
VPN from Draytek Vigor 2900 - remote client can't ping local LAN


David Elders

Jul 9, 2004, 5:56:14 PM
Hi all,

Hopefully we're missing something simple and someone can point us in the
right direction.

Central Office:
SBS2000 - set-up as noted below:

Cable Modem
Broadband Router - passthrough for PPTP VPN enabled [int - 192.168.42.10]
External NIC on SBS [192.168.42.2]
ISA 2000
Internal NIC on SBS [172.16.0.1]
LAN [172.16.0.x]

Remote Office:
ADSL
Broadband Router - Draytek Vigor 2900Gi [int - 192.168.45.150]
PC - fixed IP - 192.168.45.160

As those who are familiar with the Vigor range will know, the Draytek kit
can initiate a VPN call [it can also act as a VPN Server if required]. We
can initiate a full-time VPN connection from the Vigor to our SBS box across
the Internet no problem but the remote PC cannot ping anything on the LAN IP
range.

This is kinda critical from a testing perspective as the crux of this is to
eventually implement an IP hardphone within the Remote office, connecting to
the VoIP-enabled telephone system on the LAN at the Central office.

We're sure this has to be a fairly basic routing issue and that we should be
able to add a route somehow to 'force' the VPN traffic back to the remote
LAN. Problem is we can't for the life of us work out what to do!

Anyone got any pointers?

Cheers,

David


Reggie Dones

Jul 9, 2004, 6:06:57 PM
Is the VPN set up as Point to Point or RAS on SBS? We set up some Netopia
routers to VPN into our SBS and we ran into the same thing because the
routing interface was not created on the RRAS. If the routing interface for
the VPN is not created on SBS, your router connects as a RAS client.

Someone might want to check me on this.

Reggie Dones

"David Elders" <david....@akdsystems.co.uk> wrote in message
news:eQ5GN%23fZEH...@tk2msftngp13.phx.gbl...

David Elders

Jul 9, 2004, 6:31:25 PM
Hi Reggie,

Thanks for replying so quickly!

At present, we've simply set-up the Vigor with the account settings of a
user with remote VPN access. That sounds plausible but I'm a little unsure
how to proceed from here. Any pointers on how you got around this?

Cheers,

David


"Reggie Dones" <rfd...@argotech.net_nospam> wrote in message
news:ObcONEgZ...@TK2MSFTNGP10.phx.gbl...

Reggie Dones

Jul 9, 2004, 6:50:31 PM
It sounds like you are set up as a RAS. You may be able to check if you can
ping resources at the SBS from the router itself - then it's working the way
it's supposed to.

A very simplified process: If you're using the ISA server, then you can use
the wizard from the routing page to create the connection and account, if
not, you can create the connection from RRAS. It will also ask you what IP
Address to use for the routing. You then would have to change the
credentials of the satellite office router to match what you have created on
SBS.


Hope that helps,
Reggie

"David Elders" <david....@akdsystems.co.uk> wrote in message

news:epb12RgZ...@tk2msftngp13.phx.gbl...

David Elders

Jul 9, 2004, 7:14:33 PM
Hi again Reggie,

Did a bit more testing. Results below.

Create VPN connection from Vigor to SBS2K using settings for VPN inwards
that work fine direct from any laptop - VPN connection is brought up no
problem but any PC connected to the Vigor cannot ping anything on the SBS
LAN.

Create VPN connection from Vigor to remote Vigor [at different site, purely
for testing] WITHOUT creating any IP routes back to the initiating end - VPN
connection is again brought up but these same PCs can ping anything on the
remote LAN.

To me, this suggests that the routing issue is not at the Vigor end but that
'something' on the SBS set-up is blocking the return packets from getting
back to the PC at the remote end. Your notes about there being a difference
between standard VPN/RAS connection and P2P make sense in that I think we
need to 'tell' the SBS box how to route the packets back to the remote LAN
range - I just don't know how to do this!

Regards,

David


"Reggie Dones" <rfd...@argotech.net_nospam> wrote in message

news:#XK8icgZ...@TK2MSFTNGP10.phx.gbl...

Reggie Dones

Jul 9, 2004, 11:08:46 PM
Okay I'm assuming you are running ISA Server at SBS2k site.

Open ISA Management Console
Navigate to >Server And Arrays>Server Name>Network Config
Right Click on Network Config and choose "set up local ISA VPN Server"
A VPN Wizard will pop up. Follow the instructions it will ask you for the
following:
1. Create an account (automatically places the account on AD)
2. Choose Protocol. PPTP or IPSEC.
3. Initiate connection from both sites?
4. IP range of the remote site.
5. It will ask you for NIC information.

After you go through the wizard it will create the necessary filters and
LAT settings in ISA and it will create routing connections in RRAS of the
SBS2k. All you have to do is replace the account at your VIGOR router with
the one you just created at the SBS server and use the correct IP Address
that you assigned for the router in SBS.

You may be able to find an article in www.isaserver.org.

Reggie

"David Elders" <david....@akdsystems.co.uk> wrote in message

news:O2fB9pg...@tk2msftngp13.phx.gbl...
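
The return-route problem discussed in the posts above can be modelled as a longest-prefix lookup on the SBS routing table; this is an added example, not code from any poster. It uses the addresses quoted in the thread and assumes /24 masks, a constructed client address (172.16.0.200), hypothetical interface names, and that the Vigor forwards the PC's packets with their original 192.168.45.x source address.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: interface of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in routes
               if dst in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Routes present in both cases, built from the thread's addresses (/24 assumed).
BASE = [
    ("172.16.0.0/24", "internal-nic"),     # SBS LAN
    ("192.168.42.0/24", "external-nic"),   # segment to the broadband router
    ("0.0.0.0/0", "external-nic"),         # default route via 192.168.42.10
]

# Case 1: the Vigor dials in as a RAS client. The server only learns a host
# route to the single address it hands out (172.16.0.200 is constructed).
RAS_CLIENT = BASE + [("172.16.0.200/32", "ras-client-link")]

# Case 2: router-to-router. A routing interface exists and carries a static
# route for the remote office range (the wizard's "IP range of the remote site").
SITE_TO_SITE = BASE + [("192.168.45.0/24", "vpn-routing-interface")]

def reply_path(routes, remote_pc="192.168.45.160"):
    """Interface the SBS picks for the echo reply to the remote PC."""
    return next_hop(routes, remote_pc)

def returns_via_tunnel(routes, remote_pc="192.168.45.160"):
    """True when the reply goes back through a VPN link, not a physical NIC."""
    return reply_path(routes, remote_pc) not in (None, "internal-nic", "external-nic")

if __name__ == "__main__":
    for name, table in (("RAS client", RAS_CLIENT), ("site-to-site", SITE_TO_SITE)):
        print(f"{name:13s} reply to 192.168.45.160 leaves via {reply_path(table)}")
```

In the RAS-client table the reply to 192.168.45.160 matches only the default route and leaves through the external NIC, which is consistent with the tunnel coming up while pings from the remote PC go unanswered.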

David Elders

Jul 12, 2004, 2:33:36 PM
Hi Reggie,

After a LOT of to-ing and fro-ing, I think we're almost there. Situation
currently is this:

We CAN initiate a VPN from the Server to the Vigor OK
We still CANNOT get a stable, repeatable VPN from the Vigor to the Server

When we have the VPN from the Server to the Vigor up-and-running, we CAN
ping anything on the Vigor internal range from the Server and from a laptop
on the Vigor internal range to anything on the SBS internal LAN. We
*thought* that would be it. Wrong!

We cannot ping from any of the SBS LAN clients to the Vigor [internal or
external IP ranges] and it appears that only certain types of traffic are
being properly communicated back and forth between SBS and Vigor. For
example, from a laptop connected to the Vigor internal side I can ping the
IP-enabled phone system on the SBS LAN side but I cannot draw down a config
as I'd expect to be able to.

I cannot help thinking that if we could get the Vigor initiating the VPN
connection this would be resolved as it would be assigned an IP address on
the internal LAN range at the SBS side, whereas the external VPN outgoing
from the SBS box is being given an IP address on the Vigor internal LAN.
Could be wildly wrong on that front though!

Have checked in RRAS and there is nothing being filtered on the connection
and we've even [purely as a test - didn't work so put it back how it was]
used a test IP packet filter in ISA to allow everything in/out in order to
ascertain if ISA was perhaps blocking something. Dunno if it's to do with NAT
on the SBS box or something like that [because I assume the Vigor will see
the connection as being initiated from the external side of the SBS rather
than the internal side]

Any thoughts?

In the meantime, I'll try once more to get the Vigor initiating the VPN
connection and see if that simplifies things any.

Thanks again for the help,


David


"Reggie Dones" <rfd...@argotech.net_nospam> wrote in message

news:#vCi2siZ...@TK2MSFTNGP11.phx.gbl...
