Jump to content

Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

Guest Lee

By Guest Lee
in Windows 2003 Server

 Share

Recommended Posts

Guest Lee

Guest Lee

Posted
Posted

Greetings,

 

I have a client that wants me to setup a Site-to-site VPN (and DFS, but

I'll ask that in another group). They won't buy additional hardware

yet, so I'm stuck doing this with Windows VPNs (Sonic Walls and other

devices are not options right now).

 

They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and

SiteB has a Server 2003 R2 System. I have successfully created a

Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN

connection, promote the SiteB server to a DC and DNS server.

 

Both sites will have the server acting as a router with Dual NICs (I

know this is not generally advisable but their budget until next year

won't allow hardware devices to replace this function). Both sites will

have public, STATIC, IP addresses.

SiteB can ping ANY system on SiteA's network

SiteA can ping ONLY the server on SiteB's network, and then only through

the IP of the Demand-Dial connection.

 

THE QUESTION

How can I get/what do I have to do to setup this system so that SiteA

can ping successfully all systems on SiteB's network? (Ultimately, I

don't care if ping works or not, I need to be able to access these

systems with Remote Assistance once I'm connected via VPN myself).

 

I'll be happy to answer any additional requests for information or post

settings whenever possible.

 

Thanks for your responses!

 

-Lee

  • Replies 6
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Robert L. \(MS-MVP\)

Guest Robert L. \(MS-MVP\)

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

The problem is the siteB server is DC running VPN and DNS. Since this is the

situation you face, you may have some options. 1) Install DNS on a different

server in siteB. 2) re-configure DNS to register only one DNS on the windows

2003 DC. 3) Perhaps, install WINS on one of the servers on siteB. or this

search result may help.

Name resolution on VPN

Can't ping VPN client by name Connection issues on DC, ISA, DNS and

WINS server as VPN server DNS and Split Tunneling for VPN? How to assign DNS

and WINS on ...

http://www.chicagotech.net/nameresolutionpnvpn.htm

 

 

--

Bob Lin, MS-MVP, MCSE & CNE

Networking, Internet, Routing, VPN Troubleshooting on

http://www.ChicagoTech.net

How to Setup Windows, Network, VPN & Remote Access on

http://www.HowToNetworking.com

"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote in message

news:484bc352$0$17967$607ed4bc@cv.net...

> Greetings,

>

> I have a client that wants me to setup a Site-to-site VPN (and DFS, but

> I'll ask that in another group). They won't buy additional hardware yet,

> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices

> are not options right now).

>

> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and

> SiteB has a Server 2003 R2 System. I have successfully created a

> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN

> connection, promote the SiteB server to a DC and DNS server.

>

> Both sites will have the server acting as a router with Dual NICs (I know

> this is not generally advisable but their budget until next year won't

> allow hardware devices to replace this function). Both sites will have

> public, STATIC, IP addresses.

> SiteB can ping ANY system on SiteA's network

> SiteA can ping ONLY the server on SiteB's network, and then only through

> the IP of the Demand-Dial connection.

>

> THE QUESTION

> How can I get/what do I have to do to setup this system so that SiteA can

> ping successfully all systems on SiteB's network? (Ultimately, I don't

> care if ping works or not, I need to be able to access these systems with

> Remote Assistance once I'm connected via VPN myself).

>

> I'll be happy to answer any additional requests for information or post

> settings whenever possible.

>

> Thanks for your responses!

>

> -Lee

Guest Lee

Guest Lee

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

Robert L. (MS-MVP) wrote:

> The problem is the siteB server is DC running VPN and DNS. Since this is

> the situation you face, you may have some options. 1) Install DNS on a

> different server in siteB. 2) re-configure DNS to register only one DNS

> on the windows 2003 DC. 3) Perhaps, install WINS on one of the servers

> on siteB. or this search result may help.

> Name resolution on VPN

> Can't ping VPN client by name Connection issues on DC, ISA, DNS and

> WINS server as VPN server DNS and Split Tunneling for VPN? How to assign

> DNS and WINS on ...

> http://www.chicagotech.net/nameresolutionpnvpn.htm

>

>

 

Thanks Robert, but I don't know if I agree that this is a DNS problem -

or at least only a DNS problem. In testing this, I have been pinging by

IP. So DNS shouldn't come into play (heavily) yet. It will certainly

be a concern, but I think I can work out the DNS issues later

 

The following is the IPCONFIG from SiteA (I've fone a find/replace) on

potentially sensitive information:

 

Windows IP Configuration

 

Host Name . . . . . . . . . . . . : SiteA

Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : Yes

DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

 

PPP adapter RAS Server (Dial In) Interface:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.165

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled

 

Ethernet adapter Cable WAN:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : DGE-560T Gigabit

Physical Address. . . . . . . . . : 00-19-5B-C0-83-FE

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : public.ip.122

Subnet Mask . . . . . . . . . . . : 255.255.255.248

Default Gateway . . . . . . . . . : public.ip.121

DNS Servers . . . . . . . . . . . : 192.168.1.133

NetBIOS over Tcpip. . . . . . . . : Disabled

 

Ethernet adapter LAN:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom

Physical Address. . . . . . . . . : 00-18-8B-FC-B4-B8

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.133

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.1.133

Primary WINS Server . . . . . . . : 192.168.1.133

 

I do not have the IPCONFIG off the SiteB server right now (I hope to be

able to get that sometime between now and tuesday, but from memory, it

was like this:

Windows IP Configuration

 

Host Name . . . . . . . . . . . . : SiteB

Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : Yes

DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

 

PPP adapter RAS Server (Dial In) Interface:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.162

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled

 

Ethernet adapter Cable WAN:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom1

Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A7

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : public.ip.203

Subnet Mask . . . . . . . . . . . : 255.255.255.248

Default Gateway . . . . . . . . . : public.ip.201

NetBIOS over Tcpip. . . . . . . . : Disabled

 

Ethernet adapter LAN:

 

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom2

Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A6

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.17.43.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 172.17.43.1

Primary WINS Server . . . . . . . : 192.168.1.133

 

When I ping by name on from SiteA to the server "SiteB" I get replies

from the PPP adapter's IP as follows:

 

C:\>ping SiteB

 

Pinging SiteB.DOMAIN.LOCAL [192.168.1.162] with 32 bytes of data:

 

Reply from 192.168.1.162: bytes=32 time=16ms TTL=128

Reply from 192.168.1.162: bytes=32 time=17ms TTL=128

Reply from 192.168.1.162: bytes=32 time=16ms TTL=128

Reply from 192.168.1.162: bytes=32 time=17ms TTL=128

 

But if I ping the 172 IP address instead:

 

C:\Program Files\Resource Kit>ping 172.17.43.1

 

Pinging 172.17.43.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

My routing table on SiteA is as such:

C:\Program Files\Resource Kit>route print

 

IPv4 Route Table

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface

0x10003 ...00 19 5b c0 83 fe ...... DGE-560T Gigabit

0x10004 ...00 18 8b fc b4 b8 ...... Broadcom

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 PUBLIC.IPA.121 PUBLIC.IPA.122 20

UNKNOWN.PUB.IP 255.255.255.255 PUBLIC.IPA.121 PUBLIC.IPA.122 20

PUBLIC.IPB.203 255.255.255.255 PUBLIC.IPA.121 PUBLIC.IPA.122 20

PUBLIC.IPA.120 255.255.255.248 PUBLIC.IPA.122 PUBLIC.IPA.122 20

PUBLIC.IPA.122 255.255.255.255 127.0.0.1 127.0.0.1 20

X.255.255.255 255.255.255.255 PUBLIC.IPA.122 PUBLIC.IPA.122 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

172.17.43.0 255.255.255.0 192.168.1.162 192.168.1.133 1

192.168.1.0 255.255.255.0 192.168.1.133 192.168.1.133 10

192.168.1.133 255.255.255.255 127.0.0.1 127.0.0.1 10

192.168.1.153 255.255.255.255 192.168.1.165 192.168.1.165 1

192.168.1.157 255.255.255.255 192.168.1.165 192.168.1.165 1

192.168.1.162 255.255.255.255 192.168.1.165 192.168.1.165 1

192.168.1.165 255.255.255.255 127.0.0.1 127.0.0.1 0

192.168.1.255 255.255.255.255 192.168.1.133 192.168.1.133 0

224.0.0.0 240.0.0.0 PUBLIC.IPA.122 PUBLIC.IPA.122 0

224.0.0.0 240.0.0.0 192.168.1.133 192.168.1.133 0

255.255.255.255 255.255.255.255 PUBLIC.IPA.122 PUBLIC.IPA.122 1

255.255.255.255 255.255.255.255 192.168.1.133 192.168.1.133 1

Default Gateway: PUBLIC.IPA.121

===========================================================================

Persistent Routes:

None

 

Both Public IP's start with the same first octet, which is represented

by X one line above.

 

As you can see, I tried adding a route on SITEA using the command:

ROUTE ADD 172.17.43.0 MASK 255.255.255.0 192.168.1.162

but that didn't help (the route is still there). I didn't try creating

a route back from SiteB though... could that be a problem? I wouldn't

think so because as I said, SiteB can ping all systems in SiteA so it

apparently has a route back...

Guest Bill Grant

Guest Bill Grant

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

You certainly have plenty of problems ahead, even when you get the site

to site routing working. Having a multihomed server is not a great problem

usually but it is on a DC. You will need to make sure that the second NIC

does not have Netbios over TCP/IP enabled and does not register in DNS. You

may also have similar problems with the VPN interfaces. If the name of the

server resolves to an IP other than its local LAN IP you have major

problems.

 

There isn't really enough info here to solve the routing problem. The

first thing to check is that each router has a route to the "other" subnet

through the VPN link. This usually requires linking the subnet routes to the

demand-dial interfaces, an then making sure that these interfaces actually

bind to the connection. The routes only become active when the interfaces

are connected.

 

If the routing works from one subnet I suspect that you have this bit

set up correctly. Is the RRAS router the default gateway at both sites? If

it is not, you will need extra routing to get the private traffic to the

RRAS router before it goes to the gateway router. If the private traffic

goes directly to the gateway router it will be dropped. It needs to be

encrypted and encapsulated first.

Guest ThePro

Guest ThePro

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:

> Greetings,

>

> I have a client that wants me to setup a Site-to-site VPN (and DFS, but

> I'll ask that in another group). They won't buy additional hardware yet,

> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices

> are not options right now).

>

> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and

> SiteB has a Server 2003 R2 System. I have successfully created a

> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN

> connection, promote the SiteB server to a DC and DNS server.

>

 

If I remember correctly, you need to setup 2 VPN connections, one each way.

 

You may want to look at

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/vpnconn.mspx

(Step-by-Step Guide to Building a Site-to-Site Virtual Private Network

Connection) to see if you missed some steps.

 

ThePro

Guest leew [MVP]

Guest leew [MVP]

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

Please see comments in-line

 

Bill Grant wrote:

> You certainly have plenty of problems ahead, even when you get the

> site to site routing working. Having a multihomed server is not a great

> problem usually but it is on a DC. You will need to make sure that the

> second NIC does not have Netbios over TCP/IP enabled and does not

> register in DNS. You may also have similar problems with the VPN

> interfaces. If the name of the server resolves to an IP other than its

> local LAN IP you have major problems.

 

I'm aware of these issues and don't feel these are anything that can be

overcome. My primary concern is the routing issue.

> There isn't really enough info here to solve the routing problem. The

> first thing to check is that each router has a route to the "other"

> subnet through the VPN link. This usually requires linking the subnet

> routes to the demand-dial interfaces, an then making sure that these

> interfaces actually bind to the connection. The routes only become

> active when the interfaces are connected.

 

Are you suggesting that I have Demand Dial connections from both ends?

I can try that... but it didn't seem logical at the time.

 

We did try to enable RIP what we did did not resolve the issue...

>

> If the routing works from one subnet I suspect that you have this bit

> set up correctly. Is the RRAS router the default gateway at both sites?

> If it is not, you will need extra routing to get the private traffic to

> the RRAS router before it goes to the gateway router. If the private

> traffic goes directly to the gateway router it will be dropped. It needs

> to be encrypted and encapsulated first.

>

 

I don't mind setting up additional static routes. Just need the

assistance in knowing what they are.

 

If there's not enough info, please, tell me what you need and I'll do my

best to get it.

 

Thanks,

-Lee

>

>

Guest Bill Grant

Guest Bill Grant

Posted
Posted

Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

 

 

 

"ThePro" <mcthepro_nospam@hotmail.com> wrote in message

news:eRvU6tjyIHA.5620@TK2MSFTNGP04.phx.gbl...

> "Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:

>> Greetings,

>>

>> I have a client that wants me to setup a Site-to-site VPN (and DFS, but

>> I'll ask that in another group). They won't buy additional hardware yet,

>> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices

>> are not options right now).

>>

>> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and

>> SiteB has a Server 2003 R2 System. I have successfully created a

>> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN

>> connection, promote the SiteB server to a DC and DNS server.

>>

>

> If I remember correctly, you need to setup 2 VPN connections, one each

> way.

>

> You may want to look at

> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/vpnconn.mspx

> (Step-by-Step Guide to Building a Site-to-Site Virtual Private Network

> Connection) to see if you missed some steps.

>

> ThePro

 

No, that is not correct. You only use one link, but both routers must

bind to the connection.

 

The VPN connection is simply a point to point connection between the two

routers. When it is connected and you have the routing set up correctly it

works as a simple (slow) IP router. Each router has a route to the other

subnet through the VPN link.

 

As the step-by-step explains you have a demand dial interface on each

router. The static subnet route is linked to the demand-dial interface

(using the new static route wizard. You select the interface by name from

the dropdown list). This is stored in the registry until the interface

connects. The system then adds the route to the routing table using the dd

interface as the gateway. In effect you are using the name of the dd

interface as a symbolic name for the connection before it actually exists.

 

You do not need to use dial on demand. That is optional. You can connect

from either end and make it a persistent connection. What is essential is

the demand-dial interfaces and the routes linked to them. The other

essential is that when you make the connection, the link is bound to the dd

interface on the answering router. You do that by using the name of the dd

interface as the username.

 

This is what happens at the answering router. When it gets the request

it checks to see if the username matches one of its dd interfaces. If it

does it makes the connection to that interface. (This is how it manages

multiple site connections). If the username does not match, the connection

is make to the default internal interface. When this happens you do not get

the subnet route added. RRAS assumes that it is a simple client-server

connection, not a router to router. You get just a host route back to the

calling machine, not a subnet router for the machines behind it. You can

route to the router but not to the subnet behind it.

 Share
Go to topic listing
×
×
  • Create New...