Server 2003 R2 to SBS 2003 (not R2) Site to Site VPN


Lee

Greetings,

I have a client that wants me to setup a Site-to-site VPN (and DFS, but
I'll ask that in another group). They won't buy additional hardware
yet, so I'm stuck doing this with Windows VPNs (Sonic Walls and other
devices are not options right now).

They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
SiteB has a Server 2003 R2 System. I have successfully created a
Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
connection, promote the SiteB server to a DC and DNS server.

Both sites will have the server acting as a router with Dual NICs (I
know this is not generally advisable but their budget until next year
won't allow hardware devices to replace this function). Both sites will
have public, STATIC, IP addresses.
SiteB can ping ANY system on SiteA's network
SiteA can ping ONLY the server on SiteB's network, and then only through
the IP of the Demand-Dial connection.

THE QUESTION
How can I get/what do I have to do to setup this system so that SiteA
can ping successfully all systems on SiteB's network? (Ultimately, I
don't care if ping works or not, I need to be able to access these
systems with Remote Assistance once I'm connected via VPN myself).

I'll be happy to answer any additional requests for information or post
settings whenever possible.

Thanks for your responses!

-Lee
 
The problem is the siteB server is a DC running VPN and DNS. Since this is the
situation you face, you may have some options. 1) Install DNS on a different
server in siteB. 2) Re-configure DNS to register only one DNS on the Windows
2003 DC. 3) Perhaps, install WINS on one of the servers on siteB. Or this
search result may help.
Name resolution on VPN
Can't ping VPN client by name Connection issues on DC, ISA, DNS and
WINS server as VPN server DNS and Split Tunneling for VPN? How to assign DNS
and WINS on ...
www.chicagotech.net/nameresolutionpnvpn.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote in message
news:484bc352$0$17967$607ed4bc@cv.net...
> Greetings,
>
> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
> I'll ask that in another group). They won't buy additional hardware yet,
> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
> are not options right now).
>
> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
> SiteB has a Server 2003 R2 System. I have successfully created a
> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
> connection, promote the SiteB server to a DC and DNS server.
>
> Both sites will have the server acting as a router with Dual NICs (I know
> this is not generally advisable but their budget until next year won't
> allow hardware devices to replace this function). Both sites will have
> public, STATIC, IP addresses.
> SiteB can ping ANY system on SiteA's network
> SiteA can ping ONLY the server on SiteB's network, and then only through
> the IP of the Demand-Dial connection.
>
> THE QUESTION
> How can I get/what do I have to do to setup this system so that SiteA can
> ping successfully all systems on SiteB's network? (Ultimately, I don't
> care if ping works or not, I need to be able to access these systems with
> Remote Assistance once I'm connected via VPN myself).
>
> I'll be happy to answer any additional requests for information or post
> settings whenever possible.
>
> Thanks for your responses!
>
> -Lee
 
Robert L. (MS-MVP) wrote:
> The problem is the siteB server is DC running VPN and DNS. Since this is
> the situation you face, you may have some options. 1) Install DNS on a
> different server in siteB. 2) re-configure DNS to register only one DNS
> on the windows 2003 DC. 3) Perhaps, install WINS on one of the servers
> on siteB. or this search result may help.
> Name resolution on VPN
> Can't ping VPN client by name Connection issues on DC, ISA, DNS and
> WINS server as VPN server DNS and Split Tunneling for VPN? How to assign
> DNS and WINS on ...
> www.chicagotech.net/nameresolutionpnvpn.htm
>
>


Thanks Robert, but I don't know if I agree that this is a DNS problem -
or at least only a DNS problem. In testing this, I have been pinging by
IP. So DNS shouldn't come into play (heavily) yet. It will certainly
be a concern, but I think I can work out the DNS issues later.

The following is the IPCONFIG from SiteA (I've done a find/replace on
potentially sensitive information):

Windows IP Configuration

Host Name . . . . . . . . . . . . : SiteA
Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.165
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Cable WAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : DGE-560T Gigabit
Physical Address. . . . . . . . . : 00-19-5B-C0-83-FE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : public.ip.122
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : public.ip.121
DNS Servers . . . . . . . . . . . : 192.168.1.133
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom
Physical Address. . . . . . . . . : 00-18-8B-FC-B4-B8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.133
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.133
Primary WINS Server . . . . . . . : 192.168.1.133

I do not have the IPCONFIG off the SiteB server right now (I hope to be
able to get that sometime between now and Tuesday), but from memory, it
was like this:
Windows IP Configuration

Host Name . . . . . . . . . . . . : SiteB
Primary Dns Suffix . . . . . . . : DOMAIN.LOCAL
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : DOMAIN.LOCAL

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.162
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Cable WAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom1
Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : public.ip.203
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : public.ip.201
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom2
Physical Address. . . . . . . . . : 00-18-8C-EB-B3-A6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.17.43.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.17.43.1
Primary WINS Server . . . . . . . : 192.168.1.133

When I ping by name from SiteA to the server "SiteB" I get replies
from the PPP adapter's IP as follows:

C:\>ping SiteB

Pinging SiteB.DOMAIN.LOCAL [192.168.1.162] with 32 bytes of data:

Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
Reply from 192.168.1.162: bytes=32 time=17ms TTL=128
Reply from 192.168.1.162: bytes=32 time=16ms TTL=128
Reply from 192.168.1.162: bytes=32 time=17ms TTL=128

But if I ping the 172 IP address instead:

C:\Program Files\Resource Kit>ping 172.17.43.1

Pinging 172.17.43.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

My routing table on SiteA is as such:
C:\Program Files\Resource Kit>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 19 5b c0 83 fe ...... DGE-560T Gigabit
0x10004 ...00 18 8b fc b4 b8 ...... Broadcom
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface        Metric
0.0.0.0                    0.0.0.0          PUBLIC.IPA.121   PUBLIC.IPA.122       20
UNKNOWN.PUB.IP     255.255.255.255          PUBLIC.IPA.121   PUBLIC.IPA.122       20
PUBLIC.IPB.203     255.255.255.255          PUBLIC.IPA.121   PUBLIC.IPA.122       20
PUBLIC.IPA.120     255.255.255.248          PUBLIC.IPA.122   PUBLIC.IPA.122       20
PUBLIC.IPA.122     255.255.255.255          127.0.0.1        127.0.0.1            20
X.255.255.255      255.255.255.255          PUBLIC.IPA.122   PUBLIC.IPA.122       20
127.0.0.0                255.0.0.0          127.0.0.1        127.0.0.1             1
172.17.43.0          255.255.255.0          192.168.1.162    192.168.1.133         1
192.168.1.0          255.255.255.0          192.168.1.133    192.168.1.133        10
192.168.1.133      255.255.255.255          127.0.0.1        127.0.0.1            10
192.168.1.153      255.255.255.255          192.168.1.165    192.168.1.165         1
192.168.1.157      255.255.255.255          192.168.1.165    192.168.1.165         1
192.168.1.162      255.255.255.255          192.168.1.165    192.168.1.165         1
192.168.1.165      255.255.255.255          127.0.0.1        127.0.0.1             0
192.168.1.255      255.255.255.255          192.168.1.133    192.168.1.133         0
224.0.0.0                240.0.0.0          PUBLIC.IPA.122   PUBLIC.IPA.122        0
224.0.0.0                240.0.0.0          192.168.1.133    192.168.1.133         0
255.255.255.255    255.255.255.255          PUBLIC.IPA.122   PUBLIC.IPA.122        1
255.255.255.255    255.255.255.255          192.168.1.133    192.168.1.133         1
Default Gateway: PUBLIC.IPA.121
===========================================================================
Persistent Routes:
None

Both Public IP's start with the same first octet, which is represented
by X one line above.

As you can see, I tried adding a route on SITEA using the command:
ROUTE ADD 172.17.43.0 MASK 255.255.255.0 192.168.1.162
but that didn't help (the route is still there). I didn't try creating
a route back from SiteB though... could that be a problem? I wouldn't
think so because as I said, SiteB can ping all systems in SiteA so it
apparently has a route back...
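One thing the posted SiteA table shows is that the 172.17.43.0/24 route has gateway 192.168.1.162 but interface 192.168.1.133 (the LAN NIC), while the host route to 192.168.1.162 itself leaves through the PPP interface 192.168.1.165; that is the kind of mismatch Bill Grant's advice about linking the subnet route to the demand-dial interface is meant to avoid. The following Python check is an added example, not code from the thread: it parses the private-address rows exactly as Lee posted them (public placeholder rows are skipped), does the longest-prefix lookup the stack would do, and flags a subnet route whose interface differs from the one its gateway is reached through.

```python
"""Check a Windows 'route print' table for a site-to-site subnet route
that is pinned to the wrong interface. Added example, not from the thread;
the rows below are the private-address rows Lee posted for SiteA."""
import ipaddress

# Rows with the PUBLIC.* placeholders are left out because they cannot parse.
SITEA_ROUTES = """\
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.17.43.0 255.255.255.0 192.168.1.162 192.168.1.133 1
192.168.1.0 255.255.255.0 192.168.1.133 192.168.1.133 10
192.168.1.133 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.153 255.255.255.255 192.168.1.165 192.168.1.165 1
192.168.1.157 255.255.255.255 192.168.1.165 192.168.1.165 1
192.168.1.162 255.255.255.255 192.168.1.165 192.168.1.165 1
192.168.1.165 255.255.255.255 127.0.0.1 127.0.0.1 0
192.168.1.255 255.255.255.255 192.168.1.133 192.168.1.133 0
"""


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # header rows or unparseable placeholder rows
    return routes


def lookup(routes, dest):
    """Longest-prefix match, lowest metric on ties; returns (gateway, iface)."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw, iface)
    return None if best is None else (best[1], best[2])


def check_tunnel_route(routes, remote_host):
    """Diagnose the path to remote_host. A subnet route is only usable if it
    leaves on the same interface through which its gateway is reached."""
    hit = lookup(routes, remote_host)
    if hit is None:
        return {"ok": False, "reason": "no route"}
    gw, iface = hit
    if gw == iface:  # on-link route: nothing further to resolve
        gw_iface = iface
    else:
        gw_hit = lookup(routes, gw)
        gw_iface = gw_hit[1] if gw_hit else None
    ok = gw_iface == iface
    reason = ("route bound to the gateway's interface" if ok else
              f"subnet route leaves {iface} but gateway is reached via {gw_iface}")
    return {"ok": ok, "gateway": gw, "interface": iface,
            "gateway_interface": gw_iface, "reason": reason}
```

Re-running the check after the row reads `172.17.43.0 255.255.255.0 192.168.1.162 192.168.1.165 1` reports the route as consistent, which is what a route attached to the demand-dial interface looks like once it is connected.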
 
You certainly have plenty of problems ahead, even when you get the site
to site routing working. Having a multihomed server is not a great problem
usually but it is on a DC. You will need to make sure that the second NIC
does not have Netbios over TCP/IP enabled and does not register in DNS. You
may also have similar problems with the VPN interfaces. If the name of the
server resolves to an IP other than its local LAN IP you have major
problems.

There isn't really enough info here to solve the routing problem. The
first thing to check is that each router has a route to the "other" subnet
through the VPN link. This usually requires linking the subnet routes to the
demand-dial interfaces, and then making sure that these interfaces actually
bind to the connection. The routes only become active when the interfaces
are connected.

If the routing works from one subnet I suspect that you have this bit
set up correctly. Is the RRAS router the default gateway at both sites? If
it is not, you will need extra routing to get the private traffic to the
RRAS router before it goes to the gateway router. If the private traffic
goes directly to the gateway router it will be dropped. It needs to be
encrypted and encapsulated first.
 
"Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:
> Greetings,
>
> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
> I'll ask that in another group). They won't buy additional hardware yet,
> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
> are not options right now).
>
> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
> SiteB has a Server 2003 R2 System. I have successfully created a
> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
> connection, promote the SiteB server to a DC and DNS server.
>


If I remember correctly, you need to setup 2 VPN connections, one each way.

You may want to look at
http://www.microsoft.com/technet/pr...ogies/activedirectory/stepbystep/vpnconn.mspx
(Step-by-Step Guide to Building a Site-to-Site Virtual Private Network
Connection) to see if you missed some steps.

ThePro
 
Please see comments in-line

Bill Grant wrote:
> You certainly have plenty of problems ahead, even when you get the
> site to site routing working. Having a multihomed server is not a great
> problem usually but it is on a DC. You will need to make sure that the
> second NIC does not have Netbios over TCP/IP enabled and does not
> register in DNS. You may also have similar problems with the VPN
> interfaces. If the name of the server resolves to an IP other than its
> local LAN IP you have major problems.


I'm aware of these issues and don't feel these are anything that can be
overcome. My primary concern is the routing issue.

> There isn't really enough info here to solve the routing problem. The
> first thing to check is that each router has a route to the "other"
> subnet through the VPN link. This usually requires linking the subnet
> routes to the demand-dial interfaces, an then making sure that these
> interfaces actually bind to the connection. The routes only become
> active when the interfaces are connected.


Are you suggesting that I have Demand Dial connections from both ends?
I can try that... but it didn't seem logical at the time.

We did try to enable RIP, but what we did did not resolve the issue...

>
> If the routing works from one subnet I suspect that you have this bit
> set up correctly. Is the RRAS router the default gateway at both sites?
> If it is not, you will need extra routing to get the private traffic to
> the RRAS router before it goes to the gateway router. If the private
> traffic goes directly to the gateway router it will be dropped. It needs
> to be encrypted and encapsulated first.
>


I don't mind setting up additional static routes. Just need the
assistance in knowing what they are.

If there's not enough info, please, tell me what you need and I'll do my
best to get it.

Thanks,
-Lee
 
"ThePro" <mcthepro_nospam@hotmail.com> wrote in message
news:eRvU6tjyIHA.5620@TK2MSFTNGP04.phx.gbl...
> "Lee" <wtlgditc@ThatSearchEngineMSTriedToBuyInEarly08> wrote:
>> Greetings,
>>
>> I have a client that wants me to setup a Site-to-site VPN (and DFS, but
>> I'll ask that in another group). They won't buy additional hardware yet,
>> so I'm stuck doing this with Windows VPNs (Sonic Walls and other devices
>> are not options right now).
>>
>> They have two sites - SiteA has an SBS 2003 STANDARD (NON-R2) server and
>> SiteB has a Server 2003 R2 System. I have successfully created a
>> Demand-Dial VPN from SiteB to SiteA and have been able to, via this VPN
>> connection, promote the SiteB server to a DC and DNS server.
>>

>
> If I remember correctly, you need to setup 2 VPN connections, one each
> way.
>
> You may want to look at
> http://www.microsoft.com/technet/pr...ogies/activedirectory/stepbystep/vpnconn.mspx
> (Step-by-Step Guide to Building a Site-to-Site Virtual Private Network
> Connection) to see if you missed some steps.
>
> ThePro


No, that is not correct. You only use one link, but both routers must
bind to the connection.

The VPN connection is simply a point to point connection between the two
routers. When it is connected and you have the routing set up correctly it
works as a simple (slow) IP router. Each router has a route to the other
subnet through the VPN link.

As the step-by-step explains you have a demand dial interface on each
router. The static subnet route is linked to the demand-dial interface
(using the new static route wizard. You select the interface by name from
the dropdown list). This is stored in the registry until the interface
connects. The system then adds the route to the routing table using the dd
interface as the gateway. In effect you are using the name of the dd
interface as a symbolic name for the connection before it actually exists.

You do not need to use dial on demand. That is optional. You can connect
from either end and make it a persistent connection. What is essential is
the demand-dial interfaces and the routes linked to them. The other
essential is that when you make the connection, the link is bound to the dd
interface on the answering router. You do that by using the name of the dd
interface as the username.

This is what happens at the answering router. When it gets the request
it checks to see if the username matches one of its dd interfaces. If it
does it makes the connection to that interface. (This is how it manages
multiple site connections). If the username does not match, the connection
is made to the default internal interface. When this happens you do not get
the subnet route added. RRAS assumes that it is a simple client-server
connection, not a router to router. You get just a host route back to the
calling machine, not a subnet route for the machines behind it. You can
route to the router but not to the subnet behind it.
 