Guest Lee Posted June 8, 2008

Greetings,

I have a client that wants me to set up a site-to-site VPN (and DFS, but I'll ask that in another group). They won't buy additional hardware yet, so I'm stuck doing this with Windows VPNs (SonicWalls and other devices are not options right now).

They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and SiteB has a Server 2003 R2 system. I have successfully created a Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN connection, promote the SiteB server to a DC and DNS server.

Both sites will have the server acting as a router with dual NICs (I know this is not generally advisable, but their budget until next year won't allow hardware devices to replace this function). Both sites will have public, STATIC, IP addresses.

SiteB can ping ANY system on SiteA's network.
SiteA can ping ONLY the server on SiteB's network, and then only through the IP of the Demand-Dial connection.

THE QUESTION
How can I get/what do I have to do to set up this system so that SiteA can successfully ping all systems on SiteB's network? (Ultimately, I don't care if ping works or not; I need to be able to access these systems with Remote Assistance once I'm connected via VPN myself.)

I'll be happy to answer any additional requests for information or post settings whenever possible.

Thanks for your responses!

-Lee
Guest Robert L. (MS-MVP) Posted June 8, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

The problem is the siteB server is a DC running VPN and DNS. Since this is the situation you face, you may have some options.
1) Install DNS on a different server in siteB.
2) Re-configure DNS to register only one DNS on the Windows 2003 DC.
3) Perhaps, install WINS on one of the servers on siteB.
Or this search result may help:
Name resolution on VPN
Can't ping VPN client by name
Connection issues on DC, ISA, DNS and WINS server as VPN server
DNS and Split Tunneling for VPN?
How to assign DNS and WINS on ...
http://www.chicagotech.net/nameresolutionpnvpn.htm

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote in message news:484bc352$0$17967$607ed4bc@cv.net...
> Greetings,
>
> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
> I'll ask that in another group). They won't buy additional hardware yet,
> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
> are not options right now).
>
> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
> SiteB has a Server 2003 R2 System. I have successfully created a
> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
> connection, promote the SiteB server to a DC and DNS server.
>
> Both sites will have the server acting as a router with Dual NICs (I know
> this is not generally advisable but their budget until next year won't
> allow hardware devices to replace this function). Both sites will have
> public, STATIC, IP addresses.
> SiteB can ping ANY system on SiteA's network
> SiteA can ping ONLY the server on SiteB's network, and then only through
> the IP of the Demand-Dial connection.
>
> THE QUESTION
> How can I get/what do I have to do to setup this system so that SiteA can
> ping successfully all systems on SiteB's network? (Ultimately, I don't
> care if ping works or not, I need to be able to access these systems with
> Remote Assistance once I'm connected via VPN myself).
>
> I'll be happy to answer any additional requests for information or post
> settings whenever possible.
>
> Thanks for your responses!
>
> -Lee
Guest Lee Posted June 8, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

Robert L. (MS-MVP) wrote:
> The problem is the siteB server is DC running VPN and DNS. Since this is
> the situation you face, you may have some options. 1) Install DNS on a
> different server in siteB. 2) re-configure DNS to register only one DNS
> on the windows 2003 DC. 3) Perhaps, install WINS on one of the servers
> on siteB. or this search result may help.
> Name resolution on VPN
> Can't ping VPN client by name Connection issues on DC, ISA, DNS and
> WINS server as VPN server DNS and Split Tunneling for VPN? How to assign
> DNS and WINS on ...
> http://www.chicagotech.net/nameresolutionpnvpn.htm
>

Thanks Robert, but I don't know if I agree that this is a DNS problem - or at least only a DNS problem. In testing this, I have been pinging by IP, so DNS shouldn't come into play (heavily) yet. It will certainly be a concern, but I think I can work out the DNS issues later.

The following is the IPCONFIG from SiteA (I've done a find/replace on potentially sensitive information):

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SiteA
   Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.165
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Cable WAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : DGE-560T Gigabit
   Physical Address. . . . . . . . . : 00-19-5B-C0-83-FE
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : public.ip.122
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : public.ip.121
   DNS Servers . . . . . . . . . . . : 192.168.1.133
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Broadcom
   Physical Address. . . . . . . . . : 00-18-8B-FC-B4-B8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.133
   Primary WINS Server . . . . . . . : 192.168.1.133

I do not have the IPCONFIG off the SiteB server right now (I hope to be able to get that sometime between now and Tuesday), but from memory, it was like this:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SiteB
   Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.162
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Cable WAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Broadcom1
   Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : public.ip.203
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : public.ip.201
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Broadcom2
   Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A6
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.17.43.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.17.43.1
   Primary WINS Server . . . . . . . : 192.168.1.133

When I ping by name from SiteA to the server "SiteB" I get replies from the PPP adapter's IP as follows:

C:\>ping SiteB

Pinging SiteB.DOMAIN.LOCAL [192.168.1.162] with 32 bytes of data:

Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
Reply from 192.168.1.162: bytes=32 time=17ms TTL=128
Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
Reply from 192.168.1.162: bytes=32 time=17ms TTL=128

But if I ping the 172 IP address instead:

C:\Program Files\Resource Kit>ping 172.17.43.1

Pinging 172.17.43.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

My routing table on SiteA is as such:

C:\Program Files\Resource Kit>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 19 5b c0 83 fe ...... DGE-560T Gigabit
0x10004 ...00 18 8b fc b4 b8 ...... Broadcom
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   PUBLIC.IPA.121  PUBLIC.IPA.122      20
   UNKNOWN.PUB.IP  255.255.255.255   PUBLIC.IPA.121  PUBLIC.IPA.122      20
   PUBLIC.IPB.203  255.255.255.255   PUBLIC.IPA.121  PUBLIC.IPA.122      20
   PUBLIC.IPA.120  255.255.255.248   PUBLIC.IPA.122  PUBLIC.IPA.122      20
   PUBLIC.IPA.122  255.255.255.255        127.0.0.1       127.0.0.1      20
    X.255.255.255  255.255.255.255   PUBLIC.IPA.122  PUBLIC.IPA.122      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.17.43.0    255.255.255.0    192.168.1.162   192.168.1.133       1
      192.168.1.0    255.255.255.0    192.168.1.133   192.168.1.133      10
    192.168.1.133  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.1.153  255.255.255.255    192.168.1.165   192.168.1.165       1
    192.168.1.157  255.255.255.255    192.168.1.165   192.168.1.165       1
    192.168.1.162  255.255.255.255    192.168.1.165   192.168.1.165       1
    192.168.1.165  255.255.255.255        127.0.0.1       127.0.0.1       0
    192.168.1.255  255.255.255.255    192.168.1.133   192.168.1.133       0
        224.0.0.0        240.0.0.0   PUBLIC.IPA.122  PUBLIC.IPA.122       0
        224.0.0.0        240.0.0.0    192.168.1.133   192.168.1.133       0
  255.255.255.255  255.255.255.255   PUBLIC.IPA.122  PUBLIC.IPA.122       1
  255.255.255.255  255.255.255.255    192.168.1.133   192.168.1.133       1
Default Gateway:    PUBLIC.IPA.121
===========================================================================
Persistent Routes:
  None

Both public IPs start with the same first octet, which is represented by X in the table above.

As you can see, I tried adding a route on SITEA using the command:

ROUTE ADD 172.17.43.0 MASK 255.255.255.0 192.168.1.162

but that didn't help (the route is still there). I didn't try creating a route back from SiteB though... could that be a problem? I wouldn't think so because, as I said, SiteB can ping all systems in SiteA, so it apparently has a route back...
Guest Bill Grant Posted June 9, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

You certainly have plenty of problems ahead, even when you get the site-to-site routing working. Having a multihomed server is not a great problem usually, but it is on a DC. You will need to make sure that the second NIC does not have NetBIOS over TCP/IP enabled and does not register in DNS. You may also have similar problems with the VPN interfaces. If the name of the server resolves to an IP other than its local LAN IP you have major problems.

There isn't really enough info here to solve the routing problem. The first thing to check is that each router has a route to the "other" subnet through the VPN link. This usually requires linking the subnet routes to the demand-dial interfaces, and then making sure that these interfaces actually bind to the connection. The routes only become active when the interfaces are connected.

If the routing works from one subnet I suspect that you have this bit set up correctly. Is the RRAS router the default gateway at both sites? If it is not, you will need extra routing to get the private traffic to the RRAS router before it goes to the gateway router. If the private traffic goes directly to the gateway router it will be dropped. It needs to be encrypted and encapsulated first.
Guest ThePro Posted June 9, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:
> Greetings,
>
> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
> I'll ask that in another group). They won't buy additional hardware yet,
> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
> are not options right now).
>
> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
> SiteB has a Server 2003 R2 System. I have successfully created a
> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
> connection, promote the SiteB server to a DC and DNS server.
>

If I remember correctly, you need to set up 2 VPN connections, one each way.

You may want to look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/vpnconn.mspx (Step-by-Step Guide to Building a Site-to-Site Virtual Private Network Connection) to see if you missed some steps.

ThePro
Guest leew [MVP] Posted June 9, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

Please see comments in-line.

Bill Grant wrote:
> You certainly have plenty of problems ahead, even when you get the
> site to site routing working. Having a multihomed server is not a great
> problem usually but it is on a DC. You will need to make sure that the
> second NIC does not have Netbios over TCP/IP enabled and does not
> register in DNS. You may also have similar problems with the VPN
> interfaces. If the name of the server resolves to an IP other than its
> local LAN IP you have major problems.

I'm aware of these issues and don't feel these are anything that can be overcome. My primary concern is the routing issue.

> There isn't really enough info here to solve the routing problem. The
> first thing to check is that each router has a route to the "other"
> subnet through the VPN link. This usually requires linking the subnet
> routes to the demand-dial interfaces, an then making sure that these
> interfaces actually bind to the connection. The routes only become
> active when the interfaces are connected.

Are you suggesting that I have Demand Dial connections from both ends? I can try that... but it didn't seem logical at the time. We did try to enable RIP; what we did did not resolve the issue...

> If the routing works from one subnet I suspect that you have this bit
> set up correctly. Is the RRAS router the default gateway at both sites?
> If it is not, you will need extra routing to get the private traffic to
> the RRAS router before it goes to the gateway router. If the private
> traffic goes directly to the gateway router it will be dropped. It needs
> to be encrypted and encapsulated first.
>

I don't mind setting up additional static routes. I just need the assistance in knowing what they are. If there's not enough info, please tell me what you need and I'll do my best to get it.

Thanks,
-Lee
Guest Bill Grant Posted June 10, 2008
Re: Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN

"ThePro" <mcthepro_nospam@hotmail.com> wrote in message news:eRvU6tjyIHA.5620@TK2MSFTNGP04.phx.gbl...
> "Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:
>> Greetings,
>>
>> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
>> I'll ask that in another group). They won't buy additional hardware yet,
>> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
>> are not options right now).
>>
>> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
>> SiteB has a Server 2003 R2 System. I have successfully created a
>> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
>> connection, promote the SiteB server to a DC and DNS server.
>>
>
> If I remember correctly, you need to setup 2 VPN connections, one each
> way.
>
> You may want to look at
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/vpnconn.mspx
> (Step-by-Step Guide to Building a Site-to-Site Virtual Private Network
> Connection) to see if you missed some steps.
>
> ThePro

No, that is not correct. You only use one link, but both routers must bind to the connection. The VPN connection is simply a point-to-point connection between the two routers. When it is connected and you have the routing set up correctly it works as a simple (slow) IP router. Each router has a route to the other subnet through the VPN link.

As the step-by-step explains, you have a demand-dial interface on each router. The static subnet route is linked to the demand-dial interface (using the new static route wizard; you select the interface by name from the dropdown list). This is stored in the registry until the interface connects. The system then adds the route to the routing table using the dd interface as the gateway. In effect you are using the name of the dd interface as a symbolic name for the connection before it actually exists.

You do not need to use dial on demand. That is optional. You can connect from either end and make it a persistent connection. What is essential is the demand-dial interfaces and the routes linked to them.

The other essential is that when you make the connection, the link is bound to the dd interface on the answering router. You do that by using the name of the dd interface as the username.

This is what happens at the answering router. When it gets the request it checks to see if the username matches one of its dd interfaces. If it does, it makes the connection to that interface. (This is how it manages multiple site connections.)

If the username does not match, the connection is made to the default internal interface. When this happens you do not get the subnet route added. RRAS assumes that it is a simple client-server connection, not a router-to-router one. You get just a host route back to the calling machine, not a subnet route for the machines behind it. You can route to the router but not to the subnet behind it.