MS PPTP Weirdness

Jeremy Jones JJones at NWNETS.COM
Mon Dec 20 16:09:06 EST 1999


Here's a little more detail... Well, a lot more detail, actually.

The setup is a little complex to put in words, but I'll give it a shot:

1.  Central Site's RRAS server is multihomed w/first nic on Internet and
second on LAN
2.  Central Site's RRAS server runs MS Proxy Server
3.  Central Site LAN subnet is 10.0.0.0/24
4.  LAN IP address of Central Site's RRAS server is 10.0.0.1/24
5.  VPN interface IP address of Central Site's RRAS server is 10.1.0.1/24
6.  VPN WAN cloud subnet is 10.1.0.0/24
7.  Satellite Site #1 uses NAT on Cisco 675 ADSL router
8.  Satellite Site #1 LAN subnet is 10.0.1.0/24
9.  Satellite Site #1 DSL router LAN interface IP address is 10.0.1.1/24
10.  Satellite Site #1 RRAS server's LAN IP address is 10.0.1.5/24
11.  Satellite Site #1 RRAS server's VPN IP address is 10.1.0.2/24
12.  Workstations in Satellite Site #1 use local RRAS Server as Default
Gateway
13.  Satellite Site #2 uses NAT on FlowPoint 2200 SDSL router
14.  Satellite Site #2 LAN subnet is 10.0.2.0/24
15.  Satellite Site #2 DSL router LAN interface IP address is 10.0.2.1/24
16.  Satellite Site #2 RRAS server's LAN IP address is 10.0.2.5/24
17.  Satellite Site #2 RRAS server's VPN IP address is 10.1.0.3/24
18.  Workstations in Satellite Site #2 use local RRAS Server as Default
Gateway

The Satellite Sites are both able to connect to the RRAS VPN server at the
Central Site, and the DSL routers pass the PPTP pipes through just fine.
Host/Client Workstations at each site have full connectivity to resources in
each subnet.  I.e. a workstation in Satellite Site #1 can ping all three
RRAS servers and any other workstation in any subnet.  However, workstations
in Satellite Site #1 CANNOT ping the VPN IP address of the RRAS server in
Satellite Site #2;  likewise, workstations in Satellite Site #2 CANNOT
ping the VPN IP address of the RRAS server in Satellite Site #1.  The RRAS
server at the Central Site can ping both the Satellite Sites' RRAS servers
and any workstation in any site, as well as the VPN IP addresses of both
Satellite Sites' RRAS servers.  The DSL router in Satellite Site #1 can
ping anything EXCEPT the VPN IP address of the RRAS server in Satellite
Site #2;  and the DSL router in Satellite Site #2 can ping anything EXCEPT
the VPN IP address of the RRAS server in Satellite Site #1.

The real problem is this:  the RRAS server in Satellite Site #1 cannot ping
ANYTHING in Satellite Site #2, including the VPN IP address of the RRAS
server in Satellite Site #2; and likewise, the RRAS server in Satellite
Site #2 cannot ping ANYTHING in Satellite Site #1, including the VPN IP
address of the RRAS server in Satellite Site #1.

The mystery to me is that the routing tables appear correct.  I've pored
over them for hours.  Here's a routing table for the RRAS server in
Satellite Site #1:

To 10.0.0.0/24 via 10.1.0.1 metric 1 (traffic to Central Site goes through
Central Site's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1 (traffic to Satellite Site #2 goes
through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.1.1 metric 1 (all other traffic goes through DSL/NAT
router)

And for the RRAS server in Satellite Site #2:

To 10.0.0.0/24 via 10.1.0.1 metric 1 (traffic to Central Site goes through
Central Site's RRAS server's VPN interface)
To 10.0.1.0/24 via 10.1.0.2 metric 1 (traffic to Satellite Site #1 goes
through Satellite Site #1's RRAS server's VPN interface)
To 0.0.0.0/0 via 10.0.2.1 metric 1 (all other traffic goes through DSL/NAT
router)

And on Central Site's RRAS server:

To 10.0.1.0/24 via 10.1.0.2 metric 1 (traffic to Satellite Site #1 goes
through Satellite Site #1's RRAS server's VPN interface)
To 10.0.2.0/24 via 10.1.0.3 metric 1 (traffic to Satellite Site #2 goes
through Satellite Site #2's RRAS server's VPN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes
through the ISP's default gateway)

The DSL routers in both Satellite Sites direct traffic for each private
subnet back through the RRAS servers.  I.e. in Satellite Site #1, the DSL
router's table looks like this:

To 10.0.0.0/24 via 10.0.1.5 metric 2 (traffic to Central Site goes through
Satellite Site #1's RRAS server's LAN interface)
To 10.0.2.0/24 via 10.0.1.5 metric 2 (traffic to Satellite Site #2 goes
through Satellite Site #1's RRAS server's LAN interface)
To 10.1.0.0/24 via 10.0.1.5 metric 1 (traffic to VPN-WAN subnet goes through
Satellite Site #1's RRAS Server's LAN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes
through the ISP's default gateway)

and in Satellite Site #2, the DSL router's table looks like this:

To 10.0.0.0/24 via 10.0.2.5 metric 2 (traffic to Central Site goes through
Satellite Site #2's RRAS server's LAN interface)
To 10.0.1.0/24 via 10.0.2.5 metric 2 (traffic to Satellite Site #1 goes
through Satellite Site #2's RRAS server's LAN interface)
To 10.1.0.0/24 via 10.0.2.5 metric 1 (traffic to VPN-WAN subnet goes through
Satellite Site #2's RRAS Server's LAN interface)
To 0.0.0.0/0 via [ISP Default Gateway] metric 1 (all other traffic goes
through the ISP's default gateway)

I know this is a little difficult to visualize, so if anyone interested in
helping would like a diagram, I could send one.

The problem with the two Satellite Sites' servers' communication is
bizarre to me, mainly because the rest of the machines on each local subnet
are able to connect to the remote servers just fine, using the RRAS servers
as their default gateway.

--Jeremy
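
What the tables above describe is ordinary longest-prefix-match forwarding, and the quickest way to check them is to trace both directions of each reported ping through them. The script below is an added example, not part of the original mail or of any Microsoft RRAS tool. It encodes the route entries exactly as listed above and assumes the rest: the directly connected routes implied by the interface addresses in items 1-18, two constructed workstations (10.0.1.20 and 10.0.2.20) using the local RRAS server as default gateway, PPTP tunnels modelled as point-to-point links ending at the Central Site server, and `ISP` as a placeholder next hop. Built only from those entries, it finds a path in both directions for every test in the post, including the ones reported as failing, so the listed entries alone do not account for the difference. What it does make visible is the source address each test uses: a workstation's ping is answered to 10.0.1.x, while a ping originated on the RRAS server leaves via the VPN interface and is answered to 10.1.0.2, so its reply depends on how every hop routes the 10.1.0.0/24 addresses rather than the 10.0.x.0/24 subnets. Those are the lookups worth comparing against the real `route print` output on each box before concluding that routing is not the problem.

```python
"""Longest-prefix-match trace over the routing tables quoted in the post.

Added example; not part of the original mail or of any RRAS tool.
Assumed (not in the post): directly connected routes for each interface
address, the two workstations ws1/ws2, point-to-point PPTP tunnels whose
far end is the central server, and "ISP" as a placeholder next hop.
"""
import ipaddress as ip

# node -> interface addresses plus routes as (prefix, next hop, interface);
# next hop None means "directly connected on that interface".
NODES = {
    "central": {"lan": "10.0.0.1", "vpn": "10.1.0.1", "routes": [
        ("10.0.0.0/24", None, "lan"), ("10.1.0.0/24", None, "vpn"),
        ("10.0.1.0/24", "10.1.0.2", "vpn"), ("10.0.2.0/24", "10.1.0.3", "vpn"),
        ("0.0.0.0/0", "ISP", "inet")]},
    "rras1": {"lan": "10.0.1.5", "vpn": "10.1.0.2", "routes": [
        ("10.0.1.0/24", None, "lan"), ("10.1.0.0/24", None, "vpn"),
        ("10.0.0.0/24", "10.1.0.1", "vpn"), ("10.0.2.0/24", "10.1.0.3", "vpn"),
        ("0.0.0.0/0", "10.0.1.1", "lan")]},
    "rras2": {"lan": "10.0.2.5", "vpn": "10.1.0.3", "routes": [
        ("10.0.2.0/24", None, "lan"), ("10.1.0.0/24", None, "vpn"),
        ("10.0.0.0/24", "10.1.0.1", "vpn"), ("10.0.1.0/24", "10.1.0.2", "vpn"),
        ("0.0.0.0/0", "10.0.2.1", "lan")]},
    "dsl1": {"lan": "10.0.1.1", "routes": [
        ("10.0.1.0/24", None, "lan"), ("10.0.0.0/24", "10.0.1.5", "lan"),
        ("10.0.2.0/24", "10.0.1.5", "lan"), ("10.1.0.0/24", "10.0.1.5", "lan"),
        ("0.0.0.0/0", "ISP", "wan")]},
    "dsl2": {"lan": "10.0.2.1", "routes": [
        ("10.0.2.0/24", None, "lan"), ("10.0.0.0/24", "10.0.2.5", "lan"),
        ("10.0.1.0/24", "10.0.2.5", "lan"), ("10.1.0.0/24", "10.0.2.5", "lan"),
        ("0.0.0.0/0", "ISP", "wan")]},
    # constructed workstations; default gateway is the local RRAS server (items 12, 18)
    "ws1": {"lan": "10.0.1.20", "routes": [("10.0.1.0/24", None, "lan"),
                                           ("0.0.0.0/0", "10.0.1.5", "lan")]},
    "ws2": {"lan": "10.0.2.20", "routes": [("10.0.2.0/24", None, "lan"),
                                           ("0.0.0.0/0", "10.0.2.5", "lan")]},
}
# Each satellite's PPTP call is a point-to-point link to the central server.
TUNNEL_PEER = {"rras1": "central", "rras2": "central"}


def owner(addr):
    """Node that has addr configured on one of its interfaces, or None."""
    for name, node in NODES.items():
        if any(node.get(i) == str(addr) for i in ("lan", "vpn")):
            return name
    return None


def lookup(node, dst):
    """Longest-prefix match over node's table; returns (prefix, nh, iface) or None."""
    dst = ip.ip_address(dst)
    matches = [r for r in NODES[node]["routes"] if dst in ip.ip_network(r[0])]
    return max(matches, key=lambda r: ip.ip_network(r[0]).prefixlen, default=None)


def source_address(node, dst):
    """Address a packet originated on node carries: that of its egress interface."""
    route = lookup(node, dst)
    return NODES[node].get(route[2]) if route else None


def trace(node, dst, max_hops=8):
    """Hop-by-hop list of nodes a packet for dst visits, starting at node."""
    dst = ip.ip_address(dst)
    path = []
    for _ in range(max_hops):
        path.append(node)
        if owner(dst) == node:
            return path                        # delivered locally
        route = lookup(node, dst)
        if route is None or route[1] == "ISP":
            return path + ["exits to ISP"]     # no private route; leaves the VPN
        prefix, nh, iface = route
        if iface == "vpn" and node in TUNNEL_PEER:
            node = TUNNEL_PEER[node]           # point-to-point: the peer gets it
        else:
            node = owner(nh if nh else dst)    # LAN, or the central hub: to next hop
        if node is None:
            return path + ["no such host"]
    return path + ["loop"]


def round_trip(src, dst):
    """Forward path, the address the reply is sent to, and the reply's path."""
    reply_to = source_address(src, dst)
    forward = trace(src, dst)
    back = trace(forward[-1], reply_to) if forward[-1] in NODES else []
    return {"forward": forward, "reply_to": reply_to, "back": back}


if __name__ == "__main__":
    # The three kinds of test in the post: workstation, RRAS server, DSL router.
    for src, dst in [("ws1", "10.0.2.20"), ("rras1", "10.0.2.5"), ("dsl1", "10.1.0.3")]:
        r = round_trip(src, dst)
        print(f"{src} -> {dst}: {' > '.join(r['forward'])}; "
              f"reply to {r['reply_to']}: {' > '.join(r['back'])}")
```

Running it shows the workstation test answered to 10.0.1.20 and the server test answered to 10.1.0.2; adding an entry or changing a next hop in `NODES` and re-running is a cheap way to see which lookups a proposed change actually affects.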

-----Original Message-----
From: Jon Carnes [mailto:jonc at HAHT.COM]
Sent: Monday, December 20, 1999 1:44 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: MS PPTP Weirdness


Okay.  It is routing...

Each VPN server has to have the DSL connection as its default route.  The
other local machines use the VPN as the default.  Set up a route on the VPN1
server to the VPN2 network via the VPN1 connection.  Mirror that for your
VPN2 server.

Basically, print out the routes on VPN1 Server.  Do you see a route for the
VPN2 network?
   No - it goes down the default route.
   Yes - Well that's where the packets go!

Note: you cannot change the default, as that will mean the box can no longer
find the internet and therefore not find the VPN connection (unless you add
a 255.255.255.255 route that just points to the other endpoint address using
the DSL connection).

Good Luck

Jon Carnes
MIS - HAHT Software
----- Original Message -----
From: "Jeremy Jones" <JJones at NWNETS.COM>
To: <VPN at SECURITYFOCUS.COM>
Sent: Monday, December 20, 1999 10:30 AM
Subject: MS PPTP Weirdness


> Hi all,
>
> I have a client with several sites, all with 256k+ Internet connections.
> The central site has an ms vpn server behind a proxy, and two satellite
> sites make pptp calls from behind nat firewalls to the central site.  The
> two satellites are able to connect just fine, and the connection is as
> stable as the DSL connections.  The problem is that the vpn client servers
> in the satellite sites cannot see each other.  The vpn client in satellite
> site 1 can ping the central site, and the vpn client in satellite site 2
> can ping the central site.  The vpn server in the central site can ping
> either vpn client.  The vpn connections are used for routing between the
> sites, and the vpn-wan cloud has its own subnet.
>
> The bizarre thing, and the thing that makes me think that routing is NOT
> the problem, is that workstations in satellite site 1 can ping the
> workstation machines in satellite site 2 as well as the vpn machine in
> satellite site 2.  Likewise, workstations in satellite site 2 can ping
> anything.  The workstations in each satellite site are using the vpn
> machines on their local subnet as default gateways.
>
> Now why would the workstations be able to get around just fine, using the
> routing tables set up on the vpn machines, when the vpn machines themselves
> cannot communicate?
>
> If routing tables would be helpful, I'd be happy to send them along...
>
> Thanks in advance,
> Jeremy Jones, MA, MCSE, CCNA
> Systems Analyst
> Northwest Network Services
> (208) 343-5260 x106
> http://www.nwnets.com
> mailto:jjones at nwnets.com
>
> VPN is sponsored by SecurityFocus.COM
