgZEHA.2408@tk2msftngp13.phx.gbl...
> > > > Hi Reggie,
> > > >
> > > > Thanks for replying so quickly!
> > > >
> > > > At present, we've simply set-up the Vigor with the account settings of a
> > > > user with remote VPN access. That sounds plausible but I'm a little unsure
> > > > how to proceed from here. Any pointers on how you got around this?
> > > >
> > > > Cheers,
> > > >
> > > >
> > > >
> > > > David
> > > >
> > > >
> > > > "Reggie Dones" <rfdones@argotech.net_nospam> wrote in message
> > > > news:ObcONEgZEHA.3716@TK2MSFTNGP10.phx.gbl...
> > > > > Is the VPN setup as Point to Point or RAS on SBS? We setup some netopia
> > > > > routers to VPN into our SBS and we ran into the same thing because the
> > > > > routing interface was not created on the RRAS. If the routing interface for
> > > > > the VPN is not created on SBS, your router connects as a RAS client.
> > > > >
> > > > > Someone might want to check me on this.
> > > > >
> > > > > Reggie Dones
> > > > >
> > > > > "David Elders" <david.elders@akdsystems.co.uk> wrote in message
> > > > > news:eQ5GN%23fZEHA.3112@tk2msftngp13.phx.gbl...
> > > > > > Hi all,
> > > > > >
> > > > > > Hopefully we're missing something simple and someone can point us in the
> > > > > > right direction.
> > > > > >
> > > > > > Central Office:
> > > > > > SBS2000 - set-up as noted below:
> > > > > >
> > > > > > Cable Modem
> > > > > > Broadband Router - passthrough for PPTP VPN enabled [int - 192.168.42.10]
> > > > > > External NIC on SBS [192.168.42.2]
> > > > > > ISA 2000
> > > > > > Internal NIC on SBS [172.16.0.1]
> > > > > > LAN [172.16.0.x]
> > > > > >
> > > > > > Remote Office:
> > > > > > ADSL
> > > > > > Broadband Router - Draytek Vigor 2900Gi [int - 192.168.45.150]
> > > > > > PC - fixed IP - 192.168.45.160
> > > > > >
> > > > > > As those who are familiar with the Vigor range will know, the Draytek kit
> > > > > > can initiate a VPN call [it can also act as a VPN Server if required]. We
> > > > > > can initiate a full-time VPN connection from the Vigor to our SBS box across
> > > > > > the Internet no problem but the remote PC cannot ping anything on the LAN IP
> > > > > > range.
> > > > > >
> > > > > > This is kinda critical from a testing perspective as the crux of this is to
> > > > > > eventually implement an IP hardphone within the Remote office, connecting to
> > > > > > the VoIP-enabled telephone system on the LAN at the Central office.
> > > > > >
> > > > > > We're sure this has to be a fairly basic routing issue and that we should be
> > > > > > able to add a route somehow to 'force' the VPN traffic back to the remote
> > > > > > LAN. Problem is we can't for the life of us work out what to do!
> > > > > >
> > > > > > Anyone got any pointers?
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > >
> > > > > >
> > > > > > David